DEV Community

Cover image for Malware Without Files: The Danger That Bypasses Traditional Anti-Malware Software
Aashi Agarwal
Aashi Agarwal

Posted on

Malware Without Files: The Danger That Bypasses Traditional Anti-Malware Software

Fileless malware poses some of the biggest problems for traditional anti-malware software because it does not work by way of the usual file-based malicious software. In other words, it works by running in memory, exploiting legitimate software tools, and leaving fewer traces than file-based malware. This means that it poses a problem for those systems that rely heavily on file analysis.
The problem with fileless malware is that it is not magic but quiet. Fileless malware makes use of legitimate tools available on a computer system without creating many of the typical traces. Therefore, in situations where the focus is placed solely on file scanning, it becomes dangerous.

What Fileless Malware Is
Fileless malware refers to malicious software that operates without leaving a traditional executable file on the hard disk as seen in most types of malware. Such malware could exist in the memory, scripts, registry keys or through the use of legitimate administrative programs. The absence of malicious files makes such malware evade many detection systems.
This does not imply that fileless malware is undetectable but that its detection becomes difficult when defenses rely on detecting known malicious files. Detection could be through unusual behavior, command line usage or use of operating system tools.

Why Traditional Antivirus Tools Have a Hard Time
Traditional antivirus software was designed at a time when malware operated in files that would be scanned, identified, quarantined or deleted. Fileless malware does not operate in this manner as the malware may lack any malicious file to detect.
Many fileless malware attacks will utilize trusted utilities which are installed already on the endpoint computer. In such cases, the activity will appear legitimate initially. If there is some abnormal use of a script host, a shell or a management tool, an antivirus program may be unable to detect such malware initially, especially if there is no matching signature of the sample.
This is one of the reasons why modern cybersecurity has shifted towards behavioral analysis and monitoring of endpoints. The problem is not to identify malicious files; the problem is to identify malicious behavior.

How Fileless Attacks Operate
Fileless malware attack usually starts like any other attack - through phishing or social engineering or even exploit which grants initial access to the intruder. Thereafter, the intruder may use legitimate utilities to execute a command, to download a payload, or to execute malicious code in memory. In such cases, scripting tools, scheduled tasks, macros, or legitimate management tools are utilized.
As those utilities are legitimate components of an operating system, the activity may not look suspicious. Thereafter, the intruder may gather credentials, proceed with lateral movements or maintain persistence.
The real threat lies in the fact that defenders might be too concentrated on looking for files which will never be created properly on the hard drive.

Why It Is So Effective
This kind of malware is so effective because it blends into the processes that are already normal in the system. For example, if the company uses PowerShell, WMI, script interpreter, or any other remote administration software, then attackers can easily leverage it for their malicious purposes, hiding their actions among regular activities of IT administrators.
Fileless malware is also effective due to lack of forensic data. The less files are created, the less forensic artifacts there are available and the more time an organization will spend on responding to the incident, figuring out how attackers got in, what they do, and whether they are still in the network.
In other words, fileless malware is not invincible. On the contrary, it is developed to take advantage of assumptions on which older security measures were based.

How Organizations Should Respond
To protect themselves from fileless malware, organizations have to look beyond files. They need endpoint detection and response, proper logging, script monitoring, process tracking, and behavioral analytics.
Application control and least privilege will assist here too. In case users don't require running any powerful scripting applications, they shouldn't have an access to these features. In case administrative applications are misused, the consequences of such actions can be minimized using appropriate segmentation and privileged access management.
Moreover, security team members should also take into account that presence of an infected file on a disk is not the only indicator of malware presence. The system may be compromised even if scanning doesn't indicate any presence of files. This is why security investigation should be focused on system behavior rather than on artifacts.

The Big Takeaway
Fileless malware demonstrates that detection technology needs to be adjusted to the attacker behavior. While antivirus is still important, it is not enough. Modern attacks use applications that are trusted and already present in the system, which means that security teams should monitor system behavior rather than its files.
In other words, the point here is pretty obvious – in case security teams continue relying only on detection of suspicious files, they will fail in identifying malicious activities. Modern security requires monitoring system memory, its behavior, scripts and misuse.

Find more resources on cybersecurity, threat intelligence, digital risk, privacy compliance, and consent management through IntelligenceX and ConsentX. IntelligenceX helps organizations identify and understand emerging cyber threats through focused digital intelligence analysis and investigations, while ConsentX empowers businesses to achieve global privacy compliance with comprehensive consent management, cookie compliance, and data privacy solutions.

Top comments (0)