What is fileless malware?

This near-invisible threat can go virtually undetected by even the most advanced antivirus software

Of all the threats to a business’s integrity, fileless malware sits near the top of the list, because it is rarely detected, even by antivirus tools.

Detection is difficult because fileless malware, true to its name, doesn’t rely on files to infect a machine or network. Instead, seemingly genuine programs serve as entry points for malware. Equifax’s data breach story is a classic example of how benignly malware can present itself before ultimately taking the target machine hostage.

A command injection vulnerability in the consumer complaints portal led to the Equifax breach. Login credentials for three servers allowed access to another 48 servers holding consumer data stored in plain text; the lack of encryption compounded the theft. The vulnerability paved the way for something even more sinister: remote code execution. It was later revealed that the hackers had access to the portal for nearly 76 days.

In 2018, 90% of financial institutions reported being targeted by fileless malware. This leaves an obvious question hanging in the air: what makes fileless malware so elusive? And, is there a way out?

The anatomy of fileless malware

Fileless malware is malicious software that finds and exploits vulnerabilities on a target machine using applications, software or authorized protocols already present on it. It resides in RAM and repurposes trusted processes running on the operating system, a technique often called “living off the land.”

The idea behind the attack is deviously clever: no security product, however sophisticated, flags a legitimate file or program already on the disk. Note that, despite the name, fileless malware can still use shortcuts, script files and trusted processes such as adobe.exe to install malicious code.

There are no quick fixes, either. Fileless malware leaves a footprint so small that it evades detection nine times out of ten. It is this stealthiness that keeps fileless malware immune to ground-level security solutions. And although malware typically attacks all kinds of operating systems, most fileless malware targets Windows computers.

Here is a short list of entry points hackers use to get into a target system:

  • Phishing emails peppered with ‘safe-looking’ links
  • Websites that redirect the visitor or prompt a download
  • Trusted, frequently used programs

The scenarios indicate fileless attacks are often user-initiated — an individual receives an unsolicited email, clicks on a link and is redirected to a malicious website. 

A more native example is Microsoft’s PowerShell framework. A staple in modern IT environments, PowerShell automates repetitive tasks so administrators don’t have to do them manually.

Fileless malware can hijack legitimate PowerShell functionality and remain undetected because firewalls and antivirus programs don’t blacklist PowerShell routines. The utility is vital to most organizations, which is why the platform can’t simply be shut down or blocked. Macros in Microsoft Office tools and the Adobe Flash video player are other common fileless malware carriers.
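Because PowerShell can’t be blocked outright, the practical defence is to log what it runs and look for the traits described above: script blocks with no backing file on disk, and blocks that carry encoded or download-and-execute content. The following is an added example, not code from the article, that triages PowerShell script block logs (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log). It assumes script block logging is already enabled, and the indicator list is an assumed starting point rather than a complete signature set.

```powershell
# Added example (not from the article): triage Event ID 4104 script block logs for
# memory-only script blocks and common fileless indicators. Assumes script block
# logging is enabled; the indicator list is an assumption, extend it for your estate.

function ConvertFrom-EncodedCommandText {
    # If a logged command passes an -EncodedCommand (-e/-ec/-enc) payload, return the
    # decoded UTF-16LE text so the analyst sees what actually ran; otherwise $null.
    param([string]$Text)
    $m = [regex]::Match($Text, '-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})', 'IgnoreCase')
    if (-not $m.Success) { return $null }
    try {
        return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value))
    } catch {
        return $null   # not valid base64; leave the raw text to the analyst
    }
}

function Get-SuspiciousScriptBlock {
    [CmdletBinding()]
    param(
        [string[]]$Indicator = @('FromBase64String', 'Invoke-Expression', 'DownloadString',
                                 'Net.WebClient', '-EncodedCommand', 'Reflection.Assembly'),
        [int]$MaxEvents = 5000
    )

    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    try {
        $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when there are no matching events, e.g. logging is off
        Write-Warning "No 4104 events available (is script block logging enabled?): $_"
        return
    }

    foreach ($evt in $events) {
        # 4104 properties: [0] message number, [1] message total, [2] script block text,
        # [3] ScriptBlockId, [4] path of the script file (empty when run from memory)
        $text = [string]$evt.Properties[2].Value
        $path = [string]$evt.Properties[4].Value

        $hits = $Indicator | Where-Object { $text.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
        $fileless = [string]::IsNullOrEmpty($path)

        # Report indicator matches, plus long memory-only blocks. Interactive console input
        # also has no path, so the length threshold is a crude filter against that noise.
        if ($hits -or ($fileless -and $text.Length -gt 200)) {
            [pscustomobject]@{
                TimeCreated   = $evt.TimeCreated
                ScriptBlockId = $evt.Properties[3].Value
                FromDisk      = -not $fileless
                Path          = $path
                Indicators    = ($hits -join ', ')
                Decoded       = ConvertFrom-EncodedCommandText -Text $text
                Preview       = $text.Substring(0, [Math]::Min(160, $text.Length))
            }
        }
    }
}

# Usage:
# Get-SuspiciousScriptBlock | Sort-Object TimeCreated -Descending | Format-List
```

The `FromDisk` column is the point of the exercise: a script block that matches an indicator and has no path was never written to disk, which is exactly the case a file-scanning antivirus misses. Large script blocks are logged across several 4104 events (message 1 of N), so group by `ScriptBlockId` when reconstructing the full text.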

What happens to stolen data after a breach?

Compromised data is often sold on the dark web for profit. Some infections also take over the web browser to serve unwanted ads, steal passwords and more.

With no file to take action on, data security systems are caught off guard and defense becomes difficult. Attacks can also be extended to other locations or shared networks via the internet. 

All in all, as malware evolves, we’re faced with a greater challenge of developing equally competent tools that are ready for combat.

How to protect against fileless malware?

Much of malware defense involves shifting the focus from security tools to human vulnerability. System behavior analysis and fraud-detection software are helpful, but only at the surface. Even a slight delay in applying a security patch can prove treacherous.

However, the good news is a user can do several things to stop the malware in its tracks. Safeguard your PC from fileless malware by:

  • Implementing two-factor authentication
  • Turning off PowerShell and WMI when not in use
  • Visiting secure websites only (look for the padlock icon in the browser)
  • Revising download policies by preventing PDFs and Flash from loading in browsers
  • Watching out for phishing emails that come with jaw-dropping offers
  • Keeping up with the latest security patches
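The PowerShell and WMI items in the list above are the ones an administrator can act on directly from a console. The following is an added example, not code from the article, that applies them in an elevated session: it turns on script block logging, removes the PowerShell 2.0 engine (which predates logging and so gives an attacker a way to downgrade around it), and lists permanent WMI event subscriptions, the mechanism fileless malware commonly uses to survive a reboot. The registry path and feature names are the standard Windows policy locations; the reporting function and its column names are this example’s own.

```powershell
# Added example (not from the article): apply and report the PowerShell/WMI hardening
# items. Run as Administrator. Registry key and feature names are standard Windows ones.

function Enable-PSScriptBlockLogging {
    # Same effect as the "Turn on PowerShell Script Block Logging" group policy setting
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
}

function Disable-PSv2Engine {
    # The 2.0 engine has no script block logging or AMSI support, so a process started
    # with "-Version 2" sidesteps both. Remove the optional feature if it is present.
    Get-WindowsOptionalFeature -Online |
        Where-Object { $_.FeatureName -like 'MicrosoftWindowsPowerShellV2*' -and $_.State -eq 'Enabled' } |
        ForEach-Object { Disable-WindowsOptionalFeature -Online -FeatureName $_.FeatureName -NoRestart | Out-Null }
}

function Get-WmiPersistence {
    # Permanent WMI subscriptions live in root/subscription: an __EventFilter (the trigger)
    # bound to an __EventConsumer (the action). A normal workstation has almost nothing
    # here, so every row deserves a look. Querying the abstract __EventConsumer class
    # returns all concrete consumer types (CommandLine, ActiveScript, ...).
    $ns = 'root/subscription'
    foreach ($class in '__EventFilter', '__EventConsumer') {
        Get-CimInstance -Namespace $ns -ClassName $class -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Class'; e = { $_.CimClass.CimClassName } },
                          Name, Query, CommandLineTemplate, ScriptText
    }
}

function Get-PSHardeningStatus {
    # One-object summary of the state the functions above aim for
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $logging = (Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScriptBlockLogging = [bool]$logging
        PSv2Removed        = ($null -eq $v2) -or ($v2.State -ne 'Enabled')
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode   # ConstrainedLanguage is the goal
        WmiSubscriptions   = @(Get-WmiPersistence).Count
    }
}

# Usage:
# Enable-PSScriptBlockLogging; Disable-PSv2Engine; Get-PSHardeningStatus
```

PowerShell itself cannot be uninstalled from a modern Windows build, which is why the example removes the 2.0 engine rather than the shell. `LanguageMode` is reported because Constrained Language Mode, enforced through an AppLocker or WDAC policy, is the closest thing to "turning PowerShell off" for untrusted scripts while leaving signed administrative tooling working. Stopping the WMI service is rarely viable, since Windows components depend on it; auditing the subscription namespace gives most of the benefit.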

A final word

When it comes down to it, a window of opportunity is all it takes for a cybercriminal to turn a machine against itself. That said, the concept of absolutely zero-footprint malware doesn’t truly exist, as there are ways to detect malware, even when the threat isn’t readily visible. 

“Software vulnerabilities in the software already installed are necessary to carry out a fileless attack, so the most important step in prevention is patch and update not only the operating system, but software applications,” states Jon Heimerl, senior manager of the threat intelligence communications team at NTT Security. “Browser plugins are the most overlooked applications in the patch management process and the most targeted in fileless infections.”

The strongest defense against fileless malware is user vigilance combined with reliable anti-malware software. By carefully monitoring admin and user activity, corporate networks can steer clear of fileless malware invasions.
