Fileless Malware Explained

Kurt Baker - April 17, 2023

What is Fileless Malware?

Fileless malware is a type of malicious activity that uses native, legitimate tools built into a system to execute a cyber attack. Unlike traditional malware, fileless malware does not require an attacker to install any code on a target’s system, making it hard to detect.

This fileless technique of using native tools to conduct a malicious attack is sometimes referred to as living off the land or LOLbins.

Common Fileless Malware Techniques

While attackers don’t have to install code to launch a fileless malware attack, they still need to get access to the environment so they can modify its native tools to serve their purposes. Access and attacks can be accomplished in several ways, such as through the use of:

  • Exploit kits
  • Hijacked native tools
  • Registry resident malware
  • Memory-only malware
  • Fileless ransomware
  • Stolen credentials

Exploit kits

Exploits are pieces of code, sequences of commands, or collections of data, and exploit kits are collections of exploits. Adversaries use these tools to take advantage of vulnerabilities that are known to exist in an operating system or an installed application.

Exploits are an efficient way to launch a fileless malware attack because they can be injected directly into memory without requiring anything to be written to disk. Adversaries can use them to automate initial compromises at scale.

An exploit begins in the same way, regardless of whether the attack is fileless or uses traditional malware. Typically, a victim is lured through a phishing email or social engineering. The exploit kit usually includes exploits for a number of vulnerabilities and a management console that the attacker can use to control the system. In some cases, the exploit kit will include the ability to scan the targeted system for vulnerabilities and then craft and launch a customized exploit on the fly.

Registry resident malware

Registry resident malware is malware that installs itself in the Windows registry in order to remain persistent while evading detection.

Commonly, Windows systems are infected through the use of a dropper program that downloads a malicious file. This malicious file remains active on the targeted system, which makes it vulnerable to detection by antivirus software. Fileless malware may also use a dropper program, but it doesn’t download a malicious file. Instead, the dropper program itself writes malicious code straight into the Windows registry.

The malicious code can be programmed to launch every time the OS is launched, and there is no malicious file that could be discovered – the malicious code is hidden in native files not subject to AV detection.

The oldest variant of this type of attack is Poweliks, but many have emerged since then, including Kovter and GootKit. Malware that modifies registry keys is highly likely to remain in place undetected for extended periods of time.
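A defender can triage exported autorun values for data that looks like stored code rather than a path to a program. The sketch below is an added example, not code from the original article or from CrowdStrike; the script-host list, the thresholds and the sample values are assumptions.

```python
import math
import re
from collections import Counter

# Built-in interpreters and script hosts; the list and the three thresholds
# below are assumptions for this example, to be tuned per environment.
SCRIPT_HOSTS = re.compile(r"\b(powershell|pwsh|wscript|cscript|mshta|wmic)(\.exe)?\b", re.I)
ENCODED_RUN = re.compile(r"[A-Za-z0-9+/=]{64,}")   # long unbroken base64-like run
MAX_LEN = 260        # ordinary autoruns are a path plus a few switches
ENTROPY_BITS = 4.5   # bits per character

def entropy(text):
    """Shannon entropy of a non-empty string, in bits per character."""
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())

def triage_autoruns(values):
    """Return {value_name: [reasons]} for autorun data that looks like code
    stored in the registry rather than a pointer to a program on disk."""
    findings = {}
    for name, data in values.items():
        reasons = []
        if SCRIPT_HOSTS.search(data):
            reasons.append("launches a built-in script host")
        if len(data) > MAX_LEN:
            reasons.append("unusually long value")
        if any(entropy(run) >= ENTROPY_BITS for run in ENCODED_RUN.findall(data)):
            reasons.append("contains a high-entropy encoded run")
        if reasons:
            findings[name] = reasons
    return findings

# Constructed sample of one autorun key's values (not taken from a real host).
# BLOB stands in for encoded script text: 64 distinct characters, 6.0 bits each.
BLOB = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
SAMPLE = {
    "VendorUpdater": r'"C:\Program Files\Vendor\updater.exe" /background',
    "SysCheck": "powershell.exe " + BLOB,
}
```

Calling triage_autoruns(SAMPLE) flags only the SysCheck value; a hit is a reason to review the entry, since legitimate software also launches script hosts at logon.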

Memory-only malware

Memory-only malware resides only in memory. An example of memory-only malware is the Duqu worm, which can remain undetected because it resides exclusively in memory. Duqu 2.0 comes in two versions; the first is a backdoor that allows the adversary to gain a foothold in an organization. The adversary can then use the advanced version of Duqu 2.0, which offers additional features such as reconnaissance, lateral movement and data exfiltration. Duqu 2.0 has been used to successfully breach companies in the telecom industry and at least one well-known security software provider.

Fileless ransomware

Adversaries do not limit themselves to one type of attack. They use any technology that will help them capture their payload. Today, ransomware attackers are using fileless techniques to embed malicious code in documents through the use of native scripting languages such as macros or to write the malicious code directly into memory through the use of an exploit. The ransomware then hijacks native tools like PowerShell to encrypt hostage files without ever having written a single line to disk.

Stolen credentials

Attackers may commence a fileless attack through the use of stolen credentials so they can access their target under the guise of a legitimate user. Once inside, the attacker can use native tools such as Windows Management Instrumentation (WMI) or PowerShell to conduct their attack. They can establish persistence by hiding code in the registry or the kernel, or by creating user accounts that grant them access to any system they choose.

Stages of a fileless attack

To demonstrate how a fileless attack can work, below is an infographic that illustrates a real-world fileless intrusion uncovered by the CrowdStrike Services incident response (IR) team.

Stage #1: Gain Access

Technique: Remotely exploit a vulnerability and use web scripting for remote access (e.g., China Chopper)

The attacker gains remote access to the victim’s system to establish a beachhead for his attack.

Stage #2: Steal Credentials

Technique: Remotely exploit a vulnerability and use web scripting for remote access (e.g., Mimikatz)

Using the access gained in the previous step, the attacker now tries to obtain credentials for the environment he has compromised, allowing him to easily move to other systems in that environment.

Stage #3: Maintain Persistence

Technique: Modify registry to create a backdoor (e.g., Sticky Keys Bypass)

Now, the attacker sets up a backdoor that will allow him to return to this environment at will, without having to repeat the initial steps of the attack.

Stage #4: Exfiltrate Data

Technique: Uses file system and built-in compression utility to gather data, then uses FTP to upload the data

In the final step, the attacker gathers the data he wants and prepares it for exfiltration, copying it in one location and then compressing it using readily available system tools such as Compact. The attacker then removes the data from the victim’s environment by uploading it via FTP.

How to Detect Fileless Malware

If legacy AV, whitelisting, sandboxing, and even machine learning methods cannot protect against fileless attacks, what’s left? Organizations can protect themselves by taking an integrated approach that combines multiple methods.

Rely on Indicators of Attack instead of Indicators of Compromise alone

Indicators of Attack (IOAs) are a way to take a proactive approach against fileless attacks. IOAs do not focus on the steps of how an attack is being executed – instead, they look for signs that an attack may be in progress.

IOAs include signs such as code execution, lateral movements, and actions that seem to be intended to cloak their true intent.

IOAs do not focus on how the steps are launched or executed. It does not matter whether the action was initiated from a file on the hard drive or from a fileless technique. The only thing that matters is the action performed, how it related to other actions, its position in a sequence, and its dependent actions. These indicators reveal the true intentions and goals behind their behaviors and the events around them.

Because fileless attacks exploit legitimate scripting languages such as PowerShell and are never written to disk themselves, they go undetected by signature-based methods, whitelisting, and sandboxing. Even machine learning methods fail to analyze fileless malware. But IOAs look for sequences of events that even fileless malware must execute in order to achieve its mission.

And because IOAs examine intent, context, and sequences, they can even detect and block malicious activities that are performed using a legitimate account, which is often the case when an attacker uses stolen credentials.
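The sequence-based reasoning above can be shown with a small correlation routine over endpoint events. This is an added example, not CrowdStrike's implementation or code from the original article; the event schema, the matching rules in classify() and the one-hour window are assumptions, and the stages mirror the four-stage intrusion described earlier on this page.

```python
from collections import defaultdict

# Stage names follow the four-stage intrusion on this page; the event schema
# and the matching rules in classify() are assumptions made for this example.
STAGES = ["access", "credentials", "persistence", "exfiltration"]
WEB_SERVERS = {"w3wp.exe", "httpd.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

def classify(ev):
    """Map one normalized endpoint event to a stage name, or None."""
    kind, target = ev["kind"], ev.get("target", "").lower()
    if kind == "process_start" and ev.get("parent") in WEB_SERVERS and ev["process"] in SHELLS:
        return "access"            # web server spawning a command shell
    if kind == "process_access" and target == "lsass.exe":
        return "credentials"       # another process reading LSASS memory
    if kind == "registry_set" and "image file execution options\\sethc.exe" in target:
        return "persistence"       # registry change affecting the Sticky Keys binary
    if kind == "network_connect" and ev.get("port") == 21:
        return "exfiltration"      # outbound FTP control channel
    return None

def correlate(events, window=3600):
    """Return {host: (start, end)} for hosts that hit every stage in order
    with no more than `window` seconds between first and last event."""
    started = defaultdict(lambda: [None] * len(STAGES))  # chain start per stage reached
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        stage, host = classify(ev), ev["host"]
        if stage is None or host in alerts:
            continue
        i, best = STAGES.index(stage), started[host]
        if i == 0:
            best[0] = ev["time"]                  # newest possible chain start
        elif best[i - 1] is not None and ev["time"] - best[i - 1] <= window:
            best[i] = best[i - 1]                 # extend the freshest chain
            if i == len(STAGES) - 1:
                alerts[host] = (best[i], ev["time"])
    return alerts

# Constructed sample telemetry (not real logs). HR02 shows two of the same
# actions out of context; only WEB01 performs the whole sequence in order.
SAMPLE = [
    {"host": "WEB01", "time": 100, "kind": "process_start", "process": "cmd.exe", "parent": "w3wp.exe"},
    {"host": "HR02", "time": 150, "kind": "process_access", "process": "av.exe", "target": "lsass.exe"},
    {"host": "WEB01", "time": 400, "kind": "process_access", "process": "powershell.exe", "target": "lsass.exe"},
    {"host": "WEB01", "time": 900, "kind": "registry_set", "process": "reg.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"},
    {"host": "HR02", "time": 1200, "kind": "network_connect", "process": "ftp.exe", "port": 21},
    {"host": "WEB01", "time": 1900, "kind": "network_connect", "process": "ftp.exe", "port": 21},
]
```

correlate(SAMPLE) alerts on WEB01 only: HR02 touches LSASS and opens an FTP connection, but those actions are not part of an ordered chain, which is the distinction between matching single events and matching a sequence.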

Employ Managed Threat Hunting

Threat hunting for fileless malware is time-consuming and laborious work that requires the gathering and normalization of extensive amounts of data. Yet it is a necessary component in a defense that protects against fileless attacks, and for these reasons, the most pragmatic approach for the majority of organizations is to turn their threat hunting over to an expert provider.

Managed threat hunting services are on watch around the clock, proactively searching for intrusions, monitoring the environment, and recognizing subtle activities that would go unnoticed by standard security technologies.

How CrowdStrike can Prevent Fileless Attacks in your Organization

As we have seen, fileless techniques are extremely challenging to detect if you are relying on signature-based methods, sandboxing, whitelisting or even machine learning protection methods.

To protect against stealthy, fileless attacks, CrowdStrike uniquely combines multiple methods into a powerful and integrated approach that delivers unrivaled endpoint protection. The CrowdStrike Falcon® platform delivers cloud-native, next-generation endpoint protection via a single lightweight agent and offers an array of complementary prevention and detection methods:

  • Application inventory discovers any applications running in your environment, helping find vulnerabilities so you can patch or update them and they can’t be the target of exploit kits.
  • Exploit blocking stops the execution of fileless attacks via exploits that take advantage of unpatched vulnerabilities.
  • Indicators of Attack (IOAs) identify and block malicious activity during the early stages of an attack, before it can fully execute and inflict damage. This capability also protects against new categories of ransomware that do not use files to encrypt victim systems.
  • Script Control provides expanded visibility and protection against fileless script-based attacks.
  • Advanced Memory Scanning protects against fileless and malware-free attacks like APTs, ransomware, and dual-use tools like Cobalt Strike in memory.
  • Managed hunting proactively searches around the clock for malicious activities that are generated as a result of fileless techniques.

GET TO KNOW THE AUTHOR

Kurt Baker is the senior director of product marketing for Falcon Intelligence at CrowdStrike. He has over 25 years of experience in senior leadership positions, specializing in emerging software companies. He has expertise in cyber threat intelligence, security analytics, security management and advanced threat protection. Prior to joining CrowdStrike, Baker worked in technical roles at Tripwire and had co-founded startups in markets ranging from enterprise security solutions to mobile devices. He holds a bachelor of arts degree from the University of Washington and is now based in Boston, Massachusetts.