What is fileless malware?

Of all threats challenging a business’s integrity, a fileless malware is near the top of the list, as it’s rarely detected, even by antivirus tools.

Detection is difficult because fileless malware, true to its name, doesn’t rely on files to infect a machine or network. Instead, seemingly genuine programs serve as entry points for malware. Equifax’s data breach story is a classic example of how benignly malware can present itself before ultimately taking the target machine hostage.

A command injection vulnerability in the consumer complaints portal led to the Equifax breach. Login credentials of three servers allowed access to another 48 servers containing consumer data saved in plain text. This lack of encryption added to the theft. The vulnerability paved the way for something even more sinister: remote code execution. It was later revealed that the hackers accessed the portal for nearly 76 days.

In 2018, 90% of financial institutions reported being targeted by fileless malware. This leaves an obvious question hanging in the air: what makes fileless malware so elusive? And, is there a way out?

The anatomy of fileless malware

Fileless malware is malicious software that finds and exploits vulnerabilities in a target machine, using applications, software or authorized protocols already on a computer. This type of malware resides in the RAM where it re-employs trusted processes running on the operating system, a phenomenon often called “living off the land.”

The idea behind the attack is deviously clever: no safety system, however sophisticated, scans a legitimate file or software on the disk. It’s also good to note that, despite the name, fileless malware holds the potential to use shortcuts, script files and trusted processes like adobe.exe to install malicious code.

There are no quick fixes, either. Fileless malware leaves a footprint so small that it evades detection nine times out of ten. It is this stealthiness that keeps fileless malware immune to ground-level security solutions. And although malware typically attacks all kinds of operating systems, most fileless malware targets Windows computers.

Here is a small list of entry points hackers use to make way into a target system:

  • Phishing emails peppered with ‘safe-looking’ links
  • Websites that redirect and hint download
  • Trusted and frequented programs

The scenarios indicate fileless attacks are often user-initiated — an individual receives an unsolicited email, clicks on a link and is redirected to a malicious website.

A more native example is Microsoft’s PowerShell framework. A staple in modern IT environments, PowerShell automates repetitive tasks, so you don’t have to do them manually.

Fileless malware can violate original PowerShell scripts and remain undetected because firewalls and antivirus programs don’t blacklist PowerShell routines. The utility is vital to most organizations, which is why the platform can’t be shut down or blocked. Macros in Microsoft Office tools and Adobe Flash video player are other common fileless malware carriers.

What happens to stolen data after a breach?

Compromised data is often sold on the dark web for profit. Certain infiltrations can also take over your web browser to run redundant marketing ads, steal passwords and more.

With no file to take action on, data security systems are caught off guard and defense becomes difficult. Attacks can also be extended to other locations or shared networks via the internet.

All in all, as malware evolves, we’re faced with a greater challenge of developing equally competent tools that are ready for combat.

How to protect against fileless malware?

Much of malware defense involves shifting the focus from security tools to human vulnerability. System behavior analysis and fraud-detection software are helpful, but only at the surface. For all we know, a slight delay in updating a security patch can prove treacherous.

However, the good news is a user can do several things to stop the malware in its tracks. Safeguard your PC from fileless malware by:

  • Implementing two-factor authentication
  • Turning off PowerShell and WMI when not in use
  • Visiting secure websites only (look for a padlock icon on the browser)
  • Revising download policies by disabling PDFs and Flash from loading in browsers
  • Watching out for phishing emails that come with jaw-dropping offers
  • Keeping tabs on the latest security patches

A final word

When it comes down to it, a window of opportunity is all it takes for a cybercriminal to turn a machine against itself. That said, the concept of absolutely zero-footprint malware doesn’t truly exist, as there are ways to detect malware, even when the threat isn’t readily visible.

“Software vulnerabilities in the software already installed are necessary to carry out a fileless attack, so the most important step in prevention is patch and update not only the operating system, but software applications," states Jon Heimerl, senior manager of the threat intelligence communications team at NTT Security. "Browser plugins are the most overlooked applications in the patch management process and the most targeted in fileless infections."

The strongest defense against fileless malware is user vigilance and reliable anti-malware software. By carefully monitoring admin and user activity, corporate networks can steer clear from fileless malware invasions.


ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.

For regular updates delivered to your inbox and social feeds, be sure to sign up to our daily newsletter and follow on us LinkedIn and Twitter.