Malware analysis

Malware spotlight: Fileless malware

Fakhar Imam
December 30, 2019 by
Fakhar Imam


Fileless malware is a malicious technique that uses existing software, legitimate applications, operating system files and the authorized protocols of the victim’s machine to achieve their goals. Fileless malware leaves no footprint because it is not a file-based attack that requires the downloading of executable files on the infected system. Rather, this attack is memory-based, and this is why detecting it is a daunting task.

According to Symantec’s 2019 Internet Security Threat Report, fileless malware is growing rapidly. It is now one of the most substantial digital infiltration threats to organizations.

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

In this article, we will go through what fileless malware is, its common types and how it works, as well as prevention techniques used to get rid of it.

What are the common types of fileless malware attacks?

Fileless malware attacks are divided into three primary categories:

  1. Script-based techniques: This may not be completely fileless. However, their detection can be difficult. Examples of these attacks include Operation Cobalt Kitty and SamSam ransomware
  2. Memory code injection: This technique is used to hide malicious code in the memory of legitimate software programs. Some processes are critical for proper Windows functionality. Fileless malware disseminates and re-injects itself into these processes in order to help hackers accomplish their malicious targets
  3. Windows registry manipulation: Using this technique, malware attackers utilize a link or malicious file (when clicked on) that involves Windows processes to write and execute fileless malware code into the Windows registry. Poweliks and Kovter are examples of this type of attack

What is the difference between fileless malware and traditional malware?

In the past, the malware was simply an executable file written to perform malicious acts on a victim’s computer. There was an easy solution: the antivirus vendors would create signatures for these files in order to detect static pieces of this malicious code on disk. In 2017, fileless malware emerged, and so began the new age of malware detection and prevention. We could no longer simply rely on signatures to block malware because the malicious payload no longer resided on the victim’s hard drive.

According to the State of Endpoint Security Risk Report published by Ponemon Institute, pieces of fileless malware are evasive threats that distinguish themselves from the traditional malware by limiting their malicious activities solely in the memory of the victim’s computer and avoid leaving any artifact on the file system.

How does fileless malware avoid detection?

Fileless malware attacks are considered evasive in nature for several reasons. First, as said above, fileless malware attacks piggyback on legitimate software and operating system files by executing suspicious activities while the allowed applications continue to run. Secondly, fileless malware resides on the memory, not on the disk. Thirdly, it leaves none of the traditional footprints of a signature that would help antivirus products to detect it. Fileless malware mostly leverages built-in Windows tools such as Windows Management Instrumentation (WMI) and PowerShell to avoid detection.

The whitelisting security approach, which only allows legitimate applications to install, is also useless against fileless attacks. This is because these attacks take advantage of trusted applications that are already on the approved list.

Why do hackers use PowerShell for fileless attacks?

One of the most important reasons hackers use PowerShell for fileless attacks is that it gives them quick access to operating system functions and is accepted as a trusted and legitimate tool. Other reasons include:

  • PowerShell is a built-in program on Windows
  • The scripts of PowerShell are easy to obfuscate and are difficult to detect with traditional security products

What techniques do hackers use to penetrate your network?

We have already shed light on some techniques hackers use to penetrate your networks, such as through PowerShell or WMI. However, there are several other ways fileless malware can be injected into your computer. They include:

  • Attackers often create fraudulent websites that seem legitimate but are actually malicious
  • Attackers inject malicious code through by-default, legitimate applications such as JavaScript or Microsoft Office tools
  • The malicious payload can also be injected through infected downloads, suspicious links and phishing emails that look trustworthy

Here is the potential chain that hackers may use to compromise your data.

  1. Cybercriminals send you a spam message that includes a link to a malicious website
  2. You click on the link
  3. The infected website loads a Flash player
  4. Flash player further opens the Windows PowerShell tool
  5. PowerShell will download and execute a script from a command-and-control (C&C) server
  6. The PowerShell script finds and sends your data to threat actors

How can I defend against fileless malware attacks?

Though defending against fileless malware attacks is a daunting task due to their evasive nature, several techniques have been developed. Below are some proactive security measures that can help to protect against fileless malware.

Endpoint Detection and Response (EDR)

We need to take a more active approach to our network security. This involves having a next-generation endpoint security solution, which will log all system activity. Threat hunters monitor all activities in information systems. Even if calc.exe has been compromised, they will be able to see that there is suspicious system activity happening under this executable. Custom rules can then be created to hunt for and stop any threats.

More importantly, the EDR should perform real-time monitoring of outgoing and incoming network traffic, phishing emails and unwanted tasks in operations like PowerShell and WMI.

Anti-malware solutions

Many anti-malware solutions also attempt to help in this effort. They do this by creating a dynamic detection-based approach on system activity rather than just static detections.

Patches and updates 

Always keep your software applications and operating systems up to date with security patches and latest updates. Unpatched and outdated applications can provide backdoors to hostile actors.

Memory analysis

Since fileless malware resides on the memory, your security solutions should also be capable of performing memory analysis and protection.

Behavior monitoring

Fileless malware often relies on human vulnerability, which means system and user behavior analysis and detection will be a key to security measures. Using a User Behavior Analytics (UBA), you can find hidden threats and increase the accuracy of your security operations while shortening the investigation timelines. Today, behavior monitoring features are offered by many security solutions such as McAfee Enterprise Security Manager.


Since fileless malware is evasive and sophisticated, you need to deploy multilayered security. This means your security solution must allow the integration of other security tools in order to strengthen your cybersecurity defense against the fileless malware.

Employee training

Train your employees on how to identify suspicious activity, whether it is suspicious emails or web links. Creating internal “phishing tests” is an ongoing need, and you’ll be surprised at how many of your employees will fail these tests.


This article has taken a look at fileless malware, its types, operations and prevention techniques. You can see that fileless malware attacks are evasive and very sophisticated in nature, as they don’t need to be installed on the hard drive like other common malware. Instead, fileless malware stores itself on the memory and uses legitimate applications and operating system processes to perpetrate malicious activities. 

Various techniques are available to defend against this attack, which includes installing the next generation EDR solution, antimalware program, behavior analysis techniques, anti-phishing best practices, memory analysis, and patches and upgrades.

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.



  1. What is fileless malware and how does it work?, Norton
  2. What Is Fileless Malware?, McAfee
  3. How to Stop Fileless Malware: A Deep Dive for Enterprises, Endpoint Security Solutions Review
  4. How to Protect Against Fileless Malware Attacks, Minerva
  5. Fileless Malware 101: Understanding Non-Malware Attacks, Cybereason
  6. What is Fileless Malware?, VMware Carbon Black
  7. What is a fileless attack? How hackers invade systems without installing software, CSO
Fakhar Imam
Fakhar Imam

Fakhar Imam is a professional writer with a master’s program in Masters of Sciences in Information Technology (MIT). To date, he has produced articles on a variety of topics including on Computer Forensics, CISSP, and on various other IT related tasks.