One of the more common forms of fileless malware making the rounds across organizations' cloud environments is something called PyLoose. In rotation since 2014, this specific strain of malware targets cloud workloads and enters environments through an open-source Python code execution application.
While this malware strain needs a tech-savvy threat actor to execute it, it highlights how, in the age of rapidly digitizing environments and expanding attack surfaces, threat actors can and will move beyond basic social engineering and its reliance on human error, and instead use technology itself to install fileless malware on environments and endpoints.
What is Fileless Malware?
Fileless malware uses legitimate tools or applications to install malware and launch a cyber attack on an organization or a single user. As the name suggests, it doesn't rely on a file for execution, and instead leverages applications like PowerShell or scripting languages. Unlike file-based malware, a threat actor can often deploy it without needing a user to download a file via social engineering, relying instead on vulnerability exploits or legitimate tools for deployment.
Before this innovation, malware arrived as a file written to disk, which, once installed and executed, would be copied into memory. Fileless malware needs neither the disk nor the step of being copied from it.
As just one example of the prominence of fileless malware, Arctic Wolf observed an increase of 2,000 instances of the WinZ.32 Trojan, a fileless infostealer malware, across our customer base in 12 months.
Fileless malware is sometimes referred to as living off the land (LOTL), but the two are not identical. LOTL is the technique of using legitimate or native tools to avoid detection, and while the term can apply to fileless malware, it can also apply to other kinds of attacks, such as remote code execution (RCE).
Examples of Fileless Malware
Fileless malware can come in all forms. Because it's the way it's deployed, not the malware strain itself, that defines it as fileless, theoretically any malware strain can be fileless.
Common techniques used to deploy fileless malware include:
- Vulnerability exploits and the use of exploit kits
- The hijacking and use of native tools, such as with PyLoose
- Registry-resident malware, which installs itself in the Windows registry
- Memory-only malware, which evades detection by residing only in memory
- Fileless ransomware
- Stolen credentials
- Malicious Microsoft Office documents that include macros which invoke PowerShell to execute commands
- Drive-by download attacks
- Watering hole attacks
While these techniques are more sophisticated than the basic "document attached to a spam email" method of deploying malware, that doesn't mean the user can't be important for execution. Social engineering can be used to trick a user into enabling macros that invoke PowerShell, and fileless malware often relies on malicious websites and their visitors, as seen below.
Recent example: Abusing BOINC
In the summer of 2024, Arctic Wolf found itself responding to multiple intrusions that resulted from what appeared to be benign payloads from Berkeley Open Infrastructure for Network Computing (BOINC). Further investigation revealed that the victims had visited a compromised website to download the update, which had been bundled with malware that originated with a PowerShell script. The victims were completely unaware until the intrusion began and Arctic Wolf® Managed Detection and Response (MDR) received an alert.
Learn more about this instance of fileless malware.
Fileless Malware and Drive-By Download Attacks
Drive-by download attacks, where malicious programs are installed on a device without consent, are a common form of fileless malware attack. The name, however, refers to one specific variant of such attacks.
In a drive-by download attack, a user visits a malicious website and, unknowingly, malware is downloaded onto their device in the background. Unlike more active fileless malware attacks, where a user downloads code or a file from the website, the attack happens without the user taking any action, making it a passive form of the attack. Both rely on stealth and detection evasion for success, and a drive-by download can be a reliable initial access vector for fileless malware.
Fileless Malware and Remote Code Execution
Remote code execution (RCE) vulnerabilities that threat actors can exploit offer a simple avenue for deploying fileless malware. RCEs are incredibly common: nine of the top 10 vulnerabilities identified by Arctic Wolf Labs in 2023 were RCEs, and they offer threat actors a direct line into an environment that allows both control and stealth.
Learn more about remote code execution attacks.
Why Threat Actors Turn to Fileless Attacks
File-based malware rose to prominence in the 1990s due to the proliferation of home internet, websites, and email accounts, and indeed, file-based malware is still a common tactic employed by threat actors today. The first instance of a fileless attack was recorded in 2001, with the Code Red worm, which exploited a vulnerability in the Microsoft IIS web server. Using vulnerability exploits to launch malware has been a common attack method for threat actors ever since that first one in 2001.
Fileless malware is advantageous to threat actors because:
- It evades detection by traditional antivirus software, which is often limited to scanning files and signatures for malware detection
- It resides in memory, meaning it often leaves no traces in the file system
- It can hide in system processes or registry keys
- It can be quickly removed if needed, evading initial investigations
- It is useful for targeted attacks, where either a sophisticated attack is launched and/or a threat actor needs extended access to gather sensitive information
Threat actors often opt for the path of least resistance, so if there is a technique that has a higher success rate and allows them to move through an environment with a lower risk of detection, that’s what they will choose — and fileless malware offers both.
How a Fileless Malware Attack Works
Like any cyber attack, a fileless malware attack has multiple stages.
1. Deployment. The malware is deployed into the target environment. As seen above, this can happen in a multitude of ways, with vulnerability exploits far outweighing user action. According to Arctic Wolf, exploits are the most common initial access point in attacks.
2. Execution. Once the malware is deployed, it needs to execute its code. This can be achieved through an RCE, social engineering, or the use of a malicious website, as was the case in the BOINC incident. Fileless malware can also use legitimate tools, memory exploitation, or other methods for execution.
3. Persistence. The malware needs to ensure it evades detection and stays in the system. How that is achieved depends on the strain: it can run every time the system is rebooted, or, in the case of malware executed through the Windows registry, autorun keys are added for continued access.
4. Objective. Malware is deployed with a goal, so once it achieves persistence, it gets to work. The objective depends on the strain and the specific desires of the threat actor, but fileless malware can do anything from disrupting operations, changing commands and permissions, and exfiltrating sensitive data to simply observing and gathering information for a secondary, more sophisticated attack.
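The execution and persistence stages above are exactly the behaviors a defender can look for, since fileless malware leaves few files to scan. The following added example (not Arctic Wolf's code or tooling) runs simple behavioral rules over constructed, simplified process-creation and registry-write records modelled loosely on Sysmon events; the record layout, the list of script hosts, the command-line patterns and the sample events are all assumptions of this example. It flags an Office application spawning a script host, a command line that pulls code into memory rather than running a script file from disk, and an autorun key being written, then correlates execution followed by persistence on the same host.

```python
"""Behavioral detection of fileless malware stages over constructed event records.

Added example, not Arctic Wolf's code. The event shape (dicts with 'ts', 'host',
'event', 'image', 'parent', 'cmdline', 'target') is a simplified stand-in for
Sysmon process-creation and registry-set events and is an assumption here.
"""
import re
from collections import defaultdict

# Native script hosts frequently abused for fileless execution (illustrative, not exhaustive).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Command-line traits that indicate code is decoded or fetched straight into memory.
MEMORY_EXEC_PATTERNS = [
    (re.compile(r"(?i)-e(ncodedcommand|nc|n|c)?\s+[A-Za-z0-9+/=]{20,}"), "encoded PowerShell command"),
    (re.compile(r"(?i)\b(iex|invoke-expression)\b"), "Invoke-Expression"),
    (re.compile(r"(?i)downloadstring|invoke-webrequest|net\.webclient"), "download-to-memory"),
    (re.compile(r"(?i)frombase64string"), "in-memory base64 decode"),
]

# Registry autorun locations used for persistence (Run / RunOnce under CurrentVersion).
AUTORUN_KEY = re.compile(r"(?i)\\CurrentVersion\\(Run|RunOnce)\\")


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(ev):
    """Return a list of (stage, reason) findings for a single event record."""
    findings = []
    if ev["event"] == "process_create":
        image = basename(ev["image"])
        parent = basename(ev.get("parent", ""))
        if image in SCRIPT_HOSTS and parent in OFFICE_APPS:
            findings.append(("execution", f"{parent} spawned {image}"))
        if image in SCRIPT_HOSTS:
            for pattern, label in MEMORY_EXEC_PATTERNS:
                if pattern.search(ev.get("cmdline", "")):
                    findings.append(("execution", label))
    elif ev["event"] == "registry_set" and AUTORUN_KEY.search(ev["target"]):
        findings.append(("persistence", f"autorun key written: {ev['target']}"))
    return findings


def correlate(events, window=300):
    """Group findings per host and flag hosts where persistence follows execution
    within `window` seconds. Returns (findings_per_host, flagged_hosts)."""
    per_host = defaultdict(list)
    for ev in events:
        for stage, reason in analyze_event(ev):
            per_host[ev["host"]].append((ev["ts"], stage, reason))
    flagged = {}
    for host, found in per_host.items():
        found.sort()
        exec_times = [ts for ts, stage, _ in found if stage == "execution"]
        for ts, stage, _ in found:
            if stage == "persistence" and any(0 <= ts - e <= window for e in exec_times):
                flagged[host] = found
    return dict(per_host), flagged


# Constructed sample events; the base64 blob is a placeholder, not a real payload.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "ws01", "event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
    {"ts": 160, "host": "ws01", "event": "registry_set",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    # Benign admin activity on a second host: script run from a file, unrelated registry write.
    {"ts": 200, "host": "ws02", "event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"ts": 250, "host": "ws02", "event": "registry_set",
     "image": r"C:\Windows\regedit.exe",
     "target": r"HKCU\Software\Contoso\Settings\Theme"},
]

if __name__ == "__main__":
    per_host, flagged = correlate(SAMPLE_EVENTS)
    for host, found in per_host.items():
        marker = "ALERT" if host in flagged else "info"
        for ts, stage, reason in found:
            print(f"[{marker}] {host} t={ts} {stage}: {reason}")
```

Only ws01 produces findings (Office-spawned PowerShell, an encoded command, then a Run key write), and the execution-then-persistence sequence within the window promotes it to an alert; the ordinary script run on ws02 stays silent, which is the point of correlating behaviors rather than alerting on PowerShell alone.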
How to Prevent and Defend Against Fileless Malware Attacks
Because fileless malware excels at evasion, the best defense against these kinds of attacks is to cut off their deployment methods and, if they do manage to get into your environment, to stop them early.
Ways to prevent fileless malware attacks include:
- Implementing a risk-based vulnerability management program. Fileless malware thrives when there are vulnerabilities to exploit, and while no organization can patch every vulnerability that pops up, focusing on the most critical ones, and those that pose the highest risk to your organization's security goals, is a strong starting point.
- Educating users on the risks of social engineering. While it's easier for threat actors to deploy malware without a middleman, social engineering can and does still play a role when it comes to fileless malware. Security awareness training that teaches users how they can be tricked can be the difference between a stopped threat and a sophisticated attack.
- 24×7 monitoring with broad visibility. When it comes to fileless malware, traditional antivirus or firewalls won't do the job. Your organization needs not only to monitor its environment 24×7 but also to have broad visibility and correlation capabilities, so that unusual behaviors like privilege escalations or code executions are detected in real time. Those are key indicators of attack (IOAs) for fileless malware, so being able to detect them is critical for proper defense.
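The first item, risk-based vulnerability management, means ranking by exposure and exploitability rather than by CVSS alone. The following added example (not Arctic Wolf's code or methodology) shows one such ranking over constructed findings: the weights, the field names, the `Finding` layout and the placeholder vulnerability identifiers are all assumptions of this example. It contrasts a severity-only ordering with a risk-weighted one that boosts RCE-class flaws, flaws with observed in-the-wild exploitation, internet-facing assets and high-criticality assets, which is how a CVSS 10 on an isolated, low-value host can legitimately fall to the bottom of the queue.

```python
"""Risk-based prioritization of vulnerability findings (added example, not Arctic Wolf's method)."""
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    vid: str                 # placeholder identifier; not a real CVE number
    cvss: float              # 0.0 .. 10.0 base score
    rce: bool                # vulnerability class is remote code execution
    exploited: bool          # exploitation observed in the wild (e.g. listed in an exploited-vulnerabilities catalog)
    internet_facing: bool    # asset reachable from the internet
    asset_criticality: int   # 1 (low) .. 5 (crown jewel)


# Weights are illustrative assumptions; a real program would tune them to its own risk model.
RCE_WEIGHT = 1.5
EXPLOITED_WEIGHT = 2.0
EXPOSURE_WEIGHT = 1.5
BASELINE_CRITICALITY = 3     # criticality 3 leaves the score unchanged


def risk_score(f):
    """Scale the CVSS base score by exploitability and exposure factors."""
    score = f.cvss
    if f.rce:
        score *= RCE_WEIGHT
    if f.exploited:
        score *= EXPLOITED_WEIGHT
    if f.internet_facing:
        score *= EXPOSURE_WEIGHT
    score *= f.asset_criticality / BASELINE_CRITICALITY
    return round(score, 2)


def prioritize(findings, top=None):
    """Return findings ordered by risk score, highest first (optionally only the top N)."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return ranked[:top] if top else ranked


def severity_only(findings):
    """The naive ordering: CVSS base score alone, highest first."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed sample findings with placeholder identifiers.
FINDINGS = [
    Finding("vpn-gw-01", "PLACEHOLDER-1", 9.8, rce=True, exploited=True, internet_facing=True, asset_criticality=4),
    Finding("lab-pc-17", "PLACEHOLDER-2", 10.0, rce=False, exploited=False, internet_facing=False, asset_criticality=1),
    Finding("erp-db-02", "PLACEHOLDER-3", 7.5, rce=True, exploited=True, internet_facing=False, asset_criticality=5),
    Finding("www-03", "PLACEHOLDER-4", 5.3, rce=False, exploited=False, internet_facing=True, asset_criticality=3),
]

if __name__ == "__main__":
    print("severity-only order:", [f.vid for f in severity_only(FINDINGS)])
    for f in prioritize(FINDINGS):
        print(f"{risk_score(f):6.2f}  {f.vid:14s} {f.asset}")
```

Under severity alone the CVSS 10.0 finding on the isolated lab machine comes first; under the risk-weighted order the exploited, internet-facing RCE on the VPN gateway leads and the lab machine drops to last, which is the prioritization the bullet above argues for.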
Explore how the Arctic Wolf Security Operations Center detects threats and what organizations should be concerned about with our in-depth report.
Learn how you can better educate your users against social engineering threats and reduce your human risk.