If you thought accidentally installing malware on your PC was bad, wait until you discover fileless malware, a stealthy intruder that doesn’t leave a trace on your storage drive.
Traditional malware is easier to remove once detected since they have visible files on the storage drive for antivirus to scan and eliminate. Fileless malware works entirely from the PC memory (RAM), so it’s much more difficult to detect it.
In this post, I will tell you everything you need to know about fileless malware and how to protect against it.
What is Fileless Malware?
Fileless malware is a malicious piece of code that executes itself from the system’s memory. It mainly looks for vulnerabilities in legit apps and then compromises them to execute itself. In rare cases, it might open its own malicious processes to execute functions.
Since antivirus usually scans downloaded and installed files/programs, fileless malware is much harder to detect as it doesn’t have an associated file. The malicious functions it can perform are similar to what most other malware can perform; the main difference is how it resides in the PC.
How Fileless Malware Infects the Device?
Like most other types of malware, fileless malware also mainly spreads through malicious links in email spam, malicious websites, or social engineering attacks. However, it differs in execution since it looks for vulnerabilities in the programs in the PC or the operating system itself.
Common vulnerable apps include Powershell, Windows Management Instrumentation (WMI), the browser, and any vulnerable plugins installed. It takes advantage of the vulnerability to inject malicious code into the legitimate program and execute tasks according to its purpose.
For example, an infected Powershell can execute administrator-level commands to steal data or encrypt important data.
It can also use “process hollowing” to empty the contents of a legitimate process and then fill it up with its malicious code to work under its name.
PowerGhost is a good example of a fileless malware attack that used WMI and Powershell for crypto-mining corporate PCs without detection.
What Threats Fileless Malware Poses?
As I said before, fileless malware can perform most tasks similar to malware that resides in PC storage. It all depends on the purpose for which the fileless malware was coded and what vulnerability it takes advantage of.
Common malicious functions it can perform include data theft, credential theft, data encryption, monitor activity, keylogging, crypto-mining, DDoS attacks, and altering security settings for further attacks.
To give you a better idea, below I am listing previous wide-scale fileless malware attacks:
PowerWare: This was a type of ransomware that utilized Powershell to run commands stealthily to lock important files and try to fake that they are encrypted. Afterward, it asks for payment in cryptocurrency.
PowerSniff: It spread by taking advantage of the Microsoft Word security settings to execute a macro sent as a document. The macro searched the PC and stole credentials.
TrickBot: Although not entirely fileless malware, TricktBot did load its modules in memory in one of its advanced versions. The malware’s main purpose was to steal financial credentials.
Netwalker Ransomware: It’s another ransomware that uses fileless tactics, but its encryption is real. It replaced legit Microsoft processes with malicious code to hide itself and run commands.
How to Detect Fileless Malware?
Since fileless malware is all about being sneaky, it’s really difficult to detect it. If you think you have clicked on a malicious link and your PC has been infected, there are a few things you can do to guess and move towards protective measures.
Below are some common clues to look for:
Unusual system behavior: Fileless malware can introduce unusual behaviors like certain apps opening and closing, PC freezing, crashes or restarts, etc.
A slowdown in performance: You might notice a sudden decrease in overall system performance. It might lead to freezes as well.
Unusual network activity: Along with a slower network performance, you might notice unusual traffic to a domain you didn’t access. I always recommend GlassWire for network analysis.
High CPU usage of a process: Open Task Manager and see if an unusual process is using too much CPU resource. A compromised process usually uses high CPU power even when not in active use.
Changes to antivirus app: Fileless malware might try to disable your antivirus software to make the PC vulnerable to more types of malware attacks.
Apart from these, you should also use an antivirus that has built-in behavior detection features to catch fileless malware. Such antivirus apps can detect unusual behavior in apps and processes to detect if it’s infected.
For this purpose, Kaspersky Antivirus has dedicated fileless malware protection tools that not only detect unusual behavior but also scan Sensitive Windows functions like WMI or Windows Registry to look for malicious code. Kaspersky also has a long history of discovering popular fileless malware attacks.
What To Do If Your Device Got Infected?
If you think your PC got infected, there is a good chance it’s already too late. If the malware intended to steal something, then they probably have done that already.
However, your first line of defense is to turn off the PC completely and start it again. Since RAM is volatile memory, it gets completely deleted when the PC shuts down. This will remove the fileless malware automatically, hopefully, before doing any damage.
Unfortunately, most fileless malware has built-in methods to survive a reboot, like loading the code in a Registry entry. If possible, try to start the PC in safe mode and then follow the below methods:
#1. Scan With Antivirus
Again, you’ll need an antivirus app that has the tools to protect against fileless malware. Kaspersky is still my recommendation for finding changes made by fileless malware. However, you can also give Malwarebytes a try which has AI-based behavior detection for fileless malware.
#2. Use System Restore
System Restore can revert the PC to a previous state in time and reset all the changes made to it. Since it’s enabled by default on all Windows PCs, it should be enabled on your PC, too, unless you disabled it yourself.
Just type Recovery in Windows Search to open System Restore. Here you will see all restore points currently saved to revert back to. Just pick the one before the malware infection to fix all changes.
#3. Reset the PC
If you didn’t have a restore point, then resetting the PC can also fix all the damage while keeping the local data. However, a reset will delete all the programs installed on the PC, so make sure you don’t have any important saved data in them.
In Windows Settings, go to System > Recovery and then click on Reset PC. On the pop-up window, click on Keep my files and follow the instructions to reset.
How To Protect Against Fileless Malware?
Most of the measures that protect against regular malware also protect against fileless malware. Just make sure to install an antivirus with behavior detection, and don’t download or click on malicious content.
However, there are a few protection measures that are more important for protection against fileless malware. I am listing them below:
Keep Operating System and Apps Updated
Fileless malware heavily depends on security vulnerabilities in apps and the operating system. You should make sure that your OS has the latest security updates and all the apps are up-to-date. Many of these updates contain fixes for vulnerabilities that fileless malware can exploit.
Be careful With Browser Extensions
Fileless malware can also infect browser plugins with vulnerabilities. Make sure you only download trusted and reputable browser extensions and keep them up-to-date. In case of an infection, it’s recommended to reinstall the extensions to ensure they aren’t the culprit.
Monitor Network
Almost all fileless malware make network connections with their own servers to perform their job. A tool like GlassWire can not only help you see suspicious connections but also block them automatically, thanks to the built-in firewall. I will recommend you set up notifications in it to always receive a notification when a suspicious connection is detected.
Increase Security in User Account Control (UAC)
You can configure Windows UAC to always notify you when any system change is made by you or an app. It can make things a little annoying due to notification on each change, but it can greatly enhance security against hidden malware like fileless malware.
Search for UAC in Windows Search and click on Change User Account Control Settings. Here set the security bar to the top.
Apply Endpoint Security Solution
For enterprises, an endpoint security solution can protect all the PCs on a network by centralizing the security. Even if a device gets infected, your other devices on the network will stay secure, and the security solution can help fix the infected device. Their updates are also in real-time, so the vulnerabilities are immediately patched when fixed.
CrowdStrike is a good solution for this purpose that offers AI-based protection against cyber attacks. It also has a dedicated memory scanner feature for fileless malware protection.
Final Thoughts 🖥️🦠
Fileless malware is indeed among the most clever malware attacks. Sometimes hackers even use them as part of their grand attack to either gain initial access or weaken the system. Honestly, most such attacks can easily be avoided if we keep our curiosity in control and don’t click on anything we have doubts about.
Next, you may also read about how to scan and remove malware from Android and iOS phones.
