Press Center

Malware and antivirus software

News

What is fileless malware and how to protect yourself

Created: 2024-09-25 03:54:50

 

Some forms of malware are more sophisticated than others, using varying methods of compromise or evasion. Examples include ransomware, wipers, viruses, worms…designed to intrude upon unsuspecting digital victims to steal, damage, or destroy their data.

Fileless malware is one of those types that is highly evasive – only working within a computer’s memory, leaving no physical footprint on its hard drive.

With such a method of execution, does it mean that our devices are left vulnerable? Not quite.

What is fileless malware?

A common way many types of malware families work is that by opening a malicious attachment, you inadvertently enable the code to execute its dark magic, acting without the user’s knowledge.

Consequently, the code can infest different parts of the system, install other payloads such as keyloggers or other spyware, block access to files or apps, display malicious ads, and more. Think of it as a regular program that’s installed on your PC, just acting against your interests.

Fileless malware is a bit different. Instead of being stored on your computer’s drive, it acts maliciously exclusively after being loaded into a computer’s random-access memory (RAM) – except being less visible as it uses legitimate programs to compromise the computer, as opposed to regular malware, which leverages executable files to run itself (needs to be installed). This means that fileless malware is harder to detect since it has no footprint to speak of – it exists entirely in memory.

Essentially, fileless malware manipulates existing processes/tools for its agenda, as opposed to running a separate standalone ‘campaign’, also making it more persistent due to its ability to manipulate system features, abusing and hiding within them.

Did you know? The fileless beginning of viruses

The first computer virus for the PC, the Brain virus, infected floppy diskette boot sectors only, not files. Dating back to 1986, it was followed by many other floppy diskette (and hard disk drive) boot sector infectors like Form, and hard disk drive master boot record infectors like Stoned and Michelangelo. All of these were never contained in any file on the file system of the disk volume, just in system areas of the disk that were normally inaccessible to users, and subsequently in memory, once a system booted from infected media.

But you might ask, “Alright, but I still need to download it somewhere, no?” and you’d be right: in-memory ‘fileless’ malware is still delivered via malicious links or attachments; it's just that the execution is different – fileless malware wants to evade detection as much as it can.

Examples of fileless malware

A well-known example of the use of fileless malware was within the Astaroth malware campaign (detected by ESET as Guildma), which had been using a fileless method (process injection) to operate an infostealer, originally delivered through a malicious email link. Upon interaction, the malware used legitimate Windows tools such as BITSAdmin, the Alternate Data Streams file attribute, and a utility of Internet Explorer (ExtExport.exe) for defense evasion (through DLL Side-loading).

In essence, it leveraged legitimate system processes and tools to run its code becoming detectable after being run in memory (by ESET as Win32/Spy.Guildma).

Similarly, the Kovter malware family, first detected by ESET Research in 2014, stored its malicious payload encrypted in the Windows registry, considered as fileless persistence. Likewise, GreyEnergy also made sure that some of its modules only ran in memory, hindering detection.

Such malware techniques are problematic for simple endpoint security software that works by scanning files on a system, lacking process or memory scanning capabilities. But this doesn’t mean that they cannot be detected.

Protecting against fileless threats

ESET Endpoint Security’s multilayered product features an Advanced Memory Scanner module, which, combined with our Exploit Blocker, protects against malware designed with evasiveness in mind. Additionally, thanks to different forms of Advanced Machine Learning employed within, detections are fine-tuned to offer the best detection rates.

Only memory scanning can successfully discover active in-memory fileless attacks that lack persistent components in the file system, such as was the case with Astaroth (Guildma) and its use of the Windows toolset.

Furthermore, the ESET Host-based Intrusion Prevention System (HIPS) and its Deep Behavioral Inspection (DBI) use predefined rules to scan for and monitor suspicious behavior related to running processes, files, and registry keys, targeting methods often used by fileless malware to obfuscate its activities. Hence, malware families like Kovter find it hard to hide from ESET Endpoint Security in the Windows registry, since the memory scanner also deals with encrypted threats.

Issue-less

With cybersecurity protections stepping up to protect people against advanced threats such as fileless malware, one thing still needs to be said: Never click on any malicious links or attachments in suspicious emails – even if they are from someone you know and trust.

First, via a different communications medium (e.g., text, phone, or in person for something received in email, etc.), reach out to the apparent sender and verify whether it’s really them who had sent the message, as well as their intent. While this might seem like a bit too much, social engineering has gotten rather complex, and can fool anyone quite easily.

As always, exploiting human error is the best avenue for a compromise, so stay informed by reading our ESET Blogs, WeLiveSecurity, and ESET Research on Twitter (now known as X) to keep ahead of the cyber threat game.

In addition, try our free ESET Cybersecurity Awareness Training to learn how to stay secure at all times.

 




About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.

Why ESET?

ESET has over 25 years' experience of helping people to Enjoy Safer Technology. Our software is light on hardware, but hard on malware.

Our Technology

ESET’s award-winning NOD32® Antivirus technology is at the cutting edge of digital security. It’s updated daily to keep you secure.

Free Support

Enjoy your free, industry-leading customer support locally. For technical, sales and marketing enquires dial +65 6296 4268.