Non-Malware (or Fileless) Attack

A Non-Malware attack is one in which an attacker uses existing software, allowed applications and authorized protocols to carry out malicious activities. Non-malware attacks are capable of gaining control of computers without downloading any malicious files, hence the name. Non-malware attacks are also referred to as Fileless, memory-based or “living-off-the-land” attacks.

Cyber criminals design Fileless Malware to be written directly to RAM and to gain persistence from there, because memory is a location that traditional antivirus products find difficult to scan or monitor.

Fileless Malware is unique and difficult to detect because the malicious code is embedded in a native scripting language or written straight into the computer’s RAM, where it hides in isolated spots within the computer’s memory. It is not written to disk, nor does the malicious code rely on the hard drive to run its commands.

These types of persistent and masked infections can be a real pain for your computer and data.

Why is Fileless Malware so special?

Memory-resident malware: this type of quasi-fileless malware makes use of the memory space of a legitimate process or an authentic Windows file. It loads its malicious code into that memory space and stays there until it is triggered. This may not be a completely fileless type of malware, but we can safely include it in this category.

Rootkits: this kind of malware hides its presence from the computer’s user while gaining administrator access. Rootkits often reside in the kernel, and thus persist in spite of restarts and routine antivirus scans. Their cloaking abilities are uncanny and removal can be almost impossible. While this isn’t a 100% fileless infection either, it fits here.

Windows registry malware: newer types of Fileless Malware are capable of residing in the Windows Registry. The Windows Registry is a database that stores low-level settings for the operating system and certain apps. It is a difficult place to navigate as a normal user. Malware authors have even exploited the OS’s thumbnail cache to gain persistence. It is true that this type of Fileless Malware executes code stored in a file in the registry, but the file is set to self-destruct once it has carried out its malicious task.

Many current endpoint security solutions (such as traditional AV and machine-learning AV) do nothing to prevent (or even detect) non-malware attacks, providing attackers with a point of entry that goes completely overlooked. Traditional AV and machine-learning AV are designed to identify threats only at a single point in time: when a file is written to disk. Since they only look at the attributes of an executable file, they are completely blind in the face of attacks where no files are involved, as is the case with non-malware attacks.
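The two preceding points, registry-resident persistence and the execution that file-scanning AV never sees, both come down to the same observable: a script host (PowerShell, mshta, rundll32 and friends) being started with an inline, encoded or remote payload instead of a program on disk. The following Python is an added example, not code from the original post, that applies one such heuristic to constructed samples of both data sources: Run-key values as you would get from a registry export, and process-creation events as an EDR or Sysmon would record them. The script-host set, the office-application set, the rule patterns and all sample values are assumptions made for the example; the base64 string in the sample event is an encoding of a run of "A" characters, not a real command.

```python
"""Hunting for fileless / living-off-the-land activity in endpoint telemetry.

Added example, not code from the original post. One heuristic, "does this
command line start a script host with an inline, encoded or remote payload
rather than a program on disk?", is applied to two places the post discusses:
Windows Run-key values (registry-resident persistence) and process-creation
events (the in-memory execution that file-scanning AV never sees).
Every input below is constructed sample data, not real telemetry.
"""
import re
from dataclasses import dataclass

# Script hosts and proxy-execution binaries that fileless attacks typically
# abuse; the set is an assumption you should tune to your own fleet.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "regsvr32.exe", "rundll32.exe", "wmic.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Detection rules as (name, pattern); deliberately broad, so expect to tune them.
RULES = [
    ("encoded_command", re.compile(r"-(e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download_cradle", re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I)),
    ("inline_script", re.compile(r"javascript:|vbscript:|\biex\b|invoke-expression", re.I)),
    ("remote_scriptlet", re.compile(r"/i:\s*https?://|scrobj\.dll|/format:\s*https?://", re.I)),
    ("stealth_flags", re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noni\b", re.I)),
]


@dataclass
class Finding:
    source: str     # "registry" or "process"
    location: str   # registry key\value name, or the parent process image
    command: str
    reasons: list


def image_name(cmdline: str) -> str:
    """Lower-cased executable file name at the start of a command line."""
    m = re.match(r'\s*"?([^"\s]+)"?', cmdline)
    if not m:
        return ""
    return m.group(1).replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(cmdline: str) -> list:
    """Names of the rules a script-host command line trips; [] for anything
    that is not a script host or that looks like ordinary, on-disk usage."""
    if image_name(cmdline) not in SCRIPT_HOSTS:
        return []
    return [name for name, pat in RULES if pat.search(cmdline)]


def scan_run_keys(values):
    """values: iterable of (key_path, value_name, data), e.g. parsed from a
    registry export of the Run/RunOnce keys."""
    return [Finding("registry", f"{key}\\{name}", data, classify(data))
            for key, name, data in values if classify(data)]


def scan_process_events(events):
    """events: iterable of dicts with 'parent' (image name) and 'cmdline'.
    A script host spawned by an Office application is flagged on its own,
    since that is how a macro usually hands off to fileless code."""
    findings = []
    for ev in events:
        reasons = classify(ev["cmdline"])
        parent = ev.get("parent", "").lower()
        if parent in OFFICE_APPS and image_name(ev["cmdline"]) in SCRIPT_HOSTS:
            reasons = ["office_parent"] + reasons
        if reasons:
            findings.append(Finding("process", parent or "?", ev["cmdline"], reasons))
    return findings


# --- constructed sample data (not real telemetry) ---------------------------
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_RUN_VALUES = [
    (RUN, "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN, "Updater", "mshta.exe javascript:RunSampleScriptFromRegistry()"),  # inline script, no file
    (RUN, "Legacy", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),  # on-disk DLL, benign
]
SAMPLE_PROCESS_EVENTS = [
    {"parent": "explorer.exe", "cmdline": r'"C:\Windows\System32\notepad.exe" C:\notes.txt'},
    {"parent": "svchost.exe", "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    # Word spawning a hidden PowerShell with an encoded command; the payload is
    # the base64 of a run of 'A's, i.e. a placeholder, not a real command.
    {"parent": "WINWORD.EXE", "cmdline": "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
]


if __name__ == "__main__":
    for f in scan_run_keys(SAMPLE_RUN_VALUES) + scan_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"[{f.source}] {f.location}: {', '.join(f.reasons)}\n    {f.command}")
```

Run as-is, the script reports only the "Updater" Run value (inline script handed to mshta) and the Word-spawned PowerShell (Office parent, encoded command, hidden window), while the on-disk OneDrive entry, the rundll32 call into a real DLL and the scheduled backup script stay quiet. On a live host the same functions can be fed from the `winreg` module for the Run keys and from Sysmon Event ID 1 or an EDR's process-creation stream for the events; the point of the example is that the signal lives in command lines and parent-child relationships, which a scanner that only inspects files written to disk never looks at.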

How to protect yourself from Fileless Malware?

  • Monitor your systems frequently and back up regularly so you can revert to specific points in time when your systems were free of malware and malicious attacks.
  • Disable all macros, or do not open any files unless the end user is 100 per cent certain the file is not malicious. If there is any cause for concern, contact your MSP or IT administrator immediately.
  • Block all infected emails, pages, and communication with browsers and servers. Since cybercriminals will write code to infect email and webpages, block anything that is odd, unfamiliar or sketchy.
About Prasad
Prasad Paul is a Technical Writer, Security Blogger, Network Engineer and IT Analyst. He is a Technology Enthusiast with a keen eye on the Cyberspace and other tech related developments.