The language of cybersecurity evolves in step with attack and defense tactics. You can get a sense for such dynamics by examining the term fileless. It fascinates me not only because of its relevance to malware, but also because of its knack for agitating many security practitioners.
I traced the origins of “fileless” to 2001, when Eugene Kaspersky (of Kaspersky Labs) used it in reference to the Code Red worm’s ability to exist solely in memory. Two years later, Peter Szor defined this term in a patent for Symantec, explaining that this form of malware doesn’t reside in a file, but instead “appends itself to an active process in memory.”
Eugene was prophetic in predicting that fileless malware “will become one of the most widespread forms of malicious programs” due to antivirus’ ineffectiveness against such threats. When I look at the ways in which malware bypasses detection nowadays (see below), the evasion techniques often fall under the fileless umbrella, though the term has expanded beyond its original meaning.
Fileless was synonymous with in-memory until around 2014.
Purely in-memory malware disappears once the system restarts. In 2014, Kevin Gossett’s Symantec article explained how Poweliks malware overcame this limitation by using the legitimate Windows programs rundll32.exe and powershell.exe to maintain persistence, extracting and executing malicious scripts from the registry. Kevin described this threat as “fileless,” because it avoided placing code directly on the file system. Paul Rascagnères at G Data mentioned that Poweliks infected systems by using a booby-trapped Microsoft Word document.
The Poweliks discussion, and similar malware that appeared afterwards, set the tone for the way fileless attacks are described today. Yes, fileless attacks strive to maintain clearly malicious code solely or mostly in memory. Also, they tend to involve malicious documents and scripts. They often misuse utilities built into the operating system and abuse various capabilities of Windows, such as the registry, to maintain persistence.
However, the growing ambiguity behind the modern use of the term fileless is making it increasingly difficult to understand what specific methods malware uses for evasion. It’s time to disambiguate this word to hold fruitful conversations regarding our ability to defend against its underlying tactics.
Here’s my perspective on the methods that comprise modern fileless attacks:
- Malicious Documents: They can act as flexible containers for other files. Documents can also carry exploits that execute malicious code. They can execute malicious logic that begins the infection and initiates the next link in the infection chain.
- Malicious Scripts: They can interact with the OS without the restrictions that some applications, such as web browsers, might impose. They are harder for anti-malware tools to detect and control than compiled executables. They offer an opportunity to split malicious logic across several processes.
- Living Off the Land: Microsoft Windows includes numerous utilities that attackers can use to execute malicious code with the help of a trusted process. They allow adversaries to “trampoline” from one stage of the attack to another without relying on compiled malicious executables.
- Malicious Code in Memory: Memory injection can abuse features of Microsoft Windows to interact with the OS even without exploiting vulnerabilities. Attackers can wrap compiled executables into scripts, extracting payload into memory during runtime.
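As an added example (not part of the original article), here is a defender-side triage heuristic over constructed autorun registry values. It flags the pattern the Poweliks discussion and the list above describe: a trusted Windows binary (rundll32.exe, mshta.exe, powershell.exe) launching script that lives in the registry or on a command line rather than in a file. The value names, command lines and the HKCU:\Software\Demo path are all constructed for the demo.

```python
import re
from base64 import b64decode, b64encode

# Constructed sample of autorun entries (value name, command line) in the style of
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run; not taken from a real system.
_STAGER = "IEX (Get-ItemProperty 'HKCU:\\Software\\Demo').Payload"  # hypothetical next stage
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Loader", r'rundll32.exe javascript:"\..\mshtml";document.write("<placeholder>")'),
    ("SysHealth", "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
                  + b64encode(_STAGER.encode("utf-16le")).decode()),
    ("Backup", r'C:\Windows\System32\mshta.exe vbscript:Execute("placeholder")'),
]

# Each rule: (reason, regex over the command line). Together they target the
# Poweliks-style pattern of a trusted host binary running script kept off the file system.
RULES = [
    ("rundll32/mshta launched with an inline script: handler",
     re.compile(r"\b(rundll32|mshta)(\.exe)?\b.*\b(javascript|vbscript):", re.I)),
    ("PowerShell with encoded or download-and-run arguments",
     re.compile(r"\bpowershell(\.exe)?\b.*(-e(nc|ncodedcommand)?\b|IEX|Invoke-Expression|DownloadString)", re.I)),
    ("script host started directly from an autorun value",
     re.compile(r"\b(wscript|cscript)(\.exe)?\b", re.I)),
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or '' if absent."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def triage_autoruns(entries):
    """Return {value_name: [reasons]} for entries matching a fileless-persistence rule."""
    findings = {}
    for name, cmdline in entries:
        reasons = [reason for reason, rx in RULES if rx.search(cmdline)]
        decoded = decode_encoded_command(cmdline)
        # The telling Poweliks trait: the decoded script fetches its next stage from the registry.
        if re.search(r"Get-ItemProperty|\bgp\b|Registry::", decoded, re.I):
            reasons.append("decoded PowerShell reads its next stage from the registry")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_autoruns(SAMPLE_RUN_VALUES).items():
        print(name, "->", "; ".join(reasons))
```

The same function can be fed real entries dumped with `reg query` or an EDR's autoruns collection; the rules are deliberately narrow, so treat a hit as a lead for analyst review rather than a verdict.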
While some attacks and malware families are fileless in all aspects of their operation, most modern malware that evades detection includes at least some fileless capabilities. Such techniques allow malware to operate in the peripheral vision of anti-malware software. The success of such attack methods is the reason for the continued use of the term in discussions among security vendors and enterprises.
Language evolves as people adjust the way they use words and the meaning they assign to them. This certainly happened to fileless, as the industry looked for ways to discuss attacks that avoided the file system and misused OS features to evade detection. For a deeper dive into this topic, read the following three articles upon which I based this overview: