Chat with us, powered by LiveChat

What Is File-Less Malware and How You Can Protect against It

Q.C. Crea

By now ‘malware’ has entered the lexicon of everyday life. If you don’t know exactly what it is, you know that it’s a bad thing that happens on your computer—a virus.

So, for educative purposes, malware is a software that gets installed on your computer through a malicious file/link in an attempt to disable your system or steal information.

That’s the thing, though—Malware has most commonly been acquired through a download or file transfer.

So much so, in fact, that most operating systems, Internet browsers, and antivirus programs have done a pretty good job at detecting and removing them.

file-less cyber attacks

Just like in biology, the virus evolves at the same rate or faster than the defenses. And that’s what is happening with malware.

What is File-Less Malware?

Meet file-less malware. A scary more commonly used type of infiltration technique in which a hacker can access a network without malware inside its programming, like before.

File-less malware bybasses anti-virus software and firewalls without being detected. It’s a technique called “living off of the land” where hacks infiltrate programs already on your machine and come via a harmless file like a Word document of .PDF file.

These attacks leave very little evidence. Tony Rowan of SentinelOne describes it perfecty by saying file-less malware is “an absence of evidence is equal to evidence of absence.” This means that these attacks are can be long-term. If you’re a visual learner, file-less cyberattacks is explained very well in this video from AT&T

But how do they work and how are they file-less you may be asking?

How is a File-Less Cyber Attack File-Less?

We mentioned ‘living off the land’ and that’s because a report by Symantec called “Living off the Land and Fileless Attack Techniques” describes four different types of “fileless infection techniques:”

  • Fileless persistence imbeds malicious scripts inside your computer’s registry which ensures that attacks start fresh every restart of disinfect.
  • Non-Portable Executable (non-PE) don’t use the binary executable (EXE) or dynamic-link library (DLL) files typical of most malware attacks. Instead, they infect Visual Basic Script, JavaScript, and PowerShell which complete the same attack, but look different in doing so.
  • Memory-only threats, you guessed it, run in your computer’s memory. That means to script or file is actually written on a file or disk. Once your computer restarts, it actually disinfects your machine and leaves no trace of the virus ever being there. This disinfect usually occurs after the harm is already done.
  • Dual-use tools are tools that most computer users use on a daily basis. These tools are legitimately clean tools to use but during attacks, these tools are co-op’d by hackers for their own benefit.

As you can see, with most softwares being harder and harder to hack, hackers are going at it through different routes which are more difficult to defense against.

Candid Wueest, the main author of the Symantec report, stated:

“The attackers are falling back to proven methods, which are usually simple, but with a little bit of social engineering and clever wording, they are nevertheless still successful. Why would they spend a lot of money or resources to find exploits if they can simply do an invoice attached to an email and have someone deliberately infect themselves?”

Missouri state Chief Information Security Officer (CISO), Michael Roling, told Government Technology that officials have seen more and more of these types of attacks in recent years as ‘signature-based’ malware detections aren’t good enough anymore.

As more network firewalls and networks are better at detecting and eradicated tradional malware, hackers are going after “vulnerable plug-ins and extensions” according to Roling.

It’s important, then, that you only use and download from sources that you trust. But even then, popular tools like Piriform’s CCleaner are still prone to attacks.

Everyone has got to get on the same page.

How to Protect Against File-Less Cyber Attacks

Since these file-less attacks are so hard to detect, let alone defend against, it’s always a good idea to upgrade, upgrade, upgrade.

what is fileless malware

Legacy systems are the most susceptible to any type of attack, especially file-less cyber attacks. Therefore always update to the latest version of your software, operating systems, and anti-virus programs.

Also, and this is something every single company should do as part of their business plan and budget: invest in high-quality end-to-end encryption, two-factor authentication, and any and all other security measures.

Oh, and make sure it’s a good anti-virus program. Only 10 out of 61 tested softwares were able to stop the NotPetya attack. That’s not a good rate.

There needs to be laws and regulations put in place not only at the government level, but at the enterprise level as well. But first there needs to be a lesson. The learning process, according to Wueest, should take “at least two years” for government agencies whose funding is rather tight and they are always slow to adapt to new cyber-threats, especially at the local level.

Finally, we need to educate, educate, educate. God forbid, if you or your company is hit with one of these file-less attacks—don’t be quiet! Educate other on what happened so that a defense can be crafted sooner rather than later.


Like with anything, don’t rest once file-less attacks are stopped. Hackers are always going to find new avenues to use to wreak havoc across the Internet. Stay vigilant, change your password, and spread the word about cyber-security today!

Leave a Reply