Fileless Malware – How safe are you?


More than a hundred banks and financial institutions across the world have been infected with a dangerous sophisticated, memory-based malware that’s almost undetectable, researchers warned.

Newly published report by the Russian security firm Kaspersky Lab indicates that hackers are targeting banks, telecommunication companies, and government organizations in 40 countries, including the US, South America, Europe and Africa, with Fileless malware that resides solely in the memory of the compromised computers.

Fileless malware was first discovered by the same security firm in 2014, has never been mainstream until now.


So what is a File-less Malware?

This is a new form of malware that manages to hide within a computer system and successfully escapes detection. Conventionally, cyber security experts could detect malware in any system because malware programs usually depend on the hard drives of computers for their operation. Thus, anti-malware programs can detect malware by scanning all the files that are on the hard drive of a device. However, this new form of malware does not depend on the files on the hard drive of a device for its survival. In practice, the malware hides in the kernel of RAM of a device. Usually, ordinary users do not know how to access these areas of a device. Therefore, this new form of malware can remain in a device for a long time, giving the hackers unfettered access to a device and the system to which the device is connected.


Three types of fileless malware are common:

Memory resident: This type of fileless malware uses the memory space of a legitimate

Windows file. It loads its code into that memory space and remains resident until it is

accessed or reactivated. Although execution occurs within the legitimate file’s memory

space, there is a dormant physical file that initiates or restarts the execution. As a result,

this malware type is not completely fileless.

Rootkits: Some fileless malware hides its presence behind a user- or kernel-level

application programming interface (API). A file is present on disk but in a stealth mode.

Windows registry: Some new fileless malware types reside in the registry of the

Windows operating system. Malware authors have exploited features such as the

Windows thumbnail cache used to store images for Windows Explorer’s thumbnail view.

The thumbnail cache acts as a persistence mechanism for the malware. Fileless malware

of this type must still enter the victim’s system through a static binary. Most use email as

the medium to reach the system. Once the user clicks on the attachment, the malware

writes the complete payload file in an encrypted form in the Windows registry hive. It

then disappears from the system by deleting itself.


How do hackers use this new form of malware?

Researchers at Kaspersky Lab indicate that hackers have devised new techniques that they use to control this new type of malware. For instance, researchers at Kaspersky Lab have pointed out that hackers are using this new type of malware to attack the systems of banking institutions across the world specifically. The hackers stealthily use file-less malware to gain deeper access to the systems in use


Hackers follow these steps when using file-less malware programs to launch attacks:

  1. Hackers hack the servers of their target. At this stage, the hackers use some of the most common exploits to gain unauthorized access to the servers of their target. Once the hackers can access the servers, they start looking for vulnerabilities that they can take advantage of.
  2. The hackers then infect their target computers with special malware. For the hackers to successfully infect the computers of their targets, they rely on specialized tools such as Meterpreter and PowerShell scripts. The attackers use inventive methods to successfully infect the computers of their targets with special malware programs.
  3. Once the script of the hackers has been successfully installed on the target computer, it hides in the RAM or Windows registry. The ability of the malware program to hide in the RAM or other odd places in a computer makes it very dangerous in the long run. On the one hand, it makes it impossible for security experts to detect any abnormal activity on a computer.
  4. The malware program then starts to channel the information that it gathers in a device to the attackers. To achieve this objective, the malware uses special procedures that help it tunnel the trove of data it steals to a C2 server.
  5. Once a user reboots a computer, the malware disappears from the device, making it impossible for detectors to pinpoint any abnormal behavior on the computer.


The attack has already hit more than 140 enterprise networks across 40 different countries, with most victims located in the US, France, Ecuador, Kenya, the UK, and Russia. Almost every instance of the fileless malware was found in financial institutions and worked towards obtaining login credentials. In the worst cases, infections had already gleaned enough information to allow cyber attackers to withdraw undisclosed sums of cash from ATMs.


So, in conclusion, we can deduce that, whoever created this program is after cold hard cash. Not ransoms, not valuable data, and not destruction. Unless your network directly handles the transfer of cash assets, you’re fine! If you want to be extra careful, employ solutions that analyze trends in behavior. When hackers acquire login information, they usually test it out at odd hours and any intrusion prevention system should be able to recognize the attempt as dubious.


Cybersecurity requires constant attention and education, but it’s not something you can just jump into. What you should do is hire a managed services provider that promises 24/7 network monitoring and up-to-the-minute patches and software updates. Contact us to learn what value we can add to your business.

Leave a Reply

Your email address will not be published. Required fields are marked *