Without a Trace: Fileless Malware Spotted in the Wild
Were you aware that there is memory-only malware out now for Windows? A dangerous new trend is detailed.
With additional analysis from David Agni
Improvements in security file scanners are causing malware authors to deviate from the traditional malware installation routine. It is no longer enough for malware to drop a copy of itself to a location specified in its code and rely on persistence tactics such as an autostart entry to ensure that it continues to run: security file scanners can easily detect and block threats that behave this way.
One tactic we have spotted is the use of fileless malware. Unlike most malware, fileless malware hides itself in locations that are difficult to scan or detect: it exists only in memory and is written directly to RAM instead of being installed on the target computer's hard drive. POWELIKS is an example of fileless malware that hides its malicious code in the Windows Registry. It uses a conventional malware file to add the registry entries that contain its malicious code.
In August 2014, POWELIKS's evasion techniques and use of Windows PowerShell were identified as a potentially dangerous tool for future attacks.
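Because this kind of threat keeps its payload in the registry rather than on disk, a file scanner alone will not see it; a complementary check is to audit the registry autostart locations themselves. The following PowerShell script is an added example written for this page, not code from Trend Micro or from the POWELIKS analysis. The list of Run/RunOnce keys, the regular-expression heuristics, the length threshold of 512 characters and the "long base64-like blob" rule are all assumptions of this example chosen to flag autostart values that launch PowerShell or carry encoded content, which is the behaviour described above; they are not indicators published in the post.

```powershell
# Added example (not from the original post): audit common autostart registry
# locations for values that launch PowerShell or carry long encoded payloads,
# the registry-resident persistence described above.
# The key list, patterns and thresholds below are assumptions of this example.

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Patterns that are rarely seen in a legitimate autostart command line.
$suspiciousPatterns = @(
    'powershell(\.exe)?',             # PowerShell launched at logon
    '-(e|ec|enc|encodedcommand)\b',   # encoded-command switches
    '-(w|windowstyle)\s+hidden',      # hidden console window
    '-(nop|noprofile)\b'              # profile suppressed
)
$maxReasonableLength = 512            # assumption: real Run values are short paths

function Test-SuspiciousAutostart {
    param([string]$Value)
    $reasons = @()
    foreach ($pattern in $suspiciousPatterns) {
        if ($Value -imatch $pattern) { $reasons += "matches '$pattern'" }
    }
    if ($Value.Length -gt $maxReasonableLength) {
        $reasons += "length $($Value.Length) exceeds $maxReasonableLength"
    }
    # A long run of base64-alphabet characters suggests an embedded encoded payload.
    if ($Value -match '[A-Za-z0-9+/=]{200,}') {
        $reasons += 'contains a long base64-like blob'
    }
    return ,$reasons
}

foreach ($key in $autostartKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $value   = [string]$item.GetValue($name)
        $reasons = @(Test-SuspiciousAutostart -Value $value)
        # An empty or non-printable value name is itself worth a closer look,
        # since it makes the entry hard to read in ordinary registry tools.
        if ($name -eq '' -or $name -match '[^\x20-\x7E]') {
            $reasons += 'value name is empty or contains non-printable characters'
        }
        if ($reasons.Count -gt 0) {
            $preview = if ($value.Length -gt 80) { $value.Substring(0, 80) + '...' } else { $value }
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Preview = $preview
                Reasons = ($reasons -join '; ')
            }
        }
    }
}
```

Run it from an elevated PowerShell session so the HKLM keys are readable; it prints one object per flagged value with the key, value name, a truncated preview of the data and the reasons it matched. Hits are leads for an analyst, not verdicts: legitimate software occasionally starts a PowerShell helper at logon, so each flagged entry should be compared against a known-good baseline of the machine's autostart entries before anything is removed.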