AkashPatil04/File-Less-Malware
File-Less-Malware

Fileless Malware: 

Usually, fileless malware is a piece of code that works directly in the system's memory. 

IMP: It uses, or attaches itself to, legitimate applications and system programs that are already present on the system in order to operate.

In general, everything we download is normally stored on the HD (hard drive), which means we have a record of that item in terms of storage, hash, path, etc. 

But in the case of fileless malware, since it uses legitimate programs already available on the system, we usually don't have any file-based "IOCs" (Indicators of Compromise). 

What does calling it "FILELESS" actually mean: 

It's called fileless because, unlike traditional malware, which often involves the creation and execution of malicious files on the victim's system for its "Actions on Objectives" (hope you know this), fileless malware relies on modifying and using legitimate programs/applications for its objectives rather than creating or downloading files.

How the malware is delivered into the user's system:

It is usually delivered into the target system by means of social engineering, compromised websites, or exploitation of unpatched software vulnerabilities, most often by the technique called "PHISHING" (where the user is tricked into clicking a malicious link or opening a malicious attachment).

Working of Fileless Malware:

  • The working process of fileless malware is really a lengthy one, but I have tried to make it simpler for you; below is a short and simple explanation of how it works: 

  • When the malicious code is delivered into the target system, it acts according to its functionality: some malware is pre-planned, targeting a specific application/program, and some searches for known vulnerabilities after delivery.

  • Now the main reason I keep stating everywhere that it uses "legit system software or applications": doing so allows fileless malware to "run code in memory" without writing anything to disk. 

  • It first executes the payload (typically called a memory-based payload) without writing anything to the system's disk. The payload can include various malicious activities, such as Data exe, C2, Pre exe, etc.

  • Fileless malware uses the attack technique "Living off the Land", meaning it often leverages legitimate system tools and utilities like PowerShell, Windows Management Instrumentation (WMI), or script interpreters for JavaScript or VBScript. These tools are used to execute malicious scripts or commands in memory.

How fileless malware achieves persistence:

To ensure that the malware survives system reboots and remains active on the compromised system, it uses the techniques below for persistence:

  • Modification of registry keys and Windows APIs
  • Creation of scheduled tasks.
  • etc... (I need you to find the different ways)

Now we come to the detection part:

If fileless malware does not leave any IOCs (Indicators of Compromise), then how can we detect it...?

Although fileless malware does not leave traces such as a file hash or an executable, its way of working is quite similar to traditional malware: it will drive the system utilities (PowerShell, Windows Management Instrumentation (WMI), or script interpreters) in a malicious way, exfiltrate data to an external entity, etc. That means for detection of FLM we have to focus on IOAs (Indicators of Attack) instead of IOCs (Indicators of Compromise).

We need to focus on behavior-based detection instead of signature-based detection.
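As an added example (not part of the original README), here is a small IOA-style rule set in Python run over constructed process-creation records: it scores the parent/child relationship, the PowerShell launch flags, in-memory execution keywords, and registry/scheduled-task persistence commands, so an alert needs no file hash at all. The field names, rule weights, sample command lines and the "AAAA..." encoded-command placeholder are all constructed for illustration.

```python
import re

# Constructed Sysmon-style process-creation records (illustrative, not real telemetry).
# "AAAA..." stands in for an encoded command blob; it is a placeholder, not real content.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc AAAAAAAAAAAAAAAAAAAAAAAA"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},          # benign admin use
    {"image": r"C:\Windows\System32\reg.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
                r' /v Updater /t REG_SZ /d "powershell.exe -w hidden -enc AAAAAAAA"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'schtasks.exe /create /tn Updater /sc onlogon'
                ' /tr "powershell.exe -nop -ep bypass -c Invoke-Expression $env:BLOB"'},
]

# IOA rules: (name, weight, field to inspect, pattern). Names and weights are illustrative.
IOA_RULES = [
    # Phishing delivery: an Office document handler spawning a script host.
    ("script_host_from_office", 4, "parent",
     re.compile(r"\\(?:WINWORD|EXCEL|POWERPNT|OUTLOOK)\.EXE$", re.I)),
    # PowerShell launched hidden, with an encoded command, or with profile/policy bypassed.
    ("powershell_hidden_or_encoded", 3, "cmdline",
     re.compile(r"\s-(?:w(?:indowstyle)?\s+hidden|enc(?:odedcommand)?\b|nop\b|"
                r"e(?:xecution)?p(?:olicy)?\s+bypass)", re.I)),
    # Script text executed straight from memory instead of from a file on disk.
    ("in_memory_execution", 4, "cmdline",
     re.compile(r"\b(?:IEX|Invoke-Expression|DownloadString|FromBase64String)\b", re.I)),
    # Persistence via WMI event subscription classes (not exercised by the samples above).
    ("wmi_subscription_persistence", 4, "cmdline",
     re.compile(r"__EventFilter|CommandLineEventConsumer|__FilterToConsumerBinding", re.I)),
    # Persistence via a Run key or a scheduled task, as listed in the README.
    ("registry_run_key_persistence", 3, "cmdline", re.compile(r"CurrentVersion\\Run\b", re.I)),
    ("scheduled_task_persistence", 3, "cmdline", re.compile(r"schtasks(?:\.exe)?\s+/create", re.I)),
]

def score_event(event):
    """Return (total weight, [matched rule names]) for one process-creation record."""
    matched = [name for name, _, field, pat in IOA_RULES if pat.search(event.get(field, ""))]
    return sum(w for name, w, _, _ in IOA_RULES if name in matched), matched

def triage(events, threshold=5):
    """Indices of events whose combined IOA score reaches the alert threshold."""
    return [i for i, e in enumerate(events) if score_event(e)[0] >= threshold]

if __name__ == "__main__":
    for i in triage(SAMPLE_EVENTS):
        print(i, score_event(SAMPLE_EVENTS[i]))
```

Only the benign `-File backup.ps1` launch falls below the threshold; the other three records are flagged by behavior alone, which is the IOA-over-IOC point made above.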
