The Myth of “Fileless” Malware

Is “fileless” malware really fileless?

Now, don’t get me wrong…I get what those who use this term are trying to say; that is, the actual malware itself, the malicious code, does not exist as a file on the local hard drive. However, for the uninitiated, the use of the term “fileless” is misleading, because in order for the things to happen and for the malware to persist, there has to be something in a file somewhere on the drive. Otherwise, what’s the point?

Yes, threat actors can release code that had a devastating, even catastrophic effect without persisting on an endpoint. This is not in question. 

However, the term “fileless” can imply to the uninitiated reader that files are not used at all, and this simply is not the case. This is important to understand, as this allows us to develop appropriate protections, detections, and responses for this kind of malware. Understanding this also means allows us to leverage DFIR skill sets to learn more about the threat actor leveraging various techniques to “remain fileless”.

Sometimes, we just get the descriptions of the malware wrong. In Prevailion’s DarkWatchman write-up, at the bottom of pg, 3, the authors state, “Various parts of DarkWatchman, including configuration strings and the keylogger itself, are stored in the registry to avoid writing to disk” (emphasis added), as illustrated in figure 1.

Fig. 1: Excerpt from DarkWatchman Write-up

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from Windows Incident Response

Read the original article: