Threat Watch

File-less Malware

A shift has been seen in how malware is developed and deployed and must be addressed. For years an attacker’s priorities were to first go undetected and then profit from the breach. Cybercriminals have learned that if they hold an infected system longer then their profits will increase. Cybercriminals have figured out that file-less malware, malware that does not write a file onto the hard drive, is much harder to detect and therefore easier to keep in an infected system. Attackers have realized that many companies are using older, outdated operating systems that have old security defenses that are only programmed to detect file based, written to the hard drive, malware. Small to medium-sized businesses are especially vulnerable due to the lack of adequate security and IT staff that understand and monitor threats. Researchers have found that file-less attacks account for approximately 35% of recent attacks and are 10 times more likely to succeed that file-based attacks. There are 2 main types of file-less based attacks, automated and manual. An automated attack is once a malicious file has been allowed into the victim’s system it follows preset commands and compromise only predetermined files. Examples of automated attacks are Emotet, Trickbot, and Sorebrect malware packages. A manual attack is when the malware is manually launched by an attacker which makes the attack much more powerful. Manually controlled attacks are harder to detect and defend against because they do not follow predictable patterns. SamSam is a common manual malware.


Users should verify that all new security patches are downloaded and installed. Companies should invest in regular and ongoing training for all employees to help them recognize and react to cyber threats. Lastly, businesses should develop, and practice, a protocol that allows the company to assess and react to cyber-attacks.