When a device isn’t properly running—whether it’s your phone, laptop, or smart plug, for example—many tech pros recommend that you restart it. That’s the advice the FBI issued to small businesses and households in 2018, after a report found that cybercriminals launched a fileless attack that infected 500,000 routers.

A fileless attack—also called fileless malware—covertly infects computers. While traditional malware uses a file that requires execution to infect a victim’s system, fileless attacks permeate and usually reside in memory. Nothing is written directly to the hard drive, says Vasilios Hioureas, malware researcher at Malwarebytes.

The malware that infected hundreds of thousands of routers, called VPNFilter, was linked to a Russian state-sponsored hacking group, researchers said. It was capable of spying on traffic sent through infected routers, stealing website log-ins, and allowing its controllers to wipe a portion of an infected device’s firmware, rendering it useless. The attackers could choose to destroy a single device, or wipe all infected devices at once.


Why are Androids less secure than iPhones?
What’s in an APT?
Why people are flocking to messaging app Signal
How to protect your payment apps
Why (and how) to stop cryptojacking

“We see quite a lot of fileless attacks against IoT devices in particular,” says Chet Wisniewski, principal research scientist at Sophos. “They exploit a vulnerability in the router, copy the malicious code into the memory, and start running it. It runs until you reboot the device. In that case, most people never reboot their router, so it runs for a long time.”

While Internet-connected devices, collectively known as the Internet of Things, or IoT, are common targets for fileless attacks, hackers also target built-in Microsoft Windows tools to create scenarios of “living off the land,” Hioureas says.

In these instances, cybercriminals email attachments, which are often a .doc, .rtf, or .xls. They aren’t actually executable files, which is why they’re considered fileless attacks, Wisniewski explains. They are more likely macros, instruction sets typically designed to automatically perform tasks such as changing the font, size, or alignment of text.

“If you open it, sometimes the malicious content in there will be a macro, which locks malicious code into memory when you open the document,” he says.

Because there isn’t a malicious file for antivirus tools to identify, fileless attacks are difficult to detect. In many cases, however, they’re easy to expunge, requiring only a reboot of the system. Traditionally, this lack of persistence was a problem for cybercriminals, but work-arounds allowed hackers to bypass it.

One solution was writing malicious code into the device’s registry—a database that stores configuration information about the software installed on the computer, Wisniewski says. Every time your computer starts up, the registry runs through a set of programs, which might include your instant-messaging program or Skype, for example. When these programs launch as part of your device’s start-up, so does the malicious shell script, he says.

“In the past, every criminal wanted to have a botnet to either instruct to send spam, or to do a service attack. That’s how they’d profit from fileless attacks,” Wisniewski says.

Cybercriminals also used ransomware to address their malicious code’s lack of persistence after reboot and to boost the prevalence of their fileless attacks.

“There are so many attacks now focused on ransomware that they don’t care that much about persistence,” he says. “If you can launch a malicious code in the memory once and encrypt enough of the files, it doesn’t matter if you’re there in the next reboot.”

Mitigating fileless attacks

Mitigating fileless attacks is a cat-and-mouse game, Wisniewski says. Cybercriminals design new techniques to bypass security researchers’ engineered defenses, which are typically “incredibly successful” until criminals find new work-arounds, he says.

“It’s very interesting to those of us who look at malware because we need to understand it in order to provide an effective defense,” he says. “This shows how clever and advanced the criminals are getting. They’re tenacious and not giving up, and are getting very sophisticated in how they’re compromising our computers.”

Because fileless attacks are dependent on vulnerabilities or code hidden in attachments, Wisniewski recommends keeping your devices’ software up-to-date, regularly restarting your devices, and not opening unknown attachments.

Another best practice, Wisniewski says, is opting for cloud-based office tools, such as Microsoft’s Office 365, Apple’s iWork for iCloud, or Google Docs. “That way, if the malicious stuff is there, it’s loaded in the cloud and not on the computer, so it’s less likely to cause any harm,” he says. “It’s a free and easy way to get past the problem.”