Fileless malware is on the rise and is enabling many attacks in 2018. While fileless techniques were already common in 2017, most of the better-known attacks that year still touched the disk and left traces. 2017 was also a high point for ransomware.
What is the problem with attacks that leave files? They produce a signature that defenders can easily pick up on. So once an attack is launched, its effectiveness starts to diminish as defenders hunt for evidence of the malware on disk.
If the goal of the attack is short lived (for example a DDoS attack, holding a computer for ransom, or a destructive attack such as NotPetya), then the malware only has to outrun the security researchers, who will identify which files it uses as one of their first steps.
But if the goal of the attack requires time, as with an advanced persistent threat, then a higher level of stealth is needed, and the creation of files is the first thing to go.
In 2018, we are seeing a rise in cryptomining. In this attack, the victim's machine unwittingly starts mining cryptocurrency for the attacker; it is essentially a theft of computing resources. The malware needs to persist for a long period of time to pay off, so attackers need to reduce its signature, and fileless techniques go a long way toward that goal.
Fileless malware can still be detected by examining the processes running in memory, but these memory-based signatures typically take longer to work out than signatures for files on a disk.
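One concrete way to start that in-memory examination on Linux is to read each process's `/proc/<pid>/maps` and flag executable regions that are not backed by a regular file on disk: anonymous read-write-execute regions, `memfd:` regions, or regions whose backing file has been unlinked. The script below is an added example written for this article, not code from the original post; it assumes the standard Linux `maps` line format and runs against a constructed sample so it can be tested offline. JIT compilers (Java, browsers) legitimately create anonymous executable mappings, so the hits are leads for an analyst to confirm, not verdicts.

```python
"""Flag executable memory mappings with no on-disk backing file.

Added example, not part of the original article. Assumes the Linux
/proc/<pid>/maps format: "start-end perms offset dev inode [path]".
"""
import os
import re
from typing import Dict, List, Optional

MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+"
    r"(?P<inode>\d+)\s*"
    r"(?P<path>.*)$"
)

# Constructed sample of a /proc/<pid>/maps file (not captured from a real host).
SAMPLE_MAPS = """\
5581d3400000-5581d3401000 r--p 00000000 08:01 1310734  /usr/bin/sleep
5581d3401000-5581d3406000 r-xp 00001000 08:01 1310734  /usr/bin/sleep
7f2b1c000000-7f2b1c021000 rw-p 00000000 00:00 0
7f2b1c400000-7f2b1c402000 rwxp 00000000 00:00 0
7f2b1c800000-7f2b1c810000 r-xp 00000000 00:05 1234     /memfd:payload (deleted)
7f2b1cc00000-7f2b1cc10000 r-xp 00000000 08:01 99999    /tmp/dropper (deleted)
7ffd1e6d3000-7ffd1e6f4000 rw-p 00000000 00:00 0        [stack]
7ffd1e7fa000-7ffd1e7fc000 r-xp 00000000 00:00 0        [vdso]
"""


def parse_maps(text: str) -> List[Dict[str, str]]:
    """Parse maps-format text into one dict per mapping; unparseable lines are skipped."""
    mappings = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            mappings.append(m.groupdict())
    return mappings


def classify(mapping: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the mapping is executable but not file-backed."""
    if "x" not in mapping["perms"]:
        return None
    path = mapping["path"]
    if path in ("[vdso]", "[vsyscall]"):  # kernel-provided, always executable
        return None
    if path == "" or path.startswith("[anon"):
        return "anonymous executable mapping"   # also where JIT code lives
    if path.startswith("/memfd:"):
        return "memfd-backed executable"
    if path.endswith("(deleted)"):
        return "backing file deleted"
    if path in ("[stack]", "[heap]"):
        return "executable " + path
    return None


def suspicious_exec_mappings(text: str) -> List[Dict[str, str]]:
    """List executable mappings lacking an on-disk backing file, with a reason each."""
    hits = []
    for mapping in parse_maps(text):
        reason = classify(mapping)
        if reason:
            hits.append({**mapping, "reason": reason})
    return hits


def scan_live_processes() -> Dict[int, List[Dict[str, str]]]:
    """Apply the same check to every readable /proc/<pid>/maps on this host."""
    results = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/maps") as fh:
                hits = suspicious_exec_mappings(fh.read())
        except OSError:  # process exited or not ours to read
            continue
        if hits:
            results[int(entry)] = hits
    return results


if __name__ == "__main__":
    for hit in suspicious_exec_mappings(SAMPLE_MAPS):
        print(f"{hit['start']}-{hit['end']} {hit['perms']} {hit['path']!r}: {hit['reason']}")
```

Run as root for full coverage, since most `/proc/<pid>/maps` files are readable only by the process owner. Corroborate each hit by checking whether `/proc/<pid>/exe` itself reports `(deleted)` and by looking at the process's parent and command line before escalating.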
Still, one thing fileless malware must rely on is vulnerabilities on the host system. To keep up with the threat, it's not only important to patch, but to prioritize patching against the most current threats.