Besides residing in memory, the second aspect of fileless malware is the extensive usage of widely deployed tools which system administrators rely on, such as PowerShell. It was stated in 2015 on how attackers could be living off the LAN by using similar techniques.
Why are attackers are using fileless malware?
For starters, not every endpoint solution inspects memory directly. This makes memory an ideal place to hide. Second, tools such as PowerShell are already deployed. Therefore, these have multiple benefits for the attacker as it enables them to live off the LAN with reduced noise in having to deploy malware to their victims.
Being the primary focus of existing fileless malware, Windows is looking at why fileless malware isn’t actually fileless. With a narrow scope of defining malware with the actual code that is executing on the operating system, it can determine that fileless malware are indeed fileless.
Taking a step back from the narrow definition, the aim of the person behind the malware is to gather as much data against their target as possible. In order to do that, the malware needs to be able to recover from interruption, and the way to do that is persist across reboots. In order to persist, something needs to be written to disk.
Any malware that hopes to survive for an extended length of time in due course needs to persist something, and that will likely be found somewhere on disk.