JSLess: A Tale of a Fileless Javascript Memory-Resident Malware

  • Sherif SaadEmail author
  • Farhan Mahmood
  • William Briguglio
  • Haytham Elmiligi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11879)


New computing paradigms, modern feature-rich programming languages and off-the-shelf software libraries enabled the development of new sophisticated malware families. Evidence of this phenomena is the recent growth of fileless malware attacks. Fileless malware or memory resident malware is an example of an Advanced Volatile Threat (AVT). In a fileless malware attack, the malware writes itself directly onto the main memory (RAM) of the compromised device without leaving any trace on the compromised device’s file system. For this reason, fileless malware presents a difficult challenge for traditional malware detection tools and in particular signature-based detection. Moreover, fileless malware forensics and reverse engineering are nearly impossible using traditional methods. The majority of fileless malware attacks in the wild take advantage of MS PowerShell, however, fileless malware are not limited to MS PowerShell. In this paper, we designed and implemented a fileless malware by taking advantage of new features in Javascript and HTML5. The proposed fileless malware could infect any device that supports Javascript and HTML5. It serves as a proof-of-concept (PoC) to demonstrate the threats of fileless malware in web applications. We used the proposed fileless malware to evaluate existing methods and techniques for malware detection in web applications. We tested the proposed fileless malware with several free and commercial malware detection tools that apply both static and dynamic analysis. The proposed fileless malware bypassed all the anti-malware detection tools included in our study. In our analysis, we discussed the limitations of existing approaches/tools and suggested possible detection and mitigation techniques.


Fileless malware Unconventional malware Web vulnerabilities Javascript HTML5 Polymorphic malware 


  1. 1.
    Adas, H., Shetty, S., Tayib, W.: Scalable detection of web malware on smartphones. In: 2015 International Conference on Information and Communication Technology Research (ICTRC), pp. 198–201, May 2015Google Scholar
  2. 2.
    AL-Taharwa, I.A., et al.: RedJsod: a readable JavaScript obfuscation detector using semantic-based analysis. In: 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 1370–1375, June 2012Google Scholar
  3. 3.
    Arias, D.: Speedy introduction to web workers, August 2018.
  4. 4.
    Barkly. The 2017 state of endpoint security risk (2017).
  5. 5.
    Blanc, G., Miyamoto, D., Akiyama, M., Kadobayashi, Y.: Characterizing obfuscated JavaScript using abstract syntax trees: experimenting with malicious scripts. In: 2012 26th International Conference on Advanced Information Networking and Applications Workshops, pp. 344–351, March 2012Google Scholar
  6. 6.
    Cosovan, D., Benchea, R., Gavrilut, D.: A practical guide for detecting the Java script-based malware using hidden Markov models and linear classifiers. In: 2014 16th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing, pp. 236–243, September 2014Google Scholar
  7. 7.
    Google Developers. Introduction to service worker—web, May 2019.
  8. 8.
    Fang, Y., Huang, C., Liu, L., Xue, M.: Research on malicious JavaScript detection technology based on LSTM. IEEE Access 6, 59118–59125 (2018)CrossRefGoogle Scholar
  9. 9.
    Global Research and Analysis Team: KASPERSKY Lab. Fileless attack against enterprise network, White Paper (2017)Google Scholar
  10. 10.
    INFOSEC. Websocket security issues, December 2014.
  11. 11.
    Kishore, K.R., Mallesh, M., Jyostna, G., Eswari, P.R.L., Sarma, S.S.: Browser JS guard: detects and defends against malicious JavaScript injection based drive by download attacks. In: The Fifth International Conference on the Applications of Digital Information and Web Technologies (ICADIWT 2014), pp. 92–100, February 2014Google Scholar
  12. 12.
    Magnusardottir, A.: Fileless ransomware: how it works & how to stop it?, June 2018.
  13. 13.
    Maiorca, D., Russu, P., Corona, I., Biggio, B., Giacinto, G.: Detection of malicious scripting code through discriminant and adversary-aware API analysis. In: Armando, A., Baldoni, R., Focardi, R. (eds.) Proceedings of the First Italian Conference on Cybersecurity (ITASEC17), Venice, Italy, 17–20 January 2017. CEUR Workshop Proceedings, vol. 1816, pp. 96–105. (2017)Google Scholar
  14. 14.
    Mao, J., Bian, J., Bai, G., Wang, R., Chen, Y., Xiao, Y., Liang, Z.: Detecting malicious behaviors in JavaScript applications. IEEE Access 6, 12284–12294 (2018) CrossRefGoogle Scholar
  15. 15.
    McAfee. Fileless malware execution with powershell is easier than you may realize, March 2017.
  16. 16.
    Ndichu, S., Ozawa, S., Misu, T., Okada, K.: A machine learning approach to malicious JavaScript detection using fixed length vector representation. In: 2018 International Joint Conference on Neural Networks (IJCNN), pp. 1–8, July 2018Google Scholar
  17. 17.
    Mozilla Developer Network. Glossary: websockets (2015).
  18. 18.
    Oh, S., Bae, H., Yoon, S., Kim, H., Cha, Y.: Malicious script blocking detection technology using a local proxy. In: 2016 10th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS), pp. 495–498, July 2016Google Scholar
  19. 19.
    Kaazing Corporation Peter Lubbers & Frank Greco. HTML5 websocket: a quantum leap in scalability for the web.
  20. 20.
    Shen, V.R.L., Wei, C.-S., Juang, T.T.-Y.: JavaScript malware detection using a high-level fuzzy Petri net, pp. 511–514, July 2018Google Scholar
  21. 21.
    Sachin, V., Chiplunkar, N.N.: SurfGuard JavaScript instrumentation-based defense against drive-by downloads. In: 2012 International Conference on Recent Advances in Computing and Software Systems, pp. 267–272, April 2012Google Scholar
  22. 22.
    Sayed, B., Traoré, I., Abdelhalim. A.: Detection and mitigation of malicious JavaScript using information flow control. In: 2014 Twelfth Annual International Conference on Privacy, Security and Trust, pp. 264–273, July 2014Google Scholar
  23. 23.
    Seshagiri, P., Vazhayil, A., Sriram, P.: AMA: static code analysis of web page for the detection of malicious scripts. Procedia Comput. Sci. 93, 768–773 (2016). Proceedings of the 6th International Conference on Advances in Computing and CommunicationsCrossRefGoogle Scholar
  24. 24.
    Netsparker Security Team. DOM based cross-site scripting vulnerability, May 2019.
  25. 25.
    TrendMicro. Analyzing the fileless, code-injecting sorebrect ransomware, June 2017.
  26. 26.
    Wang, C., Zhou, Y.: A new cross-site scripting detection mechanism integrated with HTML5 and CORS properties by using browser extensions. In: 2016 International Computer Symposium (ICS), pp. 264–269, December 2016Google Scholar
  27. 27.
    Wang, Y., Cai, W.-D., Wei, P.: A deep learning approach for detecting malicious JavaScript code. Secur. Commun. Netw. 9, 1520–1534 (2016)CrossRefGoogle Scholar
  28. 28.
    Xu, W., Zhang, F., Zhu, S.: The power of obfuscation techniques in malicious JavaScript code: a measurement study. In: 2012 7th International Conference on Malicious and Unwanted Software, pp. 9–16, October 2012Google Scholar
  29. 29.
    Yoon, S., Jung, J., Noh, M., Chung, K., Im, C.: Automatic attack signature generation technology for malicious JavaScript. In: Proceedings of 2014 International Conference on Modelling, Identification Control, pp. 351–354, December 2014Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Sherif Saad
    • 1
    Email author
  • Farhan Mahmood
    • 1
  • William Briguglio
    • 1
  • Haytham Elmiligi
    • 2
  1. 1.School of Computer ScienceUniversity of WindsorWindsorCanada
  2. 2.Thompson Rivers UniversityKamloopsCanada

Personalised recommendations