Hacking group FIN7 is reportedly using the technique to infect Windows computers of US restaurants. This specific attack arrives via a booby-trapped Word document attached to a phishing e-mail. Once the victim opens the file, the user is tricked into exiting Protected View, and the malware uses clever methods to avoid detection by behavior-based solutions. The final payload resides only in the computer's memory, and none of the 56 most widely used anti-virus programs managed to detect the attack.
To be sure, the attack isn't entirely fileless, since it arrives in a booby-trapped Word document attached to a phishing e-mail. The e-mails are tailored to the person receiving them and contain attachments with names including menu.rtf, Olive Garden.rtf and Chick Fil A Order.rtf. Unlike most other Word-based attacks, however, once the document triggers an infection, the final payload resides only in memory. Full details at Ars Technica.