Fileless malware is an effective means leveraged by attackers to infiltrate systems undetected. This type of attack differs from standard malware in that it does not have to install malicious software in order to infect a computer; it does not even write anything to the hard drive. While it sounds improbable, these kinds of attacks are no longer rare.
Virus scanners cannot detect the malware because nothing is written to the hard drive: the malicious code remains in RAM and abuses legitimate, trusted system tools to attack the machine and load further code. Flash, javaw.exe and iexplore.exe are well suited to this.
There are a few ways to launch fileless malware attacks, for example through malicious banners, known as malvertising. When users click on the banner, they are redirected to a website that, at first glance, seems legitimate. Malvertising can infect individual websites, but it can just as well take over an entire advertising network and thus distribute the malicious code very widely.
Flash, which has a number of vulnerabilities, is then used to continue the attack. Flash invokes Windows PowerShell to run a script from the command line, but in this case the script is executed only in RAM, where the malicious code (e.g. a botnet client) is loaded and run directly.
The execution of .ps1 scripts is regulated by the system's execution policy. However, if the malware author enters the command set-executionpolicy Unrestricted and answers the confirmation prompt with “A” for “all”, any script can be executed.
When a computer is restarted, RAM is normally cleared and the fileless malware is stopped in its tracks. However, Windows 10 introduced a quick start mode that significantly shortens boot times. If this mode is enabled, the computer never fully shuts down: on the next start, instead of booting from scratch, the system reads the previously saved kernel and driver state (the hibernation file, hiberfil) back into main memory. The last system state is thus restored along with this image, and parts of the malicious code may be reloaded with it. For this reason, it must be ensured that the system is completely shut down and restarted every time. There are several ways to do this:
Open the command prompt and select “Run as administrator”. Enter
and restart the PC. You can also create a batch file with
Alternatively, you can enter the command in the Run dialog by pressing Windows + R.
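As an added example that is not part of the original article, the following PowerShell script audits the two weaknesses described above on a Windows 10 machine: it reports whether the quick start mode (Windows' Fast Startup) is enabled and a hibernation file is present, lists the PowerShell execution policies, and can optionally disable Fast Startup, set a stricter policy and perform a full (non-hybrid) shutdown. The registry value HiberbootEnabled and the powercfg and shutdown switches are standard Windows settings taken from general Windows documentation, not from the article; the script must be run from an elevated PowerShell session.

```powershell
# Added example: audit and remediate the conditions the article describes.
# Run in an elevated (administrator) PowerShell session.
param(
    [switch]$Fix,       # disable Fast Startup and enforce an AllSigned execution policy
    [switch]$Shutdown   # perform a full (non-hybrid) shutdown afterwards
)

$powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'

# 1. Fast Startup ("quick start mode"): HiberbootEnabled = 1 means the kernel and
#    driver state is written to hiberfil.sys at shutdown and restored on the next boot.
$hiberboot = (Get-ItemProperty -Path $powerKey -Name HiberbootEnabled `
              -ErrorAction SilentlyContinue).HiberbootEnabled
$fastStartup = ($hiberboot -eq 1)
Write-Host ("Fast Startup enabled : {0}" -f $fastStartup)

# 2. Hibernation file: while it exists, a "shutdown" may really be a hybrid shutdown.
$hiberfil = Join-Path $env:SystemDrive 'hiberfil.sys'
Write-Host ("hiberfil.sys present : {0}" -f [System.IO.File]::Exists($hiberfil))

# 3. Execution policy: Unrestricted at machine scope lets any .ps1 script run.
$policies = Get-ExecutionPolicy -List
$policies | Format-Table -AutoSize
$weak = $policies | Where-Object {
    $_.Scope -in 'MachinePolicy', 'LocalMachine' -and $_.ExecutionPolicy -eq 'Unrestricted'
}
if ($weak) { Write-Warning 'Unrestricted execution policy at machine scope' }

if ($Fix) {
    # Turning hibernation off deletes hiberfil.sys; clearing HiberbootEnabled
    # disables Fast Startup so every shutdown is a real one.
    powercfg.exe /hibernate off
    Set-ItemProperty -Path $powerKey -Name HiberbootEnabled -Value 0 -Type DWord
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
}

if ($Shutdown) {
    # /s without /hybrid is a full shutdown: RAM is actually cleared, unlike Fast Startup.
    shutdown.exe /s /f /t 0
}
```

Run it without switches first to see the current state; add -Fix and -Shutdown only once the output has been reviewed, since the shutdown is immediate.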