IT Security Oct 1, 2020

Fileless malware – an old (new) threat?

Fileless malware is an effective means for attackers to infiltrate systems undetected. This type of attack differs from conventional malware in that it does not need to install a malicious program in order to infect a computer; ideally, nothing is written to the hard drive at all. That may sound improbable, but these kinds of attacks are no longer rare.


Christian Linder
Consultant IT Security

Conventional, file-based virus scanners have little to examine: nothing is written to the hard drive, the malicious code lives only in RAM, and it abuses tools that are already present and trusted on the system to attack further and plant more code. Legitimate, signed components such as Flash Player, javaw.exe and iexplore.exe lend themselves to this because their execution looks ordinary.

There are several ways to launch a fileless malware attack, one of them being malicious banners, or malvertising. When users click on the banner, they are redirected to a website that, at first glance, looks legitimate. Malvertising can be confined to individual compromised websites, but an attacker who takes over an entire advertising network can distribute the malicious code at scale.

A Flash vulnerability (the plug-in has had many) is then used to gain code execution in the browser and continue the attack. From there, Windows PowerShell is launched with the next stage passed in on the command line. Nothing is saved as a script file: the command runs purely in RAM, where it downloads and executes the actual payload (a bot client, for example) directly in memory.

The execution of .ps1 script files is governed by the PowerShell execution policy. An attacker who already has code running simply sets it aside, for instance by issuing Set-ExecutionPolicy Unrestricted and answering the confirmation prompt with "A" (Yes to All), after which any script runs. Note that the execution policy was never designed as a security boundary: it can also be overridden for a single process with the -ExecutionPolicy Bypass switch, and commands passed on the command line or via -EncodedCommand are not subject to it at all, which is exactly how fileless loaders use PowerShell.
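The following PowerShell session, added here as an illustration and not taken from the article, makes that point concrete. A constructed one-line "payload" (it only writes a marker file) is refused when the policy is Restricted, yet runs when the policy is overridden per process or when the text never becomes a .ps1 file. The file names, the marker payload and the Process-scope policy change are assumptions for the demo; run it on a test machine.

```powershell
# Added example (not from the original article). Demonstrates that the
# PowerShell execution policy only gates .ps1 files and is easily set aside.
# Everything below is a constructed demo; the "payload" merely writes a
# marker file. Run on a test machine, not in production.

$ErrorActionPreference = 'Stop'
$marker  = Join-Path $env:TEMP 'fileless-demo.txt'
$script  = Join-Path $env:TEMP 'fileless-demo.ps1'
$payload = "Set-Content -Path '$marker' -Value 'ran'"   # stand-in for a real loader
Set-Content -Path $script -Value $payload
Remove-Item $marker -ErrorAction SilentlyContinue

# 1. Which policy applies and where it comes from. The first scope that is
#    not Undefined wins, from MachinePolicy (GPO) down to LocalMachine.
Get-ExecutionPolicy -List

# 2. With a Restricted policy for this process, the .ps1 file is refused.
#    (If a GPO sets MachinePolicy/UserPolicy, that wins over this call.)
Set-ExecutionPolicy Restricted -Scope Process -Force
try   { & $script; 'Script ran despite the policy' }
catch { "Blocked as expected: $($_.Exception.Message)" }

# 3. A child process started with -ExecutionPolicy Bypass ignores the
#    inherited policy and runs the very same file.
powershell.exe -NoProfile -ExecutionPolicy Bypass -File $script
"After -ExecutionPolicy Bypass, marker exists: $(Test-Path $marker)"
Remove-Item $marker -ErrorAction SilentlyContinue

# 4. Commands that never touch a .ps1 file are not subject to the policy
#    at all. A Base64/UTF-16LE -EncodedCommand is the shape most fileless
#    loaders take, because it survives shell quoting and hides in logs that
#    do not decode it.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
powershell.exe -NoProfile -EncodedCommand $encoded
"After -EncodedCommand, marker exists: $(Test-Path $marker)"

# Clean up the demo files.
Remove-Item $marker, $script -ErrorAction SilentlyContinue
```

Step 2 prints a "running scripts is disabled" error, while steps 3 and 4 both report that the marker file exists. The lesson for defenders is that the policy setting itself is not worth monitoring as a control; the process creation (powershell.exe spawned by a browser or plug-in host, with Bypass or EncodedCommand on its command line) and the decoded script block are what should be logged and alerted on.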

When a computer is powered off, the contents of RAM are normally lost and fileless malware dies with them. Windows 10, however, introduced Fast Startup (also called hybrid shutdown) to cut boot times significantly. When it is enabled, "Shut down" from the Start menu does not fully power down the system: the user session is logged off, but the kernel and driver state is written to the hibernation file (hiberfil.sys) and reloaded on the next boot instead of being reinitialised. Code or state that has made its way into kernel or driver memory can therefore come back with that image. Note that "Restart" always performs a full boot; only "Shut down" takes the hybrid path. To be sure that the system really starts from scratch, either disable Fast Startup or force a full shutdown. There are several ways to do this:

  • Disable hibernation, and with it Fast Startup: open the command prompt with "Run as administrator", enter

    powercfg -hibernate off

    and then shut the PC down and power it on again.
  • Force a full shutdown without changing the setting: enter

    shutdown -s -t 0

    at the command prompt, in a batch file, or in the Run dialog (Windows + R). shutdown.exe performs a full shutdown unless it is given the /hybrid switch, and a restart ("shutdown -r -t 0") is always a full boot.
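The following PowerShell script is an added example, not part of the original article. It reads the registry value behind the Fast Startup setting, shows the symptom a practitioner can use to spot it (the reported boot time stays at the last real cold boot, so "uptime" keeps growing across shutdowns), and then turns the feature off in one of the two ways described above. The registry path and value name are the ones Windows uses for this setting; the function name is my own.

```powershell
# Added example (not from the original article). Checks whether Fast Startup
# is enabled, shows the tell-tale symptom, and disables it.
# Run from an elevated PowerShell session.

$powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'

function Test-FastStartup {
    # HiberbootEnabled = 1 means a Start-menu "Shut down" is a hybrid shutdown
    # that saves the kernel session to hiberfil.sys instead of discarding it.
    $v = (Get-ItemProperty -Path $powerKey -Name HiberbootEnabled `
            -ErrorAction SilentlyContinue).HiberbootEnabled
    return ($v -eq 1)
}

# Symptom: with Fast Startup the kernel session survives "shutdowns", so
# LastBootUpTime keeps pointing at the last real cold boot and uptime grows
# across days even though the user shut the machine down every evening.
$os     = Get-CimInstance -ClassName Win32_OperatingSystem
$uptime = (Get-Date) - $os.LastBootUpTime
"Fast Startup enabled : $(Test-FastStartup)"
"Last full boot       : $($os.LastBootUpTime)  (uptime $([int]$uptime.TotalHours) h)"

if (Test-FastStartup) {
    # Option A: keep hibernation available, disable only the hybrid shutdown
    # path. Equivalent to unticking "Turn on fast startup" in Power Options.
    Set-ItemProperty -Path $powerKey -Name HiberbootEnabled -Value 0 -Type DWord
    "Fast Startup disabled (HiberbootEnabled = 0); takes effect at next shutdown."

    # Option B (what the article does): drop hibernation entirely. This also
    # deletes hiberfil.sys and therefore disables Fast Startup as well.
    # powercfg /hibernate off
}

# Regardless of the setting, shutdown.exe without /hybrid is a full
# shutdown, and /r (restart) always cold-boots. Uncomment to perform it now.
# shutdown /s /t 0
```

On a machine where a user "shuts down" nightly with Fast Startup on, the uptime printed by this script is typically measured in days or weeks; after the change it resets to zero on every shutdown, which is also an easy thing to verify in Task Manager.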

Defensive measures

  • Deactivate unnecessary and insecure features (Flash and other unneeded browser plug-ins in particular)
  • Remove local administrator rights from standard user accounts
  • Grant only the rights within the network that are absolutely necessary
  • Apply software updates regularly
  • Check network traffic and activity logs for anomalies
  • Follow best practices for the use of PowerShell (e.g. script block logging, restricting who may run it)
  • Change passwords after an attack has been uncovered
  • Train employees
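Two of the items above, logging and PowerShell best practice, can be made concrete in a few lines. The script below is an added example and not part of the article: it enables PowerShell script block logging via the same registry setting the corresponding Group Policy writes, then hunts the resulting events (ID 4104, which carry the decoded text of every script block, including -EncodedCommand payloads) for the commands fileless loaders typically use. The indicator strings and the function name are my own assumptions; tune the list to your environment.

```powershell
# Added example (not from the original article). Enables script block
# logging and hunts the resulting events for loader-like PowerShell usage.
# Run from an elevated PowerShell session.

# 1. Turn on script block logging. This is the registry value behind the
#    Group Policy "Turn on PowerShell Script Block Logging". From now on,
#    Event ID 4104 in Microsoft-Windows-PowerShell/Operational records the
#    decoded text of every script block, so an -EncodedCommand payload shows
#    up in clear text.
$logKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $logKey -Force | Out-Null
Set-ItemProperty -Path $logKey -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. Strings that are rare in legitimate admin scripts but common in
#    in-memory loaders (assumed list; extend or prune for your estate).
$indicators = @(
    'Set-ExecutionPolicy', '-EncodedCommand', 'Bypass', 'Invoke-Expression', 'IEX',
    'DownloadString', 'FromBase64String', 'Reflection.Assembly', 'VirtualAlloc'
)

function Find-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Property layout of 4104: [0] MessageNumber, [1] MessageTotal,
        # [2] ScriptBlockText, [3] ScriptBlockId, [4] Path
        $text = [string]$_.Properties[2].Value
        $hits = @($indicators | Where-Object { $text -match [regex]::Escape($_) })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = $_.UserId
                Indicators = ($hits -join ', ')
                Snippet    = $text.Substring(0, [Math]::Min(100, $text.Length)).Replace("`n", ' ')
            }
        }
    }
}

Find-SuspiciousScriptBlocks -Hours 24 | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Long script blocks are split across several 4104 events (MessageNumber of MessageTotal), so a real detection pipeline should reassemble them by ScriptBlockId before matching; for a quick triage the per-fragment match above is usually enough. Pair this with process-creation logging so that the parent process (a browser or plug-in host spawning powershell.exe) is visible next to the decoded script.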