Virus scanners cannot detect the malware because nothing is written to the hard drive: the malicious code stays in RAM and abuses legitimate system tools to attack and plant further code. Flash, javaw.exe and iexplore.exe are ideal hosts for this.
There are a few ways to launch fileless malware attacks, for example through malicious banners (malvertising). When users click on the banner, they are redirected to a website that, at first glance, seems legitimate. Malvertising can infect individual websites, but it can just as easily take over an entire advertising network and thereby spread the malicious code widely.
Flash, which has a number of vulnerabilities, is then used to continue the attack. Flash invokes Windows PowerShell to run a script from the command line, but in this case the script executes only in RAM, where the malicious code (e.g. a botnet) is loaded and run directly.
The execution of PS1 scripts is regulated by the system's execution policy. However, if the malware author enters the command set-executionpolicy Unrestricted and answers the confirmation prompt with “A” for “all”, any script can be executed.
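The following PowerShell snippet is an added example, not part of the original article, showing what a defender can do about the execution-policy change described above: audit the policy in every scope, set it back to a restrictive value, and switch on Script Block Logging so that scripts which never touch the disk still leave a trace in the event log. The registry path for Script Block Logging and the event ID 4104 are the real ones Windows uses; the script assumes it is run from an elevated PowerShell on Windows 10.

```powershell
# Added example (not from the original article): audit the PowerShell execution
# policy and enable Script Block Logging so that in-memory scripts are recorded.
# Run from an elevated (administrator) PowerShell session.

# 1. Show the effective execution policy for every scope. A script that runs
#    "Set-ExecutionPolicy Unrestricted" changes the LocalMachine or CurrentUser scope.
Get-ExecutionPolicy -List

# 2. Restore a restrictive machine-wide policy. RemoteSigned requires downloaded
#    scripts to be signed; AllSigned requires every script to be signed.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

# 3. Enable Script Block Logging (the same registry value Group Policy writes).
#    With it on, every script block PowerShell compiles, including ones that
#    exist only in RAM, is written to the Microsoft-Windows-PowerShell/Operational
#    log as event ID 4104.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 4. Review recent script blocks and flag any that tried to loosen the policy.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 200 |
    Where-Object { $_.Message -match 'Set-ExecutionPolicy' } |
    Select-Object TimeCreated, Message
```

The execution policy is a safety feature rather than a security boundary: Microsoft documents that it can be overridden for a single PowerShell session, so step 3 (logging) is the part that actually gives you detection. Feed the 4104 events to your SIEM rather than reading them by hand.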
When a computer is restarted, the RAM is normally cleared and the fileless malware can be stopped in its tracks. However, Windows 10 has introduced a quick start mode that significantly reduces boot times. If this mode is active, the computer never fully shuts down. On the next start, instead of booting from scratch, the system reads the previously saved kernel and driver state (hiberfil) back into main memory, so the last system state is restored from this image and parts of the malicious code may be reloaded with it. For this reason, it must be ensured that the system is completely shut down and restarted every time. There are several ways to do this:
Open the command prompt and select “Run as administrator”. Enter
and restart the PC. You can also create a batch file with
Alternatively, you can enter the command in the Run dialog, which opens with Windows + R.
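As an added example (not from the original article), the PowerShell script below covers the whole procedure above: it checks whether the quick start mode (Windows calls it Fast Startup) is enabled, disables it, and forces a full shutdown so that nothing from the previous session is resumed from hiberfil.sys. The registry value HiberbootEnabled and the powercfg and shutdown switches are the real Windows ones; the script assumes Windows 10 and an elevated PowerShell.

```powershell
# Added example (not from the original article): detect and disable Fast Startup,
# then perform a full shutdown. Run from an elevated (administrator) PowerShell.

# 1. Fast Startup is controlled by the HiberbootEnabled value: 1 = on, 0 = off.
$powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
$state = Get-ItemProperty -Path $powerKey -Name HiberbootEnabled -ErrorAction SilentlyContinue
if ($null -eq $state) {
    Write-Output 'HiberbootEnabled is not set; Fast Startup follows the Windows default (on when hibernation is available).'
} elseif ($state.HiberbootEnabled -eq 1) {
    Write-Output 'Fast Startup is enabled: a normal shutdown keeps the kernel image in hiberfil.sys.'
} else {
    Write-Output 'Fast Startup is disabled: shutdown fully clears RAM.'
}

# 2. Disable Fast Startup permanently by clearing the flag ...
Set-ItemProperty -Path $powerKey -Name HiberbootEnabled -Value 0 -Type DWord
# ... and, optionally, turn hibernation off altogether, which deletes hiberfil.sys
#     and with it the image that Fast Startup resumes from.
powercfg /hibernate off

# 3. Force a complete shutdown right now. The /s switch always performs a full
#    shutdown (not a hibernate-based one), even while Fast Startup is enabled;
#    /t 0 removes the default delay.
shutdown /s /t 0
```

Save the block as a .ps1 file (or the last line alone as a .bat file) for the batch-file variant mentioned above. Note that choosing Restart rather than Shut down in the Start menu also bypasses Fast Startup, whereas the Start menu's Shut down does not while HiberbootEnabled is 1.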