Be on the lookout for fileless malware, warns Trend Micro

Infosec pros spend most of their time dealing with the usual threats that pop up on networks every day. Attackers, on the other hand, spend their time figuring out new ways to evade detection. One of the newest is fileless malware, designed to evade sandbox defences looking for signatures.

Trend Micro has detected an example of this new threat which, while it doesn’t have much impact in itself, is a warning of what’s coming.

The security vendor dubs this particular trojan JS_POWMET. The attack starts by infecting the Windows Registry (Trend Micro suspects the trojan is downloaded by users who visit malicious sites, or arrives as a file dropped by other malware), which adds an autostart registry entry. That entry pulls in JS_POWMET from a command and control server. The registry alteration allows arbitrary scripts to be executed without saving the XML file on the machine.
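Defenders can review autostart registry entries for the pattern described above: a command that launches a script host or points at a remote server. This is an added example, not code from Trend Micro or the original article. It assumes the output of `reg query` on the Run keys has been saved as text; the sample data, the script-host shortlist and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout `reg query` prints; all names, paths and hosts are made up.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    wscript.exe <constructed-args> https://c2.example.invalid/entry.xml
    Notes App    REG_SZ    C:\Tools\notes.exe --open http-notes.txt

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Helper    REG_EXPAND_SZ    powershell.exe -WindowStyle Hidden -File C:\Users\Public\task.ps1
"""

VALUE_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Assumption: a reviewer's shortlist of built-in Windows binaries that can run scripts.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe"}

def launched_binary(command):
    """Return the lower-cased file name of the first token of an autostart command."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    if not m:
        return ""
    name = (m.group(1) or m.group(2)).replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name if "." in name else name + ".exe"

def find_suspicious_autoruns(reg_query_output):
    """Return (key, value name, reasons) for each entry worth a manual look."""
    findings, key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):      # a key header precedes its values
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        reasons = []
        binary = launched_binary(m["data"])
        if binary in SCRIPT_HOSTS:
            reasons.append(f"script host: {binary}")
        reasons += [f"remote URL: {u}" for u in URL_RE.findall(m["data"])]
        if reasons:
            findings.append((key, m["name"], reasons))
    return findings

if __name__ == "__main__":
    for key, name, reasons in find_suspicious_autoruns(SAMPLE):
        print(f"{key}\\{name}: {'; '.join(reasons)}")
```

A hit is a prompt for manual review, not a verdict: legitimate software also registers script hosts at startup, and unquoted paths containing spaces are not resolved by this parser.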

Once JS_POWMET is executed, it downloads another file, TROJ_PSINJECT, a PowerShell script that runs under the PowerShell process. TROJ_PSINJECT will connect to a website to download a normal file called favicon. That file will then be decrypted and injected into its process using ReflectivePELoader, which is used for injecting EXE/DLL files.

Figure 1 (Trend Micro graphic)

A number of routines end up being executed by the malware using PowerShell commands. Among other things, the malware gathers system information including administrator privileges, Root Volume Serial Number, operating system version and IP address. But Trend Micro warns that the JS_POWMET authors can easily add more malware.

Trend Micro says one of the more effective methods for mitigating fileless malware is to limit access to critical infrastructure via container-based systems that separate endpoints from the most important parts of the network. For this specific malware, look into disabling PowerShell itself if it is clear other Windows components don’t need it.


“Organizations and users should always look beyond the obvious malware files and always be on the lookout for “stealthy” malware that manages to slip into the system virtually unnoticed,” the vendor warns.

Howard Solomon