Infosec pros spend most of their time dealing with the usual threats that pop up on networks every day. Attackers, on the other hand, spend their time figuring out new ways to evade detection. One of the newest is fileless malware, designed to evade sandbox defences looking for signatures.
Trend Micro has detected an example of this new threat which, while it has little impact in itself, is a warning of what’s coming.
The security vendor dubs this particular trojan JS_POWMET. The attack starts by infecting the Windows Registry (Trend Micro suspects the trojan is downloaded by users who visit malicious sites, or arrives as a file dropped by other malware), adding an autostart registry entry. That entry pulls in JS_POWMET from a command and control server. The registry alteration allows arbitrary scripts to be executed without saving the XML file on the machine.
Once JS_POWMET is executed, it downloads another file, TROJ_PSINJECT, a PowerShell script that runs within the PowerShell process. TROJ_PSINJECT connects to a website to download a seemingly normal file called favicon. That file is then decrypted and injected into the PowerShell process using ReflectivePELoader, which is used for injecting EXE/DLL files.
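As an added illustration (not from the article and not Trend Micro's code), the following PowerShell script audits the standard Run/RunOnce autostart keys for the kind of entry the article describes: one that invokes a script host, or that reaches out to a remote server to fetch its payload. The key list, the indicator patterns and the two sample entries are this example's own assumptions and are not taken from the JS_POWMET analysis; the sample entries are constructed so the check can be exercised on any machine before it is run against the live registry.

```powershell
# Added example, not the article's or Trend Micro's code.
# Flags autostart entries that invoke a script host or reference a URL /
# hidden / encoded invocation. Key names and patterns are assumptions.

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Script hosts and living-off-the-land binaries a benign Run entry rarely needs.
$scriptHosts   = 'powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe'
# Arguments suggesting the entry fetches or hides its real payload.
$suspiciousArgs = 'https?://|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|downloadstring|\biex\b|invoke-expression'

function Test-SuspiciousAutostart {
    param([string]$Name, [string]$Command)
    $reasons = @()
    if ($Command -match $scriptHosts)    { $reasons += 'script host' }
    if ($Command -match $suspiciousArgs) { $reasons += 'remote fetch / hidden / encoded' }
    [pscustomobject]@{
        Name       = $Name
        Command    = $Command
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join ', ')
    }
}

function Get-AutostartFindings {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($valueName in $item.GetValueNames()) {
            # Read REG_EXPAND_SZ values unexpanded so %VAR% tricks stay visible.
            $raw = $item.GetValue($valueName, '',
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            $finding = Test-SuspiciousAutostart -Name "$key\$valueName" -Command "$raw"
            if ($finding.Suspicious) { $finding }
        }
    }
}

# Constructed sample entries (assumed, not real IoCs): one benign, one suspicious.
$samples = @(
    @{ Name = 'OneDrive'; Command = '"C:\Users\me\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background' },
    @{ Name = 'Updater';  Command = 'powershell.exe -nop -w hidden -enc PLACEHOLDER_BASE64' }
)
"Sample entries:"
$samples | ForEach-Object { Test-SuspiciousAutostart -Name $_.Name -Command $_.Command } | Format-Table -AutoSize

"Live autostart findings on this host:"
Get-AutostartFindings | Format-Table -AutoSize
```

The sample run should flag only the `Updater` entry (script host plus hidden and encoded invocation); the benign `OneDrive` entry matches neither pattern. Run as the user whose HKCU hive you want inspected, and with elevation if you also want write access for remediation; reading the keys needs no elevation.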
(Trend Micro graphic)
A number of routines end up being executed by the malware using PowerShell commands. Among other things the malware gathers system information, including whether it has administrator privileges, the Root Volume Serial Number, the operating system version and the IP address. But Trend Micro warns that the JS_POWMET authors can easily add more malware.
Trend Micro says one of the more effective methods for mitigating fileless malware is to limit access to critical infrastructure via container-based systems that separate endpoints from the most important parts of the network. For this specific malware, look into disabling PowerShell itself if it is clear that other Windows components don’t need it.
(For more thoughts about PowerShell see this story)
“Organizations and users should always look beyond the obvious malware files and always be on the lookout for “stealthy” malware that manages to slip into the system virtually unnoticed,” the vendor warns.