A malicious backdoor called BKDR-ANDROM.ETIN is using fileless malware to infect systems through USB flash drives, allowing criminals to conduct attacks without leaving a trace.
Trend Micro researcher Byron Gelera posted details of the backdoor last month, which was used to drop a script that abuses legitimate system functions. The script is a new Trojan called JS_POWMET, which arrives through an autostart registry procedure.
According to Gelera, the infected USB flash drive contains two files, one called 'addddddadadaaddaaddaaaadadddddaddadaaaaadaddaa.addddddadadaaddaaddaaaadadddddadda'; and the other called 'IndexerVolumeGuid'. There may also be a shortcut to a file with the same name as the removable drive, tricking people into clicking it.
Because the malware is loaded into memory, there is no trace of the file being saved on the infected system.
Researchers note that the infection process changes depending on installed version of Windows on the machine. With Windows 10 machines, the infection process is straightforward.
However, earlier versions of Windows are infected with a second backdoor, BKDR_ANDROM.SMRA. Earlier versions are also given different URLs in their registries, although these don’t seem to make any difference in terms of actual behaviour.
Gelera suspects the difference could allow attackers to conduct specific attacks on different operating systems.
“It’s unclear why this second backdoor is installed in a manner that is less sophisticated than the other method used by this attack. It could be a diversion: a researcher or user would be able to find this second backdoor much more easily than the first fileless one. Removing this more obvious backdoor might allow the more stealthy fileless threat to remain undetected,” Gelera says.
In an earlier blog from August, Trend Micro researcher Michael Villanueva discovered that the JS_POWMET Trojan is affecting Asia Pacific countries the most – 90% of infections from the fileless attack are affecting the same region.
Viillanueva says that the Trojan’s damage is ‘relatively light’, he says the malware is an example of how authors can create fileless malware that does its best to avoid detection and analysis.
“It also shows that even relatively uncommon infection methods involving fileless malware continually evolve. Organizations and users should always look beyond the obvious malware files and always be on the lookout for 'stealthy' malware that manages to slip into the system virtually unnoticed,” he says.
He suggests that organisations should limit access to critical infrastructure through containers. These containers can keep endpoints away from critical network areas.
“For this specific malware, IT professionals can also look into disabling Powershell to help mitigate the effects of JS_POWMET and its various payloads,” he concludes.