sb-as logo
Story image

Fileless malware sneaks into Windows machines via USB flash drives

05 Sep 2017

A malicious backdoor called BKDR-ANDROM.ETIN is using fileless malware to infect systems through USB flash drives, allowing criminals to conduct attacks without leaving a trace.

Trend Micro researcher Byron Gelera posted details of the backdoor last month, which was used to drop a script that abuses legitimate system functions. The script is a new Trojan called JS_POWMET, which arrives through an autostart registry procedure.

According to Gelera, the infected USB flash drive contains two files, one called 'addddddadadaaddaaddaaaadadddddaddadaaaaadaddaa.addddddadadaaddaaddaaaadadddddadda'; and the other called 'IndexerVolumeGuid'. There may also be a shortcut to a file with the same name as the removable drive, tricking people into clicking it.

Because the malware is loaded into memory, there is no trace of the file being saved on the infected system.

Researchers note that the infection process changes depending on installed version of Windows on the machine. With Windows 10 machines, the infection process is straightforward. 

However, earlier versions of Windows are infected with a second backdoor, BKDR_ANDROM.SMRA.  Earlier versions are also given different URLs in their registries, although these don’t seem to make any difference in terms of actual behaviour.

Gelera suspects the difference could allow attackers to conduct specific attacks on different operating systems.

“It’s unclear why this second backdoor is installed in a manner that is less sophisticated than the other method used by this attack. It could be a diversion: a researcher or user would be able to find this second backdoor much more easily than the first fileless one. Removing this more obvious backdoor might allow the more stealthy fileless threat to remain undetected,” Gelera says.

In an earlier blog from August, Trend Micro researcher Michael Villanueva discovered that the JS_POWMET Trojan is affecting Asia Pacific countries the most – 90% of infections from the fileless attack are affecting the same region.

Viillanueva says that the Trojan’s damage is ‘relatively light’, he says the malware is an example of how authors can create fileless malware that does its best to avoid detection and analysis.

“It also shows that even relatively uncommon infection methods involving fileless malware continually evolve. Organizations and users should always look beyond the obvious malware files and always be on the lookout for 'stealthy' malware that manages to slip into the system virtually unnoticed,” he says.

He suggests that organisations should limit access to critical infrastructure through containers. These containers can keep endpoints away from critical network areas.

“For this specific malware, IT professionals can also look into disabling Powershell to help mitigate the effects of JS_POWMET and its various payloads,” he concludes.

Story image
Top security threats for 2021
2021 will see several themes develop into full blown security threats, many of them borne from the struggles of pandemic-stricken 2020, writes Wontok head of technology Mick Esber.More
Story image
Palo Alto Networks advances attack surface management with Expanse
"By integrating Expanse's attack surface management capabilities into Cortex after closing, we will be able to offer the first solution that combines the outside view of an organisation's attack surface with an inside view to proactively address all security threats."More
Story image
Malware variants becoming increasingly prevalent, sophisticated and evolved
"The modern threat landscape and ongoing evolution of malware are loud factors pushing every business to understand and identify modern malware threats and the necessary precautions to take to protect against them."More
Story image
A brief history of cyber-threats — from 2000 to 2020
Many significant cybersecurity events have occurred since the year 2000 — not every one of them ‘firsts’, but all of them correlating with a change in security behaviour or protection.More
Story image
Demystifying 'zero trust' and its role in cybersecurity
The principle of ‘zero trust’ in cybersecurity is simple: Trust nothing, and verify everything.More
Story image
Fortinet promises free cybersecurity training until skills gap trend reverses
"We are committed to continue offering the entire catalogue of self-paced Network Security Expert training at no cost until we see the skills gap trend reverse."More