Story image

Fileless malware sneaks into Windows machines via USB flash drives

05 Sep 2017

A malicious backdoor called BKDR-ANDROM.ETIN is using fileless malware to infect systems through USB flash drives, allowing criminals to conduct attacks without leaving a trace.

Trend Micro researcher Byron Gelera posted details of the backdoor last month, which was used to drop a script that abuses legitimate system functions. The script is a new Trojan called JS_POWMET, which arrives through an autostart registry procedure.

According to Gelera, the infected USB flash drive contains two files, one called 'addddddadadaaddaaddaaaadadddddaddadaaaaadaddaa.addddddadadaaddaaddaaaadadddddadda'; and the other called 'IndexerVolumeGuid'. There may also be a shortcut to a file with the same name as the removable drive, tricking people into clicking it.

Because the malware is loaded into memory, there is no trace of the file being saved on the infected system.

Researchers note that the infection process changes depending on installed version of Windows on the machine. With Windows 10 machines, the infection process is straightforward. 

However, earlier versions of Windows are infected with a second backdoor, BKDR_ANDROM.SMRA.  Earlier versions are also given different URLs in their registries, although these don’t seem to make any difference in terms of actual behaviour.

Gelera suspects the difference could allow attackers to conduct specific attacks on different operating systems.

“It’s unclear why this second backdoor is installed in a manner that is less sophisticated than the other method used by this attack. It could be a diversion: a researcher or user would be able to find this second backdoor much more easily than the first fileless one. Removing this more obvious backdoor might allow the more stealthy fileless threat to remain undetected,” Gelera says.

In an earlier blog from August, Trend Micro researcher Michael Villanueva discovered that the JS_POWMET Trojan is affecting Asia Pacific countries the most – 90% of infections from the fileless attack are affecting the same region.

Viillanueva says that the Trojan’s damage is ‘relatively light’, he says the malware is an example of how authors can create fileless malware that does its best to avoid detection and analysis.

“It also shows that even relatively uncommon infection methods involving fileless malware continually evolve. Organizations and users should always look beyond the obvious malware files and always be on the lookout for 'stealthy' malware that manages to slip into the system virtually unnoticed,” he says.

He suggests that organisations should limit access to critical infrastructure through containers. These containers can keep endpoints away from critical network areas.

“For this specific malware, IT professionals can also look into disabling Powershell to help mitigate the effects of JS_POWMET and its various payloads,” he concludes.

Cloud application attacks in Q1 up by 65% - Proofpoint
Proofpoint found that the education sector was the most targeted of both brute-force and sophisticated phishing attempts.
Singapore firm to launch borderless open data sharing platform
Singapore-based Ocean Protocol, a decentralised data exchange that promotes data sharing, has revealed details of what could be the kickstart to a global and borderless data economy.
Huawei picks up accolades for software-defined camera ecosystem
"The company's software defined capabilities enable it to future-proof its camera ecosystem and greatly lower the total cost of ownership (TCO), as its single camera system is applicable to a variety of application use cases."
Barracuda expands MSP security offerings with RMM acquisition
Managed Workplace delivers an RMM platform with security tools and services, such as site security assessments, Office 365 account management, and integrated third-party antivirus.
Flashpoint: APAC companies must factor geopolitics in cyber strategies
The diverse geopolitical and economic interests of the states in the region play a significant role in driving and shaping cyber threat activity against entities operating in APAC.
Expert offers password tips to aid a stress-free sleep
For many cybersecurity professionals, the worries of the day often crawl into night-time routines - LogMeIn says better password practices can help.
SolarWinds extends database anomaly detection
As organisations continue their transition from purely on-premises operations into both private and public cloud infrastructures, adapting their IT monitoring and management capabilities can pose a significant challenge.
Adura launches new SOC and MSP in Singapore
The new SOC focuses on the needs of businesses to gain insight into their organization’s security posture and increase their ability to react promptly.