Story image

Fileless malware sneaks into Windows machines via USB flash drives

05 Sep 17

A malicious backdoor called BKDR-ANDROM.ETIN is using fileless malware to infect systems through USB flash drives, allowing criminals to conduct attacks without leaving a trace.

Trend Micro researcher Byron Gelera posted details of the backdoor last month, which was used to drop a script that abuses legitimate system functions. The script is a new Trojan called JS_POWMET, which arrives through an autostart registry procedure.

According to Gelera, the infected USB flash drive contains two files, one called 'addddddadadaaddaaddaaaadadddddaddadaaaaadaddaa.addddddadadaaddaaddaaaadadddddadda'; and the other called 'IndexerVolumeGuid'. There may also be a shortcut to a file with the same name as the removable drive, tricking people into clicking it.

Because the malware is loaded into memory, there is no trace of the file being saved on the infected system.

Researchers note that the infection process changes depending on installed version of Windows on the machine. With Windows 10 machines, the infection process is straightforward. 

However, earlier versions of Windows are infected with a second backdoor, BKDR_ANDROM.SMRA.  Earlier versions are also given different URLs in their registries, although these don’t seem to make any difference in terms of actual behaviour.

Gelera suspects the difference could allow attackers to conduct specific attacks on different operating systems.

“It’s unclear why this second backdoor is installed in a manner that is less sophisticated than the other method used by this attack. It could be a diversion: a researcher or user would be able to find this second backdoor much more easily than the first fileless one. Removing this more obvious backdoor might allow the more stealthy fileless threat to remain undetected,” Gelera says.

In an earlier blog from August, Trend Micro researcher Michael Villanueva discovered that the JS_POWMET Trojan is affecting Asia Pacific countries the most – 90% of infections from the fileless attack are affecting the same region.

Viillanueva says that the Trojan’s damage is ‘relatively light’, he says the malware is an example of how authors can create fileless malware that does its best to avoid detection and analysis.

“It also shows that even relatively uncommon infection methods involving fileless malware continually evolve. Organizations and users should always look beyond the obvious malware files and always be on the lookout for 'stealthy' malware that manages to slip into the system virtually unnoticed,” he says.

He suggests that organisations should limit access to critical infrastructure through containers. These containers can keep endpoints away from critical network areas.

“For this specific malware, IT professionals can also look into disabling Powershell to help mitigate the effects of JS_POWMET and its various payloads,” he concludes.

Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."
Businesses too slow on attack detection – CrowdStrike
The 2018 CrowdStrike Services Cyber Intrusion Casebook reveals IR strategies, lessons learned, and trends derived from more than 200 cases.
What disaster recovery will look like in 2019
“With nearly half of all businesses experiencing an unrecoverable data event in the last three years, current backup solutions are no longer fit for purpose."
Proofpoint launches feature to identify most targeted users
“One of the largest security industry misconceptions is that most cyberattacks target top executives and management.”
McAfee named Leader in Magic Quadrant an eighth time
The company has been once again named as a Leader in the Gartner Magic Quadrant for Security Information and Event Management.
Symantec and Fortinet partner for integration
The partnership will deliver essential security controls across endpoint, network, and cloud environments.
Is Supermicro innocent? 3rd party test finds no malicious hardware
One of the larger scandals within IT circles took place this year with Bloomberg firing shots at Supermicro - now Supermicro is firing back.
25% of malicious emails still make it through to recipients
Popular email security programmes may fail to detect as much as 25% of all emails with malicious or dangerous attachments, a study from Mimecast says.