Threat Management, Malware

JS_POWMET malware is 100% fileless, from infection to payload

A newly observed Windows malware called JS_POWMET features an end-to-end fileless infection chain, installing itself without a trace on the hard drive by compromising an autostart registry procedure.

Such discoveries are rare, explains Trend Micro in a Wednesday blog post, because most fileless malware programs are technically only fileless when first infecting a user's system. Upon actually executing the main malicious payload, they typically end up themselves, the post continues.

But not JS_POWMET, which leaves no evidence of on the machine itself, making it difficult for researchers to analyze it.

In its blog post, Trend Micro describes how JS_POWMET is downloaded as an XML file with malicious JavaScript, via an autostart registry entry:

"In this method, a URL was given to regsvr32 [the Microsoft Register Server] as a parameter, which will make regsvr32 capable of fetching the file... found on the URL. Due to this routine, regsvr32 will become capable of executing arbitrary scripts without saving the XML file on the machine/system. In particular, whenever the affected machine starts up, it will automatically download the malicious file from its Command & Control (C&C) server," the blog post states.

Next, JS_POWMET downloads a secondary file, a Powershell script called TROJ_PSINJECT, which connects to a website from which a file called favicon is downloaded. "The favicon file will then be decrypted and injected into its process using ReflectivePELoader, which is used for injecting EXE/DLL files," the blog post continues.

According to Trend Micro researchers, nearly 90 percent of JS_POWMET infections have affected targets in the Asia-Pacific region. In all likelihood, most infections occur due to either malware droppers or from visiting malicious sites.

"While JS_POWMET and the rest of the files it downloads are relatively light in terms of impact, this malware demonstrates the lengths cybercriminals will go to avoid detection and analysis," wrote blog post author Michael Villanueva, Trend Micro threat research engineer. "It also shows that even relatively uncommon infection methods involving fileless malware continually evolve."

To mitigate such threats, Trend Micro recommends use container-based systems to limit access to important infrastructure, as well as disabling Powershell.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.