JS_POWMET malware is 100% fileless, from infection to payload

Discussion in 'malware problems & news' started by itman, Aug 2, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,775
    Location:
    U.S.A.
    https://www.scmagazine.com/search/Trend Micro/
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,775
    Location:
    U.S.A.
    Do the regsvr32 command line options look familiar, folks?
    http://blog.trendmicro.com/trendlab...e/look-js_powmet-completely-fileless-malware/
     
  3. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    234
  4. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,354
    The culprit is PowerShell. Disable it or remove it to mitigate fileless malware attacks.
     
  5. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,813
    Location:
    Europe then Asia
    There are several techniques to load PowerShell scripts without powershell.exe.
    This malware could be modified to do so.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,775
    Location:
    U.S.A.
    You stop malware like this by using a security solution that monitors what is written to registry run and run once keys. Anything after that point is a losing effort.
     
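An added example, not part of the thread: a PowerShell audit of the Run and RunOnce keys that post 6 says a security solution should watch, flagging autostart values that look like the fileless loaders discussed here (PowerShell launched at logon, regsvr32 pulling a remote scriptlet). The key list and the suspicious-pattern list are this example's own assumptions, not something from the Trend Micro write-up.

```powershell
# Added example (not from the thread): audit Run/RunOnce autostart entries for
# command lines typical of fileless loaders. Run from an elevated prompt to
# cover the HKLM hives as well as the current user's.
$AutostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Regexes a defender would treat as worth a second look in an autostart value.
# This list is an assumption of the example; tune it to your environment.
$SuspiciousPatterns = @(
    'powershell(\.exe)?\s',        # PowerShell started at logon
    '-e(nc|ncodedcommand)?\s',     # base64-encoded PowerShell command
    'regsvr32(\.exe)?\s.*/i:',     # regsvr32 handed a scriptlet via /i:
    'scrobj\.dll',                 # the scriptlet COM host regsvr32 loads
    'https?://'                    # any URL in an autostart value
)

function Get-SuspiciousAutostart {
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata Get-ItemProperty adds
            if ($p.Name -like 'PS*') { continue }
            $cmd  = [string]$p.Value
            $hits = @($SuspiciousPatterns | Where-Object { $cmd -match $_ })
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $p.Name
                    Command = $cmd
                    Matched = ($hits -join ', ')
                }
            }
        }
    }
}

Get-SuspiciousAutostart | Format-List
```

Pattern matching only catches the obvious forms; as post 5 notes, a loader can avoid powershell.exe altogether, so the stronger control is the one post 6 describes: alert on any new value written to these keys, whatever it contains.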
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    7,837
    Location:
    U.S.A. (South)