Story image

Fileless malware sneaks into Windows machines via USB flash drives

05 Sep 2017

A malicious backdoor called BKDR-ANDROM.ETIN is using fileless malware to infect systems through USB flash drives, allowing criminals to conduct attacks without leaving a trace.

Trend Micro researcher Byron Gelera posted details of the backdoor last month, which was used to drop a script that abuses legitimate system functions. The script is a new Trojan called JS_POWMET, which arrives through an autostart registry procedure.

According to Gelera, the infected USB flash drive contains two files, one called 'addddddadadaaddaaddaaaadadddddaddadaaaaadaddaa.addddddadadaaddaaddaaaadadddddadda'; and the other called 'IndexerVolumeGuid'. There may also be a shortcut to a file with the same name as the removable drive, tricking people into clicking it.

Because the malware is loaded into memory, there is no trace of the file being saved on the infected system.

Researchers note that the infection process changes depending on installed version of Windows on the machine. With Windows 10 machines, the infection process is straightforward. 

However, earlier versions of Windows are infected with a second backdoor, BKDR_ANDROM.SMRA.  Earlier versions are also given different URLs in their registries, although these don’t seem to make any difference in terms of actual behaviour.

Gelera suspects the difference could allow attackers to conduct specific attacks on different operating systems.

“It’s unclear why this second backdoor is installed in a manner that is less sophisticated than the other method used by this attack. It could be a diversion: a researcher or user would be able to find this second backdoor much more easily than the first fileless one. Removing this more obvious backdoor might allow the more stealthy fileless threat to remain undetected,” Gelera says.

In an earlier blog from August, Trend Micro researcher Michael Villanueva discovered that the JS_POWMET Trojan is affecting Asia Pacific countries the most – 90% of infections from the fileless attack are affecting the same region.

Viillanueva says that the Trojan’s damage is ‘relatively light’, he says the malware is an example of how authors can create fileless malware that does its best to avoid detection and analysis.

“It also shows that even relatively uncommon infection methods involving fileless malware continually evolve. Organizations and users should always look beyond the obvious malware files and always be on the lookout for 'stealthy' malware that manages to slip into the system virtually unnoticed,” he says.

He suggests that organisations should limit access to critical infrastructure through containers. These containers can keep endpoints away from critical network areas.

“For this specific malware, IT professionals can also look into disabling Powershell to help mitigate the effects of JS_POWMET and its various payloads,” he concludes.

Norwegian aluminium manufacturer hit hard by LockerGoga ransomware attack
“IT systems in most business areas are impacted and Hydro is switching to manual operations as far as possible.”
Slack doubles down on enterprise key management
EKM adds an extra layer of protection so customers can share conversations, files, and data while still meeting their own risk mitigation requirements.
Security professionals want to return fire – Venafi
Seventy-two percent of professionals surveyed believe nation-states have the right to ‘hack back’ cybercriminals.
Alcatraz AI to replace corporate badges with AI security
The Palo Alto-based startup supposedly leverages facial recognition, 3D sensing, and machine learning to enable secure access control.
Unencrypted Gearbest database leaves over 1.5mil shoppers’ records exposed
Depending on the countries and information requirements, the data could give hackers access to online government portals, banking apps, and health insurance records.
Mozilla launches Firefox Send, an encrypted file transfer service
Mozille Firefox has launched a free encrypted file transfer service that allows people to securely share files from any web browser – not just Firefox.
Ransomware’s decline equals cryptomining’s rise
ESET’s Security Days Conference recently took place to go over the current threat environment and what to look out for next.
IoT and DDoS attacks: A match made in heaven
A10 Network’s Adrian Taylor uses findings from a number of reports to illustrate his point that advances in technology are facilitating cybercrime.