USB Malware Implicated in Fileless Attacks
We discussed a backdoor being installed filelessly onto a target system using JS_POWMET.DE, a script that abused legitimate functions. We recently learned the exact arrival method of this backdoor. As it turned out, it arrived via USB flash disks.
Updated on August 30, 2017, 10:30 p.m. PDT to clarify details regarding its propagation routine.
In early August we discussed a case where a backdoor (BKDR_ANDROM.ETIN) was being installed filelessly onto a target system using JS_POWMET.DE, a script that abused various legitimate functions. At the time, we did not know how the threat arrived onto the target machine. We speculated that it was either downloaded by users or dropped by other malware.
We recently learned the exact arrival method of this backdoor. As it turned out, we were wrong: it was neither dropped nor downloaded. Instead, it arrived via USB flash disks.
Technical Details
The USB flash disk contains two malicious files (both detected as TROJ_ANDROM.SVN), which are named:
A shortcut with the target path %System%\cmd.exe /c start rundll32 {DLL file with long file name},{DLL’s export function} may also be used. These shortcut files may appear to have the same name as the removable drive, tricking the user into clicking them. (We detect these shortcuts as LNK_GAMARUE.YYMN.)
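As an added example (not code from the original post or from Trend Micro), the following Python reads the LocalBasePath and StringData sections of a .lnk file and flags the two indicators described above: a target chain of cmd.exe /c start rundll32, or a shortcut named after the removable drive. The sample shortcut bytes and the names inside it (USB_DRIVE, aVeryLongDllName.dll, Entry) are constructed for this example.

```python
import re
import struct

HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80   # LinkFlags bits (MS-SHLLINK)
# StringData sections, in file order, with the LinkFlags bit that says each one is present
STRING_DATA = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location")]

def parse_lnk(data: bytes) -> dict:
    """Return the target path and StringData fields of a shell link (.lnk) file."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    fields, pos = {}, 0x4C
    if flags & HAS_ID_LIST:                        # skip LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfo carries LocalBasePath
        size, _, li_flags, _, base_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 0x1:                         # VolumeIDAndLocalBasePath
            end = data.index(b"\x00", pos + base_off)
            fields["target"] = data[pos + base_off:end].decode("cp1252")
        pos += size
    for bit, key in STRING_DATA:                   # CountCharacters + string, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return fields

# The cmd.exe /c start rundll32 <dll>,<export> chain used by the USB shortcuts
RUNDLL_CHAIN = re.compile(r"cmd(\.exe)?\s+/c\s+start\s+rundll32\b", re.I)

def is_suspicious_shortcut(lnk_filename: str, volume_label: str, fields: dict) -> bool:
    """Flag a .lnk whose command launches rundll32 via cmd.exe, or that masquerades as the drive."""
    target = fields.get("target") or fields.get("relative_path", "")
    if RUNDLL_CHAIN.search(f"{target} {fields.get('arguments', '')}"):
        return True
    stem = lnk_filename.rsplit(".", 1)[0]
    return stem.casefold() == volume_label.casefold()

def build_sample_lnk(target: str, arguments: str) -> bytes:
    """Constructed minimal shortcut for testing: header + LinkInfo(LocalBasePath) + Arguments."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")
    header = struct.pack("<I16sI", 0x4C, clsid, HAS_LINK_INFO | 0x20 | IS_UNICODE).ljust(0x4C, b"\x00")
    base = target.encode("cp1252") + b"\x00"
    li = struct.pack("<7I", 0x1C + len(base) + 1, 0x1C, 0x1, 0, 0x1C, 0, 0x1C + len(base)) + base + b"\x00"
    return header + li + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
```

On a real removable drive, feed the bytes of each .lnk in its root to parse_lnk and compare the shortcut name against the drive's volume label.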
The results of the decryption are then loaded into memory and run. The decryptor's filename serves as the encryption key in this instance. No file is actually saved onto the affected system.
The decrypted code is responsible for creating the autostart registry entry that served as the starting point for our previous analysis. We won’t recap the entire infection chain here; we’ll instead note that the end result was the installation of a backdoor detected as BKDR_ANDROM.ETIN. None of this changed.
Figure 1. Infection chain
Two things are worth noting here. First, the process differs slightly based on the version of Windows installed. The process is relatively straightforward for Windows 10—the registry entry is created, eventually leading to the download and execution of a backdoor onto the affected system. On earlier versions of Windows, however, there is an additional step: a second backdoor (detected as BKDR_ANDROM.SMRA) is also dropped in the %AppData% folder, with the filename ee{8 random characters}.exe. A shortcut to it is also created in the user startup folder, ensuring that this second backdoor is automatically executed.
One more thing to note is that the URL contained in the created registry entries differs—one URL is used for Windows 10, another for earlier versions of Windows. While we didn’t see any difference in the actual behavior, this could allow for different attacks to be delivered based on the user's operating system.
It's unclear why this second backdoor is installed in a manner that is less sophisticated than the other method used by this attack. It could be a diversion: a researcher or user would be able to find this second backdoor much more easily than the first fileless one. Removing this more obvious backdoor might allow the more stealthy fileless threat to remain undetected.
Trend Micro solutions
Trend Micro endpoint solutions such as Trend Micro™ Security, OfficeScan, and Worry-Free Business Security all include behavior monitoring to detect fileless malware attacks. This helps organizations spot malicious behavior and block the malware before that behavior is executed. OfficeScan also offers a device control feature that can prevent USB and optical drives from being accessed, preventing an attack similar to the one discussed in this post.
Trend Micro™ OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware. The following SHA-256 hashes are connected to this attack: