Powmet, discovered by Trend Micro, is an entirely fileless trojan malware which makes it much more difficult to detect and analyze. The trojan is likely downloaded to victims' devices via malicious websites or a malware downloader, though analysts are still unsure of the exact infection vector. What is known is that the trojan is injected via an autostart registry entry. Upon machine boot-up, a malicious file is automatically downloaded from the C2 server. Once Powmet executes, it downloads a PowerShell script file, "PSINJECT," that connects to a malicious site and downloads a non-malicious file, "Favicon." Favicon is decrypted and injected into its process using ReflectivePELoader. It is then decrypted using a RC4 key which results in a DLL file called "BKDR_ANDROM," which is also fileless as it is injected into the powershell.exe process. After successful injection, BKDR_ANDROM retrieves the following data: root volume serial number, operating system version, local IP address, and administrator privileges.
Ninety percent of known Powmet infections are located in the Asia-Pacific region. The threat actors responsible for this trojan have gone to great lengths to evade detection and analysis. All of the routines are executed using PowerShell commands and Powmet adds registry entries into the system to ensure it executes during startup. Users and administrators are recommended to limit access to critical infrastructure via container-based systems that separate endpoints from critical nodes on the network, and disable PowerShell to mitigate Powmet and other malicious payloads delivered via PowerShell.
August 2017: Trend Micro reported that the Pownet trojan is delivered via an infected USB drive. (Trend Micro)
- Trend Micro provides technical analysis of the Powmet trojan, here.