A trojan is leveraging infected USB flash disks to help spread fileless malware that abuses legitimate functions on a compromised system. The baddy, which Trend Micro detects as "TROJ_ANDROM.SVN," conceals itself within two malicious files on an infected USB. These files are called "addddddadadaaddaaddaaaadadddddaddadaaaaadaddaa.addddddadadaaddaaddaaaadadddddadda" and "IndexerVolumeGuid." Alternatively, the trojan may use shortcut files, detected as "LNK_GAMARUE.YYMN," that appear to have the same name as the USB flash disk and thereby trick a user into clicking on them. In either case, clicking the malicious files decrypts some code, loads the result into memory, and runs it. This process, in turn, creates the autostart registry key responsible for loading JS_POWMET.DE, malware which ultimately installs a backdoor known as BKDR_ANDROM.
[Figure: Infection chain. (Source: Trend Micro)]

Trend Micro first detected JS_POWMET.DE back in early August 2017. At the time, its researchers had no idea how the malware arrived on a machine. They reasoned it relied on malicious sites or other malware infections for distribution. Now the researchers know that an infected USB device is involved. But as pointed out by Trend Micro's Byron Gelera, it's not that simple. He explains there's more to this initial attack sequence than meets the eye:
"Two things are worth noting here. First, the process differs slightly based on the version of Windows installed. The process is relatively straightforward for Windows 10—the registry entry is created, eventually leading to the download and execution of a backdoor onto the affected system. On earlier versions of Windows, however, there is an additional step: a second backdoor (detected as BKDR_ANDROM.SMRA) is also dropped in the %AppData% folder, with the filename ee{8 random characters}.exe. A shortcut to it is also created in the user startup folder, ensuring that this second backdoor is automatically executed."
Gelera feels this additional step of installing a second backdoor via less sophisticated means could be designed to divert a researcher's attention away from the fileless malware. To protect against JS_POWMET.DE, users should not plug any suspicious USB drives into their computers. If for some reason they need to connect an unknown flash disk, they should make sure to install an anti-virus solution on their machines and use that software to scan the USB drive's files for malware before clicking on anything.
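A defender-side hunt for the artifacts described above, written here as an added example (it is not Trend Micro's or the article's code): it evaluates a constructed file inventory against the two USB file names, the pre-Windows 10 backdoor name %AppData%\ee{8 random characters}.exe, and a Startup-folder shortcut whose target is such a file. The user folders, the inventory records and the sample paths are assumed inputs; paths are handled with ntpath so the check runs on any OS.

```python
import ntpath
import re

# Artifacts named in the write-up above (lower-cased, because ntpath.normcase
# lower-cases every path before comparison).
USB_DROPPER_NAMES = {
    "addddddadadaaddaaddaaaadadddddaddadaaaaadaddaa.addddddadadaaddaaddaaaadadddddadda",
    "indexervolumeguid",
}
# Second backdoor on pre-Windows 10 hosts: %AppData%\ee{8 random characters}.exe
BACKDOOR_NAME = re.compile(r"^ee[0-9a-z]{8}\.exe$")


def _split(path):
    """Return (folder, name) of a Windows path, normalised for comparison."""
    return ntpath.split(ntpath.normcase(ntpath.normpath(path)))


def _is_appdata_backdoor(path, appdata):
    folder, name = _split(path)
    expected = ntpath.normcase(ntpath.normpath(appdata))
    return folder == expected and BACKDOOR_NAME.match(name) is not None


def hunt(inventory, appdata, startup):
    """Flag inventory entries matching the persistence chain described above.

    inventory: list of dicts with 'path'; shortcut entries also carry 'target'.
    appdata / startup: this user's %AppData% and Startup folders (assumed inputs).
    Returns a list of (reason, original_path) tuples.
    """
    startup_norm = ntpath.normcase(ntpath.normpath(startup))
    hits = []
    for entry in inventory:
        path = entry["path"]
        folder, name = _split(path)
        if name in USB_DROPPER_NAMES:
            hits.append(("usb_dropper_file", path))
        elif _is_appdata_backdoor(path, appdata):
            hits.append(("appdata_backdoor", path))
        elif folder == startup_norm and name.endswith(".lnk") \
                and _is_appdata_backdoor(entry.get("target", ""), appdata):
            hits.append(("startup_shortcut_to_backdoor", path))
    return hits


# Constructed sample: one USB root file, one real-looking backdoor, one decoy
# name that is too long for the ee{8}.exe pattern, and two Startup shortcuts.
APPDATA = r"C:\Users\alice\AppData\Roaming"
STARTUP = APPDATA + r"\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_INVENTORY = [
    {"path": r"E:\IndexerVolumeGuid"},
    {"path": APPDATA + r"\eeA1b2C3d4.exe"},
    {"path": APPDATA + r"\eetoolong123.exe"},
    {"path": STARTUP + r"\Updater.lnk", "target": APPDATA + r"\eeA1b2C3d4.exe"},
    {"path": STARTUP + r"\OneDrive.lnk", "target": r"C:\Program Files\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for reason, path in hunt(SAMPLE_INVENTORY, APPDATA, STARTUP):
        print(f"{reason}: {path}")
```

On a live host the inventory would come from a directory walk of the user's profile and any mounted removable drives, with shortcut targets read from the .lnk files.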