Fileless Trojan JS_POWMET and Cryptocurrency Miner TROJ64_COINMINER

LONDON, UK. – August 29, 2017 – We have previously written about the growing popularity of fileless attacks: the attack on the restaurant business in the United States and the Sorebrect ransomware. This month, researchers from Trend Micro reported on a completely fileless Trojan, JS_POWMET.DE, and a new cryptocurrency miner, TROJ64_COINMINER.QO. Both were designed to evade modern security solutions, and most organizations are vulnerable to such attacks; cybersecurity experts expect their number to increase significantly soon. The two discovered threats have different purposes and use different techniques to infect their targets. JS_POWMET arrives on the victim's system via an autostart registry entry and then uses PowerShell scripts to infect the system and run the Trojan. The fileless cryptocurrency miner TROJ64_COINMINER is distributed through the MS17-010 vulnerability, which attackers use to drop and run a backdoor; the backdoor installs WMI scripts on the infected system, and those scripts connect to command-and-control servers and download the components of the cryptocurrency miner.
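As an added example (not from the original post or the Trend Micro report), the PowerShell script below hunts for the two persistence mechanisms described above on a Windows host: autostart registry entries that launch a script host such as PowerShell, and WMI permanent event subscriptions of the kind a backdoor installs. The registry paths and the command-line pattern are assumptions for illustration, not indicators taken from the report.

```powershell
# Autostart (Run/RunOnce) keys to inspect; this list is an assumption, extend as needed.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Fragments typical of script-based autostart entries (assumed pattern, not from the report).
$SuspiciousPattern = 'powershell|pwsh|-enc|-encodedcommand|-w hidden|downloadstring|iex|wscript|cscript|mshta|regsvr32'

function Get-SuspiciousAutostart {
    # Return every Run/RunOnce value whose command line matches the pattern above.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive metadata
            if ($p.Value -is [string] -and $p.Value -match $SuspiciousPattern) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

function Get-WmiPersistence {
    # Resolve each filter-to-consumer binding in root\subscription to the event query
    # it triggers on and the command or script the consumer runs when it fires.
    $ns        = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue
    foreach ($b in $bindings) {
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
        [pscustomobject]@{
            Filter   = $f.Name
            Query    = $f.Query
            Consumer = $c.Name
            Type     = $c.CimClass.CimClassName
            # CommandLineEventConsumer carries CommandLineTemplate; ActiveScriptEventConsumer carries ScriptText.
            Payload  = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        }
    }
}

Write-Host '== Autostart entries launching script hosts =='
Get-SuspiciousAutostart | Format-Table -AutoSize
Write-Host '== WMI permanent event subscriptions =='
Get-WmiPersistence | Format-List
```

Run it in an elevated session so the HKLM keys and the root\subscription namespace are readable; any WMI binding you did not deploy yourself, and any autostart value that launches an encoded or hidden PowerShell command, is worth investigating.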

Most fileless attacks exploit known vulnerabilities, so updates must be installed promptly. It is also necessary to monitor for suspicious activity, since endpoint security alone cannot detect such malware. The APT Framework SIEM use case can help you detect these threats, and it also enables the most efficient use of security technologies such as firewalls, vulnerability scanners and IDS/IPS to protect your organization against sophisticated attacks.