Poweliks, the persistent malware that doesn’t install any file

Pierluigi Paganini August 08, 2014

Experts at GData discovered Poweliks, a persistent malware able to infect machines without installing any file on the targeted system.

Researchers at GData Software have discovered a new and surprising strain of malware named Poweliks, which is able to infect systems and steal data without installing any file onto the victim’s machine. The malware maintains persistence by storing its components only in the Windows registry, which makes it hard for common antivirus products to detect.
The Poweliks malware spreads via emails that include a malicious Microsoft Word document. The file holds all the code necessary for the attack, encrypted and hidden; once executed, the malicious code creates an encoded autostart registry key and, to fly under the radar, keeps that registry key hidden.

To implement persistence, the malicious code creates a registry key using a non-ASCII character as its name, so that Windows Regedit cannot read or open the entry.
[Figure: Poweliks malware registry key]
“All activities are stored in the registry. No file is ever created,” states the post published by GData. “So, attackers are able to circumvent classic anti-malware file scan techniques with such an approach and are able to carry out any desired action when they reach the innermost layer of [a machine] even after a system re-boot.” “To prevent attacks like this, antivirus solutions have to either catch the initial Word document before it is executed (if there is one), preferably before it reached the customer’s email inbox.”
As explained by the researchers, Poweliks uses a technique reminiscent of the stacking principle of Matryoshka dolls:
“The initially used code embeds and executes further code, and this code then leads to even more code used, and so on and so on. The initial code executed is JScript code and then a PowerShell script which finally executes shellcode that contains the malicious code of Poweliks.”
[Figure: poweliks regedit 2]
Poweliks then creates and executes shellcode, which also tries to contact hard-coded IP addresses to receive further commands from the attacker. Because the malware can change its behavior simply by downloading a different payload, Poweliks is a very dangerous threat.
“It might install spyware on the infected computer to harvest personal information or business documents. It might also install banking Trojans to steal money or it might install any other form of harmful software that can suit the needs of the attackers. Fellow researchers have suggested that Poweliks is used in botnet structures and to generate immense revenue through ad-fraud.” 
These are the steps described by Paul Rascagneres, Senior Threat Researcher at GData:
  • As the entry point, they exploit a vulnerability in Microsoft Word with the help of a crafted Word document they spread via email. The same approach would work with any other exploit.
  • After that, they make sure that the malicious activities survive system re-boot by creating an encoded autostart registry key. To remain undetected, this key is disguised/hidden.
  • Decoding this key shows two new aspects: Code which makes sure the affected system has Microsoft PowerShell installed and additional code.
  • The additional code is a Base64-encoded PowerShell script, which calls and executes the shellcode (assembly).
  • As a final step, this shellcode executes a Windows binary, the payload. In the case analyzed, the binary tried to connect to hard coded IP addresses to receive further commands, but the attackers could have triggered any other action at this point.
  • All activities are stored in the registry. No file is ever created.
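The registry-only persistence described in the steps above lends itself to a simple check on the defender’s side. The following Python script is an added example, not GData’s code or anything from the Poweliks sample: it parses a constructed .reg export of a Run key and flags autostart values whose name contains non-ASCII or control characters (the hidden-key trick), whose data invokes PowerShell or a script host (the JScript/PowerShell layers), or whose data carries a long Base64-looking blob (the encoded script). The sample export, the thresholds and the regex patterns are assumptions for illustration only.

```python
import re
import unicodedata

# Heuristics modelled on the behaviour described above; thresholds and patterns
# are assumptions for this example, not indicators published by GData.
SCRIPT_HOST_RE = re.compile(r"powershell|jscript|javascript|wscript|cscript|mshta", re.I)
BASE64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample .reg export of a Run key: one ordinary entry and one in the
# style described above (lone zero-width space as name, encoded PowerShell data).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"{hidden}"="powershell -WindowStyle Hidden -EncodedCommand {blob}"
'''.format(hidden="\u200b", blob="AAAA" * 30)  # blob is a placeholder, not a real script

def _unescape(s):  # undo .reg escaping of quotes and backslashes
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg_export(text):
    """Parse the '"name"=data' lines of a .reg export into (key, name, data) tuples."""
    entries, key = [], ""
    for line in (raw.strip() for raw in text.splitlines()):
        if m := REG_KEY_RE.match(line):
            key = m.group(1)
        elif (m := REG_VALUE_RE.match(line)) and key:
            name, data = _unescape(m.group(1)), m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])  # REG_SZ; other value types stay raw
            entries.append((key, name, data))
    return entries

def score_entry(name, data):
    """Return the heuristics an autostart value trips; an empty list means nothing odd."""
    reasons = []
    if any(ord(c) > 127 or unicodedata.category(c).startswith("C") for c in name):
        reasons.append("value name contains a non-ASCII or control character")
    if SCRIPT_HOST_RE.search(data):
        reasons.append("autostart data invokes PowerShell or a script host")
    if BASE64_RUN_RE.search(data):
        reasons.append("long Base64-looking run in data (possible encoded script)")
    return reasons

def scan_reg_export(text):
    """Map each flagged value name to the list of reasons it was flagged."""
    return {name: r for _, name, data in parse_reg_export(text) if (r := score_entry(name, data))}
```

On a live system the same checks can be run over the output of `reg export` for the Run keys, where a value name that prints as nothing visible is itself the signal.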

Malware analysts consider Poweliks a very complex piece of code that uses several layers to hide itself from prying eyes. It survives without creating any file, which makes it very insidious: it performs every operation in memory and maintains persistence through clever use of the Windows registry.

There is no doubt that we will see much more malware like Poweliks in the near future.

Pierluigi Paganini

(Security Affairs – Poweliks, malware)
