Experts at GData discovered Poweliks, a persistent malware that infects a machine without writing a single file to its disk.
The post published by GData states: “All activities are stored in the registry. No file is ever created. [...] So, attackers are able to circumvent classic anti-malware file scan techniques with such an approach and are able to carry out any desired action when they reach the innermost layer of [a machine] even after a system re-boot. [...] To prevent attacks like this, antivirus solutions have to either catch the initial Word document before it is executed (if there is one), preferably before it reaches the customer’s email inbox.”
“It might install spyware on the infected computer to harvest personal information or business documents. It might also install banking Trojans to steal money or it might install any other form of harmful software that can suit the needs of the attackers. Fellow researchers have suggested that Poweliks is used in botnet structures and to generate immense revenue through ad-fraud.”
- As the entry point, they exploit a vulnerability in Microsoft Word with the help of a crafted Word document they spread via email. The same approach would work with any other exploit.
- After that, they make sure that the malicious activities survive system re-boot by creating an encoded autostart registry key. To remain undetected, this key is disguised/hidden.
- Decoding this key shows two new aspects: Code which makes sure the affected system has Microsoft PowerShell installed and additional code.
- The additional code is a Base64-encoded PowerShell script, which calls and executes the shellcode (assembly).
- As a final step, this shellcode executes a Windows binary, the payload. In the case analyzed, the binary tried to connect to hard-coded IP addresses to receive further commands, but the attackers could have triggered any other action at this point.
- All activities are stored in the registry. No file is ever created.
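The chain above gives a defender two concrete things to look for in autostart registry values: a PowerShell launch with an encoded command, and a Base64 blob that decodes to a script. The following Python script is an added example (not GData's code, nor anything from the Security Affairs post) that runs those checks over a constructed set of Run-key values. It assumes that "disguised/hidden" means a value name containing non-printable characters, that `-EncodedCommand` carries Base64 of UTF-16LE script text (which is how PowerShell defines that switch), and that the keyword list is a reasonable, if incomplete, indicator of staged script payloads.

```python
import base64
import re
from typing import Dict, Iterator, List

# Constructed inner script standing in for the encoded stage; it only echoes
# the word "demo" and has nothing to do with the real Poweliks payload.
INNER_SCRIPT = ('$d = [Convert]::FromBase64String("ZGVtbw==");'
                ' Invoke-Expression ([Text.Encoding]::ASCII.GetString($d))')
# -EncodedCommand expects Base64 of the UTF-16LE encoding of the script text.
ENCODED_SCRIPT = base64.b64encode(INNER_SCRIPT.encode("utf-16le")).decode("ascii")

# Constructed sample of autostart (Run key) values: value name -> command line.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    # Assumed hiding trick: a NUL byte in the name, which registry editors cannot display faithfully.
    "\x00AdobeUpdate": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + ENCODED_SCRIPT,
}

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")            # long Base64-looking runs
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\b")  # accepted prefixes of -EncodedCommand
SCRIPT_KEYWORDS = ("invoke-expression", "iex", "frombase64string",
                   "downloadstring", "new-object", "virtualalloc")


def has_hidden_name(name: str) -> bool:
    """Empty or non-printable value names are a common way to keep an autostart entry out of sight."""
    return name == "" or any(not c.isprintable() for c in name)


def decoded_blobs(value: str) -> Iterator[str]:
    """Yield a plausible text decoding (UTF-16LE first, then UTF-8) of every long Base64 run in value."""
    for match in B64_RUN.finditer(value):
        blob = match.group(0)
        blob += "=" * (-len(blob) % 4)          # repair missing padding before decoding
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        for encoding in ("utf-16le", "utf-8"):
            try:
                text = raw.decode(encoding)
            except UnicodeDecodeError:
                continue
            printable = sum(c.isprintable() or c in "\r\n\t" for c in text)
            if text and printable / len(text) > 0.9:  # reject decodings that are mostly binary noise
                yield text
                break


def inspect_value(name: str, value: str) -> List[str]:
    """Return the list of reasons a single autostart value looks like a registry-resident loader."""
    reasons: List[str] = []
    if has_hidden_name(name):
        reasons.append("value name contains non-printable characters")
    low = value.lower()
    if "powershell" in low and ENCODED_FLAG.search(low):
        reasons.append("PowerShell started with an encoded command")
    for text in decoded_blobs(value):
        hits = [k for k in SCRIPT_KEYWORDS if k in text.lower()]
        if hits:
            reasons.append("Base64 payload decodes to a script using " + ", ".join(hits))
    return reasons


def scan_run_values(values: Dict[str, str]) -> Dict[str, List[str]]:
    """Map every flagged value name to its reasons; clean entries are omitted."""
    flagged: Dict[str, List[str]] = {}
    for name, value in values.items():
        reasons = inspect_value(name, value)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in scan_run_values(SAMPLE_RUN_VALUES).items():
        print(repr(name), "->", "; ".join(reasons))
```

On a live system the same `inspect_value` logic can be fed the output of a registry enumeration of the Run and RunOnce keys for every hive; the decoded text of a flagged value is usually far more informative for triage than the command line itself, because that is where the script that checks for PowerShell and stages the next layer actually lives.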
The malware analysts consider Poweliks very complex code: it uses several layers to hide itself from prying eyes, it survives without creating any file, which makes it very insidious, it performs every operation in memory, and it maintains persistence through clever use of the Windows registry.
No doubt we will see much more malware like Poweliks in the near future.
(Security Affairs – Poweliks, malware)