Poweliks: a file-less malware hides in the Windows Registry
The SonicWall Threats Research team observed reports of a file-less Trojan named GAV: Poweliks.CCL actively spreading in the wild. The malware resides only in the registry, hiding as a registry subkey rather than as an executable file on disk. This mechanism could be delivered to computer users by malicious spam emails and exploit kits, such as the Microsoft Word document vulnerability described in CVE-2012-0158.
Once the target system is compromised, the attacker may use it to establish a botnet.
The Trojan adds the following key to the Windows registry to ensure persistence across reboots:
The character used for the key's name is not an ASCII character. This hides the entry because Regedit cannot read the non-ASCII character. Here is a screenshot of the Registry tool showing the entry:
The malware stores encoded JavaScript in the auto-startup registry key. Here is an example of the created registry key value:
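To show how a defender can spot the two traits described above (a value name containing non-ASCII characters, and script rather than an executable path stored in an autostart value), here is an added example that is not part of the SonicWall post. It parses a constructed Regedit export (.reg text) and flags autostart values that match either trait. The key path, the `U+0001` character in the value name and the `javascript:` placeholder data are all constructed sample values; the post itself gives neither the exact key path nor the literal value, so the script-URI check is a heuristic assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a Regedit export (.reg text); not taken from the post.
# The second Run value's name starts with U+0001, standing in for the non-ASCII
# name the post describes, and its data is a placeholder for the encoded script.
SAMPLE_REG_EXPORT = (
    "Windows Registry Editor Version 5.00\n"
    "\n"
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    "\"Updater\"=\"C:\\\\Program Files\\\\Vendor\\\\updater.exe\"\n"
    "\"\u0001Default\"=\"javascript:<encoded-script-placeholder>\"\n"
    "\n"
    "[HKEY_CURRENT_USER\\Software\\Vendor]\n"
    "\"Path\"=\"C:\\\\Program Files\\\\Vendor\"\n"
)

# Autostart locations to inspect (assumption: the post only says
# "auto-startup registry key", so both Run and RunOnce are checked).
AUTOSTART_SUFFIXES = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse .reg text into {key_path: [(value_name, raw_value_data), ...]}."""
    keys: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys[current] = []
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            # Undo .reg escaping (\" and \\) in the value name.
            name = re.sub(r"\\(.)", r"\1", value_match.group(1))
            keys[current].append((name, value_match.group(2)))
    return keys


def has_non_ascii_name(name: str) -> bool:
    """True if any character falls outside printable ASCII (0x20-0x7E)."""
    return any(not 0x20 <= ord(ch) <= 0x7E for ch in name)


def find_suspicious_autostart(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (key, repr(value_name), reasons) for autostart values that look
    like the registry-resident persistence the post describes."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.endswith(AUTOSTART_SUFFIXES):
            continue
        for name, data in values:
            reasons = []
            if has_non_ascii_name(name):
                reasons.append("non-ASCII character in value name")
            # Heuristic (assumption, not from the post): autostart data that is
            # a script URI rather than an executable path.
            if re.search(r"(?i)\b(javascript|vbscript):", data):
                reasons.append("script instead of executable path in value data")
            if reasons:
                findings.append((key, repr(name), reasons))
    return findings


if __name__ == "__main__":
    for key, name, reasons in find_suspicious_autostart(SAMPLE_REG_EXPORT):
        print(f"{key} -> {name}: {', '.join(reasons)}")
```

Because the value name is reported with `repr()`, control and other non-printable characters that Regedit would not display are shown as escapes, so the entry cannot hide in the scan output the way it hides in the GUI. On a real host, export the Run keys with `reg export` and feed the resulting text to `find_suspicious_autostart`.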
Poweliks checks whether Windows PowerShell is installed on the affected system; if not, it downloads and installs it from the following links:
Here is how the malware downloads and runs PowerShell:
The malware executes the encoded script via PowerShell, which drops a DLL responsible for downloading other malicious files onto the infected system. This is part of its evasion mechanism, since the script is never executed directly by Windows or any application as a file.
Here is the Script Sample:
Here is the Base64-encoded PowerShell script which executes the shellcode:
Also here is a DLL dropper sample:
After the system restarts, this DLL file is injected into the DLLHOST.EXE process. The injected code is capable of downloading other malware.
Poweliks communicates over port 80. Requests to statically defined hosts and IPs are made on a regular basis; these requests are as below:
The malware uses dynamically generated codes in its own traffic. Here are some details about these codes:
- Code 1: type=status: start, install, exist, cmd or low
- Code 2: version=1.0
- Code 3: aid=Id
- Code 4: builddate=%s
- Code 5: id=UID
- Code 6: os=OS version_OS architecture
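The six parameters listed above give a network defender a concrete shape to look for in proxy or web logs. The following is an added example, not code from the SonicWall post: it scans constructed proxy log lines for plain HTTP requests on port 80 whose query string carries all six parameters, with `type` set to one of the status values the post names and `version=1.0`. The log format, the client addresses, the documentation address 198.51.100.7 and the `os` value format (`6.1_x86`) are constructed assumptions; the post gives the parameter names but not the exact host names or value formats.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines (timestamp, client, method, URL); not from the post.
# 198.51.100.7 is a documentation address standing in for a statically defined
# host; the third line uses HTTPS so it should not match the port-80 beacon.
SAMPLE_PROXY_LOG = """\
2014-08-01T10:00:00Z 10.0.0.5 GET http://198.51.100.7/?type=start&version=1.0&aid=12&builddate=20140801&id=0123ABCD&os=6.1_x86
2014-08-01T10:00:05Z 10.0.0.5 GET http://example.com/index.html?version=1.0&id=5
2014-08-01T10:00:09Z 10.0.0.6 GET https://198.51.100.7/?type=cmd&version=1.0&aid=12&builddate=20140801&id=0123ABCD&os=6.1_x64
2014-08-01T10:00:12Z 10.0.0.6 GET http://198.51.100.7/?type=cmd&version=1.0&aid=12&builddate=20140801&id=0123ABCD&os=6.1_x64
"""

# The six parameters the post lists, and the status values it gives for "type".
BEACON_PARAMS = {"type", "version", "aid", "builddate", "id", "os"}
STATUS_VALUES = {"start", "install", "exist", "cmd", "low"}


def parse_proxy_line(line: str) -> Optional[Tuple[str, ...]]:
    """Split one log line into (timestamp, client, method, url), or None."""
    parts = line.split()
    return tuple(parts) if len(parts) == 4 else None


def is_poweliks_beacon(url: str) -> bool:
    """True if the URL is plain HTTP on port 80 and carries the full parameter
    set with type=<status> and version=1.0."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.port not in (None, 80):
        return False
    params: Dict[str, List[str]] = parse_qs(parts.query)
    if not BEACON_PARAMS.issubset(params):
        return False
    return params["type"][0] in STATUS_VALUES and params["version"][0] == "1.0"


def scan_proxy_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, host, status) for every line matching the beacon shape."""
    hits = []
    for line in text.splitlines():
        parsed = parse_proxy_line(line)
        if parsed is None:
            continue
        _timestamp, client, _method, url = parsed
        if is_poweliks_beacon(url):
            split = urlsplit(url)
            status = parse_qs(split.query)["type"][0]
            hits.append((client, split.hostname, status))
    return hits


if __name__ == "__main__":
    for client, host, status in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} -> {host}: type={status}")
```

Matching on the full parameter set rather than on any single name keeps false positives down, since `id` and `version` on their own are common in legitimate URLs. Because the post says the hosts and IPs are statically defined, a second, cheaper check is to alert on the destination hosts themselves once they are known from the sample's traffic.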
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Poweliks.ACL
- GAV: Poweliks.BCL
- GAV: Poweliks.CCL
- GAV: Poweliks.CCM