Tech

Poweliks Trojan goes fileless to evade detection and removal

The registry-based threat avoids creating PC files and exploits zero-day threats to hijack compromised computers.

Written by Charlie Osborne, Contributing Writer June 10, 2015 at 3:39 a.m. PT

A recently-discovered Trojan in the wild does not exist as a detectable files on compromised PCs to stay hidden under the radar as it generates ad-click revenue for hackers.

The Poweliks Trojan has been in a constant state of evolution to avoid detection by today's antivirus systems. First discovered in 2014, the Trojan now uses interesting techniques to infect and stay undetected on victim systems -- such as staying fileless.

Explored by Symantec researchers and explained in a blog post Tuesday, the malware, used to generate revenue for cyberattacks through ad-click fraud, is now a registry-based threat which resides only in Windows registries -- and with no files to speak of and persistence mechanisms which allow the malware to stay on a PC even after a restart.

Poweliks is considered a "fileless" threat which uses a variety of techniques in order to exist only in a Windows registry. Security researchers from Symantec say Poweliks "stands out from crowd" due to a persistence mechanism which involves the use of a legitimate Windows rundll32.exe file to execute Javascript code embedded within the registry subkey itself. The code reads additional data from the registry, acting as a payload before execution. Some of this data is encoded, and after execution what is called a "Watchdog process" is installed.

A Watchdog process is used to make sure the malware is still operating. If Poweliks is no longer running and the malware's registry subkeys have been deleted, the process reinstates the subkeys.

In order to keep Poweliks running, Watchdog changes access rights to prevent access and uses unprintable characters so the keys can be hidden, according to the firm.

In addition, Symantec says the Microsoft Windows Remote Privilege Escalation Vulnerability (CVE-2015-0016) may be exploited by the Trojan in order to wrestle control of a compromised computer. The vulnerability has been patched on up-to-date systems, but those who have not patched their systems are vulnerable.

The security team says:

Kaspersky Security Summit

"Trojan.Bedep also used this zero-day exploit to take control of compromised computers and it did this around the same time that Poweliks was exploiting the vulnerability. This led us to recognize that there could be a connection between Poweliks and Bedep.
Bedep is a downloader and one of the threats it often downloads onto compromised computers is Poweliks."

Despite the sophisticated techniques Poweliks uses to stay lurking undetected on computer systems, the malware is ultimately still just a click-fraud Trojan used to generate money through fraud. The Trojan requests adverts based on keywords, manipulates searches to make them seem like legitimate user requests, and browses to the URL returned by the ad network by the search. This, in turn, allows the threat actor to earn money based on click rates.

However, these adverts are not shown to victims, so they remain unaware of the infection for longer. The adverts themselves are not such a problem in comparison to the vast amount of adverts Poweliks sends to victims, which can reach up to 3,000 per day according to the security team.

As a result, this high influx of ads can end up clogging up victim machines, hogging memory and can also provide a tunnel for additional malware to be downloaded.

For example, Poweliks can provide a conduit for ransomware to be downloaded, which can end up with a computer being locked, its files encrypted and the victim receiving a demand for money to unlock their PC.

This tool is available to remove infections from your computer if you suspect this malware may be present.