Typical malware amounts to little more than a malicious file stored on a victim's infected computer, used to steal sensitive data and to perform a number of other malicious activities. Security researchers have now unveiled a sophisticated piece of malware that infects a system and can steal data without installing any file onto the victim's device.
The new persistent malware, dubbed Poweliks, resides in the registry and can easily go undetected, unlike common malware that leaves an installed file on the infected system which anti-virus software would readily pick up.
Paul Rascagneres, senior threat researcher and malware analyst at GData software, said that because the malware executes its code in successive stages, its feature set resembles the stacking principle of Matryoshka dolls.
Rascagneres is known for uncovering malware and bots and for undermining cyber criminal operations. Last year he won a Pwnie Award at Black Hat 2013 in Las Vegas for tearing through the infrastructure of the Chinese hacker group APT1.
To infect a system, Poweliks spreads via email in malicious Microsoft Word documents; once run, it creates an encoded autostart registry key and, to make itself even more covert, keeps that registry key hidden, Rascagneres writes.
The malware then creates and executes shellcode, along with a Windows binary payload that tries to connect to a hard-coded IP address in order to receive further commands from its command-and-control host.
“All activities are stored in the registry. No file is ever created,” Rascagneres writes in a blog post. “So, attackers are able to circumvent classic anti-malware file scan techniques with such an approach and are able to carry out any desired action when they reach the innermost layer of [a machine] even after a system re-boot.”
“To prevent attacks like this, antivirus solutions have to either catch the initial Word document before it is executed (if there is one), preferably before it reaches the customer’s email inbox.”
To create its autostart mechanism, the malware creates a registry key whose name consists of non-ASCII characters; Windows Regedit cannot read or open such a key entry.
The capabilities behind Poweliks are alarming, as it can carry out a number of malicious actions. The malware has the ability to:
- Download any payload
- Install spyware onto the victim's machine to harvest personal or private business information
- Install banking Trojans to hijack credentials and steal money
- Install any desired malware or malicious software which could aid the creation of a botnet or similar
- Generate revenue through ad fraud or cryptocurrency mining
The non-ASCII trick Poweliks abuses stems from a feature Microsoft implemented to prevent source code from being copied or tampered with; the feature was later cracked by a security researcher.
Researchers at the KernelMode.info forum analysed Poweliks last month in a sample that was bound into a Microsoft Word document exploiting CVE-2012-0158, a vulnerability that affected various Microsoft products including Microsoft Office.
Poweliks' authors masqueraded the malware as an attachment to fake Canada Post and/or USPS emails purporting to hold tracking information.
“This trick prevents a lot of tools from processing this malicious entry at all and it could generate a lot of trouble for incident response teams during the analysis. The mechanism can be used to start any program on the infected system and this makes it very powerful,” Rascagneres concluded.
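A defender-side check for the autostart trick described above and in Rascagneres' closing quote, as an added example rather than code from the G Data write-up: it scans Run-key entries (collected with Python's winreg on a live Windows host, or the constructed sample below) and flags value names containing non-ASCII or control characters, which Regedit cannot open, as well as long encoded blobs in the value data. The key paths, the 200-character threshold and the sample entries are assumptions.

```python
import re

# Autostart locations to inspect (assumed; extend with RunOnce etc. as needed).
RUN_KEYS = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run")
# Heuristic: a long run of base64-alphabet characters suggests encoded content.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/=]{200,}")

def name_is_unreadable(name: str) -> bool:
    """True if a value name holds characters outside printable ASCII,
    the kind of entry the article says Regedit cannot read or open."""
    return any(not 0x20 <= ord(c) <= 0x7E for c in name)

def data_looks_encoded(data: str) -> bool:
    """True if the value data contains a long encoded blob (heuristic)."""
    return BASE64_RUN.search(data) is not None

def suspicious_autoruns(entries):
    """entries: iterable of (key_path, value_name, data) tuples.
    Returns [(key_path, value_name, [reasons])] for entries worth triage."""
    findings = []
    for key, name, data in entries:
        reasons = []
        if name_is_unreadable(name):
            reasons.append("non-ASCII or control characters in value name")
        if data_looks_encoded(data):
            reasons.append("long encoded blob in value data")
        if reasons:
            findings.append((key, name, reasons))
    return findings

def collect_run_entries():
    """Gather Run-key values from a live Windows host (needs the winreg module)."""
    import winreg
    roots = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries = []
    for path in RUN_KEYS:
        root, sub = path.split("\\", 1)
        try:
            with winreg.OpenKey(roots[root], sub) as k:
                for i in range(winreg.QueryInfoKey(k)[1]):  # [1] = value count
                    name, data, _ = winreg.EnumValue(k, i)
                    entries.append((path, name, str(data)))
        except OSError:
            pass  # key absent or access denied; skip it
    return entries

# Constructed sample: one ordinary entry and one Poweliks-style entry
# (unreadable value name, 320-character encoded blob as data).
SAMPLE_ENTRIES = [
    (RUN_KEYS[0], "OneDrive", r'"C:\Users\user\AppData\Local\OneDrive\OneDrive.exe" /background'),
    (RUN_KEYS[0], "\x00\u0430\u0431", "QUJDRA==" * 40),
]
```

On a live host, pass `collect_run_entries()` to `suspicious_autoruns` instead of the sample; anything returned is a candidate for manual triage, not a verdict.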