Malware hidden in the Registry-Poweliks

Source: Internet
Author: User

A few days ago the German security company GData reported a relatively new piece of malware, which it named Poweliks. The malware infects the target machine persistently, yet, unusually, it installs no files on the host at all.

Poweliks keeps its components only in the Windows registry, so conventional file-scanning anti-virus software has difficulty detecting it.


Poweliks is generally delivered by email as a malicious Word document. The document carries malicious code, and once that code executes it adds a hidden autostart entry to the registry.

The autostart entry Poweliks creates in the registry uses non-ASCII characters as its name, which prevents the Windows Registry Editor from reading it directly. Example 1:

[Figure: the Registry Editor opened on the Poweliks autostart key; the screenshot is not reproduced here]

Opened in the Registry Editor, the entry cannot be read: the Registry Editor is unable to display a name containing non-ASCII characters, so a manual inspection of the autostart keys simply misses it.

According to the article GData published, all of Poweliks' activity lives in the registry and no file is ever created, so traditional file-based malware scanning is bypassed while the malware can still carry out arbitrary operations. To stop such attacks, an anti-virus solution has to detect the carrier Word document before Poweliks ever executes.

GData's analysis shows that Poweliks is layered like a Russian nesting doll: it first executes JScript code and, after a series of checks, finally executes a PowerShell script containing the malicious code. Poweliks then contacts a hard-coded IP address, from which the attacker can issue arbitrary commands, such as downloading further attack payloads.

Poweliks behavior characteristics:


1. A Word document is built using a Microsoft Word vulnerability and sent by email.

2. A hidden autostart registry entry is created.

3. Decoding the startup entry shows that one part of the code checks whether PowerShell is installed on the system; the other part is a Base64-encoded PowerShell script that invokes and executes attacker-defined shellcode.

4. The shellcode runs a Windows binary payload, which contacts a hard-coded IP address to receive further instructions from the attacker.

5. All of the above stages are stored in the registry; no file is ever created.
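As an added example (not code from the original article or from GData), the following Python script applies two of the checks the text describes to autostart entries taken from the Run key: it flags entry names that contain NUL, control or non-ASCII characters (the trick that defeats the Registry Editor, described above), and it decodes any Base64-encoded PowerShell -EncodedCommand argument it finds in the entry data so the final layer of the nesting doll can be read in plain text (step 3 of the list). The Run-key entries and the rundll32/javascript: launcher string are constructed sample data modeled on public descriptions, not Poweliks' own code, and the decoded script is a harmless stand-in; read_run_values is an assumption about how one would feed real entries from a Windows host through winreg and is not exercised offline.

```python
"""Hunt for Poweliks-style registry-only autostart entries.

Added example, not part of the original article or of GData's analysis.
Runs offline against constructed sample data; on Windows, read_run_values()
can supply real entries instead (assumption: standard Run key path).
"""
import base64
import re

# Constructed stand-in for the final PowerShell layer (harmless by design).
INNER_PS = "Write-Output 'stage-2 would run here'"
# powershell -EncodedCommand expects Base64 of the UTF-16LE script text.
ENCODED = base64.b64encode(INNER_PS.encode("utf-16-le")).decode("ascii")

# Constructed sample of (value name, value data) pairs as they would be
# enumerated from HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
SAMPLE_RUN_VALUES = [
    ("OneDrive",
     r'"C:\Users\x\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    # Poweliks-style entry (constructed): a name that starts with NUL and is
    # otherwise non-ASCII, whose data runs inline JScript through rundll32
    # and from there an encoded PowerShell command.
    ("\u0000\u0411\u0433",
     'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";'
     "eval(\"new ActiveXObject('WScript.Shell').Run("
     "'powershell -w hidden -ep bypass -enc " + ENCODED + "')\")"),
]

# Script hosts that have no business being launched from an autostart value.
SCRIPT_HOST = re.compile(
    r"rundll32(?:\.exe)?\s+javascript:|\bmshta(?:\.exe)?\b|\bpowershell(?:\.exe)?\b",
    re.IGNORECASE)
# -e / -ec / -en / -enc / -encodedcommand followed by a Base64 blob.
ENC_ARG = re.compile(
    r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def is_hidden_name(name: str) -> bool:
    """True if the value name contains NUL, a control character or any
    non-ASCII character, i.e. something the Registry Editor cannot display."""
    return any(ord(ch) < 0x20 or ord(ch) > 0x7E for ch in name)


def decode_encoded_commands(data: str) -> list:
    """Return the decoded text of every -EncodedCommand argument in data."""
    scripts = []
    for match in ENC_ARG.finditer(data):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
            scripts.append(raw.decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a real encoded command; leave it for manual review
    return scripts


def analyze_value(name: str, data: str) -> list:
    """Return human-readable findings for one autostart value (empty = clean)."""
    findings = []
    if is_hidden_name(name):
        shown = name.encode("unicode_escape").decode("ascii")
        findings.append("value name is not plain printable ASCII: " + shown)
    host = SCRIPT_HOST.search(data)
    if host:
        findings.append("script host launched from autostart: " + host.group(0))
    for script in decode_encoded_commands(data):
        findings.append("decoded -EncodedCommand: " + script)
    return findings


def scan(values) -> list:
    """Scan (name, data) pairs; return [{'name':..., 'findings':[...]}] for hits."""
    hits = []
    for name, data in values:
        findings = analyze_value(name, data)
        if findings:
            hits.append({"name": name, "findings": findings})
    return hits


def read_run_values(hive: str = "HKCU"):
    """Windows only (assumption, not exercised offline): enumerate the Run key."""
    import winreg  # only available on Windows
    root = winreg.HKEY_CURRENT_USER if hive == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    values = []
    with winreg.OpenKey(root, path) as key:
        for index in range(winreg.QueryInfoKey(key)[1]):
            name, data, _kind = winreg.EnumValue(key, index)
            values.append((name, str(data)))
    return values


if __name__ == "__main__":
    for hit in scan(SAMPLE_RUN_VALUES):
        print("suspicious value:", repr(hit["name"]))
        for finding in hit["findings"]:
            print("  -", finding)
```

Run as-is it reports only the constructed Poweliks-style entry, printing the escaped name, the rundll32/javascript: launcher, and the decoded PowerShell text; the OneDrive entry produces no findings. The name check deliberately treats anything outside printable ASCII as suspicious rather than looking for one specific character, since the point of the technique is that the Registry Editor cannot show the name, not which character is used.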

Poweliks is a complex piece of software. It hides itself behind several layers of encoding, completes its work without creating any files, and performs all of its operations from the registry. The FB editor has not found the source code of Poweliks; if any of you find it, please send it to FB for research.
