Poweliks: File-less Malware That Hides in the Windows Registry

The SonicWall Threats Research team observed reports of a file-less Trojan, detected as GAV: Poweliks.CCL, actively spreading in the wild. The malware resides only in the registry, hiding as a subkey rather than as an executable file on disk. This mechanism can be delivered by malicious spam emails and by exploit kits, such as ones abusing the Microsoft Word document vulnerability described in CVE-2012-0158, to target computer users.

Once the target system is compromised, the attacker may use it to establish a botnet.

Infection Cycle:

MD5: 0181850239cd26b8fb8b72afb0e95eac

The Trojan adds the following key to the Windows registry to ensure persistence upon reboot:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\(Default)

The character used for the key's name is not an ASCII character. The purpose is to hide the entry, because Regedit cannot display the non-ASCII character. A screenshot of the Registry tool follows:

The malware stores encoded JavaScript in the auto-start registry key. Here is an example of the created registry key value:

Poweliks checks whether Windows PowerShell is installed on the affected system; if not, it downloads and installs it on the infected system from the following links:

Here is how the malware downloads and runs PowerShell:

The malware executes the encoded script via PowerShell, dropping a DLL that is responsible for downloading other malicious files onto the infected system. This technique is part of its evasion mechanism, since the script is never directly executed by Windows or by any application.

Here is the script sample:

Here is the Base64-encoded PowerShell script that executes the shellcode:

Here is a DLL dropper sample:

After the system restarts, this DLL file is injected into the DLLHOST.EXE process. The injected code is capable of downloading other malware.

Malware Traffic

Poweliks communicates over port 80. Requests to statically defined hosts and IPs are made on a regular basis. These requests are as below:

  • 178.89.159.34
  • faebd7.com

The malware uses dynamically generated codes in its own traffic. Here are some details about these codes:

http://178.89.159.34/q/type=%s&version=1.0&aid=%s&builddate=%s&id=%s&os=%s_%s

  • Code 1: type=status, one of start, install, exist, cmd or low
  • Code 2: version=1.0
  • Code 3: aid=Id
  • Code 4: builddate=%s
  • Code 5: id=UID
  • Code 6: os=OS version_OS architecture
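The two detection points above, the non-ASCII Run-key entry and the beacon format, as an added Python example written for this write-up (not SonicWall's own tooling). The Run-key entries and proxy-log lines are constructed samples; the hosts and the URL field layout are the ones listed above, and the aid/builddate/id values are placeholders.

```python
from urllib.parse import urlsplit

# Indicators taken from the write-up above.
KNOWN_C2 = {"178.89.159.34", "faebd7.com"}
VALID_TYPES = {"start", "install", "exist", "cmd", "low"}

def suspicious_run_entries(entries):
    """Flag Run-key value names Regedit cannot show cleanly: empty names or names
    containing a non-ASCII / non-printable character. entries: (name, data) pairs."""
    flagged = []
    for name, data in entries:
        if name == "" or any(ord(ch) < 0x20 or ord(ch) > 0x7E for ch in name):
            flagged.append((name, data))
    return flagged

def parse_poweliks_beacon(url):
    """Parse http://<host>/q/type=%s&version=1.0&aid=%s&builddate=%s&id=%s&os=%s_%s
    and return its fields, or None if the URL does not follow that format.
    The fields sit in the path (there is no '?'), so urlsplit leaves query empty."""
    parts = urlsplit(url)
    if not parts.path.startswith("/q/"):
        return None
    fields = dict(kv.split("=", 1) for kv in parts.path[3:].split("&") if "=" in kv)
    if any(k not in fields for k in ("type", "version", "aid", "builddate", "id", "os")):
        return None
    if fields["type"] not in VALID_TYPES or fields["version"] != "1.0":
        return None
    fields["os_version"], _, fields["os_arch"] = fields["os"].partition("_")
    fields["known_c2"] = parts.hostname in KNOWN_C2
    return fields

# Constructed proxy-log lines (not real captures): "<time> <client> <method> <url>".
SAMPLE_LOG = """\
10:00:01 10.0.0.5 GET http://178.89.159.34/q/type=start&version=1.0&aid=TESTAID&builddate=20140801&id=TESTUID&os=6.1_x86
10:00:02 10.0.0.5 GET http://faebd7.com/q/type=install&version=1.0&aid=TESTAID&builddate=20140801&id=TESTUID&os=6.1_x86
10:00:03 10.0.0.9 GET http://example.com/q/type=start&version=2.0&aid=x&builddate=y&id=z&os=6.1_x64
10:00:04 10.0.0.7 GET http://example.com/index.html
"""

def scan_proxy_log(text):
    """Return (client, type, host, known_c2) for every line whose URL matches the beacon format."""
    hits = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4:
            continue
        fields = parse_poweliks_beacon(cols[3])
        if fields:
            hits.append((cols[1], fields["type"], urlsplit(cols[3]).hostname, fields["known_c2"]))
    return hits
```

The third log line is rejected because its version is not 1.0, so the parser keys on the full field layout rather than the `/q/` prefix alone.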

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Poweliks.ACL
  • GAV: Poweliks.BCL
  • GAV: Poweliks.CCL
  • GAV: Poweliks.CCM