A new malware variant has been discovered that utilizes a variety of techniques to stay hidden from traditional antivirus technologies and users.
The "Poweliks" malware, originally spotted by members of the KernelMode.info forum nearly three weeks ago, is reportedly being used as a persistent infection point from which attackers can repeatedly download more payloads onto a compromised machine even after reboots, though it is also capable of stealing system information to enable additional attacks.
Paul Rascagnères, senior threat researcher with Germany-based antivirus vendor G DATA Software AG, said in a blog post that the Poweliks malware is noteworthy because it doesn't produce any files that can be analyzed by traditional AV products. Instead, Rascagnères said the malware relies on a complicated infection mechanism that "resembles the stacking principle of [Russian] Matryoshka dolls," or nesting dolls in which one mechanism hides inside another.
To implant the Poweliks malware on a victim's machine, attackers must first trigger a separate vulnerability. The sample analyzed by Rascagnères employs the Microsoft Word flaw detailed in CVE-2012-0158. After a successful infection, the malware creates an encoded autostart key hidden in the Windows registry -- used to survive system reboots -- to store all of Poweliks' malicious code. Attackers utilize non-ASCII characters for the key, Rascagnères noted, so that the Windows RegEdit tool can't open it and the target machine's user can't see it.
Next, Poweliks will search for Windows PowerShell on the infected machine, and if the software isn't present, the malware will download it. That step is necessary because the stored code is actually a PowerShell script that contains Base64-encoded shellcode. The shellcode triggers a number of actions, including deploying the malware's payload.
"As the malware is very powerful and can download any payload, the amount of possible damage is not really measurable. It might install spyware on the infected computer to harvest personal information or business documents," said Rascagnères. "It might also install banking Trojans to steal money or it might install any other form of harmful software that can suit the needs of the attackers. Fellow researchers have suggested that Poweliks is used in botnet structures and to generate immense revenue through ad-fraud."
To prevent Poweliks infections, Rascagnères said that antivirus products would either have to catch the malicious file -- in this case the Word document -- before it is ever executed, detect the exploit after the file is executed, or spot any unusual behavior in the Windows registry that could be associated with a persistent malware infection.
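The registry check described above can be sketched as a small triage pass over exported autostart entries. This is an added example, not code from G DATA, Trend Micro or the original article; it assumes the entries were already exported as (key path, value name, value data) tuples, and the function names, the 120-character threshold and the sample data are all constructed for illustration.

```python
import re

# Constructed sample entries (not from a real infection). Assumption: another
# tool exported the autostart values as (key path, value name, value data).
SAMPLE_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "\u0001\u00e9\u4e2d",
     "powershell.exe " + "QUJD" * 40),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Updater\x00",
     r"C:\Tools\updater.exe"),
]

# A long unbroken run of Base64-alphabet characters. The 120-character
# minimum is an assumed tuning value, not a figure from the article.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")


def name_findings(name):
    """Flag value names that standard tools may fail to display or open."""
    findings = []
    if any(ord(ch) > 0x7F for ch in name):
        findings.append("non-ascii-name")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name):
        findings.append("control-char-name")
    return findings


def data_findings(data):
    """Flag value data that looks like an embedded encoded script."""
    findings = []
    if BASE64_RUN.search(data):
        findings.append("base64-blob")
    if "powershell" in data.lower():
        findings.append("powershell-reference")
    return findings


def scan(entries):
    """Return (key, escaped name, findings) for every entry with a finding."""
    results = []
    for key, name, data in entries:
        findings = name_findings(name) + data_findings(data)
        if findings:
            # Escape the name so hidden characters are visible in a report.
            shown = name.encode("unicode_escape").decode("ascii")
            results.append((key, shown, findings))
    return results


if __name__ == "__main__":
    for key, shown, findings in scan(SAMPLE_ENTRIES):
        print(f"{key}  name={shown!r}  findings={','.join(findings)}")
```

Each heuristic on its own produces false positives (localized software can use non-ASCII value names, and administrators do launch PowerShell at logon), so the combination of findings on one entry is what merits a closer look.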
Roddell Santos, a threat analyst with Tokyo-based antimalware vendor Trend Micro, said in a blog post that Poweliks' use of the Windows registry is hardly a new discovery -- malware variants such as Emotet and Morto have utilized the registry to similar effect before. Still, such measures are an effective stealth mechanism, he added, and produce more roadblocks for forensics teams.
"The use of registry for evasion tactics is crucial given that a file-based AV solution won't be able to detect anything malicious running on the system," said Santos. "Furthermore, unsuspecting users won't necessarily check for the registries but rather look for suspicious files or folders. We surmise that in the future, we may see other malware sporting the same routines as AV security [continues] to grow."