Poweliks click-fraud malware goes fileless in attempt to prevent removal 

Jun 09, 2015 08:56 AM


Trojan.Poweliks first grabbed people’s attention in 2014 when it evolved into a registry-based threat. As a registry-based threat, Poweliks does not exist as a file on the compromised computer; its code resides only in the Windows registry. Memory-only fileless threats have been seen before, but Poweliks stands out from that crowd because its persistence mechanism lets it survive a restart, which a purely in-memory threat cannot do.

This persistence mechanism is not the only trait that makes Poweliks unusual. The Trojan uses other registry tricks, such as a special naming method that makes its keys hard to find, and hijacks CLSIDs so that Windows itself relaunches it. Poweliks also exploited a privilege escalation vulnerability, a zero-day at the time, to take control of the compromised computer. Finally, the threat adds the compromised computer to a click-fraud botnet and makes it fetch advertisements without the victim’s knowledge.

Symantec took an in-depth look at Poweliks to see how this threat has evolved and how it tries to evade detection by hiding in the registry.

A fileless threat
Poweliks is a fileless threat that uses several techniques to persist solely in the registry. The following image can help to explain how it does this:

Figure 1. Poweliks inside the registry

Poweliks uses the legitimate Windows rundll32.exe (blue outline) to execute JavaScript code (red outline) that is stored in the registry value itself. rundll32.exe was never meant to run script, but Poweliks abuses the fact that it will load mshtml.dll and call its RunHTMLApplication export, which accepts a javascript: URL, so the script runs directly from the registry. The JavaScript code then reads additional data from the registry, which acts as the payload (green outline), and executes it.

Some of this data is encoded. Once decoded and executed, it installs what we call a Watchdog process, whose job is to keep Poweliks in place on the compromised computer. The Watchdog continuously checks that Poweliks is still running and that its registry subkeys have not been deleted, and reinstates the subkeys if they have been removed.

Because the malware lives inside the registry, the Watchdog also protects those keys directly: it changes the access rights on the keys to deny access, and uses unprintable characters in the key name so that registry tools cannot open the key even with the appropriate permissions. Since Poweliks, we have seen the same techniques and tactics adopted by several other threats, including Trojan.Phase.

The following image demonstrates how Poweliks maintains its persistence on compromised computers:

Figure 2. Poweliks maintains its registry entries to ensure persistence

Hijacking CLSIDs
While many threats simply add themselves to the Run subkey in the registry to load at startup, Poweliks obtains new load points through CLSID hijacking. A CLSID subkey tells Windows which COM server implements a given class, and several of these classes are instantiated by Windows components in the normal course of operation. Poweliks writes its own launch data into these subkeys, so that whenever Windows loads the class it also runs the malware. Specifically, Poweliks hijacks the following CLSIDs:

  • {FBEB8A05-BEEE-4442-804E-409D6C4515E9}
  • {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}
  • {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} 

All of these CLSIDs are loaded by Windows itself. For example, {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} causes the command in its LocalServer32 subkey to be run every time a folder is opened. By hijacking this CLSID, Poweliks ensures that its registry entry is launched whenever a folder is opened or new thumbnails are created, even if the Watchdog process has been terminated.

Protecting the registry entry
Poweliks has still more tricks for protecting its registry entry on the compromised computer. The malware creates an extra registry subkey with a name that prevents it from being opened and viewed: the subkey contains an entry whose name includes the bytes 0x06 and 0x08, which fall outside the printable Unicode character ranges. This stops the entire LocalServer32 subkey from being read or properly deleted. Some registry tools can read this subkey, but the default Windows Registry Editor (regedit.exe) cannot, so special tools are required to display the characters and to read or delete the registry entry. By living in the registry and protecting its keys in this way, Poweliks makes itself very difficult to get rid of.
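As an added example, not code from the original post or from Symantec, the following PowerShell hunt pulls together the two checks that this section and the CLSID hijacking section above suggest: per-user COM class registrations whose server value launches a script host the way Poweliks does, and key or value names built from control characters such as 0x06 and 0x08. It assumes, which the post does not state, that the hijacked entries live under HKCU:\Software\Classes\CLSID, which COM consults before the machine-wide HKLM entry for the same class, so "does the same CLSID also exist under HKLM" is used as a heuristic for a shadowed class. The function and variable names are the example's own.

```powershell
# Added example (not code from the original post or from Symantec): hunt the current
# user's hive for Poweliks-style CLSID hijacks and for key or value names that hide
# from regedit. Assumption (not stated in the post): per-user COM registrations live
# under HKCU:\Software\Classes\CLSID and are consulted before the HKLM entry for the
# same CLSID, so a hijack there needs no administrative rights.

# CLSIDs the post names as hijacked by Poweliks.
$PoweliksClsids = @(
    '{FBEB8A05-BEEE-4442-804E-409D6C4515E9}',
    '{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}',
    '{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}'
)

# Launchers that have no business being a COM server path. The rundll32 + mshtml /
# javascript: pattern is how Poweliks runs script straight out of a registry value.
$SuspiciousCommand = 'rundll32.*(javascript:|mshtml|RunHTMLApplication)|mshta|wscript|cscript|powershell'

function Test-NonPrintableName {
    param([string]$Name)
    # Control bytes such as 0x06 / 0x08 in a name: regedit cannot display or open it.
    return ($Name -match '[\x00-\x1F\x7F]')
}

function Get-ClsidHijackFindings {
    param([string]$UserClsidRoot = 'HKCU:\Software\Classes\CLSID')

    $findings = New-Object 'System.Collections.Generic.List[object]'
    if (-not (Test-Path -LiteralPath $UserClsidRoot)) { return $findings }

    # Enumerate names from the parent so that a CLSID key the Watchdog has ACL-locked
    # is still reported (as AccessDenied) rather than silently skipped.
    $root = Get-Item -LiteralPath $UserClsidRoot
    foreach ($clsid in $root.GetSubKeyNames()) {
        $reasons = New-Object 'System.Collections.Generic.List[string]'
        $command = ''

        if ($PoweliksClsids -contains $clsid) { $reasons.Add('KnownPoweliksCLSID') }
        if (Test-NonPrintableName $clsid)     { $reasons.Add('NonPrintableKeyName') }
        # A per-user copy of a class that HKLM also defines is the classic hijack shape.
        if (Test-Path -LiteralPath "HKLM:\Software\Classes\CLSID\$clsid") { $reasons.Add('ShadowsHKLMClass') }

        $clsidPath = Join-Path -Path $UserClsidRoot -ChildPath $clsid
        $clsidKey  = Get-Item -LiteralPath $clsidPath -ErrorAction SilentlyContinue
        if ($null -eq $clsidKey) {
            $reasons.Add('AccessDenied')
        } else {
            # Extra subkeys with control characters in their names (the 0x06/0x08 trick).
            foreach ($sub in $clsidKey.GetSubKeyNames()) {
                if (Test-NonPrintableName $sub) { $reasons.Add('NonPrintableSubkey') }
            }
            foreach ($server in 'LocalServer32', 'InprocServer32') {
                $serverPath = Join-Path -Path $clsidPath -ChildPath $server
                if (-not (Test-Path -LiteralPath $serverPath)) { continue }
                $serverKey = Get-Item -LiteralPath $serverPath -ErrorAction SilentlyContinue
                if ($null -eq $serverKey) { $reasons.Add("AccessDenied:$server"); continue }

                foreach ($valueName in $serverKey.GetValueNames()) {
                    $data = [string]$serverKey.GetValue($valueName)
                    if (Test-NonPrintableName $valueName) { $reasons.Add("NonPrintableValueName:$server") }
                    if ($data -match $SuspiciousCommand) {
                        $reasons.Add("ScriptHostLauncher:$server")
                        $command = $data
                    }
                }
            }
        }

        if ($reasons.Count -gt 0) {
            $findings.Add([pscustomobject]@{
                CLSID   = $clsid
                Reasons = (($reasons | Sort-Object -Unique) -join ',')
                Command = $command
            })
        }
    }
    return $findings
}

Get-ClsidHijackFindings | Format-Table -AutoSize -Wrap
```

Run it in the session of the affected user, or elevated if you need to see keys the Watchdog has ACL-locked (those otherwise show up as AccessDenied, which is itself worth a look). ShadowsHKLMClass on its own is noisy, because legitimate per-user installs also register classes; treat it as weight alongside KnownPoweliksCLSID, ScriptHostLauncher and the NonPrintable reasons. Key names containing an embedded NUL, a related trick that this post does not describe, cannot be opened through the Win32 registry API that PowerShell uses, so this script will not reach them.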

Figure 3. Extra registry subkey to protect Poweliks in memory

The Bedep connection
Poweliks exploits the Microsoft Windows Remote Privilege Escalation Vulnerability (CVE-2015-0016) to take control of the compromised computer. We discovered and reported this vulnerability to Microsoft, and it was patched in the January 2015 Patch Tuesday updates as MS15-004. Trojan.Bedep used the same zero-day exploit to take control of compromised computers, and it did so at around the same time that Poweliks was exploiting the vulnerability. This led us to suspect a connection between Poweliks and Bedep.

Bedep is a downloader, and one of the threats it frequently installs on compromised computers is Poweliks.

From Poweliks to ransomware
Despite the complicated and unusual ways in which Poweliks compromises and persists on computers, it is ultimately just a click-fraud Trojan that earns money for the attacker through advertisements. It requests ads based on keywords, pretends that the victim legitimately searched for those keywords, browses to the URL returned by the ad network, and the attacker is paid for the resulting click. The selected ads are never shown to the victim, who therefore remains unaware of Poweliks’ presence on their computer. While this alone is a problem for the victim, a bigger problem lies in the sheer number of advertisements Poweliks pulls down to a compromised computer.

Poweliks can request as many as 3,000 advertisements per day on a single computer. Because it requests so many ads and does not care where they come from, it can eventually fetch malicious adverts, which can lead to other malware being installed on the computer. We have observed Trojan.Cryptowall, or one of its variants, installed on computers already compromised by Poweliks. So while a victim may initially be unaware that Poweliks is requesting ads on their computer, they could eventually find their files encrypted and a ransom demand on their screen.

Figure 4. Trojan.Cryptowall lock screen

Mitigation
Symantec and Norton products detect Trojan.Poweliks as:

AV

IPS

Removal tool
If you believe your computer has been compromised by Trojan.Poweliks, please run the following removal tool:

Further reading
For more information on how Poweliks has evolved, read our whitepaper.
