Researchers dubbed this persistent malware as Poweliks, which resides in the computer registry only and is therefore not easily detectable as other typical malware that installs files on the affected system which can be scanned by antivirus or anti-malware Software.
According to Paul Rascagneres, Senior Threat Researcher, Malware analyst at GData software, due to the malware’s subsequent and step-after-step execution of code, the feature set was similar to a stacking principles of Matryoshka Doll approach.
Paul has made a number of name ripping malware and bots to uncover and undermine cyber crimes. He won last years' Pwnie Award at Black Hat Las Vegas for tearing through the infrastructure of Chinese hacker group APT1.
In order to infect a system, the malware spreads via emails through a malicious Microsoft Word document and after that it creates an encoded autostart registry key and to remain undetectable it keeps the registry key hidden, Rascagneres says.
The malware then creates and executes shellcode, along with a payload Windows binary that tried to connect to ‘hard coded IP addresses’ in an effort to receive further commands from the attacker.
"All activities are stored in the registry. No file is ever created," Rascagneres said in a blog post. "So, attackers are able to circumvent classic anti-malware file scan techniques with such an approach and are able to carry out any desired action when they reach the innermost layer of [a machine] even after a system re-boot.”
"To prevent attacks like this, antivirus solutions have to either catch the initial Word document before it is executed (if there is one), preferably before it reached the customer's email inbox."
To create an autostart mechanism, the malware creates a registry, which is a non-ASCII character key, as Windows Regedit cannot read or open the non-ASCII key entry.
CAPABILITIES OF POWELIKS MALWARE
Poweliks malware is quite dangerous and can perform a number of malicious activities. The malware can:
- Download any payload
- Install spyware on the infected computer to harvest users’ personal information or business documents
- Install banking Trojans in order to steal money
- Install any other type of malicious software that can fulfil the needs of the attackers
- used in botnet structures
- generate immense revenue through ad-fraud
The non-ASCII trick is a tool which the Microsoft created and uses in order to hide its source code from being copied or tampered with, but this feature was later cracked by a security researcher.
The security and malware researchers on the KernelMode.info forum last month analysed a sample which is dropped by a Microsoft Word document that exploited the vulnerability described in CVE-2012-0158, which affected Microsoft products including Microsoft Office.
The malware authors distributed the malware as an attachment of fake Canada Post and/or USPS email allegedly holding tracking information.
"This trick prevents a lot of tools from processing this malicious entry at all and it could generate a lot of trouble for incident response teams during the analysis. The mechanism can be used to start any program on the infected system and this makes it very powerful," Rascagneres said.