SonicWall Security Center


Poweliks: file-less malware that hides in the Windows Registry



Description


The Dell SonicWALL Threats Research team has observed reports of a file-less Trojan, detected as GAV: Poweliks.CCL, actively spreading in the wild. Instead of being stored on disk as an executable file, the malware lives entirely in the registry, as an entry under an autostart key. It is delivered through malicious spam e-mails and exploit kits, for example Microsoft Word documents that exploit the vulnerability described in CVE-2012-0158.

Once the target system is compromised, the attacker can enlist it in a botnet.

Infection Cycle:

MD5: 0181850239cd26b8fb8b72afb0e95eac

The Trojan adds the following value under the Run key in the Windows registry so that it is launched again after every reboot:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\(Default)

The name of this value is not an ASCII character. Because Regedit cannot read a non-ASCII value name, the entry is effectively hidden from anyone inspecting the key with the Registry Editor. Here is a screenshot of the Registry Editor showing the entry:

Rather than pointing to an executable, the autostart value holds encoded JavaScript (JScript) that is evaluated at startup. Here is an example of the registry value that is created:
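The two properties described above, an unreadable value name and script data in place of a program path, are what an analyst would hunt for on a suspected host. The following Python script is an added example, not code from the SonicALERT write-up: it enumerates the HKCU Run key (on Windows; elsewhere it falls back to constructed sample entries) and flags values whose name contains non-ASCII or control characters, whose name is empty (the Run key normally has no default value set), whose data embeds inline script, or whose data is far longer than any normal command line. The 1024-character threshold and the sample entries, including the rundll32/javascript: launcher string modelled on known Poweliks variants, are my own assumptions and are not taken from this page.

```python
# Added example (not from the SonicALERT write-up): hunt for Poweliks-style
# autostart values in HKCU\...\Run. Thresholds and sample data are assumptions.
import string
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Printable ASCII without the control whitespace characters (\t \n \r \x0b \x0c).
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")
MAX_SANE_LENGTH = 1024  # assumption: a legitimate Run value is a command line, not a payload


def suspicious_reasons(name, data):
    """Return the reasons a Run value looks like Poweliks-style persistence.

    name/data are a registry value name and its data as returned by
    winreg.EnumValue. An empty list means nothing looked suspicious."""
    reasons = []
    if name == "":
        # The Run key normally has no (Default) value, so an enumerated empty
        # name means either the default was set deliberately or the real name
        # begins with a character the Win32 string API cannot carry.
        reasons.append("empty or unreadable value name")
    elif any(ch not in PRINTABLE for ch in name):
        reasons.append("value name contains non-ASCII or control characters")
    if not isinstance(data, str):
        return reasons
    lowered = data.lower()
    if "javascript:" in lowered or "vbscript:" in lowered:
        reasons.append("value data embeds inline script instead of a program path")
    if len(data) > MAX_SANE_LENGTH:
        reasons.append(f"value data is {len(data)} characters long (encoded payload?)")
    return reasons


def scan_run_values(values):
    """values: iterable of (name, data) pairs. Returns {repr(name): reasons} for hits."""
    hits = {}
    for name, data in values:
        reasons = suspicious_reasons(name, data)
        if reasons:
            hits[repr(name)] = reasons
    return hits


def read_hkcu_run():
    """Enumerate the HKCU Run key on Windows; return an empty list elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    values = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _value_type = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values.append((name, data))
            index += 1
    return values


# Constructed sample entries standing in for an enumerated Run key. The
# launcher string is modelled on known Poweliks variants, not quoted from
# this page; the trailing "A"s stand in for the encoded script body.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("\u00a0a", 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";' + "A" * 2000),
    ("", 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";...'),
]

if __name__ == "__main__":
    live = read_hkcu_run()
    for name, reasons in scan_run_values(live or SAMPLE_RUN_VALUES).items():
        print(name, "->", "; ".join(reasons))
```

Run it on a Windows host to scan the current user's Run key; on any other platform it scans the constructed sample so the heuristics can be exercised offline. Note that winreg.EnumValue returns the name via the NUL-terminated Win32 API, so a name that begins with an unrepresentable character shows up as empty, which is why an empty name under Run is treated as a finding rather than ignored.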

Poweliks checks whether Windows PowerShell is installed on the affected system; if it is not, it downloads and installs it from the following links:

Here is how the malware downloads and runs PowerShell:

PowerShell then executes the encoded script, which carries a DLL responsible for downloading further malicious files onto the infected system. Because the DLL is decoded and loaded by the script in memory rather than being written to disk and launched by Windows or any application directly, this serves as an evasion mechanism against file-based scanning.

Here is the script sample:

Here is the Base64-encoded PowerShell script that executes the shellcode:

Here is the DLL dropper sample:

After the system restarts, this DLL is injected into a DLLHOST.EXE process. The injected code downloads additional malware.
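The Base64-encoded PowerShell script referred to above is the kind of artefact an analyst has to unpack by hand. The following Python snippet is an added example, not code from the write-up or from the malware: it decodes a PowerShell `-EncodedCommand` argument (which is Base64 of the script in UTF-16LE, so a plain UTF-8 decode yields NUL-riddled garbage), then pulls out any nested `[Convert]::FromBase64String("...")` blobs from the recovered script and reports whether each looks like a PE image or raw bytes that could be shellcode. The sample script and payload are constructed here for demonstration and are not the real Poweliks sample.

```python
# Added example (not from the SonicALERT write-up): unpack a PowerShell
# -EncodedCommand and the Base64 payloads embedded in the recovered script.
import base64
import re


def decode_encoded_command(b64_text):
    """PowerShell -EncodedCommand is Base64 of the script encoded as UTF-16LE."""
    return base64.b64decode(b64_text).decode("utf-16-le")


# Matches [Convert]::FromBase64String('...') / ("...") regardless of case.
FROM_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)


def extract_embedded_blobs(script):
    """Return the decoded bytes of every FromBase64String literal in the script."""
    return [base64.b64decode(blob) for blob in FROM_B64.findall(script)]


def classify_blob(blob):
    """Rough triage of a decoded blob: a DLL/EXE starts with the 'MZ' DOS header."""
    if blob[:2] == b"MZ":
        return "PE image (MZ header)"
    return "raw bytes (possible shellcode)"


def analyse_encoded_command(b64_text):
    """Decode the outer command and triage each embedded payload."""
    script = decode_encoded_command(b64_text)
    blobs = extract_embedded_blobs(script)
    return {
        "script": script,
        "payloads": [(len(blob), classify_blob(blob)) for blob in blobs],
    }


# Constructed sample: a fake 64-byte "DLL" (just an MZ header plus padding)
# wrapped in a PowerShell one-liner that copies it into unmanaged memory,
# then wrapped again the way -EncodedCommand expects. Not the real sample.
SAMPLE_PAYLOAD = b"MZ\x90\x00\x03\x00\x00\x00" + bytes(56)
SAMPLE_SCRIPT = (
    "$b=[Convert]::FromBase64String('%s');"
    "$p=[Runtime.InteropServices.Marshal]::AllocHGlobal($b.Length);"
    "[Runtime.InteropServices.Marshal]::Copy($b,0,$p,$b.Length)"
) % base64.b64encode(SAMPLE_PAYLOAD).decode("ascii")
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

if __name__ == "__main__":
    result = analyse_encoded_command(SAMPLE_ENCODED)
    print("recovered script:", result["script"])
    for size, kind in result["payloads"]:
        print(f"embedded payload: {size} bytes, {kind}")
```

Feed `analyse_encoded_command` the string that follows `-EncodedCommand` (or `-enc`) in a captured process command line; the first line of output is the clear-text script and the remaining lines summarise each embedded payload, which can then be carved to disk for further analysis.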

Malware Traffic

Poweliks communicates over TCP port 80. It sends requests to the following statically defined host and IP address on a regular basis:

  • 178.89.159.34
  • faebd7.com

The beacon URL carries several parameters that are filled in at run time. The request template and the meaning of each parameter are as follows:

http://178.89.159.34/q/type=%s&version=1.0&aid=%s&builddate=%s&id=%s&os=%s_%s

  • type: the bot's status, one of start, install, exist, cmd or low
  • version: 1.0
  • aid: Id
  • builddate: build date of the sample
  • id: UID (unique identifier of the infected system)
  • os: OS version_OS architecture
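The template above is specific enough to drive a network detection. The following Python script is an added example, not part of the SonicALERT write-up: it parses beacon URLs against the template (the hosts and parameter names come from this page) and runs that parser over a handful of constructed proxy log lines. One detail worth noticing is that the template places the parameters directly after `/q/` with no `?`, so a stock URL parser files them under the path and a query-string parser run on the query component alone returns nothing. The log line format, the client addresses and all parameter values are made up for the example.

```python
# Added example (not from the SonicALERT write-up): recognise Poweliks C2
# beacons in proxy log lines using the URL template from the advisory.
import re
from urllib.parse import parse_qs, urlsplit

BEACON_HOSTS = {"178.89.159.34", "faebd7.com"}          # from the advisory
KNOWN_TYPES = {"start", "install", "exist", "cmd", "low"}  # from the advisory
REQUIRED = {"type", "version", "aid", "builddate", "id", "os"}

# The advisory's template is http://<host>/q/type=...&version=...: the
# parameters follow "/q/" with no "?", so urlsplit() leaves them in the path.
# Accept "/q/type=", "/q?type=" and "/q/?type=" so a variant with a real query
# string is also caught.
BEACON_PATH = re.compile(r"^/q/?\??(?P<params>type=.*)$")


def parse_beacon(url):
    """Return the beacon fields as a dict if url matches the Poweliks C2 format, else None."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname not in BEACON_HOSTS:
        return None
    raw = parts.path + ("?" + parts.query if parts.query else "")
    match = BEACON_PATH.match(raw)
    if not match:
        return None
    pairs = parse_qs(match.group("params"), keep_blank_values=True)
    fields = {key: values[0] for key, values in pairs.items()}
    if not REQUIRED.issubset(fields):
        return None
    # os is "<OS version>_<architecture>"; split on the last underscore.
    version, _, arch = fields["os"].rpartition("_")
    fields["os_version"], fields["os_arch"] = version, arch
    fields["known_type"] = fields["type"] in KNOWN_TYPES
    return fields


# Constructed log format (assumption): "<timestamp> <client-ip> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def scan_proxy_log(lines):
    """Return one record per log line whose URL parses as a Poweliks beacon."""
    hits = []
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if not match:
            continue
        beacon = parse_beacon(match.group("url"))
        if beacon is not None:
            hits.append({"ts": match.group("ts"), "client": match.group("client"), **beacon})
    return hits


# Constructed sample lines: only the hosts and the URL layout come from the
# advisory; timestamps, client addresses and parameter values are invented.
SAMPLE_LOG = [
    "2014-08-01T10:00:01Z 10.0.0.12 GET http://178.89.159.34/q/type=install&version=1.0&aid=1234&builddate=20140730&id=3f9a1c&os=6.1_x86 200",
    "2014-08-01T10:00:05Z 10.0.0.12 GET http://www.example.com/index.html 200",
    "2014-08-01T10:30:02Z 10.0.0.12 GET http://faebd7.com/q/type=exist&version=1.0&aid=1234&builddate=20140730&id=3f9a1c&os=6.1_x64 200",
    "2014-08-01T10:31:00Z 10.0.0.40 GET http://faebd7.com/q/?type=cmd&version=1.0&aid=9&builddate=20140730&id=77e2&os=5.1_x86 200",
    "2014-08-01T10:32:00Z 10.0.0.40 POST http://178.89.159.34/upload 404",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> type={hit['type']} id={hit['id']} "
              f"os={hit['os_version']}/{hit['os_arch']} known_type={hit['known_type']}")
```

Requests to the listed hosts that do not follow the template (the POST to /upload in the sample) are deliberately not reported by `parse_beacon`, so they can be handled by a separate, broader indicator match on the host alone; the `known_type` flag lets a detection distinguish the status values documented here from a new or unknown one without dropping the event.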

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Poweliks.ACL
  • GAV: Poweliks.BCL
  • GAV: Poweliks.CCL
  • GAV: Poweliks.CCM



© 2019 SonicWall