A new form of persistent malware has been discovered, one which does not create any file on the disk and stores all activities in the registry.


In a blog posted at the end of July, security researcher Paul Rascagneres of GData details the particularities of the new type of malware, dubbed Poweliks, whose methods he labels as “rather rare and new,” since everything is performed in the memory of the computer system and there are several layers of code to get through in order to avoid analysis.

The attack vector is an email with a malcrafted Microsoft Word document attached. The vulnerability leveraged by the attackers is CVE-2012-0158, which affects Office and several other Microsoft products. It is not new, but many users are still using old versions of the software that could be compromised.

Once the file is launched, the cybercriminals turn on the persistency feature of the malware by creating an encoded autostart key in the registry. It seems that the encoding technique used by the malware was originally created by Microsoft to safeguard their source code from being altered.

In order to avoid detection by system tools, the registry key is hidden by providing a name in non-ASCII characters, which makes it unavailable to the Registry Editor (regedit.exe) in Windows.

By creating the auto-start key, the attackers make sure that a reboot of the system does not remove it from the computer.

By decoding the key, Rascagneres observed two sets of code: one that verified if the affected machine had Windows PowerShell installed, and another one, a Base64-encoded PowerShell script, for calling and executing the shellcode.

According to the researcher, the shellcode executes the payload, which attempts to connect to a remote command and control (C&C) server for receiving instructions. There are multiple IP addresses for C&C servers, all hard-coded.

The peculiarity of this malware is that it does not create any file on the disk, making it more difficult to be detected through classic protection mechanisms.

“To prevent attacks like this, AV solutions have to either catch the file (the initial Word document) before it is executed (if there is one), preferably before it reached the customer’s email inbox. Or, as a next line of defense, they need to detect the software exploit after the file’s execution, or, as a last step, in-registry surveillance has to detect unusual behavior, block the corresponding processes and alert the user,” writes Rascagneres.

This type of malicious behavior is not new though, as a sample was also analyzed on KernelMode.info in mid-July, this year. In that case, the same vulnerability was exploited through a malicious RTF attached to an email claiming to be from Canada Post and/or USPS mail service.
Kepler Reviewed by Kepler on . Registry-Residing Malware Creates No File for Antivirus to Scan http://i1-news.softpedia-static.com/images/news-700/Registry-Residing-Malware-Creates-No-File-for-Antivirus-To-Scan.jpg A new form of persistent malware has been discovered, one which does not create any file on the disk and stores all activities in the registry. In a blog posted at the end of July, security researcher Paul Rascagneres of GData details the particularities of the new type of malware, dubbed Poweliks, whose methods he labels as “rather rare and new,” since Rating: 5