SecurityWeek
Cybercrime

“Poweliks” Malware Uses Windows Registry to Avoid Detection

Researchers at Trend Micro have analyzed a new Trojan that uses the Windows registry to hide all its malicious code, the security company reported on Friday.

The threat, detected by Trend Micro as TROJ_POWELIKS.A or “Poweliks”, is designed to collect system information that attackers can use in later operations, and it is also capable of downloading additional malware onto infected computers.

Once it infects a system, Poweliks checks whether Windows PowerShell is present and, if it is not, downloads and installs it. PowerShell is then used to run an encoded script containing the Trojan’s executable code. Because that code is stored in the registry and interpreted by PowerShell rather than existing as a standalone executable on disk, file-based scanners have nothing to examine, which helps the threat avoid detection, the security company explained.

Then, a value with a blank (NULL) name is added under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (the per-user startup key) using the native ZwSetValueKey API. This entry ensures that the malware runs every time the victim logs on. According to Trend Micro, the contents of the malicious entry can’t be seen by the user because of the NULL value name. For the same reason, standard tools such as Registry Editor, which stop reading the name at the NULL character, cannot open or delete the entry.

A different registry entry hides an encoded .DLL file containing the malware code. The .DLL is injected into the dllhost.exe process, the COM Surrogate that hosts DLL-based components, enabling the attackers to download other threats. The injected code also harvests information on the operating system, computer architecture, universally unique identifier (UUID), malware version and build date, and sends everything to an attacker-controlled server in an HTTP POST request.
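The following PowerShell script is an added example written for this page; it is not code from the article or from Trend Micro. It triages Run-key entries for the two traits described above: a value name that begins with a NUL character, which regedit and other Win32 tools cannot open, and a value that launches PowerShell with a base64-encoded command. The function names are the example’s own, and the sample entries at the bottom are constructed rather than taken from a real infection; the live-registry part only does anything on a Windows host.

```powershell
# Added example, not code from the article or from Trend Micro. Flags Run-key
# entries whose value name starts with a NUL character (hidden from regedit)
# or whose data launches PowerShell with a base64 (UTF-16LE) -EncodedCommand.
# Function names are this example's own; the sample entries are constructed.

function Test-NulPrefixedName {
    param([string]$Name)
    # Assumption: .NET's RegistryKey.GetValueNames() returns the full name,
    # NUL included, so the hidden entry is visible here even though regedit
    # stops reading the name at the first NUL and cannot open it.
    return ($Name.Length -gt 0 -and $Name[0] -eq [char]0)
}

function Get-EncodedPowerShellPayload {
    param([string]$CommandLine)
    # powershell.exe accepts -EncodedCommand and the abbreviations -enc/-ec/-e,
    # followed by base64 of UTF-16LE script text. Decode it so the analyst can
    # read what the startup entry actually runs.
    if ($CommandLine -match '(?i)\bpowershell(?:\.exe)?\b.*-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})') {
        try {
            $bytes = [Convert]::FromBase64String($Matches[1])
            return [Text.Encoding]::Unicode.GetString($bytes)
        } catch { return $null }
    }
    return $null
}

function Get-RunKeyFinding {
    param([string]$Key, [string]$Name, [string]$Data)
    $reasons = @()
    if (Test-NulPrefixedName $Name) { $reasons += 'NUL-prefixed value name (hidden from regedit)' }
    $decoded = Get-EncodedPowerShellPayload $Data
    if ($decoded) { $reasons += 'PowerShell -EncodedCommand payload' }
    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{
        Key     = $Key
        # Show the name as hex so a leading 00 is visible on the console.
        NameHex = (($Name.ToCharArray() | ForEach-Object { '{0:x2}' -f [int]$_ }) -join ' ')
        Reasons = ($reasons -join '; ')
        Decoded = $decoded
    }
}

function Get-LiveRunKeyEntries {
    # Enumerate the per-user and per-machine Run keys on the host this runs on.
    # Yields nothing on non-Windows hosts, where the registry drives do not exist.
    $paths = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($path in $paths) {
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            try   { $data = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames') }
            catch { $data = '<unreadable>' }
            [pscustomobject]@{ Key = $path; Name = $name; Data = $data }
        }
    }
}

# --- constructed sample entries, so the logic can be exercised offline ---
$payloadB64 = [Convert]::ToBase64String(
    [Text.Encoding]::Unicode.GetBytes("Write-Host 'constructed sample payload'"))
$sample = @(
    [pscustomobject]@{ Key = 'HKCU:\...\Run'; Name = 'OneDrive'
                       Data = '"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background' },
    [pscustomobject]@{ Key = 'HKCU:\...\Run'; Name = ([string][char]0 + 'a')
                       Data = "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand $payloadB64" }
)

$findings = foreach ($e in ($sample + @(Get-LiveRunKeyEntries))) {
    Get-RunKeyFinding -Key $e.Key -Name $e.Name -Data $e.Data
}
$findings | Format-List
```

Run it as-is and only the second constructed entry is reported, with its name shown as hex (the leading 00 is the tell) and the decoded payload alongside. On a Windows host it also walks the real HKCU and HKLM Run keys; an entry that reads as “unreadable” or decodes to a script the user never installed is worth pulling for analysis.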

Cybercriminals employ various techniques to ensure their creations are not detected by security solutions, including the use of the Tor anonymity network, and the abuse of the PowerShell tool. Some threats rely on domain generation algorithms (DGA), while others disguise their network traffic in an effort to remain hidden.

Trend Micro has pointed out that Poweliks is not the only piece of malware that uses the Windows registry. Emotet, a piece of spyware that’s designed to steal banking information, and the worm Morto also leverage the registry.

“While the routine of abusing the Windows registry is no longer new, it may indicate that cybercriminals and attackers are continuously improving their ‘arsenal’ or malware so as to go undetected and to instigate more malicious activities without the user’s knowledge,” Trend Micro Threat Analyst Roddell Santos wrote in a blog post.

“The use of the registry for evasion tactics is crucial given that file-based AV solutions won’t be able to detect anything malicious running on the system. Furthermore, unsuspecting users won’t necessarily check the registry but rather look for suspicious files or folders. We surmise that in the future, we may see other malware sporting the same routines as AV security continues to grow.”

Back in early March, researchers from Sophos warned of Russian ransomware that used Windows PowerShell to perform file encryption with “Rijndael symmetric key encryption” (the cipher standardized as AES). At the time, experts found that the encryption keys could be easily recovered with the aid of PowerShell.

Related Reading: Windows PowerShell Increasingly Abused by Attackers

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
