Researchers at Trend Micro have analyzed a new Trojan that uses the Windows registry to hide all its malicious code, the security company reported on Friday.
The threat, detected by Trend Micro as TROJ_POWELIKS.A or “Poweliks”, is designed to provide attackers with system information which they can use for other operations, but is also capable of downloading additional pieces of malware onto infected computers.
Once it infects a system, Poweliks checks whether Windows PowerShell is present; if it is not, the malware downloads and installs it. PowerShell is then used to run an encoded script containing the Trojan’s executable code. Because that code is never written to disk as a file that Windows or any other application executes directly, it evades file-based detection, the security company explained.
Next, a startup entry with a blank or NULL value name is written to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run using the ZwSetValueKey native API, so the malware is launched at every logon. According to Trend Micro, the user cannot see the content of the malicious entry because the value name is NULL, which also means the entry cannot be deleted through the Registry Editor.
A different registry entry stores an encoded DLL containing the malware code. The DLL is injected into the dllhost.exe process (the COM surrogate that hosts DLL-based applications), which the attackers then use to download other threats. The injected code also harvests the operating system version, computer architecture, a universally unique identifier (UUID), the malware version and its build date, and sends everything back to a remote server in an HTTP POST request.
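The persistence trick described above, a Run value whose name is blank or starts with a NULL character so that regedit can neither display nor delete it, is something a responder can hunt for from an elevated PowerShell session. The script below is an added example, not Trend Micro’s or the article’s code. The size threshold, the command-line patterns and the key list are this example’s own heuristics (assumptions, not indicators published by Trend Micro); it relies on .NET’s RegistryKey.GetValueNames() returning the raw name buffer from RegEnumValue, which is why NULL-prefixed names still show up in the listing.

```powershell
# Added example (not the article's or Trend Micro's code): audit Run keys for
# registry-resident persistence of the kind described above.
# Assumptions: elevated PowerShell on the suspect host; the thresholds and
# patterns below are heuristics chosen for this example.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Command lines that suggest an in-memory script loader rather than a normal startup program.
$loaderPattern  = 'powershell(\.exe)?.*(-e(nc|ncodedcommand)?\b|-noprofile|-w(indowstyle)?\s+hidden)|rundll32|mshta|javascript:'
$maxNormalLength = 512   # heuristic: legitimate Run values are short command lines, not encoded blobs

foreach ($path in $runKeys) {
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $key) { continue }

    # GetValueNames() goes through RegEnumValue and keeps the full name buffer,
    # so a blank name or one beginning with a NULL character is still enumerated
    # even though regedit cannot display or delete it.
    foreach ($name in $key.GetValueNames()) {
        $findings = @()
        if ($name -eq '')                  { $findings += 'blank value name' }
        if ($name.IndexOf([char]0) -ge 0)  { $findings += 'value name contains NULL character' }

        # Reading a NULL-prefixed name through the Win32 API truncates at the NULL,
        # so $data may come back empty even though the value exists; the name
        # finding above is the reliable signal in that case.
        $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        $preview = $null
        if ($data -is [string]) {
            $preview = $data.Substring(0, [Math]::Min(80, $data.Length))
            if ($data.Length -gt $maxNormalLength) { $findings += "data is $($data.Length) chars long" }
            if ($data -match $loaderPattern)       { $findings += 'data invokes a script or DLL loader host' }
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Key      = $path
                Name     = $name.Replace([string][char]0, '\0')   # make the NULL visible in output
                Findings = ($findings -join '; ')
                Data     = $preview
            }
        }
    }
}
```

The script only reports. Because the value was created through the native ZwSetValueKey API, removing it reliably needs a tool that also talks to the native registry API (or deleting and recreating the parent Run key), not regedit or the .NET Registry class, which pass a NUL-terminated name and therefore never reach the malicious value.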
Cybercriminals employ various techniques to ensure their creations are not detected by security solutions, including the use of the Tor anonymity network, and the abuse of the PowerShell tool. Some threats rely on domain generation algorithms (DGA), while others disguise their network traffic in an effort to remain hidden.
Trend Micro has pointed out that Poweliks is not the only piece of malware that uses the Windows registry. Emotet, a piece of spyware that’s designed to steal banking information, and the worm Morto also leverage the registry.
“While the routine of abusing the Windows registry is no longer new, it may indicate that cybercriminals and attackers are continuously improving their ‘arsenal’ or malware so as to go undetected and to instigate more malicious activities without the user’s knowledge,” Trend Micro Threat Analyst Roddell Santos wrote in a blog post.
“The use of the registry for evasion tactics is crucial given that file-based AV solutions won’t be able to detect anything malicious running on the system. Furthermore, unsuspecting users won’t necessarily check the registry but rather look for suspicious files or folders. We surmise that in the future, we may see other malware sporting the same routines as AV security continues to grow.”
Back in early March, researchers from Sophos warned of Russian ransomware that used Windows PowerShell to perform file encryption with “Rijndael symmetric key encryption.” At the time, experts discovered that the encryption keys could be easily obtained with the aid of PowerShell.