Poweliks Malware Is Hidden in the Registry, Not on Your Hard Drive


The new Poweliks malware evades the system's protections by running entirely from the Windows registry, without creating a file on the disk.

Poweliks is an infection that runs without any filesystem object: it uses rundll32.exe and JavaScript, and generates its DLL on the fly in memory, operating entirely from the registry and memory.

Common malware lives in a physical file on the device, something that can be identified and removed fairly quickly.

When you encounter an exploit, the exploit typically downloads the malware file to your machine and executes it.

The problem with Poweliks is that it never directly drops a physical file on the system; instead, it injects code into already-running legitimate processes such as Internet Explorer. By hiding behind a legitimate process in this way, it escapes detection.

The idea of fileless malware that resides in system memory is not new, but such threats are rare because memory is cleared on reboot, so the malware does not normally survive a restart. That is not the case with Poweliks, which takes a new path to persistence while remaining fileless.

How Poweliks Malware Works

On infecting the system, Poweliks creates a startup registry entry that runs the legitimate Windows file rundll32.exe and passes it some encoded JavaScript. The JavaScript then performs a sequence of actions, each unpacking the next like a set of Russian nesting dolls. The JavaScript first checks whether Windows PowerShell, a command-line shell and scripting environment, is present on the system; if not, it downloads and installs PowerShell. It then decodes additional code that is actually a PowerShell script.

What is rundll32.exe?

rundll32.exe is a legitimate Windows file used to load DLL libraries into memory and run their functions, although malware authors also use its name for their own files. It is present on all Windows-based operating systems, runs in the background, and is located in the \Windows\System32 folder.

The PowerShell script uses a trick to bypass the default protection in Windows that prevents unknown PowerShell scripts from being launched without the user's consent. The script then decodes and executes shellcode, which loads a DLL (Dynamic Link Library) directly into memory. This DLL component, running entirely in memory, connects to two IP addresses to receive commands, and can be used to download and install other threats according to the attacker's intentions.

What is PowerShell?

PowerShell is a task-automation framework from Microsoft, consisting of a command-line shell and a scripting language built on the .NET Framework, which can be embedded within other applications. It is used to automate batch processing and to build system management tools.

Throughout this entire process, from executing the JavaScript to loading the final DLL, the malware creates no infected files on the hard drive, which makes it difficult for antivirus programs to detect.

Note also that the startup registry entry Poweliks creates has a name containing a non-ASCII character. This trick prevents the Windows registry editor regedit, and possibly other programs, from displaying the startup entry, so both users and malware analysts have difficulty finding the infection manually.
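A defender can check an exported registry hive for the two traits described above: a startup value whose name regedit cannot display, and rundll32.exe being launched with inline JavaScript. The following Python is an added example, not code from the article; it parses a constructed `.reg` export whose value names and data are placeholders, and the value-name and command checks are assumptions about what such an entry looks like rather than Poweliks's actual registry key.

```python
import re
from typing import Dict, List

# Constructed .reg export (not a real capture): two ordinary Run entries and one
# modelled on the persistence the article describes, i.e. a value whose name
# contains a non-ASCII character and whose data launches rundll32.exe with
# inline JavaScript. The script body is a placeholder, not a real payload.
SAMPLE_REG = (
    'Windows Registry Editor Version 5.00\n'
    '\n'
    '[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n'
    '"Updater"="\\"C:\\\\Program Files\\\\Vendor\\\\upd.exe\\" /quiet"\n'
    '"VendorTray"="rundll32.exe vendortray.dll,Start"\n'
    '"\u200b"="rundll32.exe javascript:\\"PLACEHOLDER_ENCODED_SCRIPT\\""\n'
)

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
RUN_KEYS = ('\\currentversion\\run', '\\currentversion\\runonce')


def is_displayable(name: str) -> bool:
    """True when every character of the value name is printable ASCII."""
    return all(32 <= ord(c) <= 126 for c in name)


def suspicious_run_entries(reg_text: str) -> List[Dict[str, str]]:
    """Scan a .reg export and return Run/RunOnce values with Poweliks-style traits."""
    findings = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        # Only inspect values that live under an autostart key.
        if key is None or not key.lower().endswith(RUN_KEYS):
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue  # blank line, header or hex continuation line
        name = '(Default)' if m.group(1) is None else m.group(1)
        data = m.group(2)
        reasons = []
        if not is_displayable(name):
            reasons.append('value name contains non-ASCII or control characters')
        low = data.lower()
        if 'rundll32' in low and 'javascript:' in low:
            reasons.append('rundll32.exe launching inline JavaScript')
        if reasons:
            findings.append({'key': key, 'name': name, 'data': data,
                             'reason': '; '.join(reasons)})
    return findings


if __name__ == '__main__':
    for f in suspicious_run_entries(SAMPLE_REG):
        print(f"{f['key']} -> {f['name']!r}: {f['reason']}")
```

Export the Run keys with `reg export` on the host and feed the file to `suspicious_run_entries` to get the same check on real data; the benign rundll32 entry in the sample is deliberately not flagged.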

Starting with Spam

Some versions of Poweliks were delivered by malicious Microsoft Word documents attached to spam emails that appeared to come from Canada Post or USPS. These documents exploited a remote code execution vulnerability in Microsoft Office 2003, 2007 and 2010 that Microsoft had fixed in April 2012. Others believe it was distributed through drive-by download attacks using web exploits.

Email Spam

To prevent malware such as Poweliks, antivirus solutions must either catch the files before they are executed, so that they never reach the customer's mailbox, or, once the files have executed, detect the malware; as a last resort they must alert the user and stop the process by spotting unusual behaviour through registry monitoring. There are concerns that other malware authors may adopt the methods Poweliks uses in the future.