New ‘Poweliks’ Stealth Malware on the Prowl: Hides within Your System’s Registry Undetected
An analyst looks at code in the malware lab of a cyber security defense lab. (Reuters)

A new 'fileless' malware that lives and works entirely out of your computer system's registry has been detected by security experts.

The latest infection is termed Poweliks malware by G Data Software, whose security researchers are credited with having detected the stealthy software.

According to G Data engineers, Poweliks cannot be easily detected by traditional methods, as it does not create or install any files on the hard drive of the host Windows system.

Poweliks infects the host system by exploiting a vulnerability in Microsoft Word, using a specially crafted malicious Word document delivered via email.

Poweliks is designed to create a new registry key at every system boot-up, using a non-ASCII character in the key's name.

This registry key runs the genuine Windows rundll32.exe application, which is used to launch functionality stored within shared .dll files.

Generally, rundll32.exe is not recognised as a threat by Windows, as it is a legitimate executable that ships with the operating system.

Along with the new registry key, Poweliks also creates and executes JavaScript code. That code in turn executes further code, and the process continues like a chain reaction: a series of new JavaScript stages are created and executed on the infected computer.

The final stage launches a PowerShell script, which in turn executes shellcode containing the malicious program that the attackers have embedded within Poweliks.

That shellcode then runs Windows binaries, initiating whatever attack the cyber-criminals plan to carry out on the host computer.

No standalone files created

According to G Data, all processes executed by Poweliks, right from creating a new Windows Registry entry, to executing shellcode, are stored within the registry itself rather than in a separate file within the computer's hard-drive.

"So, attackers are able to circumvent classic anti-malware file scan techniques with such an approach and are able to carry out any desired action – even after a system re-boot!" detail G DATA security engineers.

Non-ASCII registry key

The new registry key created by Poweliks upon system startup contains a non-ASCII character which is not identified by the Microsoft Registry editor, Regedit.

"To remain undetected, this key is disguised/hidden," say G Data researchers. "Decoding this key shows two new aspects: Code which makes sure the affected system has Microsoft PowerShell installed and additional code."

Poweliks Detection and Prevention

Security experts at G Data say that to detect Poweliks, anti-virus software should be designed to detect the initial Word-file exploit that Poweliks uses to enter the host system.

G Data's experts also say that with third-party in-registry surveillance software, users should be able to receive alerts about unusual registry modifications such as those made by Poweliks.

"AV solutions have to either catch the file (the initial Word document) before it is executed (if there is one), preferably before it reached the customer's email inbox. Or, as a next line of defense, they need to detect the software exploit after the file's execution, or, as a last step, in-registry surveillance has to detect unusual behaviour, block the corresponding processes and alert the user," say G Data security experts.
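As an added example, not code from G Data, ESET or the article, the following Python script shows how the in-registry surveillance idea above can be applied offline to an exported .reg text of an autorun (Run) key. It flags three things the article describes: a value name containing non-ASCII or non-printable characters (which Regedit cannot display properly), rundll32.exe launched with a javascript: argument instead of a DLL, and an autorun entry that starts PowerShell. The sample export, its value names and the script placeholder are constructed; the javascript: form of the rundll32 argument and PowerShell's -EncodedCommand switch are real, but the specific strings here are made up.

```python
"""Offline check of an exported autorun (Run) key for Poweliks-style entries.

Added example; not code from G Data, ESET or the article. It parses a small
constructed .reg export and applies three heuristics taken from the article.
"""
import re

# Constructed sample export (not a real capture). The suspicious entry's value
# name is a single zero-width space (U+200B), inserted via replace() so that
# the source stays readable. The rundll32 script argument is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\OneDrive.exe\" /background"
"NAME_PLACEHOLDER"="rundll32.exe javascript:\"CONSTRUCTED-SCRIPT-PLACEHOLDER\""
"Updater"="powershell.exe -WindowStyle Hidden -EncodedCommand AAAA"
'''.replace("NAME_PLACEHOLDER", "\u200b")

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="data" with .reg escaping: a backslash escapes the next character.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

RUNDLL_JS_RE = re.compile(r'\brundll32(?:\.exe)?\s+javascript:', re.I)
POWERSHELL_RE = re.compile(r'\bpowershell(?:\.exe)?\b', re.I)


def unescape(s):
    # Undo .reg escaping: backslash-backslash -> backslash, backslash-quote -> quote.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return a list of (key_path, value_name, data) for the REG_SZ values."""
    entries, key = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return entries


def describe_name(name):
    """Render a value name as code points so an analyst sees what Regedit cannot."""
    return " ".join(f"U+{ord(c):04X}" for c in name)


def suspicious_name(name):
    return any(ord(c) > 0x7F or not c.isprintable() for c in name)


def assess(name, data):
    """Return the reasons an autorun entry looks Poweliks-like (empty if none)."""
    reasons = []
    if suspicious_name(name):
        reasons.append("value name contains non-ASCII or non-printable characters")
    if RUNDLL_JS_RE.search(data):
        reasons.append("rundll32 launched with a javascript: argument instead of a DLL")
    if POWERSHELL_RE.search(data):
        reasons.append("autorun entry invokes PowerShell")
    return reasons


def scan(text):
    """Map each flagged value name to the list of reasons it was flagged."""
    findings = {}
    for _key, name, data in parse_reg(text):
        reasons = assess(name, data)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_REG).items():
        print(f"[{describe_name(name)}] {name!r}")
        for reason in reasons:
            print("   -", reason)
```

Running the script on the constructed export reports the zero-width-space entry twice (name and rundll32 usage) and the Updater entry once, while the OneDrive entry passes. The code-point rendering matters in practice: the article's point is that the key name does not display in Regedit, so a report has to spell the name out rather than print it.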

However, security experts state that Poweliks can indeed be identified early, and eliminated completely from the computer's registry.

"In this day of super-fast hardware and gigabytes of memory, problems are associated with poorly uninstalled applications or remnants of files that no longer exist on your computer, but now we actually have something bad that can exist in your registry; it does not create any files to be cleaned or identified. It's not all bad though, the initial file used to infect the registry can be identified and cleaned/deleted before it is executed, so your antivirus will still protect you once your vendor has all the information for detection," stated Mr Mark James, Security Specialist at ESET, when contacted by IBTimes UK.