A new form of persistent malware has been discovered which does not create any files on disk and stores all the commands for its activities in the registry.
In a blog post, security researcher Paul Rascagneres of GData described in detail the peculiarities of the new type of malware, named Poweliks. The researcher describes its methods as "rather rare and new", since everything is done in the computer's memory and not on the hard disk, thus avoiding detection and analysis by security software.
The malware arrives in an email containing a Word document. The vulnerability exploited by the attackers is CVE-2012-0158, which affects Microsoft Office and many other Microsoft products. It is not new, but many users still run old versions of the software.
As soon as someone opens the file, the attackers activate the malware's persistence mechanism, creating an encoded autostart key in the registry. It appears that the encoding technique used by the malware was originally created by Microsoft to protect source code from modification.
To avoid detection by system tools, the registry key is hidden behind a non-ASCII name, which makes it inaccessible in Windows Regedit.exe.
By creating the autostart key, the attackers ensure that a restart of the system does not remove the malware from the computer.
By decoding the key, Rascagneres found two different sets of code: one that verifies that the infected computer has Windows PowerShell installed, and another containing a Base64-encoded PowerShell script that invokes and executes the shellcode.
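As an added defender's example (not from the article or from Rascagneres's analysis), the following Python sketch scans a set of autostart entries for the two traits described above: a value name that is not plain ASCII, and a PowerShell launch with a Base64-encoded command. The registry entries, value names and the encoded script are all constructed for this example; on a live system the same check would be fed from the Run keys.

```python
from __future__ import annotations

import base64
import re

# Constructed placeholder script, encoded the way -EncodedCommand expects
# (Base64 over UTF-16LE text). Not taken from the real malware.
ENCODED_SAMPLE = base64.b64encode(
    "Write-Output 'constructed placeholder script'".encode("utf-16le")
).decode("ascii")

# Constructed sample of Run-key entries (value name -> command line). The second
# entry mimics the technique in the article: a non-ASCII name and a Base64 blob.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "\u200b\u00a0\u0001": f"powershell.exe -WindowStyle Hidden -EncodedCommand {ENCODED_SAMPLE}",
    "Updater": r'"C:\Program Files\Vendor\updater.exe" /silent',
}

POWERSHELL_RE = re.compile(r"powershell(\.exe)?", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a Base64-looking token
ENCODED_FLAG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_powershell_blob(blob: str) -> str | None:
    """Decode an -EncodedCommand argument; return the script text or None if malformed."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def suspicious_run_entries(entries: dict[str, str]) -> dict[str, list[str]]:
    """Return value name -> reasons for every autostart entry that deserves a closer look."""
    findings: dict[str, list[str]] = {}
    for name, command in entries.items():
        reasons: list[str] = []
        # Regedit cannot display names that are empty or outside printable ASCII.
        if name == "" or any(ord(ch) < 0x20 or ord(ch) > 0x7E for ch in name):
            reasons.append("value name is empty or contains non-ASCII/control characters")
        if POWERSHELL_RE.search(command):
            match = ENCODED_FLAG_RE.search(command)
            if match:
                script = decode_powershell_blob(match.group(1))
                detail = f": {script[:60]!r}" if script else " (blob did not decode as UTF-16LE)"
                reasons.append("PowerShell launched with a Base64-encoded command" + detail)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_run_entries(SAMPLE_RUN_ENTRIES).items():
        print(repr(name), "->", "; ".join(reasons))
```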
According to the researcher, the shellcode runs the payload, which attempts to connect to a remote command and control (C&C) server to receive instructions. There are multiple IP addresses for C&C servers, all hard-coded.
The peculiarity of this malware is that it does not create any file on disk, making it very difficult to detect through classic protection mechanisms.