Poweliks Malware Hides in Registry to Evade AV Tools

Security experts are warning of new persistent malware designed to evade detection by traditional tools by residing only in the computer registry.

G DATA Security Labs senior threat researcher, Paul Rascagnères, explained in a blog post that because the malware is not present as a file, it can’t be scanned and blocked in the usual way by AV products.

“This technique is something rarely put into focus. The initial file, which starts all malicious activity on the computer system, holds all code necessary for the attack, crypted and hidden, waiting to be called and executed,” he added.

“To unfold the harmful actions, the attackers work step-by-step deeper into the code. Executing these steps one after the other reminds one of the stacking principles of Matryoshka dolls.”

This “Russian doll” technique begins by executing JScript code, then a PowerShell script which finally executes shellcode that contains the malware’s executable code (a .DLL) which will download other malicious files onto the victim’s machine, Rascagnères explained.

Malware like Poweliks is rare, usually because residing only in the registry means the malicious code will be wiped if there’s a system reboot.

However, the authors of this threat have got around this problem by creating an encoded autostart registry key, which is also disguised to remain undetected by the Windows registry editor tool.

Poweliks has been spotted in the wild, arriving via a malicious Word document attached to a social engineering email.

“To prevent attacks like this, AV solutions have to either catch the file (the initial Word document) before it is executed (if there is one), preferably before it reached the customer’s email inbox,” wrote Rascagnères.

“Or, as a next line of defense, they need to detect the software exploit after the file’s execution, or, as a last step, in-registry surveillance has to detect unusual behavior, block the corresponding processes and alert the user.”
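A defender-side check for the two traits described above, an autostart value whose command hands control to a script engine and a value name the registry editor cannot display, as an added example that is not part of the G DATA or Infosecurity material. The heuristics, the function names and the sample entries are my own constructions; the entries are assumed to come from a tool that enumerates the Run key directly rather than from regedit.

```python
import re
from typing import List, Tuple

# Heuristics written for this example: an autostart value whose command hands
# control to a script engine, or evaluates an encoded blob, deserves review.
SCRIPT_ENGINE = re.compile(
    r"\b(rundll32(\.exe)?\s+javascript:|mshta(\.exe)?\b|[wc]script(\.exe)?\b|powershell(\.exe)?\b)",
    re.IGNORECASE,
)
ENCODED_PAYLOAD = re.compile(
    r"(-e(nc|ncodedcommand)?\b|frombase64string|\biex\b|invoke-expression)",
    re.IGNORECASE,
)


def value_name_is_hidden(name: str) -> bool:
    """A value name regedit cannot render properly: empty, containing control
    characters (NUL included), or padded with leading whitespace."""
    if name == "" or name != name.lstrip():
        return True
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in name)


def classify(name: str, data: str) -> List[str]:
    """Return the reasons an autostart value looks suspicious (empty if none)."""
    reasons = []
    if value_name_is_hidden(name):
        reasons.append("non-displayable value name")
    if SCRIPT_ENGINE.search(data):
        reasons.append("script engine launched from autostart")
    if ENCODED_PAYLOAD.search(data):
        reasons.append("encoded or evaluated payload")
    return reasons


def scan_autostart(entries: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Keep only the entries that triggered at least one heuristic."""
    flagged = []
    for name, data in entries:
        reasons = classify(name, data)
        if reasons:
            flagged.append((name, reasons))
    return flagged


# Constructed sample: (value name, value data) pairs as a tool that reads the
# Run key directly would return them. None of these are real indicators.
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("\x00Loader", 'rundll32.exe javascript:"constructed placeholder, not a payload"'),
    ("Sync", "powershell.exe -NoP -W Hidden -enc QUJDREVG"),
]

if __name__ == "__main__":
    for name, reasons in scan_autostart(SAMPLE_ENTRIES):
        print(repr(name), "->", ", ".join(reasons))
```

The name check matters because a NUL-prefixed value is exactly the kind of entry a manual regedit inspection misses, so the scan has to read the key through an API that returns the raw name.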

Trend Micro researchers, who have also analyzed Poweliks, warned that obfuscation techniques like using TOR, disguising network traffic and abusing Windows PowerShell are becoming increasingly common.

“While the routine of abusing the Windows registry is no longer new, it may indicate that cybercriminals and attackers are continuously improving their ‘arsenal’ of malware so as to go undetected and to instigate more malicious activities without the user’s knowledge,” the firm wrote in a blog post.

“We surmise that in the future, we may see other malware sporting the same routines as AV security continues to grow.”