On Tuesday, Symantec researchers published a white paper (PDF) detailing the evolution of the threat, noting that the malware uses “novel techniques” to compromise computers, including using a special naming scheme to hide in the registry, then leveraging CLSID (Class Identifier) hijacking to maintain persistence on systems, the white paper said. Poweliks has also used a now-patched remote privilege escalation vulnerability in Windows (CVE-2015-0016) to gain a foothold on targeted systems and ensare more computers into a click-fraud botnet.
“Poweliks comes with a default list of keywords… that it uses to generate requests for ads. The threat pretends that the victim legitimately searched for these keywords and then contacts an ad network so it knows where to direct the victim. Poweliks sends a request to the URL returned by the ad network and then receives payment for downloading the advertisement,” the paper explained of the click-fraud scheme, which ultimately puts money in attackers’ coffers.
Symantec also noted that Poweliks and Bedep malware “share a number of similarities,” such as using the Windows zero-day exploit to infect users, and Bedep even being used, in some instances, to install Poweliks. The firm said that the similarities provide “no conclusive evidence linking the authors of Poweliks and Bedep together,” only evidence that Bedep “also acts as a downloader and has a similar coding style to Poweliks.”
Within the paper, Symantec also pointed out that Poweliks was used to spread CryptoWall ransonware to users – attacks that happened when ad requests caused malicious web pages to be displayed to victims.
In conclusion, the security firm noted that, “In a world of file-based malware, Poweliks stands out from the crowd because of its nature as a fileless threat. It is innovative in its ability to persist by deeply embedding itself inside the Windows registry,” the paper said. Furthermore, the threat’s ability to install other malware and display potentially malicious web pages (or ads) to users, “can lead to numerous threats ending up on a victim’s computer, or even with the victim being completely locked out of their computer because the secondary threats could include ransomware.”
Symantec has a removal tool for Trojan.Poweliks, and included indicators of compromise (IOCs) in the white paper’s Appendix.