Poweliks: Rare malware with no file exploits Microsoft Word vulnerability
Posted by: Jon Ben-Mayor on 08/04/2014 08:23 AM
A rare and quite sneaky piece of malware has been uncovered that has no file of its own on disk, which makes it very hard for AV scanners to pick up. The Poweliks malware lives inside the registry without installing any file at all.
Researchers at GData say that this technique is something rarely put into focus. The initial file, which starts all malicious activity on the computer system, holds all the code necessary for the attack, encrypted and hidden, waiting to be called and executed. To unfold the harmful actions, the attackers work step by step deeper into the code. Executing these steps one after the other is reminiscent of the stacking principle of Matryoshka dolls:
1. As the entry point, they exploit a vulnerability in Microsoft Word with the help of a crafted Word document they spread via email. The same approach would work with any other exploit.
2. After that, they make sure the malicious activity survives a system reboot by creating an encoded autostart registry key. To remain undetected, this key is disguised.
3. Decoding this key reveals two new components:
   - code which makes sure the affected system has Microsoft PowerShell installed, and
   - a Base64-encoded PowerShell script, which calls and executes the shellcode (assembly).
4. As a final step, this shellcode executes a Windows binary, the payload. In the case analyzed, the binary tried to connect to hard-coded IP addresses to receive further commands, but the attackers could have triggered any other action at this point.
All stages are stored as registry data. Beyond the initial Word document, no file is ever created: the code lives only in the registry hive (which is, of course, itself on disk, but not as a standalone executable that a file scanner would inspect) and in memory once it runs.
So, with such an approach attackers are able to circumvent classic anti-malware file-scanning techniques and to carry out any desired action "when they reach the innermost layer of the Matryoshka doll", even after a system reboot.
According to The Hacker News, the security and malware researchers on the KernelMode.info forum last month analysed a sample dropped by a Microsoft Word document exploiting CVE-2012-0158, the MSCOMCTL ActiveX control vulnerability (patched in MS12-027) that affected Microsoft products including Microsoft Office.
The malware authors distributed it as an attachment to fake Canada Post or USPS emails that claimed to contain package tracking information.
Trend Micro vice president of cloud and emerging technologies Mark Nunnikhoven told V3 that while Poweliks only features basic data-stealing powers, its detection-dodging technique could be used to mount more dangerous follow-up cyber strikes.
Nunnikhoven said there are ways businesses can protect themselves from Poweliks and recommended IT managers adopt them sooner rather than later.
"In this case, your defenses must be able to conduct memory analysis in order to detect TROJ_POWELIKS.A."