POWELIKS Levels Up With New Autostart Mechanism

by Roddell Santos (Threats Analyst)

Last August, we wrote about POWELIKS's malware routines, which are known for hiding its malicious code in a registry entry as part of its evasion tactics.

In the newer samples we spotted, malware detected as TROJ_POWELIKS.B employs a new autostart mechanism and removes the user's permission to view the registry key's content. As a result, users have no reason to suspect that their systems are already infected by the POWELIKS malware. This autostart technique is fairly new to the threat landscape and is not currently covered by Autoruns for Windows, the Windows utility that shows all files and registry entries that execute at Windows startup.

When executed, POWELIKS creates the following registry entry:

[HKEY_CURRENT_USER\Software\Classes\clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32]
(Default)="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";eval......."
a="#@~^XHoAAA=......"

Normally, users will see the following in the registry editor:

Figure 1: The created key of Poweliks

Based on the above screenshot, it would seem that the malware isn't present in the registry. However, the POWELIKS content is actually there: the malware hides its code by removing the user's permission on that specific registry key.

Figure 2: User's permission profile

Best Practices: How to add permissions

Users can navigate their way around this malware technique and view the registry content by adding the user name or group to the registry key’s permission section. This can be done via the following steps:

  1. Open Registry Editor
  2. Go to the registry key HKCU\Software\Classes\clsid
  3. On the left panel, right click {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
  4. Highlight the user name
  5. In the “Allow” section, select “Full Control” and “Read” (see Figure 3)
  6. Click “OK” to save changes
  7. Close Registry Editor, then open it again to reflect the changes

Figure 3: Updated user's permission profile

Once done, the malware will now be visible as shown below:

Figure 4: The visible malware code
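The regedit steps above as a PowerShell script, added here as an example and not part of the original post. It assumes the key sits in the current user's HKCU hive (so the user owns it) and uses the .NET registry API rather than Get-Acl/Set-Acl; the function name Grant-CurrentUserFullControl and the 60-character truncation are my choices.

```powershell
# Re-grants the current user Full Control (which includes Read) on the POWELIKS CLSID
# key and its LocalServer32 subkey, then reads the previously hidden values.
# Assumption: the key was created under the user's own HKCU hive, so the user owns it.
$clsidPath = 'Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}'
$user      = [System.Security.Principal.WindowsIdentity]::GetCurrent().User

function Grant-CurrentUserFullControl([string]$SubKeyPath) {
    # Open with only the rights needed to read and change the DACL. The owner of a key
    # holds READ_CONTROL and WRITE_DAC implicitly, so this succeeds even when the
    # malware stripped every Allow entry for the user (the situation in Figure 2).
    $rights = ([System.Security.AccessControl.RegistryRights]::ReadPermissions -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions)
    $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($SubKeyPath,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights)
    if ($null -eq $key) { Write-Warning "Not found: HKCU\$SubKeyPath"; return $false }
    try {
        $acl = $key.GetAccessControl()
        Write-Host "DACL before, HKCU\$SubKeyPath :"
        foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
            Write-Host ("  {0,-35} {1,-5} {2}" -f $ace.IdentityReference, $ace.AccessControlType, $ace.RegistryRights)
        }
        # Same effect as ticking Allow "Full Control" and "Read" for the user in Figure 3.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $user, [System.Security.AccessControl.RegistryRights]::FullControl,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        $key.SetAccessControl($acl)
        return $true
    } finally { $key.Close() }
}

foreach ($p in @($clsidPath, "$clsidPath\LocalServer32")) { Grant-CurrentUserFullControl $p | Out-Null }

# With the permission restored the values read like any other key. Only a prefix of
# the script payloads is printed; they are evidence to record, not something to run.
$ls32 = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey("$clsidPath\LocalServer32")
if ($ls32) {
    foreach ($name in @('', 'a')) {
        $v = [string]$ls32.GetValue($name)
        $label = if ($name -eq '') { '(Default)' } else { $name }
        if ($v) { Write-Host ("{0} = {1}..." -f $label, $v.Substring(0, [Math]::Min(60, $v.Length))) }
    }
    $ls32.Close()
}
```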

When the malware creates an entry in HKCU\SOFTWARE\Classes\CLSID, Windows reflects this entry in HKCR\CLSID as shown below.

Figure 5: The updated HKCR\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} key

Why this CLSID?

CLSID is not a known autostart location. So why did cybercriminals opt to use this registry key and not the typical autostart entries?

This CLSID is for Windows' thumbnail cache, which Windows calls whenever a thumbnail for any file is needed (images, audio, etc.). As such, when this CLSID is called, Windows executes the entry in HKCR\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} to show the thumbnail of the file, and that entry is now POWELIKS's. This in turn loads POWELIKS every time, as seen in the screenshot below:

Figure 6: POWELIKS uses dllhost.exe to load itself on the system. Each dllhost.exe indicates a running POWELIKS.

Best Practices: Manual Removal

While this threat is continuously evolving as seen in the new evasion tactic, it can be manually removed from the systems via the following steps:

  1. Download and execute Microsoft's Process Explorer
  2. Restart in Safe Mode.
  3. Select the latest dllhost.exe mother process (see Figure 7)

    Figure 7: Terminating the dllhost process

  4. Right click and select "Kill Process Tree"
  5. Open Registry Editor (Run > regedit.exe)
  6. In the left panel, go to HKCU\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
  7. Add permissions for the user (see the instructions under "How to add permissions" above)
  8. In the right panel, delete the registry values "Default" and "a". The whole CLSID key cannot be deleted because of the presence of the blank key. If this is successful, the registry should look like this:

    Figure 8: Clean registry entries

    If these values are recreated, POWELIKS is still running. Repeat step 3 to ensure that no dllhost.exe is still running.

  9. Close Registry Editor
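An added detection and triage script, not from the post, covering the mechanism in "Why this CLSID?" and the first removal steps: it scans every CLSID LocalServer32 command in HKCU and HKLM for the rundll32/javascript loader quoted above, flags CLSID keys the current user cannot open (the permission-stripping trick), and lists dllhost.exe instances with their parent process. The regex, the function names and the 70-character truncation are my assumptions; the script changes nothing.

```powershell
# Read-only triage for the POWELIKS CLSID autostart. Removal is still the manual
# procedure above; this only tells you where to look.
$loaderPattern   = 'rundll32(\.exe)?\s+javascript:|mshtml,RunHTMLApplication'   # assumed pattern
$thumbCacheClsid = '{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}'                     # from the post

function Find-SuspiciousClsid {
    $roots = @{ HKCU = [Microsoft.Win32.Registry]::CurrentUser; HKLM = [Microsoft.Win32.Registry]::LocalMachine }
    foreach ($hive in $roots.Keys) {
        $clsidRoot = $roots[$hive].OpenSubKey('Software\Classes\CLSID')
        if ($null -eq $clsidRoot) { continue }
        foreach ($name in $clsidRoot.GetSubKeyNames()) {
            $keyPath = "$hive\Software\Classes\CLSID\$name"
            try {
                $clsidKey = $clsidRoot.OpenSubKey($name)
                $ls32 = if ($clsidKey) { $clsidKey.OpenSubKey('LocalServer32') } else { $null }
            } catch [System.Security.SecurityException] {
                # A CLSID that denies the very user whose hive it lives in is the trick from Figure 2.
                [pscustomobject]@{ Key = $keyPath; Reason = 'access denied'; Command = '' }
                continue
            }
            if ($clsidKey) { $clsidKey.Close() }
            if ($null -eq $ls32) { continue }   # no LocalServer32: in-process server, nothing to check
            $cmd = [string]$ls32.GetValue('')   # '' is the (Default) value
            $ls32.Close()
            if ($cmd -match $loaderPattern) {
                $why = if ($name -eq $thumbCacheClsid) { 'loader in thumbnail-cache CLSID' } else { 'loader pattern' }
                [pscustomobject]@{ Key = $keyPath; Reason = $why; Command = $cmd.Substring(0, [Math]::Min(70, $cmd.Length)) }
            }
        }
        $clsidRoot.Close()
    }
}

function Get-DllhostProcesses {
    # Figure 6 shows POWELIKS running as dllhost.exe; parent PID and command line help
    # pick out the "mother" dllhost.exe that removal step 3 tells you to terminate.
    $all = Get-CimInstance Win32_Process
    foreach ($p in ($all | Where-Object Name -eq 'dllhost.exe')) {
        $parent = $all | Where-Object ProcessId -eq $p.ParentProcessId
        $parentDesc = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "exited ($($p.ParentProcessId))" }
        [pscustomobject]@{ PID = $p.ProcessId; Parent = $parentDesc; CommandLine = $p.CommandLine }
    }
}

Find-SuspiciousClsid | Format-Table -AutoSize
Get-DllhostProcesses | Format-Table -AutoSize
```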

Conclusion

The POWELIKS malware poses serious risks as its routines prevent it from being detected and removed from systems. In addition, one of its payloads is click fraud. To check whether your systems are infected by this threat, perform the suggested removal actions on your systems. We also recommend that users install security software that can detect such malicious files. Trend Micro protects users from this threat via the Trend Micro Smart Protection Network, which detects the said malware. The following is the related hash for this threat:

  • F2E179CB7307DF6190A783D5B72F1905C6F3BA3B – TROJ_POWELIKS.B

With additional analysis from Ohlord Gagto

Source: POWELIKS Levels Up With New Autostart Mechanism
