One of the most prominent examples of registry run key persistence is Trojan.Poweliks from 2014, which uses PowerShell to create a fileless persistent load point. After this, Trojan.Kotver started to use similar tricks and it is one of the most active threats today. Poweliks creates a registry run key with a non-ASCII character as a name. This prevents normal tools from being able to display this value. The threat also modifies access rights, making the key difficult to remove. The registry entry uses the legitimate rundll32.exe to execute a small JavaScript embedded in the registry key. The JavaScript uses a WScript object to decrypt a PowerShell script from another registry key and runs it. The PowerShell loads a watchdog DLL and other payloads. These techniques allow Poweliks to stay active on the computer without writing a common file on disk, which would expose it to detection from traditional security tools.
Trojan Poweliks first grabbed people’s attention in 2014 when it evolved into a registry-based threat. As a registry-based threat, Poweliks does not exist as a file on the compromised computer and instead resides only in the Windows registry. While fileless threats that reside in memory-only have been seen before, Poweliks stands out from this crowd because of a persistence mechanism that allows it to remain on the compromised computer even after a restart.
This persistence mechanism is not the only trait that makes Poweliks unique. The Trojan uses other registry tricks, such as a special naming method, to make it difficult for users to find it and then uses CLSID hijacking to maintain its persistence on the compromised computer. Poweliks will also exploit a zero-day privilege escalation vulnerability to take control of the compromised computer. Furthermore, the threat adds the compromised computer to a click-fraud botnet and forces it to download advertisements without the victim’s knowledge.
Poweliks is a fileless threat that uses several techniques to persist solely in the registry. The following image can help to explain how it does this:
Figure 1. Poweliks inside the registryPoweliks uses a legitimate Windows rundll32.exe file (blue outline) to execute JavaScript code (red outline) that has been embedded in the registry subkey itself. The JavaScript code has instructions to read additional data from the registry, which acts as the payload (green outline), and then execute it.
Some of this data is encoded, and after it has been decoded and executed, it installs what we call a Watchdog process. The Watchdog process is used to maintain persistence on the compromised computer. It does this by continuously checking that Poweliks is still running and that its registry subkeys have not been deleted. The functionality will reinstate the registry subkeys if the threat has been deleted.
As the malware is located inside the registry, the Watchdog functionality works to protect this by changing access rights to prevent access and then uses unprintable characters so registry tools cannot find the keys, even with appropriate permissions. Since Poweliks, we have seen these techniques and tactics in use by several other threats, including Trojan. Phase.
The following image demonstrates how Poweliks maintains its persistence on compromised computers:
Figure 2. Poweliks maintains its registry entries to ensure persistence• Task Manager showing multiple (3+) dll Host processes running.
• Performance trouble caused by high CPU utilization.
• Consistent excessive inbound LAN traffic.
While many threats frequently change the Run subkey in the registry to load themselves, Poweliks uses new load points by CLSID hijacking. CLSID entries are linked with certain functionalities that Microsoft requires so Windows can run properly. Poweliks adds additional data to these CLSID subkeys, augmenting their functionality with its own. Specifically, Poweliks hijacks the following CLSIDs:
• {FBEB8A05-BEEE-4442-804E-409D6C4515E9}
• {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}
• {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
All of these CLSIDs are loaded with Windows. For example, {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} causes any file in the LocalServer32 subkey to be run any time a folder is opened. By hijacking this CLSID, Poweliks is able to ensure that its registry entry will be launched any time a folder is opened or new thumbnails are created, even if the Watchdog process has been terminated.
Poweliks still has more ways in how it protects its registry entry on the compromised computer. The malware creates an extra registry subkey with a mechanism that prevents it from being opened and viewed. This registry subkey contains an entry created using the 0x06 byte and the 0x08 byte, which are not in the range of the Unicode printable character sets. This prevents the entire LocalServer32 subkey from being read or properly deleted. Some registry tools may be able to read this subkey, but the default Windows Registry Editor (regedit.exe) cannot. Special tools are required to read the characters and read or delete the registry entry. By placing itself in the registry and using this protection mechanism, Poweliks makes itself very difficult to get rid of.
Figure 3. Extra registry subkey to protect Poweliks in memoryPoweliks exploits the Microsoft Windows Remote Privilege Escalation Vulnerability (CVE-2015-0016) to take control of the compromised computer. This vulnerability was discovered and reported to Microsoft and it was subsequently patched in January’s Patch Tuesday updates as MS15-004. Trojan.Bedep also used this zero-day exploit to take control of compromised computers and it did this around the same time that Poweliks was exploiting the vulnerability. This led to the recognition that there could be a connection between Poweliks and Bedep. The latter is a downloader and one of the threats it often downloads onto compromised computers is Poweliks.