POWELIKS Levels Up With New Autostart Mechanism

Last August, we wrote about POWELIKS's malware routines, which are notable for hiding the malicious code in a registry entry as part of its evasion tactics.

In the newer samples we spotted, the malware, detected as TROJ_POWELIKS.B, employs a new autostart mechanism and removes the user's permission to view the registry key's content. As a result, users are unlikely to suspect that their systems are already infected with POWELIKS. This autostart technique is fairly new to the threat landscape and is not currently covered by Autoruns for Windows, the Windows utility that lists all files and registry entries that execute on Windows startup.

When executed, POWELIKS creates the following registry entry:

[HKEY_CURRENT_USER\Software\Classes\clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32]

(Default)="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";eval……."

a="#@~^XHoAAA=……"

Normally, users will see the following in the registry editor:

Figure 1: The created key of POWELIKS

Based on the above screenshot, it would seem that the malware isn't present in the registry. However, the POWELIKS code is actually there: the malware hides it by removing the user's permission on that specific registry key.

Figure 2: User's permission profile

Best Practices: How to add permissions

Users can work around this technique and view the registry content by adding their user name or group to the registry key's permission list. This can be done via the following steps:

  1. Open Registry Editor
  2. Go to the registry key HKCU\Software\Classes\clsid
  3. On the left panel, right click {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
  4. Highlight the user name
  5. In the “Allow” section, select “Full Control” and “Read” (see Figure 3)
  6. Click “OK” to save changes
  7. Close Registry Editor, then open it again to reflect the changes

Figure 3: Updated user's permission profile

Once done, the malware will now be visible as shown below:

Figure 4: The visible malware code

When the malware creates an entry in HKCU\SOFTWARE\Classes\CLSID, Windows reflects this entry in HKCR\CLSID as shown below.

Figure 5: The updated HKCR\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} key

Why this CLSID?

CLSID is not a known autostart location. So why did the cybercriminals opt to use this registry key instead of the typical autostart entries?

This CLSID belongs to the Windows thumbnail cache, which Windows invokes whenever a thumbnail for any file is needed (images, audio, and so on). Whenever this CLSID is called, Windows executes the entry in HKCR\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} to show the file's thumbnail, and with it the POWELIKS entry in this key. This in turn loads POWELIKS every time, as seen in the screenshot below:

Figure 6: POWELIKS uses dllhost.exe to load itself on the system. Each dllhost.exe indicates a running POWELIKS.
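The two symptoms described above (a LocalServer32 entry under the thumbnail-cache CLSID that the current user can no longer read, and the dllhost.exe instances it spawns) can be checked without a GUI. The following PowerShell script is an added example written for this post, not Trend Micro's own tooling: it reads the CLSID from the post, looks in both HKCU and HKLM (HKCR is a merged view of the two), distinguishes "key absent" from "key present but access denied", and flags the rundll32/javascript loader markers quoted earlier. The function names, report fields and the dllhost.exe count are this example's own choices.

```powershell
# Added example (not from the original post): read-only check for the
# POWELIKS LocalServer32 autostart entry and its dllhost.exe hosts.

$PoweliksClsid = '{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}'   # CLSID named in the post
$SubKey = "Software\Classes\CLSID\$PoweliksClsid\LocalServer32"

# Substrings of the loader quoted in the post; matching is case-insensitive.
$LoaderMarkers = @('rundll32', 'javascript:', 'mshtml', 'RunHTMLApplication')

function Test-PoweliksKey {
    param(
        [Microsoft.Win32.RegistryKey]$Hive,   # e.g. [Microsoft.Win32.Registry]::CurrentUser
        [string]$HiveName
    )
    $report = [ordered]@{
        Hive       = $HiveName
        Exists     = $false
        Readable   = $false
        Suspicious = $false
        Note       = ''
    }
    $key = $null
    try {
        # OpenSubKey returns $null when the key is absent and throws when the
        # key exists but the caller cannot open it; the second case is exactly
        # the "hidden by stripped permissions" symptom described in the post.
        $key = $Hive.OpenSubKey($SubKey, $false)
        if ($null -eq $key) {
            $report.Note = 'LocalServer32 key not present'
            return [pscustomobject]$report
        }
        $report.Exists   = $true
        $report.Readable = $true
        $default = [string]$key.GetValue('')    # the (Default) value
        $a       = [string]$key.GetValue('a')   # the "a" value carrying the encoded script
        $hits = $LoaderMarkers | Where-Object { $default -match [regex]::Escape($_) }
        if ($hits -or $a) {
            $report.Suspicious = $true
            $report.Note = "loader markers: $($hits -join ', '); value 'a' present: $([bool]$a)"
        } else {
            $report.Note = 'key present but no loader markers found'
        }
    } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
        # The key is there, but our own user has been locked out of it.
        $report.Exists     = $true
        $report.Suspicious = $true
        $report.Note       = 'access denied to current user (permissions stripped)'
    } finally {
        if ($key) { $key.Close() }
    }
    return [pscustomobject]$report
}

function Get-DllhostCount {
    # Each running POWELIKS instance appears as a dllhost.exe (Figure 6).
    # Legitimate COM surrogates also run as dllhost.exe, so treat the count
    # as a signal to investigate, not as a verdict on its own.
    return @(Get-Process -Name dllhost -ErrorAction SilentlyContinue).Count
}

$hives = [ordered]@{
    'HKCU' = [Microsoft.Win32.Registry]::CurrentUser
    'HKLM' = [Microsoft.Win32.Registry]::LocalMachine
}
$hives.GetEnumerator() |
    ForEach-Object { Test-PoweliksKey -Hive $_.Value -HiveName $_.Key } |
    Format-Table -AutoSize
"dllhost.exe processes running: $(Get-DllhostCount)"
```

Run it as the user whose profile is suspected of being infected, since the hidden key lives in that user's HKCU hive; an "access denied" result on a key under your own HKCU\Software\Classes\CLSID is itself the indicator, regardless of what the value contains.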

Best Practices: Manual Removal

While this threat continues to evolve, as seen in its new evasion tactic, it can be manually removed from affected systems via the following steps:

  1. Download and run Microsoft's Process Explorer
  2. Restart in Safe Mode.
  3. Select the latest dllhost.exe parent process (see Figure 7)

    Figure 7: Terminating the dllhost process

  4. Right click and select "Kill Process Tree"
  5. Open Registry Editor (Run > regedit.exe)
  6. In the left panel, go to HKCU\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
  7. Add permissions for the user (see the instructions above under "How to add permissions")
  8. In the right panel, delete the registry values "Default" and "a". The whole CLSID key cannot be deleted because of the presence of the blank key. If this is successful, the registry should look like this:

    Figure 8: Clean registry entries

    In the event that these values are recreated, it just means that POWELIKS is still running. Repeat step 3 to ensure that no dllhost.exe is still running.

  9. Close Registry Editor
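The permission steps under "How to add permissions" and the removal steps above can be scripted. The following PowerShell is an added example written for this post, not Trend Micro's removal tool: it terminates the dllhost.exe instances, grants the current user Full Control on the CLSID key and its LocalServer32 subkey so their contents become visible again, deletes the "(Default)" and "a" values, and then re-checks whether they were recreated (the sign, per step 8, that POWELIKS is still running). The CLSID comes from the post; the function names are this example's own. It assumes the affected user still owns the key (keys created by a user's own process under HKCU are owned by that user), because Windows grants an owner the right to read and rewrite the DACL even after the explicit Allow entries have been removed. Run it as that user, ideally in Safe Mode as the post recommends.

```powershell
# Added example (not from the original post): scripted version of the manual
# POWELIKS removal steps, run as the affected user.

$PoweliksClsid = '{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}'   # CLSID named in the post
$ClsidKey = "Software\Classes\CLSID\$PoweliksClsid"
$SubKey   = "$ClsidKey\LocalServer32"

function Stop-PoweliksHosts {
    # Steps 3-4: terminate every dllhost.exe. Killing all of them rather than
    # one process tree is the blunt equivalent; legitimate COM surrogates are
    # restarted on demand when needed again.
    $procs = @(Get-Process -Name dllhost -ErrorAction SilentlyContinue)
    foreach ($p in $procs) {
        try   { Stop-Process -Id $p.Id -Force -ErrorAction Stop }
        catch { Write-Warning "could not stop dllhost.exe PID $($p.Id): $_" }
    }
    return $procs.Count
}

function Grant-CurrentUserFullControl {
    param([string]$RelativePath)   # path below HKCU
    # Open the key with only the rights needed to read and rewrite its DACL.
    # An owner holds READ_CONTROL and WRITE_DAC implicitly (assumption: the
    # current user owns the key), which is what lets this succeed after the
    # malware removed the user's Allow entries.
    $rights = [System.Security.AccessControl.RegistryRights]::ReadPermissions -bor [System.Security.AccessControl.RegistryRights]::ChangePermissions
    $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(
        $RelativePath,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        $rights)
    if ($null -eq $key) { Write-Warning "key not found: HKCU\$RelativePath"; return $false }
    try {
        $acl  = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
        $user = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $user,
            [System.Security.AccessControl.RegistryRights]::FullControl,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        $key.SetAccessControl($acl)
        return $true
    } finally { $key.Close() }
}

function Remove-PoweliksValues {
    # Step 8: delete "(Default)" and "a". The post notes the key itself cannot
    # be deleted because of the blank subkey, so only the values are removed.
    $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($SubKey, $true)
    if ($null -eq $key) { return @() }
    try {
        $removed = @()
        foreach ($name in @('', 'a')) {           # '' addresses the (Default) value
            if ($null -ne $key.GetValue($name)) {
                $key.DeleteValue($name, $false)
                $removed += $(if ($name -eq '') { '(Default)' } else { $name })
            }
        }
        return $removed
    } finally { $key.Close() }
}

function Test-PoweliksValuesPresent {
    $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($SubKey, $false)
    if ($null -eq $key) { return $false }
    try     { return (($null -ne $key.GetValue('')) -or ($null -ne $key.GetValue('a'))) }
    finally { $key.Close() }
}

"dllhost.exe processes terminated: $(Stop-PoweliksHosts)"
# Step 7: restore access on the CLSID key (what the post right-clicks) and on
# the LocalServer32 subkey that actually holds the values.
foreach ($path in @($ClsidKey, $SubKey)) { [void](Grant-CurrentUserFullControl -RelativePath $path) }
"values removed: $((Remove-PoweliksValues) -join ', ')"
# Give a surviving instance time to rewrite its values, then re-check (step 8 note).
Start-Sleep -Seconds 10
if (Test-PoweliksValuesPresent) {
    Write-Warning 'Values were recreated: POWELIKS is still running. Repeat from the dllhost.exe step.'
} else {
    'No POWELIKS values present.'
}
```

If Grant-CurrentUserFullControl fails with an access error, the key is not owned by the current user; an administrator can then take ownership of it first (the TakeOwnership right) and re-run the script.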

Conclusion

The POWELIKS malware poses serious risks, as its routines prevent it from being detected and removed from systems. In addition, one of its payloads is click fraud. To check whether your systems are infected by this threat, perform the suggested removal actions on your systems. We also recommend that users install security software that can detect such malicious files. Trend Micro protects users from this threat via the Trend Micro Smart Protection Network, which detects the said malware. The following is the related hash for this threat:

  • F2E179CB7307DF6190A783D5B72F1905C6F3BA3B – TROJ_POWELIKS.B

With additional analysis from Ohlord Gagto

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 18 November 2014.