POWELIKS: Malware Hides In Windows Registry

We spotted malware that stores all of its malicious code in the Windows Registry rather than in files on disk. This tactic gives the malware stealth and evasion capabilities; Trend Micro detects it as TROJ_POWELIKS.A. When executed, TROJ_POWELIKS.A downloads additional files, so affected systems risk being infected by other malware. It can also steal system information, which cybercriminals may use to launch further attacks.

Evasion Mechanism

Beyond stealth, the technique also complicates forensics: there is no file on disk to recover or reference. Threats try as far as possible to avoid detection on the system and the network so that they can carry out further malicious activity. Based on our analysis, TROJ_POWELIKS checks whether Windows PowerShell is installed on the affected system and, if not, downloads and installs it. PowerShell is then used to run an encoded script stored in the registry. That script carries the malware's executable code (a .DLL), which is responsible for downloading other malicious files onto the infected system. Running the payload this way is part of the evasion tactic: it is never written to disk and is never executed directly as a file by Windows or by any application.

It then creates a blank (NULL) Autostart entry, a Run key value whose name begins with a NULL character, using the native API ZwSetValueKey.


This is not a new technique, and the underlying behaviour is documented in MSDN. ZwSetValueKey takes the value name as a counted UNICODE_STRING, so a name that begins with a NULL character is legal at the native API level. Win32 tools such as Regedit, however, treat value names as NULL-terminated strings: they cannot display the content of the entry, and although Regedit offers the option to delete it, the deletion fails with an error because of the NULL name. The autostart data nonetheless runs without any problem at the next system restart. Put simply, users cannot see the entry and therefore cannot delete it, so the malware runs again every time the system reboots.

It also creates a second registry entry that holds the malware code itself.


The data in this entry is an encoded file. After several rounds of decoding, it yields a .DLL.


This .DLL is then injected into the legitimate DLLHOST.EXE process. The injected code can download other malware, further compromising the system, and it steals the following information from the affected system:

  • Operating system and architecture
  • UUID
  • Malware version
  • Build date

This information is then sent out in an HTTP POST request using the following URL format:

  • http://178[dot]89[dot]159[dot]34/q/type={status: start, install, exist, cmd or low}&version=1.0&aid={id}&builddate=%s&id={iuuid}&os={OS version}_{OS architecture}
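As an added example, not code from the original post or from Trend Micro's analysis, the following Python script applies the two registry indicators described above to a constructed registry snapshot: an autostart value whose name begins with a NULL character, and an encoded PowerShell command whose decoded script pulls its next stage out of another registry entry instead of a file. The key path, value names, command-line switches and the stage-two script are hypothetical, and the snapshot is assumed to have been exported by a tool that reads value names as counted strings, since Regedit itself cannot return the hidden name. Python is used rather than PowerShell so that the logic runs on any platform against exported data.

```python
import base64
import re
from dataclasses import dataclass

# Hypothetical registry snapshot, as a tool using the native (counted-string)
# API would return it. Regedit cannot show the second entry: its name starts
# with "\x00", which NUL-terminated Win32 calls read as an empty name.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
HIDDEN_NAME = "\x00"
# Hypothetical stage-two script: it reads its payload out of another registry
# value instead of a file, which is what makes the infection fileless.
STAGE2 = (
    "$d = (Get-ItemProperty 'HKCU:\\Software\\Classes\\Example').Blob; "
    "IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($d)))"
)


@dataclass
class RegValue:
    key: str
    name: str
    data: str


def encode_powershell(script: str) -> str:
    """Encode as powershell.exe -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> str:
    """Inverse of encode_powershell; raises ValueError on malformed input."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"not a valid -EncodedCommand blob: {exc}") from exc


# powershell.exe accepts unambiguous prefixes of -EncodedCommand; try the
# longest alternatives first so "-enc" is not consumed as "-e" + "nc".
ENCODED_SWITCH = re.compile(
    r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)
# Script constructs that read a payload from the registry rather than a file.
REGISTRY_READ = re.compile(r"Get-ItemProperty|\bgp\b|HK(?:CU|LM|CR|U):", re.IGNORECASE)


def analyze_run_values(values):
    """Return one finding per POWELIKS-style indicator seen in the autostart values."""
    findings = []
    for v in values:
        if "\x00" in v.name:
            findings.append({"key": v.key, "name": repr(v.name), "indicator": "nul-in-name",
                             "detail": "value name contains NUL; Regedit cannot show or delete it"})
        if "powershell" not in v.data.lower():
            continue
        m = ENCODED_SWITCH.search(v.data)
        if not m:
            continue
        try:
            script = decode_encoded_command(m.group(1))
        except ValueError as exc:
            findings.append({"key": v.key, "name": repr(v.name),
                             "indicator": "undecodable-encoded-command", "detail": str(exc)})
            continue
        findings.append({"key": v.key, "name": repr(v.name),
                         "indicator": "encoded-powershell", "detail": script})
        if REGISTRY_READ.search(script):
            findings.append({"key": v.key, "name": repr(v.name),
                             "indicator": "payload-from-registry",
                             "detail": "decoded script loads further code from the registry"})
    return findings


# Constructed sample: one benign autostart entry and one hidden, encoded one.
SAMPLE_VALUES = [
    RegValue(RUN_KEY, "OneDrive",
             r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    RegValue(RUN_KEY, HIDDEN_NAME,
             "powershell.exe -WindowStyle Hidden -NonInteractive -ep bypass -enc "
             + encode_powershell(STAGE2)),
]

if __name__ == "__main__":
    for f in analyze_run_values(SAMPLE_VALUES):
        print(f"{f['indicator']:28} name={f['name']:<8} {f['detail'][:70]}")
```

The benign entry produces no findings; the hidden entry produces three, and the decoded stage-two script is returned in the `encoded-powershell` finding so an analyst can read what would have run. A blob that is not valid base64 or not valid UTF-16LE is reported as `undecodable-encoded-command` rather than crashing the scan.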

We detect the .EXE and .DLL files as TROJ_POWELIKS.A and the encoded script as JS_POWELIKS.A. The SHA-1 hashes of the samples involved in this threat are:

  • EXE – BFA2DC3B9956A88A2E56BD6AB68D1F4F675A425A
  • DLL – 3506CE5C88EE880B404618D7759271DED72453FE

Impact on the threat landscape

Cybercriminals often adopt new tactics and techniques to avoid detection on the system and stay under the radar. These range from simple hidden-file attributes to advanced rootkit technology. In the past, we have blogged about attacks that exhibited various notable evasion tactics.

Notable malware such as EMOTET and MORTO also leveraged the registry in the same way. EMOTET, which sniffs network traffic to steal information, keeps its PE component in the registry; its downloaded files are also stored in registry entries, as is the encrypted stolen information. MORTO, for its part, stored its code in the registry in encrypted form.

While abusing the Windows registry is not new, it shows that cybercriminals and attackers keep improving their arsenal so as to remain undetected and carry out further malicious activity without the user's knowledge. Using the registry for evasion matters because a purely file-based AV solution will find nothing malicious on disk. Furthermore, unsuspecting users rarely inspect the registry; they look for suspicious files or folders instead. We expect to see other malware adopting the same routines as AV protection continues to improve.

Trend Micro protects users from this threat via its Smart Protection Network, which detects the malicious file despite its evasion tactics.

With additional analysis from Rhena Inocencio

Post from: Trendlabs Security Intelligence Blog – by Trend Micro


Story added 1 August 2014.