Poweliks, malware known to hide inside the registry of infected Windows computers, continues to be used by scammers to carry out click-fraud and has now been linked to recent CryptoWall infections.
On Tuesday, Symantec researchers published a white paper (PDF) detailing the evolution of the threat, noting that the malware uses “novel techniques” to compromise computers, including a special naming scheme to hide in the registry and CLSID (Class Identifier) hijacking to maintain persistence on infected systems. Poweliks has also used a now-patched remote privilege escalation vulnerability in Windows (CVE-2015-0016) to gain a foothold on targeted systems and ensnare more computers into a click-fraud botnet.
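As an added illustration, not code from the article or from Symantec's paper, the PowerShell check below surfaces per-user COM class registrations of the kind CLSID hijacking abuses: entries under HKCU\Software\Classes\CLSID take precedence over the machine-wide HKLM entries for non-elevated processes, so a persistence mechanism can plant a server path there. The list of suspicious substrings is an assumption for illustration, not from the paper.

```powershell
# Added example: enumerate per-user CLSID server registrations and flag the ones
# that shadow a machine-wide entry or point at an unusual server path.
# $SuspiciousPatterns is an assumed, illustrative list, not from the article.
$SuspiciousPatterns = @('rundll32', 'mshta', 'javascript:', 'vbscript:', 'powershell', '\AppData\', '\Temp\')

function Get-UserClsidServers {
    $root = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $root)) { return @() }

    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        foreach ($sub in 'InprocServer32', 'LocalServer32') {
            $subKey = Join-Path $_.PSPath $sub
            if (-not (Test-Path $subKey)) { continue }

            # The (default) value names the DLL or EXE COM will load for this class.
            $server = (Get-ItemProperty -Path $subKey -ErrorAction SilentlyContinue).'(default)'
            $machineKey = "HKLM:\Software\Classes\CLSID\$clsid\$sub"

            $hit = $false
            foreach ($p in $SuspiciousPatterns) {
                if ($server -and $server -like "*$p*") { $hit = $true; break }
            }

            [pscustomobject]@{
                CLSID       = $clsid
                ServerType  = $sub
                Server      = $server
                ShadowsHKLM = Test-Path $machineKey   # HKCU entry overrides an HKLM class
                Suspicious  = $hit
            }
        }
    }
}

# Review anything that shadows a machine-wide class or uses an odd server path;
# a legitimate per-user install of a COM component will also appear here.
Get-UserClsidServers | Where-Object { $_.Suspicious -or $_.ShadowsHKLM } | Format-Table -AutoSize
```

Run it in the context of the user account under investigation, since HKCU is per user; elevated processes ignore per-user CLSID entries on current Windows versions, so the shadowing matters most for the user's ordinary processes.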
“Poweliks comes with a default list of keywords… that it uses to generate requests for ads. The threat pretends that the victim legitimately searched for these keywords and then contacts an ad network so it knows where to direct the victim. Poweliks sends a request to the URL returned by the ad network and then receives payment for downloading the advertisement,” the paper explained of the click-fraud scheme, which ultimately puts money in attackers' coffers.
Symantec also noted that Poweliks and Bedep malware “share a number of similarities,” such as using the Windows zero-day exploit to infect users, and Bedep even being used, in some instances, to install Poweliks. The firm said that the similarities provide “no conclusive evidence linking the authors of Poweliks and Bedep together,” only evidence that Bedep “also acts as a downloader and has a similar coding style to Poweliks.”
Read more: http://www.scmagazine.com/poweliks-uses-novel-techniques-researchers-explain-in-whitepaper/article/419621/