
Fileless Malware Makes Almost 200,000 Victims, Mostly in the US


Karamjit


Windows zero-day exploited for privilege escalation

Cybercriminals wielding Poweliks, a piece of malware that resides only in the memory of the compromised system, have distributed it over the past six months to nearly 200,000 systems, most of them in the US.

Poweliks is an insidious threat that drops no conventional executable on the storage drive of the infected machine; instead it plants a script in the Windows Registry that loads the malware and executes it in memory.

An early version was identified in 2014, but it appears not to have been fully developed at the time: it could not achieve persistence on the machine and was removed by a simple restart of the computer.

Fraudulent clicks are the ultimate goal of the cybercriminals

Symantec researchers tracked its evolution and discovered that, in its effort to take control of the infected system, Poweliks also relied on a then zero-day vulnerability in Windows (CVE-2015-0016), patched by Microsoft in January.

Unlike previous reports that described Poweliks as an infostealer, Symantec says the threat is used for ad fraud: it launches web pages in the background and clicks on the advertisements, indicating that the crooks enrolled in a cost-per-click advertising model to generate money.

In one example from the company's recently released report, the malware made about 3,000 ad requests from a single computer, each with a bid amount of $0.000503. The revenue generated this way was calculated at about $1.51 / €1.34 per day.

Out of context this is not significant, but with hundreds of thousands of compromised computers the return becomes evident. The figure quoted is $10,000 / €8,900 a day for 100,000 bots; at the $1.51-per-computer daily rate of the example above, 100,000 bots would in fact rake in roughly $151,000 a day, so the lower figure must assume far fewer ad requests per bot.

Privilege escalation achieved via Windows zero-day

To pull off its stunt, the malware also exploited, in December 2014, a then-unknown Windows vulnerability that permitted execution of an arbitrary file with elevated privileges. Microsoft patched it in the first month of the year, after receiving a report from Symantec.

Interestingly, the Bedep ad-fraud malware also exploited this flaw around the same period, although there is no solid evidence that the same operators are behind both threats.

According to Symantec, in half a year’s time, Poweliks compromised 198,500 computers and more than 99.5% of them were located in the US.

The pages loaded without the user's knowledge sometimes hosted the Magnitude exploit kit, which served an exploit for Flash Player that downloaded a variant of CryptoWall ransomware.

From: http://news.softpedia.com/news/Fileless-Malware-Makes-Almost-200-000-Victims-Mostly-In-the-US-484030.shtml
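The registry-resident launcher described in the article is exactly what an autorun hunt should flag: a Run value whose data invokes a script host with inline code instead of pointing at a file on disk, often under a value name that regedit cannot show. The script below is an added example for this thread, not code from the Softpedia article or from Symantec. It runs over a constructed list of (value name, value data) pairs shaped like an export of HKCU\...\CurrentVersion\Run, so it works offline; the Poweliks launcher line is a reconstruction of the publicly documented shape of that entry (rundll32 + javascript: + mshtml,RunHTMLApplication + RegRead of the key holding the payload), not a byte-exact copy of a sample, and the NUL-prefixed value name is an assumption standing in for the non-ASCII name the real malware used.

```python
"""Triage Windows autorun entries for Poweliks-style fileless persistence.

Added example for this thread; not code from the Softpedia article or from
Symantec.  All sample entries below are constructed.
"""
import base64
import re

# Constructed sample of Run values (value_name, value_data).  Only the first is benign.
SAMPLE_RUN_VALUES = [
    ("OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    # Poweliks-style launcher (reconstruction).  The value name starts with a NUL so
    # regedit cannot display it (assumption: the real sample used a non-ASCII name),
    # and the data never references a file: rundll32 runs inline JScript that reads
    # the real payload back out of the registry.
    ("\x00a",
     r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";'
     r'document.write("<script language=jscript.encode>"'
     r'+(new ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft'
     r'\\windows\\currentversion\\run\\")+"</script>")'),
    # Encoded PowerShell: the payload is the command line itself (UTF-16LE in base64).
    ("Updater",
     "powershell.exe -NoP -W Hidden -EncodedCommand "
     + base64.b64encode("IEX (Get-ItemProperty HKCU:\\Software\\Foo).Payload"
                        .encode("utf-16le")).decode("ascii")),
    # mshta with an inline script URL: again no file on disk to scan.
    ("Helper",
     'mshta.exe javascript:close(new ActiveXObject("WScript.Shell").Run("calc.exe"))'),
]

# Launchers that execute script from the command line or the registry, never from a file.
FILELESS_LAUNCHERS = {
    "rundll32 javascript: (Poweliks)":
        re.compile(r"\brundll32(?:\.exe)?\s+javascript:", re.I),
    "mshta inline script":
        re.compile(r"\bmshta(?:\.exe)?\s+(?:javascript|vbscript|about):", re.I),
    "regsvr32 remote scriptlet":
        re.compile(r"\bregsvr32(?:\.exe)?\b.*\s/i:https?://", re.I),
    "powershell encoded command":
        re.compile(r"\bpowershell(?:\.exe)?\b.*\s-(?:e|ec|enc|encodedcommand)\b", re.I),
}


def has_hidden_name(name: str) -> bool:
    """Control characters in a value name are a classic way to hide from regedit."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name)


def decode_encoded_powershell(cmd: str):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_autoruns(entries):
    """Return one finding per suspicious entry, listing every reason it was flagged."""
    findings = []
    for name, data in entries:
        reasons = []
        if has_hidden_name(name):
            reasons.append("control character in value name")
        for label, pattern in FILELESS_LAUNCHERS.items():
            if pattern.search(data):
                reasons.append(label)
        decoded = decode_encoded_powershell(data)
        if decoded is not None:
            reasons.append("decoded payload: " + decoded)
        if reasons:
            findings.append({"name": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_RUN_VALUES):
        print(repr(f["name"]), "->", "; ".join(f["reasons"]))
```

On a live host the same logic applies to the output of an autorun enumerator (Sysinternals Autoruns, or reading the Run, RunOnce and CLSID keys directly); the point is to judge the entry by what it executes, not by whether a file with a bad hash exists, because in this family there is no such file.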




If it plants a script in the Windows registry, then it is leaving a trace on the infected machine, isn't it?



If it plants a script in the Windows registry, then it is leaving a trace on the infected machine, isn't it?

Yes. The registry is itself a file, even if it is a database of sorts.

I'd consider MBR and BIOS infections to be "fileless", however, as neither is part of the standard OS concept of a "file system".

You could detect those of course, though it might not be easy, depending on how clever the malware is.
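One way to do the detection the reply above says is possible, for the MBR case: read sector 0 of the disk, verify its structure, and compare the boot-code region against a hash recorded when the machine was known clean. The script below is an added example for this thread, not code from any poster. The 512-byte sector, its "boot code" and the partition table are all constructed here so it runs offline; real boot code is x86 machine code, not the repeated filler used, and the simulated tampering is constructed bytes rather than any real bootkit.

```python
"""Check a raw MBR sector for tampering against a known-clean baseline.

Added example for this thread, not code from any poster.  Every byte of the
sample sector is constructed.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 446          # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446        # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"      # bytes 510..511
PART_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(filler: bytes) -> bytes:
    """Constructed MBR: filler boot code, one active NTFS-type partition at LBA 2048."""
    code = (filler * (BOOTCODE_LEN // len(filler) + 1))[:BOOTCODE_LEN]
    entry = struct.pack(PART_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff",
                        2048, 1_000_000)
    table = entry + b"\x00" * (16 * 3)
    return code + table + BOOT_SIG


def bootcode_hash(mbr: bytes) -> str:
    """Baseline to record from a known-clean machine, e.g. right after install."""
    return hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes):
    """Return the non-empty partition table entries as dicts."""
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            PART_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append({"index": i, "status": status, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return parts


def check_mbr(mbr: bytes, baseline_hash: str):
    """Return a list of problems; an empty list means the sector matches the baseline."""
    if len(mbr) != SECTOR_SIZE:
        return ["sector is %d bytes, expected %d" % (len(mbr), SECTOR_SIZE)]
    issues = []
    if mbr[510:512] != BOOT_SIG:
        issues.append("missing 0x55AA boot signature")
    if bootcode_hash(mbr) != baseline_hash:
        issues.append("boot code differs from baseline")
    parts = parse_partitions(mbr)
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            issues.append("partition %d has invalid status byte 0x%02x"
                          % (p["index"], p["status"]))
    if any(p["type"] == 0xEE for p in parts):
        return issues   # GPT protective MBR: no active flag is expected
    if sum(1 for p in parts if p["status"] == 0x80) != 1:
        issues.append("expected exactly one active partition")
    return issues


def simulate_bootkit(mbr: bytes) -> bytes:
    """Constructed tampering: replace the start of the boot code with a different
    stub while leaving the partition table and signature intact, which is the
    shape of a typical MBR bootkit infection.  The bytes are made up."""
    patched = b"\xeb\x1e\x90" + b"\x00" * 29
    return patched + mbr[len(patched):]


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")   # constructed filler
    baseline = bootcode_hash(clean)
    print("clean:", check_mbr(clean, baseline))
    print("tampered:", check_mbr(simulate_bootkit(clean), baseline))
```

On a real Windows box the sector comes from opening \\.\PhysicalDrive0 with administrator rights and reading the first 512 bytes; the catch, and the reason the reply says it "might not be easy", is that a bootkit which hooks the disk read path can hand the original sector back to anything asking from inside the running OS, so the comparison is only trustworthy when the disk is read from a clean boot medium.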




MBAM and fingers crossed :-)




I thought UEFI with secure boot can prevent such types of malware?



Archived

This topic is now archived and is closed to further replies.
