Poweliks

Poweliks is a click-fraud trojan first discovered by G Data SecurityLabs researchers in 2014. It generates revenue through ad-click fraud: it requests advertisements based on keywords, manipulates searches so that they appear to be legitimate user requests, and loads the URLs returned by the ad network. The ads are never displayed to victims, who therefore remain unaware of the infection for longer. Poweliks sends up to 3,000 ads to the victim's device each day, consuming a great deal of the machine's memory. The trojan can also serve as a vehicle for other malware infections, such as ransomware.

Poweliks continued to evolve and became a "fileless" threat in 2015, improving its ability to evade detection. It became a registry-based threat that resides only in the Windows registry and uses persistence mechanisms to stay on the machine even after it restarts. It uses the legitimate Windows "rundll32.exe" to execute JavaScript code embedded in a registry subkey, which then reads further data, some of it encoded, from the registry. After execution, a "watchdog" process is installed to ensure the trojan keeps operating: if Poweliks is no longer running and its subkeys have been deleted, the subkeys are reinstated. To keep the trojan running, the watchdog modifies access rights, prevents access to the keys, and uses unprintable characters in their names so that the keys are hidden.
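A defender-side check for the two persistence traits described above (autorun names hidden with unprintable characters, and rundll32.exe used to run JavaScript stored in the registry), added here as an example; it is not code from the original entry, G Data or Symantec. The sample registry values are constructed for illustration, and the live Run-key enumeration only runs on Windows.

```python
"""Flag autorun registry values that show Poweliks-style traits.
Added example, not code from the original entry, G Data or Symantec; it checks
the two traits the entry describes: names hidden with unprintable characters
and rundll32.exe used to run JavaScript kept in the registry."""
import re
import sys
from typing import List, NamedTuple

class AutorunEntry(NamedTuple):
    key_path: str  # e.g. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    name: str      # value name under that key
    data: str      # command line stored in the value

# rundll32 handed a javascript: URL instead of a DLL and export name
RUNDLL32_JS = re.compile(r"\brundll32(?:\.exe)?\b.*\bjavascript:", re.IGNORECASE)

def has_unprintable(text: str) -> bool:
    """True if text contains control or other unprintable characters."""
    return any(not ch.isprintable() for ch in text)

def assess(entry: AutorunEntry) -> List[str]:
    """Return the Poweliks-style traits this autorun entry exhibits."""
    findings = []
    if has_unprintable(entry.key_path) or has_unprintable(entry.name):
        findings.append("unprintable characters in key or value name")
    if RUNDLL32_JS.search(entry.data):
        findings.append("rundll32.exe running JavaScript from the registry")
    return findings

def live_run_entries() -> List[AutorunEntry]:
    """Enumerate the current user's Run key on Windows; empty list elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        values = [winreg.EnumValue(key, i) for i in range(winreg.QueryInfoKey(key)[1])]
    return [AutorunEntry("HKCU\\" + path, name, str(data)) for name, data, _ in values]

# Constructed samples: an ordinary autorun value and a Poweliks-like one.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [
    AutorunEntry(RUN_KEY, "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    AutorunEntry(RUN_KEY, "\x01",  # value name made of an unprintable character, as the entry describes
                 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";<script placeholder>'),
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES + live_run_entries():
        print(f"{entry.name!r}: {assess(entry) or ['no Poweliks-style traits']}")
```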

Reporting

  • June 2015: Poweliks Click-Fraud Malware Goes Fileless in Attempt to Prevent Removal. (Symantec)

Technical Details

  • G Data provides technical analysis of the original Poweliks trojan, available here.