File-Less Click Fraud Trojan

The Network: A financial services firm in the Midwest U.S. with a very well run network security team on site. The EventTracker SIEMphonic service supplements this team.

The Expectation: Robust and up-to-date (Antivirus, Next Gen Firewall) prevention mechanisms thwart most common attacks, but since perfect protection is not practical, monitoring is also necessary.

The Catch: EventTracker Intrusion Detection Service (ETIDS) threw up a red flag on suspicious traffic to/from a user workstation. Further investigation showed a possible infection by Poweliks, a Trojan that has gone file-less to prevent removal and evade detection. Poweliks resides only in the Windows registry and uses several tricks to make it hard to remove.

Once installed, Trojan.Poweliks may contact its command and control (C&C) servers to download further instructions. The primary goal of Trojan.Poweliks is to perform click-fraud operations, which involves covertly downloading large numbers of online advertisements onto the compromised computer and then automatically clicking or interacting with them to earn fraudulent advertising revenue for the attacker. 

In certain cases, secondary infections by other threats may occur from downloading the malicious adverts (malvertisement), leading to exploit kits. The ransomware, Trojan.Cryptowall has been seen on some computers compromised by Trojan.Poweliks because of malvertisement.

In order to perform its click-fraud operations, Poweliks disables browser security settings by modifying multiple registry key entries within:  

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

It gets installed in the registry and this allows it to achieve persistence, since no files are stored directly on the file system.

It can load its code using CLSID hijacking. CLSID entries in the registry are required for windows process, like explorer, to run properly. Poweliks uses the below CLSIDs as load points:

  • {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}
  • {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

The infection vector may have been an outdated Adobe Flash player or a java script file

 Malware of such kind can abuse vulnerabilities, like CVE-2013-7331, which allows remote-code execution in IE versions 6-11.

 The Find: The SIEMphonic Analyst observed as many as 2000 to 14000  connections from multiple workstations going to random remote IP addresses (of which around 450 were unique) within a short span of time. Upon review, most of these IPs were poorly reputed by many threat intelligence feeds. They had been observed to support malware downloads. Other clues were excessive CPU and memory usage on the infected endpoint.

The Fix: While researching an insurance claim, the user visited websites of poor reputation, which is thought to have caused the infection. Once alerted of the possible infection, IT ran Antivirus, Malware and Poweliks specific removal tools to no avail. The user that noticed sluggish performance had rebooted, which – in this network – causes browser reset.

The Lesson: File-less attacks are prolific, hard to detect and evict even with enhanced controls/tools in place. SIEMphonic succeeds with a combination of technology and trained analysts looking at the entire network landscape.