losaalpine.blogg.se

Symantec trojan poweliks removal tool

As a registry-based threat, Poweliks does not exist as a file on the compromised computer and instead resides only in the Windows registry.

Trojan.Poweliks first grabbed people’s attention in 2014 when it evolved into a registry-based threat. One of the most prominent examples of registry run key persistence is Trojan.Poweliks from 2014, which uses PowerShell to create a fileless persistent load point. Poweliks creates a registry run key with a non-ASCII character as a name. This prevents normal tools from being able to display this value. The threat also modifies access rights, making the key difficult to remove. The registry entry uses the legitimate rundll32.exe to execute a small JavaScript embedded in the registry key. The JavaScript uses a WScript object to decrypt a PowerShell script from another registry key and runs it. The PowerShell loads a watchdog DLL and other payloads. These techniques allow Poweliks to stay active on the computer without writing a common file on disk, which would expose it to detection from traditional security tools. After this, Trojan.Kotver started to use similar tricks and it is one of the most active threats today. What makes Poweliks one of the most persistent threats in the current times?
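The two traits described above (a Run value whose name is not plain ASCII, and rundll32.exe being handed inline JavaScript instead of a DLL) can be checked for in a registry export collected during triage. The script below is an added example, not a Symantec tool or anything from the original page; the .reg text it scans is constructed, with a no-break space standing in for the non-ASCII value name and a PLACEHOLDER string in place of any real payload.

```python
import re
from dataclasses import dataclass

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# Autostart location the page describes; only values under it are examined.
RUN_KEY_MARKER = r"\Microsoft\Windows\CurrentVersion\Run"
# rundll32 given a javascript: URL rather than a DLL export is the trait to key on.
SUSPICIOUS_DATA = re.compile(r"rundll32(\.exe)?\s+javascript:", re.IGNORECASE)

ODD_NAME = "\u00a0"  # constructed stand-in for a non-ASCII value name
SAMPLE_REG_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]",
    '"OneDrive"="\\"C:\\\\Users\\\\u\\\\OneDrive.exe\\" /background"',  # benign
    f'"{ODD_NAME}"="rundll32.exe javascript:\\"\\\\..\\\\PLACEHOLDER\\";PLACEHOLDER"',
])

@dataclass
class Finding:
    key: str
    name: str
    data: str
    reasons: list

def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)

def scan_reg_export(text):
    """Return Findings for Run-key values showing Poweliks-style traits."""
    findings, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if not m or current_key is None or RUN_KEY_MARKER.lower() not in current_key.lower():
            continue
        name, rhs = _unescape(m.group(1)), m.group(2)
        data = _unescape(rhs[1:-1]) if len(rhs) > 1 and rhs[0] == rhs[-1] == '"' else rhs
        reasons = []
        if any(not 0x20 <= ord(c) <= 0x7E for c in name):
            reasons.append("value name contains non-ASCII or control characters")
        if SUSPICIOUS_DATA.search(data):
            reasons.append("rundll32 invoked with an inline javascript: payload")
        if reasons:
            findings.append(Finding(current_key, name, data, reasons))
    return findings

if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f.key, repr(f.name), f.reasons)
```

Because the page notes that normal tools cannot display the value, an export produced on the infected host may omit or mangle the entry; treat an empty result as inconclusive and confirm with a tool that reads the hive directly.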