File-less Click Fraud Trojan

The Network: A financial services firm in the Midwest U.S. with a very well run network security team on site. Netsurion’s Managed Threat Protection supplements this team.

The Expectation: Robust and up-to-date (Anti-Virus, Next-Gen Firewall) prevention mechanisms thwart most common attacks, but since perfect protection is not practical, monitoring is also necessary.

The Catch: EventTracker Intrusion Detection Service (ETIDS) generated a red flag on suspicious traffic to/from a user workstation. Further investigation showed a possible infection by Poweliks, a Trojan that has gone file-less to prevent removal and evade detection. Poweliks resides only in the Microsoft Windows registry and uses several tricks to make it hard to remove.

Once installed, Trojan.Poweliks may contact its command and control (C&C) servers to download further instructions. The primary goal of Trojan.Poweliks is to perform click-fraud operations, which involves covertly downloading large numbers of online advertisements onto the compromised computer and then automatically clicking or interacting with them to earn fraudulent advertising revenue for the attacker.

In certain cases, secondary infections by other threats may occur from downloading the malicious adverts (malvertisement), leading to the proliferation of other threats such as exploit kits. The ransomware Trojan.Cryptowall has also been detected on some compromised computers.

In order to perform its click-fraud operations, Poweliks disables browser security settings by modifying multiple registry key entries.   

It gets installed in the registry and this allows it to achieve persistence, since no files are stored directly on the file system.

It can load its code using class identifier (CLSID) hijacking. CLSID entries in the registry are required for Windows processes, such as Explorer, to run properly. Poweliks uses the following CLSIDs as load points:

  • {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}
  • {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
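The registry-only persistence described above is something a defender can audit from an exported registry hive. The following is an added example, not code from the Netsurion write-up: it parses the text of a `reg export` (.reg) file and flags the two CLSIDs listed above when they are overridden per-user (HKEY_CURRENT_USER) or when their server registration is not a plain path to an .exe/.dll on disk. The sample export, the key names and the shape of the suspicious value (a `rundll32.exe javascript:` launcher with a placeholder body) are constructed for illustration; the write-up itself does not describe the value contents.

```python
"""Heuristic check for Poweliks-style CLSID hijacking in a Windows registry export.

Added example (not part of the Netsurion write-up). It reads the text of a
.reg export, locates LocalServer32/InProcServer32 registrations for the CLSIDs
named in the write-up, and reports registrations that do not look like a
normal COM server (a path to a binary registered machine-wide).
"""
import re

# CLSIDs listed in the write-up as Poweliks load points.
WATCHED_CLSIDS = {
    "{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}",
    "{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",
}

# Subkeys whose default value decides which code a CLSID loads.
SERVER_SUBKEYS = ("localserver32", "inprocserver32")

# A legitimate COM server registration is a path to an .exe/.dll, optionally
# with arguments; %SystemRoot%-style prefixes are allowed. Anything else
# (script launchers, inline code) is treated as suspicious. Heuristic only.
PLAIN_BINARY = re.compile(
    r'^"?(?:[A-Za-z]:|%[^%]+%)\\[^"]*\.(?:exe|dll)"?(?:\s+\S+)*$', re.IGNORECASE
)

# Constructed sample: one machine-wide, benign registration and one per-user
# override whose server value is a script launcher. Both are illustrative.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}]
@="Sample Class Factory (constructed)"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\InProcServer32]
@="C:\\Windows\\system32\\sample.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\LocalServer32]
@="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";PLACEHOLDER_BODY"
'''

VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a .reg export.

    REG_SZ strings are unescaped; other types (dword:, hex:) are kept raw and
    hex continuation lines are skipped, which is enough for this check.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or raw[:1].isspace():
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_clsid_hijacks(reg):
    """Return a list of findings for watched CLSIDs with suspicious server registrations."""
    findings = []
    for key, values in reg.items():
        parts = key.split("\\")
        if len(parts) < 2 or parts[-1].lower() not in SERVER_SUBKEYS:
            continue
        if parts[-2].upper() not in WATCHED_CLSIDS:
            continue
        server = values.get("@", "")
        reasons = []
        if parts[0].upper() == "HKEY_CURRENT_USER":
            reasons.append("per-user override of a system CLSID")
        if not PLAIN_BINARY.match(server):
            reasons.append("server value is not a plain path to an .exe/.dll")
        if reasons:
            findings.append({"key": key, "server": server, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_clsid_hijacks(parse_reg_export(SAMPLE_EXPORT)):
        print(hit["key"])
        print("  value:", hit["server"])
        print("  why:  ", "; ".join(hit["reasons"]))
```

Run it against `reg export HKCU\Software\Classes\CLSID out.reg` (and the HKLM equivalent) from a workstation under suspicion. The per-user check matters because HKCU\Software\Classes is consulted before the machine-wide class registration, so a user-writable override changes what a system process loads without touching any file on disk.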

The infection vector may have been an outdated Adobe Flash Player or a JavaScript file. This malware can abuse vulnerabilities like CVE-2013-7331, which allows remote code execution.

The Find: Netsurion's SOC analyst observed as many as 2,000 to 14,000 connections from multiple workstations going to random remote IP addresses within a short span of time. Many of these addresses were suspicious, had poor IP address reputations, and had previously been observed hosting malware downloads. Other clues were excessive CPU and memory usage on the infected endpoint.

The Fix: While researching an insurance claim, the financial services employee visited websites of poor reputation, which is thought to have caused the infection. Once alerted to the possible infection, IT ran Anti-Virus, anti-malware, and Poweliks-specific removal tools to no avail. The user who noticed sluggish performance had rebooted, which – in this network – causes a browser reset.

The Lesson: File-less attacks are prolific, hard to detect, and complex to evict even with enhanced controls/tools in place. Netsurion’s Managed Threat Protection succeeds with a combination of technology and trained analysts monitoring the entire attack surface.