Poweliks malware caught hiding in Windows Registry

Attackers are using malware, codenamed Poweliks, to steal information from Microsoft Windows users, according to Trend Micro.

Trend Micro threat analyst Roddell Santos said in a blog post that the malware keeps its code in the Windows Registry rather than in a file on disk, making it difficult for traditional file-based security products to detect and remove.

“Based on our analysis, TROJ_POWELIKS checks if Windows PowerShell is installed on the affected system; if not, it downloads and installs it on the infected system. This will be used later to execute the encoded script file,” explained Santos.

“As such, PowerShell runs the encoded script containing the malware’s executable code (which is also a .DLL) responsible for downloading other malicious files onto the infected system. This technique is done as part of its evasion tactic since it will not be directly executed by Windows or any application.”

Trend Micro vice president of cloud and emerging technologies Mark Nunnikhoven told V3 that while Poweliks itself has only basic data-stealing capabilities, its detection-evasion technique could be reused to stage more dangerous follow-up attacks.

“The danger here is that there is almost no footprint on the infected machine. It’s an effective mule for other types of malware and attacks that the cyber criminal might wish to use,” he said.

Nunnikhoven said there are ways businesses can protect themselves from Poweliks and recommended IT managers adopt them sooner rather than later.

“In this case, your defences must be able to conduct memory analysis in order to detect TROJ_POWELIKS.A. File-based scanning won’t catch it due to its extremely low footprint,” he explained.

“The key takeaway here is that cyber criminals continue to innovate and develop new types of attacks. We’re seeing a significant amount of effort put into evasion and stealth techniques in order to ensure successful attacks. Businesses need to ensure that they’ve deployed modern defences in order to stay safe.”
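The technique described above (an autorun entry that launches PowerShell with an encoded script kept in the registry, so that nothing suspicious exists as a file) and Nunnikhoven's point that file-based scanning will not catch it suggest two places a defender can look instead: the registry autorun values themselves, and the command lines of PowerShell processes already running. The PowerShell script below is an added example, not code from the article, from V3 or from Trend Micro. The autorun locations it checks, the keyword heuristics it applies and the check for non-printable value names are assumptions chosen for illustration, not indicators published on this page.

```powershell
# Added example (not from the article or Trend Micro): hunt for
# Poweliks-style persistence. Two checks are made:
#   1. registry autorun values that launch PowerShell with an encoded
#      script (or use a script host as a loader), and
#   2. powershell.exe processes already running with an encoded command,
#      which a file scanner never sees because no script file exists.
# Autorun locations and heuristics below are assumptions for illustration.

# Assumed autorun locations to inspect; extend as needed for your estate.
$autorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# -EncodedCommand takes base64 of a UTF-16LE string; decode it so the
# script body can be read instead of an opaque blob. Returns $null when
# the command line carries no encoded payload or the blob is malformed.
function ConvertFrom-EncodedCommand {
    param([string]$CommandLine)
    if ($CommandLine -match '-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') {
        try {
            return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
        } catch {
            return $null
        }
    }
    return $null
}

# Heuristic (assumption): PowerShell started with an encoded payload,
# or a script host such as rundll32/mshta/wscript used as a loader.
function Test-SuspiciousLauncher {
    param([string]$Value)
    $encodedPowerShell = ($Value -match 'powershell') -and
                         ($Value -match '-(e|ec|en|enc|encodedcommand)\s')
    $scriptHostLoader  = $Value -match '(rundll32|mshta|wscript|cscript)\.exe'
    return ($encodedPowerShell -or $scriptHostLoader)
}

function Get-EncodedPowerShellLaunchers {
    $findings = @()

    # 1. Registry autorun values.
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $value = [string]$item.GetValue($name)
            # A value name containing non-printable characters cannot be
            # shown or edited normally in regedit; treat it as a hiding
            # trick worth reporting even if the command looks benign.
            $unprintableName = $name -match '[^\x20-\x7E]'
            if ($unprintableName -or (Test-SuspiciousLauncher $value)) {
                $findings += [pscustomobject]@{
                    Location  = $key
                    ValueName = if ($unprintableName) { '<non-printable name>' } else { $name }
                    Command   = $value
                    Decoded   = ConvertFrom-EncodedCommand $value
                }
            }
        }
    }

    # 2. Live PowerShell processes with an encoded command line.
    foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe'") {
        if ($proc.CommandLine -match '-(e|ec|en|enc|encodedcommand)\s') {
            $findings += [pscustomobject]@{
                Location  = "PID $($proc.ProcessId) (parent PID $($proc.ParentProcessId))"
                ValueName = $proc.Name
                Command   = $proc.CommandLine
                Decoded   = ConvertFrom-EncodedCommand $proc.CommandLine
            }
        }
    }

    return $findings
}

$results = Get-EncodedPowerShellLaunchers
if ($results.Count -eq 0) {
    'No encoded-PowerShell autoruns or running processes found.'
} else {
    # Format-List keeps long decoded scripts readable in the console.
    $results | Format-List
}
```

Run it in an elevated PowerShell session so the HKLM keys and other users' processes are readable. The decoded script is what to triage: a payload that rebuilds a DLL in memory and fetches further files is the behaviour Santos describes, and it is not visible to any scanner that only reads files on disk.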

Information-stealing cyber attacks are a constant threat facing businesses. Research from PwC and the UK Department for Business, Innovation and Skills (BIS) estimated in April that cyber attacks are costing UK businesses as much as £1.15m per breach.



Trend Micro protects users from this threat via its Smart Protection Network that detects the malicious file despite its evasion tactics.


Via: v3
