Researchers have detailed a rare form of Windows malware that maintains infection on machines and steals data without installing files.
The malware resides in the computer registry only and is therefore not easy to detect.
It code reaches machines through a malicious Microsoft Word document before creating a hidden encoded autostart registry key, malware researcher and black hat exterminator Paul Rascagneres (@r00tbsd) says. It then creates and executes shellcode and a payload Windows binary.
"All activities are stored in the registry. No file is ever created," Rascagneres said in a post.
"So, attackers are able to circumvent classic anti-malware file scan techniques with such an approach and are able to carry out any desired action when they reach the innermost layer of [a machine] even after a system re-boot.
"To prevent attacks like this, anti-virus solutions have to either catch the initial Word document before it is executed (if there is one), preferably before it reached the customer's email inbox."
Windows Regedit cannot read or open the non-ASCII key entry. Rascagneres said the feature set was akin to a Matryoshka Doll due to its subsequent and continual 'stacked' execution of code.
The non-ASCII trick is a tool Microsoft uses to hide its source code from being copied, but the feature was later cracked.
Security kit can alternatively detect the software exploit, or as a final step monitor the registry for unusual behaviour, he said.
Deviants distributed the malware under the guise of Canada Post and UPS emails purportedly carrying tracking information.
"This trick prevents a lot of tools from processing this malicious entry at all and it could generate a lot of trouble for incident response teams during the analysis. The mechanism can be used to start any program on the infected system and this makes it very powerful," Rascagneres said.
Rascagneres has made a name ripping malware and bots to uncover and undermine black hat operations. He won last years' Pwnie Award at Black Hat Las Vegas for tearing through the infrastructure of Chinese hacker group APT1. ®