According to researchers at Trend Micro, a threat dubbed “TROJ.POWELIKS.A.” can open users to additional malware downloads and steal system data, like universally unique identifiers (UUIDs), to deliver the information to attackers.
On Friday, the security firm detailed the malware in a blog post, revealing that it hides its malicious code in Windows Registry to make it difficult for researchers to analyze “because there are no file references.” Roddell Santos, a Trend Micro analyst and author of the post, explained that the malware “checks if Windows PowerShell is installed on the affected system.” If PowerShell is not present, it installs the program in order to abuse its functionalities and run the malware's executable code, a malicious DLL (dynamic link library) file, Santos wrote.
A number of new malware variants have recently been discovered as leveraging PowerShell to hide malicious activity, including ransomware called “PoshCoder.”