Hackers have targeted almost 200,000 computers using a dangerous 'file-less' version of the Poweliks malware over the past six months, according to researchers at Symantec.
Liam O'Murchu and Fred Gutierrez reported the infections in a white paper entitled The evolution of the fileless click-fraud malware Poweliks (PDF).
"Over the past six months, we have seen Poweliks attempt to infect over 198,500 computers. More than 99.5 percent of these infections have been in the US," read the paper.
The researchers said that the Poweliks variant's success is owing to upgrades designed to improve its resilience against removal tools.
"As a file-less threat, Poweliks does not exist as a file on a disk but instead resides solely in the registry. This means that it cannot be deleted from the compromised computer in the traditional sense," read the advisory.
"The threat also uses several other novel techniques to compromise infected computers. Poweliks uses a special naming scheme to hide in the registry and has consistently used CLSID [Class ID] hijacking as runtime load points in the registry."
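The two registry tricks quoted above (value names that hide from the registry tools and CLSID server entries used as load points) are the sort of thing a defender can hunt for offline in an exported hive. The following Python script is an added example for this article, not code from Symantec's paper or from the malware; it parses a `.reg`-style export and flags value names containing non-printable characters and CLSID `InprocServer32`/`LocalServer32` defaults that point outside the usual Windows and Program Files directories. The sample export, the directory allow-list and the rule names are constructed for the example and are heuristics, not a signature for Poweliks.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed .reg-style export used as demo input (not a real Poweliks artefact).
# Registry exports escape backslashes as "\\" and quotes as "\"" inside strings.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{11111111-2222-3333-4444-555555555555}\\InprocServer32]
@="C:\\\\Windows\\\\System32\\\\shell32.dll"

[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\\LocalServer32]
@="C:\\\\Users\\\\Public\\\\loader.exe"

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"OneDrive"="C:\\\\Users\\\\alice\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe"
"\u0001hidden"="C:\\\\Users\\\\alice\\\\AppData\\\\Roaming\\\\x.exe"
"""

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')
# Matches the COM server subkeys a CLSID load point lives in.
_CLSID_SERVER_RE = re.compile(
    r"\\CLSID\\\{[0-9A-Fa-f-]{36}\}\\(InprocServer32|LocalServer32)$", re.IGNORECASE
)
# Heuristic allow-list (assumption for this example): COM servers are normally
# registered from these locations; anything else is worth a closer look.
ALLOWED_SERVER_DIRS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "%systemroot%\\",
    "%windir%\\",
)


@dataclass(frozen=True)
class Finding:
    rule: str
    key: str
    name: str
    data: str


def _unescape(s: str) -> str:
    """Undo .reg string escaping: '\\\\' -> '\\' and '\\"' -> '\"'."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key path, value name, value data) triples from a .reg export.
    String data is unescaped; other data (hex:, dword:) is returned raw."""
    key = None
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = m.group("name")
            name = "(Default)" if name == "@" else _unescape(name[1:-1])
            data = m.group("data")
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            yield key, name, data


def scan_reg_export(text: str) -> List[Finding]:
    """Apply two hunting heuristics to every value in the export."""
    findings: List[Finding] = []
    for key, name, data in parse_reg_export(text):
        # Rule 1: value names with non-printable characters do not display
        # normally in registry tools and are a hiding technique.
        if any(not ch.isprintable() for ch in name):
            findings.append(Finding("hidden-value-name", key, name, data))
        # Rule 2: a CLSID server default pointing outside system directories.
        # Per-user (HKCU) CLSID entries are consulted ahead of machine-wide ones,
        # which is what makes them usable as load points.
        if name == "(Default)" and _CLSID_SERVER_RE.search(key):
            path = data.lower().lstrip('"')
            if not path.startswith(ALLOWED_SERVER_DIRS):
                findings.append(
                    Finding("clsid-server-outside-system-dirs", key, name, data)
                )
    return findings


if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG):
        print(f"{f.rule}: [{f.key}] name={f.name!r} data={f.data!r}")
```

Running the script against the constructed sample reports two findings: the `Run` value whose name starts with a control character, and the per-user `LocalServer32` default pointing into `C:\Users\Public`. On a real export the allow-list will need tuning per environment, and every hit should be checked against the actual file on disk rather than treated as a verdict.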
The Symantec team said that, despite the technical upgrade, the end goal of the malware remains basic click fraud.
"Once Poweliks is in place on a compromised computer, it acts as a click fraud botnet. It silently visits web pages in a hidden browser window and displays advertisements in that window," read the paper.
"The Poweliks controllers get paid for every advertisement shown and, although the amount earned per ad is small, the compromised computers are capable of showing thousands of ads per day."
Disturbingly, the researchers also observed Poweliks using some of the ads to mount a follow-up attack infecting machines with ransomware.
"An added complication for victims of Poweliks is that the advertisements can contain malicious content themselves," said the paper.
"This means that a computer compromised with Poweliks will often end up with numerous other threats, including ransomware, running on the computer."
Ransomware is a growing threat facing businesses and web users. McAfee, part of Intel Security, listed ransomware as one of the fastest growing threats in its McAfee Labs Threats Report May 2015.
The culprits behind Poweliks remain unknown, although Symantec did report uncovering circumstantial evidence linking it to the Bedep gang.
"This unusual link between Poweliks and Bedep may be tied to the fact that Bedep is an in-memory-only downloader and has a similar coding style," said the report.
"In fact Bedep has been observed downloading and installing Poweliks (along with other threats) on compromised computers. However, there is no conclusive evidence linking the authors of Poweliks and Bedep."
Poweliks is one of many recently discovered evolved threats. IBM Trusteer researchers reported uncovering an evolved version of the Tinba malware targeting customers of European banks in an effort to steal funds.