Hackers have targeted almost 200,000 computers using a dangerous 'file-less' version of the Poweliks malware over the past six months, according to researchers at Symantec.
Liam O'Murchu and Fred Gutierrez reported the infections in a white paper entitled The evolution of the fileless click-fraud malware Poweliks (PDF).
"Over the past six months, we have seen Poweliks attempt to infect over 198,500 computers. More than 99.5 percent of these infections have been in the US," read the paper.
The researchers said that the Poweliks variant's success is owing to upgrades designed to improve its resilience against removal tools.
"As a file-less threat, Poweliks does not exist as a file on a disk but instead resides solely in the registry. This means that it cannot be deleted from the compromised computer in the traditional sense," read the paper.
"The threat also uses several other novel techniques to compromise infected computers. Poweliks uses a special naming scheme to hide in the registry and has consistently used CLSID [Class ID] hijacking as runtime load points in the registry."
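The registry-only persistence and CLSID hijacking described in the quotes above can be hunted for with a read-only registry sweep. The script below is an added example written for this article; it is not code from Symantec's paper or from the article's author, and it does not use any Poweliks-specific indicator, since the page publishes none. The script-host patterns, the non-printable-name check and the 2048-byte data threshold are generic heuristics chosen for this example (assumptions), and the per-user CLSID override check relies on the documented fact that HKCU\Software\Classes takes precedence over HKLM\Software\Classes when COM resolves a CLSID.

```powershell
# Added example (not from the Symantec paper or this article): hunt for
# registry-resident, file-less persistence. Walks the classic Run keys and every
# CLSID's in-proc / out-of-proc server entry and flags values that launch a script
# host instead of a normal DLL/EXE, value names that cannot be displayed cleanly,
# or per-user CLSIDs that shadow a machine-wide one. Read-only; run elevated so
# HKLM is fully readable. All patterns below are generic heuristics (assumptions).

$suspiciousPatterns = @(
    'rundll32(\.exe)?.*javascript:',            # rundll32 coerced into running script
    'mshta(\.exe)?',                            # HTML application host
    'powershell.*(-enc\b|-e\s|-encodedcommand)', # encoded PowerShell one-liners
    'wscript|cscript',                          # Windows Script Host
    'regsvr32.*/i:',                            # scriptlet loading via regsvr32
    'javascript:|vbscript:'                     # script URIs embedded in data
)
$regex = ($suspiciousPatterns -join '|')

function Test-SuspiciousValue {
    param([string]$Name, [string]$Data)
    $hits = @()
    if ($Data -match $regex) { $hits += 'script host in data' }
    # Control characters in a value name make it hard to view or delete in regedit;
    # treated here as a hiding heuristic (assumption, not a published indicator).
    if ($Name -match '[\x00-\x1F\x7F]') { $hits += 'non-printable chars in value name' }
    if ($Data.Length -gt 2048) { $hits += 'unusually long data (possible embedded script)' }
    return $hits
}

$findings = New-Object System.Collections.Generic.List[object]

# 1. Classic auto-start keys in both hives.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata
        $why = @(Test-SuspiciousValue -Name $p.Name -Data ([string]$p.Value))
        if ($why.Count -gt 0) {
            $findings.Add([pscustomobject]@{ Key = $key; Name = $p.Name; Data = $p.Value; Why = ($why -join '; ') })
        }
    }
}

# 2. CLSID server registrations (runtime load points). COM consults the per-user
#    view first, so an HKCU entry shadows the HKLM one for the same CLSID, which is
#    what makes CLSID hijacking attractive.
$clsidRoots = @('HKCU:\Software\Classes\CLSID', 'HKLM:\Software\Classes\CLSID')
foreach ($root in $clsidRoots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        foreach ($server in 'InprocServer32', 'LocalServer32') {
            $srvKey = Join-Path $_.PSPath $server
            $props = Get-ItemProperty -Path $srvKey -ErrorAction SilentlyContinue
            if (-not $props) { continue }
            $default = [string]$props.'(default)'
            $why = @(Test-SuspiciousValue -Name $clsid -Data $default)
            if ($root -like 'HKCU:*' -and (Test-Path ("HKLM:\Software\Classes\CLSID\" + $clsid))) {
                $why += 'HKCU entry shadows an HKLM CLSID'
            }
            if ($why.Count -gt 0) {
                $findings.Add([pscustomobject]@{ Key = $srvKey; Name = '(default)'; Data = $default; Why = ($why -join '; ') })
            }
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Every hit needs triage: legitimate software does register script-based handlers and per-user CLSIDs, so the output is a worklist, not a verdict. The useful signal is a CLSID or Run value whose data starts a script interpreter rather than pointing at a file on disk, which is exactly the property the paper attributes to a file-less threat.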
The Symantec team said that, despite the technical upgrade, the end goal of the malware remains basic click fraud.
"Once Poweliks is in place on a compromised computer, it acts as a click fraud botnet. It silently visits web pages in a hidden browser window and displays advertisements in that window," read the paper.
"The Poweliks controllers get paid for every advertisement shown and, although the amount earned per ad is small, the compromised computers are capable of showing thousands of ads per day."
Disturbingly, the researchers also found that the advertisements Poweliks loads can themselves carry malicious content, so that a machine infected with Poweliks frequently picks up further threats, including ransomware.
"An added complication for victims of Poweliks is that the advertisements can contain malicious content themselves," said the paper.
"This means that a computer compromised with Poweliks will often end up with numerous other threats, including ransomware, running on the computer."
Ransomware is a growing threat facing businesses and web users. McAfee, part of Intel Security, listed ransomware as one of the fastest growing threats in its McAfee Labs Threats Report May 2015.
The culprits behind Poweliks remain unknown, although Symantec did report uncovering circumstantial evidence linking it to the Bedep gang.
"This unusual link between Poweliks and Bedep may be tied to the fact that Bedep is an in-memory-only downloader and has a similar coding style," said the report.
"In fact Bedep has been observed downloading and installing Poweliks (along with other threats) on compromised computers. However, there is no conclusive evidence linking the authors of Poweliks and Bedep."
Poweliks is one of many recently discovered evolved threats. IBM Trusteer researchers reported uncovering an evolved version of the Tinba malware targeting customers of European banks in an effort to steal funds.