Hackers have targeted almost 200,000 computers using a dangerous fileless version of the Poweliks malware over the past six months, according to researchers at Symantec.
Liam O'Murchu and Fred Gutierrez reported the infections in a white paper entitled The evolution of the fileless click-fraud malware Poweliks (PDF).
"Over the past six months, we have seen Poweliks attempt to infect over 198,500 computers. More than 99.5 percent of these infections have been in the US," read the paper.
The researchers attributed the Poweliks variant's success to upgrades designed to improve its resilience against removal tools.
"As a file-less threat, Poweliks does not exist as a file on a disk but instead resides solely in the registry. This means that it cannot be deleted from the compromised computer in the traditional sense," read the advisory.
"The threat also uses several other novel techniques to compromise infected computers. Poweliks uses a special naming scheme to hide in the registry and has consistently used CLSID [Class ID] hijacking as runtime load points in the registry."
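As an added example (not from the Symantec paper or this article), the following PowerShell audit enumerates the COM CLSID load points the paper describes and flags entries that fit the fileless profile: a server value that is not a path to a binary present on disk, or a key name that cannot be displayed as plain text. The InprocServer32/LocalServer32 focus and the non-printable-name heuristic are my assumptions, not details taken from the page.

```powershell
# Added example, not from the Symantec paper or this article: audit COM CLSID load
# points for entries that fit the fileless profile described above. Assumptions (mine):
# the load point is an InprocServer32 or LocalServer32 default value; "fileless" shows
# up as a value that is not a path to a file present on disk; the "special naming
# scheme" is approximated as CLSID key names containing non-printable characters.

function Get-ServerPath([string]$Value) {
    # Recover the executable or DLL path from a server value, dropping quotes and arguments.
    $v = [Environment]::ExpandEnvironmentVariables($Value.Trim())
    if ($v -match '^"([^"]+)"') { return $Matches[1] }
    if ($v -match '^(.+?\.(dll|exe|ocx))(\s|$)') { return $Matches[1] }
    return ($v -split '\s+')[0]
}

function Find-SuspiciousClsid {
    $hives = 'HKCU:\Software\Classes\CLSID', 'HKLM:\Software\Classes\CLSID'
    foreach ($hive in $hives) {
        if (-not (Test-Path $hive)) { continue }
        foreach ($clsid in Get-ChildItem -Path $hive -ErrorAction SilentlyContinue) {
            # A key name outside printable ASCII is worth a look on its own.
            if ($clsid.PSChildName -match '[^\x20-\x7E]') {
                [pscustomobject]@{ Key = $clsid.Name; Reason = 'non-printable key name'; Value = '' }
            }
            foreach ($server in 'InprocServer32', 'LocalServer32') {
                $props = Get-ItemProperty -Path "$($clsid.PSPath)\$server" -ErrorAction SilentlyContinue
                if (-not $props) { continue }
                $value = $props.'(default)'
                if ([string]::IsNullOrWhiteSpace($value)) { continue }
                $path = Get-ServerPath $value
                $reason = $null
                if ($path -notmatch '\.(dll|exe|ocx)$') { $reason = 'value is not a path to a binary' }
                elseif (-not (Test-Path -LiteralPath $path)) { $reason = 'referenced file is missing on disk' }
                if ($reason) {
                    [pscustomobject]@{ Key = "$($clsid.Name)\$server"; Reason = $reason; Value = $value }
                }
            }
        }
    }
}

Find-SuspiciousClsid | Format-Table -AutoSize -Wrap
```

Expect stale registrations left behind by uninstalled software among the hits; the output is a triage list for an analyst, not a verdict.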
The Symantec team said that, despite the technical upgrade, the end goal of the malware remains basic click fraud.
"Once Poweliks is in place on a compromised computer, it acts as a click fraud botnet. It silently visits web pages in a hidden browser window and displays advertisements in that window," read the paper.
"The Poweliks controllers get paid for every advertisement shown and, although the amount earned per ad is small, the compromised computers are capable of showing thousands of ads per day."
Disturbingly, the researchers also observed Poweliks using some of the ads to mount a follow-up attack infecting machines with ransomware.
"An added complication for victims of Poweliks is that the advertisements can contain malicious content themselves," said the paper.
"This means that a computer compromised with Poweliks will often end up with numerous other threats, including ransomware, running on the computer."
Ransomware is a growing threat facing businesses and web users. McAfee, part of Intel Security, listed ransomware as one of the fastest growing threats in its McAfee Labs Threats Report May 2015.
The culprits behind Poweliks remain unknown, although Symantec did report uncovering circumstantial evidence linking it to the Bedep gang.
"This unusual link between Poweliks and Bedep may be tied to the fact that Bedep is an in-memory-only downloader and has a similar coding style," said the report.
"In fact Bedep has been observed downloading and installing Poweliks (along with other threats) on compromised computers. However, there is no conclusive evidence linking the authors of Poweliks and Bedep."
Poweliks is one of many recently discovered evolved threats. IBM Trusteer researchers reported uncovering an evolved version of the Tinba malware targeting customers of European banks in an effort to steal funds.