In previous diaries we have talked about memory forensics and how important is it . Malware that does not exist in the file system are one of the reasons why memory forensics is important.
Michael Marcos from Trend Micro wrote about “Fileless malware”. POWELIKS is one of the example he talked about.
POWELIKS hides its malicious code inside Windows Registry Key and it is use Windows PowerShell to run additional encoded code.
Phasebot is the second malware that Marcos has talked about is Phasebot can be defined as a new variant of Solarbot.
The Phasebot has additional features such as Virtual Machine detection and an external module loader which give the malware the ability to add and remove features.
Phasebot encrypt the communication with its Command and Control server using a random password each time it connects to the C&C server.
The malware was designed to check for .Net Framework 3.5 and Windows PowerShell which are installed by default in recent versions of Windows.
Then it will creates the following registry key where the encrypted shell code will be written:
“If the programs are not found in the system, Phasebot drops a copy of itself in the %User Startup% folder. It then hooks APIs to achieve a user-level rootkit that makes the file hidden from a typical end- user. It hooks theNtQueryDirectoryFile API to hide the file and hooks NtReadVirtualMemory to hide the malware process
Phasebot can execute routines, per the instruction of the bot administrator, such as steal information via formgrabbers, perform distributed denial-of-service (DDoS) attacks, update itself, download and execute files, and access URLs.”
Apr 24th 2015
4 years ago