Pierluigi Paganini April 23, 2015

Security experts at Trend Micro have discovered Phasebot malware, which also has fileless infection as part of its routine, is being sold online.

Phasebot  is a strain of malware characterized by fileless infection that is being sold in the criminal underground. In August 2014, experts at GData discovered Poweliks, a persistent malware able to infect machines without installing any files on the targeted machine, Phasebot is the demonstration that the infection method is having success in the criminal ecosystem.

The term “fileless infection” used for both Poweliks and Phasebot malware means that these Trojan have the ability to exist on a system without creating a file but relying on the memory of the infected machine to operate.

“Unlike most malware, fileless malware hides itself in locations that are difficult to scan or detect. Fileless malware exists only in memory and is written directly to RAM instead of being installed in target computer’s hard drive,”  explains Michael Marcos, Trend Micro Threat Response Engineer, in a blog post on Phasebot.

Phasebot is considered the successor of Solarbot, it detection evasion tactics includes numerous improvements like rootkit capabilities, encrypted communications, and virtual machine detection.

Michael Marcos provided interesting details on the way Phasebot works:”Phasebot can execute routines, per the instruction of the

“Phasebot can execute routines, per the instruction of the bot administrator, such as steal information via formgrabbers, perform distributed denial-of-service (DDoS) attacks, update itself, download and execute files, and access URLs,”.

One of the most interesting features implemented by the author of the malware is the support for an external module loader, which means that functionalities can be added or removed in the infected system.

“We think Phasebot is interesting because of is its use of Windows PowerShell, a legitimate, built-in Windows system administration tool, to evade detection from security software. It uses PowerShell to run its components that are hidden in the Windows registry,” he explained. “Using Windows PowerShell can also be seen as strategic because this tool is included in the initial installation packages of Windows OS versions 7 and higher. And since more users have computers that run on Windows 7 and higher, cybercriminals have a bigger net of potential victims.”

The future for Windows systems doesn’t look some bright, fileless malware it is difficult to detect and the combination with Powershell strategies can make the threat very effective and dangerous.

It’s expected that more and more malware will implement the same infection process in the near future, windows registry is the perfect place to hide “nasty stuff” without the knowledge of the common user.

As confirmed by the expert, the fact that a fileless malware it is hard to detect makes the life of security vendors and their clients hard, and if a company is just relaying on file-based detection they will be not able to mitigate the cyber threat, security vendors need to come up with new ideas and methods beyond the usual and tradition file-based detection.

About the Author Elsio Pinto

Pierluigi Paganini

(Security Affairs –  Phasebot, fileless malware)