Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Phasebot, the fileless malware sold in the underground

Security experts at Trend Micro have discovered Phasebot malware, which also has fileless infection as part of its routine, is being sold online. Phasebot  is a strain of malware characterized by fileless infection that is being sold in the criminal underground. In August 2014, experts at GData discovered Poweliks, a persistent malware able to infect machines without installing […]

Phasebot, the fileless malware sold in the underground

Security experts at Trend Micro have discovered Phasebot malware, which also has fileless infection as part of its routine, is being sold online.

Phasebot  is a strain of malware characterized by fileless infection that is being sold in the criminal underground. In August 2014, experts at GData discovered Poweliks, a persistent malware able to infect machines without installing any files on the targeted machine, Phasebot is the demonstration that the infection method is having success in the criminal ecosystem.

The term “fileless infection” used for both Poweliks and Phasebot malware means that these Trojan have the ability to exist on a system without creating a file but relying on the memory of the infected machine to operate.

“Unlike most malware, fileless malware hides itself in locations that are difficult to scan or detect. Fileless malware exists only in memory and is written directly to RAM instead of being installed in target computer’s hard drive,”  explains Michael Marcos, Trend Micro Threat Response Engineer, in a blog post on Phasebot.

Phasebot is considered the successor of Solarbot, it detection evasion tactics includes numerous improvements like rootkit capabilities, encrypted communications, and virtual machine detection.

Phasebot malware fileless infection 2

Michael Marcos provided interesting details on the way Phasebot works:”Phasebot can execute routines, per the instruction of the

Phasebot can execute routines, per the instruction of the bot administrator, such as steal information via formgrabbers, perform distributed denial-of-service (DDoS) attacks, update itself, download and execute files, and access URLs,”.

One of the most interesting features implemented by the author of the malware is the support for an external module loader, which means that functionalities can be added or removed in the infected system.

“We think Phasebot is interesting because of is its use of Windows PowerShell, a legitimate, built-in Windows system administration tool, to evade detection from security software. It uses PowerShell to run its components that are hidden in the Windows registry,” he explained. “Using Windows PowerShell can also be seen as strategic because this tool is included in the initial installation packages of Windows OS versions 7 and higher. And since more users have computers that run on Windows 7 and higher, cybercriminals have a bigger net of potential victims.”

The future for Windows systems doesn’t look some bright, fileless malware it is difficult to detect and the combination with Powershell strategies can make the threat very effective and dangerous.

It’s expected that more and more malware will implement the same infection process in the near future, windows registry is the perfect place to hide “nasty stuff” without the knowledge of the common user.

As confirmed by the expert, the fact that a fileless malware it is hard to detect makes the life of security vendors and their clients hard, and if a company is just relaying on file-based detection they will be not able to mitigate the cyber threat, security vendors need to come up with new ideas and methods beyond the usual and tradition file-based detection.

About the Author Elsio Pinto

Elsio Pinto is at the moment the Lead Mcafee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog http://high54security.blogspot.com/

Pierluigi Paganini

(Security Affairs –  Phasebot, fileless malware)