Since the discovery of the Poweliks fileless Trojan in August 2014, researchers have been expecting other similar malware to pop up.
The wait is over: Phasebot malware, which also has fileless infection as part of its routine, is being sold online.
“Unlike most malware, fileless malware hides itself in locations that are difficult to scan or detect. Fileless malware exists only in memory and is written directly to RAM instead of being installed in the target computer's hard drive,” Trend Micro Threat Response Engineer Michael Marcos explains.
Phasebot seems to be a direct successor of Solarbot.
Its detection evasion tactics include rootkit capabilities, encryption of communications with its C&C server using random passwords, and virtual machine detection.
“Phasebot can execute routines, per the instruction of the bot administrator, such as steal information via formgrabbers, perform distributed denial-of-service (DDoS) attacks, update itself, download and execute files, and access URLs,” Marcos shared.
The malware also sports an external module loader, which allows it to add and remove functionalities on the infected computer.
“We think Phasebot is interesting because of its use of Windows PowerShell, a legitimate, built-in Windows system administration tool, to evade detection from security software. It uses PowerShell to run its components that are hidden in the Windows registry,” he explained.
“Using Windows PowerShell can also be seen as strategic because this tool is included in the initial installation packages of Windows OS versions 7 and higher. And since more users have computers that run on Windows 7 and higher, cybercriminals have a bigger net of potential victims.”
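The technique Marcos describes, a launcher in an autorun registry value that invokes PowerShell to pull the real payload out of another registry value, leaves little on disk but does leave the launcher itself in the registry. The script below, an added example that is not from the article or from Trend Micro, triages a dump of Run-key values for that pattern: it looks for PowerShell launchers, decodes any -EncodedCommand argument (UTF-16LE, base64), and flags hidden windows, registry reads and Invoke-Expression in the decoded script. The sample entries, the "Updater" value name and the HKCU:\Software\SampleApp payload location are constructed for the example; on a live host you would feed it the output of reg.exe or Autoruns instead.

```python
"""Offline triage of autorun registry values for PowerShell-based fileless persistence."""
import base64
import binascii
import re


def _encode_ps(command: str) -> str:
    """Encode a command the way PowerShell expects for -EncodedCommand (UTF-16LE, base64)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Hypothetical second stage: read the payload out of a registry value and run it in memory.
STAGE_ONE = "$p=(Get-ItemProperty 'HKCU:\\Software\\SampleApp').Payload; iex $p"

# Constructed sample of (key, value name, value data) triples as dumped from the Run keys.
# "Updater" is a made-up Phasebot/Poweliks-style launcher; the other two are benign decoys.
SAMPLE_AUTORUNS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r'"C:\Program Files\Windows Defender\MSASCuiL.exe"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + _encode_ps(STAGE_ONE)),
]

POWERSHELL_RE = re.compile(r"(?i)(?:^|[\\\s\"'])(?:powershell|pwsh)(?:\.exe)?\b")
# PowerShell accepts -e, -ec, -enc and -EncodedCommand; all are followed by base64.
ENCODED_RE = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
REGISTRY_READ_RE = re.compile(r"(?i)Get-ItemProperty|HK(?:CU|LM):|Microsoft\.Win32\.Registry")
EXEC_RE = re.compile(r"(?i)\biex\b|Invoke-Expression")


def decode_encoded_command(b64: str):
    """Decode a -EncodedCommand argument; return None if it is not valid UTF-16LE base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze_autorun(key, name, data):
    """Return a finding for a suspicious PowerShell autorun, or None if nothing is flagged."""
    if not POWERSHELL_RE.search(data):
        return None
    indicators = []
    decoded = None
    m = ENCODED_RE.search(data)
    if m:
        indicators.append("encoded_command")
        decoded = decode_encoded_command(m.group(1))
    if HIDDEN_RE.search(data):
        indicators.append("hidden_window")
    # Inspect the decoded script when we have one, otherwise the raw command line.
    script = decoded if decoded is not None else data
    if REGISTRY_READ_RE.search(script):
        indicators.append("registry_payload_read")
    if EXEC_RE.search(script):
        indicators.append("invoke_expression")
    if not indicators:
        return None
    return {"key": key, "name": name, "indicators": indicators, "decoded": decoded}


def triage(autoruns):
    """Run analyze_autorun over every entry and return only the flagged ones."""
    return [f for f in (analyze_autorun(*entry) for entry in autoruns) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUTORUNS):
        print(finding["key"], finding["name"], finding["indicators"])
        if finding["decoded"]:
            print("  decoded:", finding["decoded"])
```

A plain PowerShell autorun with none of the indicators is deliberately not flagged, since administrators do legitimately schedule scripts this way; the combination of a hidden window, an encoded command and a registry read of the payload is what distinguishes the registry-resident loader described above. Values larger than a few kilobytes under unusual key names are the other thing worth pulling from the same dump, since that is where the payload the launcher reads would sit.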
The fact that most security solutions have trouble detecting fileless malware, which leaves no file on disk for file-based scanners to inspect, and that it is also difficult to remove, means that malware writers will surely pursue development of Poweliks and Phasebot copycats soon.
“It's highly possible that they will not limit themselves to simply using the Windows registry to hide their malware. They will also use other sophisticated techniques to run malicious routines without having to drop a file into the affected system,” Marcos noted.