Threat Level: green Handler on Duty: Basil Alawi S.Taher

SANS ISC Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Fileless Malware

Published: 2015-04-24
Last Updated: 2015-04-24 16:55:59 UTC
by Basil Alawi S.Taher (Version: 1)
0 comment(s)

In previous diaries we have talked about memory forensics and how important is it . Malware that does not exist in the file system are one of the reasons why memory forensics is important.

Michael Marcos from Trend Micro wrote about “Fileless malware”. POWELIKS is one of the example he talked about.

POWELIKS hides its malicious code inside Windows Registry Key and it is use Windows PowerShell to run additional encoded code.

 

Phasebot is the second malware that Marcos has talked about is Phasebot can be defined as a new variant of Solarbot.

The Phasebot has additional features such as Virtual Machine detection and an external module loader which give the malware the ability to add and remove features.

Phasebot encrypt the communication with its Command and Control server using a random password each time it connects to the C&C server.

The malware was designed to check for .Net Framework 3.5 and Windows PowerShell which are installed by default in recent versions of Windows.

Then it will creates the following registry key where the encrypted shell code will be written:

  • HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{Bot GUID}

It creates Rc4Encoded32 and Rc4Encoded64 registry values where it will save the encrypted 32-bit and 64-bit shell code. Lastly, it creates another registry value named JavaScript that will decrypt and execute the Rc4Encoded32/64 values.

“If the programs are not found in the system, Phasebot drops a copy of itself in the %User Startup% folder. It then hooks APIs to achieve a user-level rootkit that makes the file hidden from a typical end- user. It hooks theNtQueryDirectoryFile API to hide the file and hooks NtReadVirtualMemory to hide the malware process

Phasebot can execute routines, per the instruction of the bot administrator, such as steal information via formgrabbers, perform distributed denial-of-service (DDoS) attacks, update itself, download and execute files, and access URLs.”

===========================================================

http://blog.trendmicro.com/trendlabs-security-intelligence/without-a-trace-fileless-malware-spotted-in-the-wild/

 

 

 

 

0 comment(s)
ISC StormCast for Friday, April 24th 2015 http://isc.sans.edu/podcastdetail.html?id=4455

If you have more information or corrections regarding our diary, please share.

Recent Diaries

When automation does not help
1 day ago by Bojan (0 comments)

Dridex Redirecting to Malicious Dropbox Hosted File Via Google
1 day ago by Dr. J. (4 comments)

Logging Complete Requests in Apache 2.2 and 2.4
3 days ago by Dr. J. (1 comment)

Reminder: Secure Your Tomcat Admin Interface
4 days ago by Dr. J. (0 comments)

Handling Special PDF Compression Methods
5 days ago by DidierStevens (0 comments)

View All Diaries →

Latest Discussions

Need help with Framing and masking
created 7 hours ago by Anonymous (0 replies)

Packet numbers different in various Dshield reports
created 5 days ago by Telserv (0 replies)

Disruption of Simda botnet
created 1 week ago by Brad Duncan (0 replies)

STUN traffic
created 1 week ago by Tom (2 replies)

DMZ Server dual NIC design
created 1 week ago by Anonymous (0 replies)

View All Forums →

Latest News

View All News →