In previous diaries we have talked about memory forensics and how important is it . Malware that does not exist in the file system are one of the reasons why memory forensics is important.

Michael Marcos from Trend Micro wrote about “Fileless malware”. POWELIKS is one of the example he talked about.

POWELIKS hides its malicious code inside Windows Registry Key and it is use Windows PowerShell to run additional encoded code.

Phasebot is the second malware that Marcos has talked about is Phasebot can be defined as a new variant of Solarbot.

The Phasebot has additional features such as Virtual Machine detection and an external module loader which give the malware the ability to add and remove features.

Phasebot encrypt the communication with its Command and Control server using a random password each time it connects to the C&C server.

The malware was designed to check for .Net Framework 3.5 and Windows PowerShell which are installed by default in recent versions of Windows.

Then it will creates the following registry key where the encrypted shell code will be written:

• HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{Bot GUID}

It creates Rc4Encoded32 and Rc4Encoded64 registry values where it will save the encrypted 32-bit and 64-bit shell code. Lastly, it creates another registry value named JavaScript that will decrypt and execute the Rc4Encoded32/64 values.

“If the programs are not found in the system, Phasebot drops a copy of itself in the %User Startup% folder. It then hooks APIs to achieve a user-level rootkit that makes the file hidden from a typical end- user. It hooks theNtQueryDirectoryFile API to hide the file and hooks NtReadVirtualMemory to hide the malware process

http://blog.trendmicro.com/trendlabs-security-intelligence/without-a-trace-fileless-malware-spotted-in-the-wild/