With additional analysis from David Agni

Improvements in security file scanners are causing malware authors to deviate from the traditional malware installation routine. It’s no longer enough for malware to rely on dropping copies of itself to a location specified in the malware code and using persistence tactics like setting up an autostart entry to ensure that it continues to run. Security file scanners can easily detect and block these threats.

One tactic we have spotted is the use of fileless malware. Unlike most malware, fileless malware hides in locations that are difficult to scan or detect. It exists only in memory and is written directly to RAM instead of being installed on the target computer’s hard drive. POWELIKS is an example of fileless malware that is able to hide its malicious code in the Windows Registry; it uses a conventional malware file to add the registry entries containing its malicious code.

In August 2014, POWELIKS’s evasion techniques and its use of Windows PowerShell were observed and flagged as a potentially dangerous tool for future attacks.

The success of the fileless infection technique—evident in the spike of POWELIKS infections in late 2014—has convinced other malware writers to jump on the bandwagon. In this entry, we discuss another notable malware that has fileless infection as part of its routine.

Phasebot, Arising From Solarbot

Another example of fileless malware is “Phasebot,” which we found being peddled by its supposed creator on websites that sell malware and other malicious online tools. We detect Phasebot as TROJ_PHASE.A. Phasebot has both rootkit and fileless execution capabilities.

We noticed that this malware has the same features as Solarbot, an old bot that was first seen in the wild around late 2013. This became more evident when we compared the sites that sold the two malware families.



Figure 1. Comparison between the websites for Solarbot (top) and Phasebot (bottom)

Phasebot can be seen as the newer version of Solarbot. While it has the same features as Solarbot, it also comes with additional features like virtual machine (VM) detection and an external module loader. The latter feature gives the malware the capability to add and remove functionalities on the infected computer.

Compared to Solarbot, Phasebot places a distinct emphasis on stealth and evasion mechanisms. It encrypts its communications to its C&C server by using random passwords each time it connects to the server.

The malware was designed to check if the following programs are installed in the affected system:

.NET Framework Version 3.5

Windows PowerShell



Figure 2. Phasebot queries registry entries to find specific programs

Both of these programs are integrated into current versions of Windows. After verifying that the affected system has these programs, Phasebot creates the following registry key, where the encrypted shellcode will be written:

HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{Bot GUID}

It creates the Rc4Encoded32 and Rc4Encoded64 registry values, where it saves the encrypted 32-bit and 64-bit shellcode. Lastly, it creates another registry value named JavaScript that decrypts and executes the Rc4Encoded32/64 values.



Figure 3. Rc4Encoded32 and Rc4Encoded64 registry values
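As an added defender-side illustration (not code from the original post or from Trend Micro), the following Python script parses a .reg export and flags Active Setup component keys that carry the Rc4Encoded32, Rc4Encoded64 or JavaScript value names described above; the sample export, including its GUIDs and data, is constructed and the same value names outside Active Setup are left unflagged.

```python
import re
from typing import Dict, List, Set

# Value names the post says Phasebot writes; the key fragment is matched case-insensitively.
PHASEBOT_VALUE_NAMES = {"Rc4Encoded32", "Rc4Encoded64", "JavaScript"}
ACTIVE_SETUP = "\\active setup\\installed components\\"
_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]+)"|(?P<default>@))=')

def parse_reg_export(text: str) -> Dict[str, Set[str]]:
    """Map each key in a .reg export to the set of value names under it."""
    keys: Dict[str, Set[str]] = {}
    current, in_continuation = None, False  # hex: data may continue over lines with '\'
    for raw in text.splitlines():
        line = raw.rstrip()
        if in_continuation:  # continuation lines are data, not new values
            in_continuation = line.endswith("\\")
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, set())
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current].add(m.group("name") or "@")
            in_continuation = line.endswith("\\")
    return keys

def find_phasebot_keys(text: str) -> List[str]:
    """Active Setup component keys carrying any Phasebot value name;
    the same names elsewhere in the hive are deliberately not flagged."""
    return sorted(
        key for key, names in parse_reg_export(text).items()
        if ACTIVE_SETUP in key.lower() and names & PHASEBOT_VALUE_NAMES
    )

# Constructed sample export (placeholder GUIDs and data, not from a real
# sample): one benign component, one unrelated key, one Phasebot-style key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{12345678-1234-1234-1234-123456789abc}]
"StubPath"="C:\\Windows\\system32\\example.exe /setup"
[HKEY_CURRENT_USER\Software\ExampleApp]
"JavaScript"="enabled"
[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-0000deadbeef}]
"Rc4Encoded32"=hex:41,42,43,\
  44,45,46
"Rc4Encoded64"=hex:47,48,49
"JavaScript"="<placeholder decrypt-and-run loader string>"
"""
```

Running `find_phasebot_keys` over a real `reg export HKCU\Software\Microsoft\Active Setup\Installed Components` output works the same way, since only value names, not data, are inspected.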

If the programs are not found on the system, Phasebot drops a copy of itself in the %User Startup% folder. It then hooks APIs to achieve a user-level rootkit that hides the file from a typical end-user: it hooks the NtQueryDirectoryFile API to hide the file and NtReadVirtualMemory to hide the malware process.

On the bot administrator’s instruction, Phasebot can execute routines such as stealing information via form grabbers, performing distributed denial-of-service (DDoS) attacks, updating itself, downloading and executing files, and accessing URLs.

Phasebot and PowerShell

We think Phasebot is interesting because of its use of Windows PowerShell, a legitimate, built-in Windows system administration tool, to evade detection from security software. It uses PowerShell to run its components that are hidden in the Windows registry.

Using Windows PowerShell can also be seen as strategic because this tool is included in the initial installation packages of Windows OS versions 7 and higher. And since more users have computers that run on Windows 7 and higher, cybercriminals have a bigger net of potential victims. (And not coincidentally, the targeted .NET framework version 3.5 is also found in Windows 7 and higher.)

The Future with Fileless Malware

We expect that more malware writers will soon be adopting and adapting the fileless concept. It’s highly possible that they will not limit themselves to simply using the Windows registry to hide their malware. They will also use other, sophisticated techniques to run malicious routines without having to drop a file into the affected system.

The emergence of fileless malware can be a serious threat to users who are not familiar with this type of infection. Users are often advised to look for suspicious files or folders, but not in places like the Windows registry, which is used for fileless infection.

The move to fileless malware also poses a challenge for security vendors, especially those that rely heavily on file-based detection. Security vendors will have to step up their game and go beyond the usual, traditional file-based detection and venture into other methods such as behavior monitoring.

Because fileless malware is hard to detect, it is also difficult to remove. Much like with rootkits, the location of the malware makes detection and deletion more difficult than for a typical malware infection.

Trend Micro solutions

Fileless malware is designed to make detection by security solutions more difficult. To combat this, Trend Micro endpoint solutions such as Trend Micro™ Security, OfficeScan, and Worry-Free Business Security include behavior monitoring to detect this type of malware; this watches out for malicious behavior and blocks the malware before the behavior is executed or performed. This protects users even before a new pattern is available.

Users need to keep themselves updated on the new technologies being used by malware writers to evade detection and victimize users. Conventional wisdom is no longer sufficient if users want to truly protect themselves from the latest threats.

Of course, any information about the threat landscape should be complemented with safety practices. For example, users should always be cautious when dealing with emails, files, or URL links. It pays to double-check or confirm the safety of these items before opening or clicking them. Users can also opt to use the Trend Micro Site Safety Center to check if websites are safe before they visit them.

Hashes of the related files:


Updated April 22, 2015, 2:06 PM PST

We have reworded some phrases to clarify the connection of the website used.