New fileless malware found in the wild

April 21, 2015 – 5:24 AM

Since the discovery of the Poweliks fileless Trojan in August 2014, researchers have been expecting other similar malware to pop up.

The wait is over: Phasebot malware, which also has fileless infection as part of its routine, is being sold online.

“Unlike most malware, fileless malware hides itself in locations that are difficult to scan or detect. Fileless malware exists only in memory and is written directly to RAM instead of being installed in the target computer’s hard drive,” Trend Micro Threat Response Engineer Michael Marcos explains.

Phasebot seems to be a direct successor of Solarbot.

Its detection evasion tactics include rootkit capabilities, encryption of communications with its C&C server using random passwords, and virtual machine detection.

“Phasebot can execute routines, per the instruction of the bot administrator, such as steal information via formgrabbers, perform distributed denial-of-service (DDoS) attacks, update itself, download and execute files, and access URLs,” Marcos shared.

The malware also sports an external module loader, which allows it to add and remove functionalities on the infected computer.
