Phase Bot – A Fileless Rootkit (Part 1)

Phase Bot is a fileless rootkit that went on sale in late October. The bot is fairly cheap ($200) and boasts features such as formgrabbing, FTP credential stealing and, of course, the ability to run without a file on disk. The bot has both a 32-bit binary (Win32/Phase) and a 64-bit binary (Win64/Phase), despite the fact that both binaries operate in exactly the same way.

The first thing you notice when opening it up in IDA is that the AddressOfEntryPoint is 0. This may seem like an error, but it actually isn’t: an entry point of 0 means execution starts at the beginning of the DOS header. This is possible because most of the fields following the MZ signature aren’t required, and the bytes M (0x4D) and Z (0x5A) are themselves valid instructions (dec ebp and pop edx respectively). I’m not sure of the actual purpose of this trick, but it’s interesting nonetheless.

Cancels out the MZ instructions then jumps to real entry point.

The real entry point is contained within the first 560 bytes of the only section in the executable. This code reads data stored in the non-essential NT header fields and uses it to RC4-decrypt the rest of the section, which contains the 2nd stage (shellcode).

Most initialization happens in what appears to be the world’s longest function; the executable doesn’t have an import table, so functions are resolved by hash. All the initialized data, such as offsets, strings and function addresses, is stored within a large structure which is passed to every function.

but does anyone truly know what loops are?

Once initialization is done, the bot checks that PowerShell and version 2 of the .NET Framework are installed: if they are, normal (fileless) installation continues; if not, it writes the bot code to a file in the startup folder.

The malware first creates the registry key “HKCU\Software\Microsoft\Active Setup\Installed Components\{<GUID_STRING>}”, then RC4-encrypts the 2nd stage’s shellcode with the key “Phase” and writes it under the subkey “Rc4Encoded32”. Afterward the 64-bit shellcode is extracted and written to the “Rc4Encoded64” subkey, also encrypted with “Phase” as the key. A 3rd subkey named “JavaScript” is created, which contains some JavaScript code.

The full JavaScript is a bit long to post here, so I’ve uploaded it to pastebin. It simply base64-decodes a PowerShell script designed to read and decrypt the shellcode from the Rc4Encoded subkey, then runs it; you can find the decoded PowerShell script here (the comments were left in by the author).
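The RC4 step described above is simple to reproduce offline, which is what you want when pulling the stored stages out of an exported hive during analysis. The following Python is an added example, not Phase’s code or the author’s: it implements RC4, parses `hex:` values out of a .reg-style export and decrypts any Rc4Encoded* value with the key “Phase” named above. The export text is constructed here (with a placeholder GUID and fake shellcode) rather than taken from an infection, and the same rc4_crypt routine applies equally to the stage-1 section decryption described earlier once the key has been recovered from the header fields.

```python
import re
from typing import Dict

PHASE_KEY = b"Phase"                                          # key named on the page
PLACEHOLDER_GUID = "00000000-0000-0000-0000-000000000000"      # constructed stand-in, not the real GUID


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation, XOR with keystream
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


_HEX_VALUE_RE = re.compile(r'"([^"]+)"=hex:(.*)$')


def parse_reg_hex_values(reg_text: str) -> Dict[str, bytes]:
    """Collect every "Name"=hex:aa,bb,... value from a .reg export.

    regedit wraps long values onto continuation lines ending in a backslash;
    those are joined before the hex is decoded. String and DWORD values are skipped.
    """
    values: Dict[str, bytes] = {}
    name, buf = None, ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        if name is None:
            m = _HEX_VALUE_RE.match(line)
            if not m:
                continue
            name, buf = m.group(1), m.group(2)
        else:
            buf += line
        if buf.endswith("\\"):                 # more hex follows on the next line
            buf = buf[:-1]
            continue
        values[name] = bytes(int(h, 16) for h in buf.split(",") if h)
        name, buf = None, ""
    return values


def decrypt_export(reg_text: str, key: bytes = PHASE_KEY) -> Dict[str, bytes]:
    """Decrypt the Rc4Encoded32 / Rc4Encoded64 blobs found in an export."""
    return {n: rc4_crypt(key, blob)
            for n, blob in parse_reg_hex_values(reg_text).items()
            if n.startswith("Rc4Encoded")}


def build_constructed_export(stage2: bytes, key: bytes = PHASE_KEY) -> str:
    """Produce a .reg-style export resembling the Installed Components key (constructed input)."""
    enc = [f"{b:02x}" for b in rc4_crypt(key, stage2)]
    groups = [",".join(enc[i:i + 20]) for i in range(0, len(enc), 20)]
    value_text = ",\\\n  ".join(groups)        # regedit-style continuation lines
    return (
        "Windows Registry Editor Version 5.00\n\n"
        "[HKEY_CURRENT_USER\\Software\\Microsoft\\Active Setup\\Installed Components\\{"
        + PLACEHOLDER_GUID + "}]\n"
        f'"Rc4Encoded32"=hex:{value_text}\n'
        '"JavaScript"="<constructed placeholder, not the real loader>"\n'
    )


if __name__ == "__main__":
    sample = b"\x55\x8b\xec" + b"constructed-second-stage" * 3   # fake shellcode, not Phase's
    export = build_constructed_export(sample)
    for name, plain in decrypt_export(export).items():
        print(name, plain[:16].hex(), "...")
```

On a real case you would feed `decrypt_export` the text of a `reg export` of the Installed Components key; the two Wikipedia RC4 test vectors are a quick way to confirm the cipher routine before trusting its output.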

For the bot to start with the system, a subkey named “Windows Host Process (RunDll)” is created under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run”, with the following value:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval((new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\Software\Microsoft\Active%20Setup\Installed%20Components\{72507C54-3577-4830-815B-310007F6135A}\JavaScript"));close();

This is a trick used by Win32/Poweliks to get rundll32 to run the code from the JavaScript subkey, which then base64-decodes the PowerShell script and runs it with PowerShell.exe; you can read more about this trick here.
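Because the persistence entry is a plain string in the Run key, it is easy to flag in a registry export or an autoruns dump. The Python below is an added example (not Phase’s or the author’s code) that classifies Run values: it URL-decodes the `%20`s, looks for the rundll32/javascript:/mshtml/RegRead combination shown above, and pulls out the registry path the loader reads its next stage from so an analyst can pivot straight to it. The Run values are constructed; the suspicious one reproduces the command quoted on the page, the other is a benign-looking stand-in.

```python
import re
from typing import Dict
from urllib.parse import unquote

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run values.
RUN_VALUES = {
    "OneDrive": r'"C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Windows Host Process (RunDll)": (
        r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";'
        r'eval((new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\Software\Microsoft\Active%20Setup'
        r'\Installed%20Components\{72507C54-3577-4830-815B-310007F6135A}\JavaScript"));close();'
    ),
}

_REGREAD_RE = re.compile(r'RegRead\("([^"]+)"\)')


def classify_run_value(value: str) -> Dict[str, object]:
    """Score one Run value for the Poweliks-style rundll32 javascript: loader pattern."""
    decoded = unquote(value)          # rundll32 receives the %20s verbatim; decode for matching
    lowered = decoded.lower()
    indicators = []
    if "rundll32" in lowered and "javascript:" in lowered:
        indicators.append("rundll32-javascript-protocol")
    if "mshtml" in lowered and "runhtmlapplication" in lowered:
        indicators.append("mshtml-RunHTMLApplication")
    if "eval(" in lowered:
        indicators.append("eval")
    if "activexobject" in lowered and "wscript.shell" in lowered:
        indicators.append("WScript.Shell")
    m = _REGREAD_RE.search(decoded)
    referenced_key = m.group(1) if m else None
    if referenced_key:
        indicators.append("RegRead-payload-from-registry")   # next stage lives in the registry
    return {
        "suspicious": len(indicators) >= 2,   # any two of these together is not a normal Run entry
        "indicators": indicators,
        "referenced_key": referenced_key,
    }


def scan_run_values(values: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Return only the Run entries that trip the classifier, keyed by value name."""
    results = {name: classify_run_value(v) for name, v in values.items()}
    return {name: r for name, r in results.items() if r["suspicious"]}


if __name__ == "__main__":
    for name, result in scan_run_values(RUN_VALUES).items():
        print(f"[!] {name}: {', '.join(result['indicators'])}")
        print(f"    payload read from: {result['referenced_key']}")
```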

The final stage, which runs from within PowerShell, hooks the following functions by overwriting their first instruction with 0xF4 (HLT).

  • ntdll!NtResumeThread (Inject new processes)
  • ntdll!NtReadVirtualMemory (Hide malware’s memory)
  • ntdll!NtQueryDirectoryFile (Hide file, only if failed fileless installation)
  • ws2_32!send (Data stealer)
  • wininet!HttpSendRequest (Internet Explorer formgrabber)
  • nss3!PR_Write (Firefox formgrabber)

The HLT instruction is a privileged instruction which cannot be executed from ring 3; as a result it generates a 0xC0000096 (STATUS_PRIVILEGED_INSTRUCTION) exception, which the bot picks up and handles using a vectored exception handler. This is the same as standard software breakpoint hooking, but using an instruction that is invalid in user mode instead of int 3.
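A one-byte HLT patch is invisible to hook scanners that only look for E9 trampolines, so the check worth having is a plain comparison of each export’s in-memory prologue with the copy on disk, followed by a classification of whatever differs. The Python below is an added example, not Phase’s or the author’s code: given (disk, memory) prologue pairs for the six exports listed above, it reports which are patched and how (HLT, int3, jmp rel32, indirect jmp, push/ret), and resolves the landing address of an E9 trampoline. The byte snapshots are constructed generic prologues, deliberately mixing patch styles so the classifier is exercised, not bytes taken from real DLLs; on a live system the pairs would come from reading the mapped module and the file on disk.

```python
import struct
from typing import Dict, Tuple

# The six exports the page says Phase hooks; used here only as the list to scan.
PHASE_HOOK_TARGETS = [
    "ntdll!NtResumeThread", "ntdll!NtReadVirtualMemory", "ntdll!NtQueryDirectoryFile",
    "ws2_32!send", "wininet!HttpSendRequest", "nss3!PR_Write",
]


def classify_prologue(mem: bytes, disk: bytes) -> str:
    """Compare an export's in-memory first bytes with the on-disk copy and name the patch style."""
    n = min(len(mem), len(disk))
    if n and mem[:n] == disk[:n]:
        return "clean"
    op = mem[0]
    if op == 0xF4:
        return "hlt-exception-hook"      # HLT in ring 3 -> STATUS_PRIVILEGED_INSTRUCTION -> VEH (Phase's style)
    if op == 0xCC:
        return "int3-breakpoint-hook"    # classic software-breakpoint hook
    if op == 0xE9:
        return "jmp-rel32-hook"          # ordinary inline trampoline
    if mem[:2] == b"\xff\x25":
        return "jmp-indirect-hook"       # jmp [rip+disp32] / jmp [abs32]
    if op == 0x68 and len(mem) >= 6 and mem[5] == 0xC3:
        return "push-ret-hook"
    return "modified-unknown"


def jmp_rel32_target(func_addr: int, mem: bytes) -> int:
    """Resolve where an E9 trampoline lands, so the owning module can be identified."""
    rel = struct.unpack_from("<i", mem, 1)[0]          # signed displacement after the opcode
    return (func_addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF


def scan_hooks(snapshots: Dict[str, Tuple[bytes, bytes]],
               targets=PHASE_HOOK_TARGETS) -> Dict[str, str]:
    """Return {export: verdict} for every target whose prologue differs from disk."""
    findings: Dict[str, str] = {}
    for name in targets:
        disk, mem = snapshots[name]
        verdict = classify_prologue(mem, disk)
        if verdict != "clean":
            findings[name] = verdict
    return findings


# CONSTRUCTED (disk, memory) prologue pairs; generic bytes, not copied from real DLLs.
CLEAN = b"\x48\x89\x5c\x24\x08\x48\x89\x74"   # mov [rsp+8],rbx ; start of mov [rsp+0x10],rsi
SNAPSHOTS = {
    "ntdll!NtResumeThread":       (CLEAN, b"\xf4" + CLEAN[1:]),
    "ntdll!NtReadVirtualMemory":  (CLEAN, b"\xf4" + CLEAN[1:]),
    "ntdll!NtQueryDirectoryFile": (CLEAN, CLEAN),                          # untouched: fileless install succeeded
    "ws2_32!send":                (CLEAN, b"\xe9\x10\x00\x00\x00" + CLEAN[5:]),
    "wininet!HttpSendRequest":    (CLEAN, b"\xcc" + CLEAN[1:]),
    "nss3!PR_Write":              (CLEAN, b"\xf4" + CLEAN[1:]),
}

if __name__ == "__main__":
    for export, verdict in scan_hooks(SNAPSHOTS).items():
        print(f"[!] {export}: {verdict}")
```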

As you can imagine, the executable shows all sorts of malicious signs.

NULL AddressOfEntryPoint, missing all data directories, invalid section name.
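All three signs in that caption, plus the AddressOfEntryPoint-of-0 trick from the start of the post, can be picked up from the raw PE headers without a full parser. The Python below is an added example, not the author’s tooling: `triage_pe` reads just the DOS header, file header, optional header (PE32 or PE32+) and section table with `struct`, and `build_constructed_pe` fabricates a minimal, non-runnable header set so the check can be exercised offline. The sample PE is constructed and is not the Phase binary.

```python
import struct
from typing import Dict, List

IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B


def triage_pe(data: bytes) -> Dict[str, object]:
    """Parse just enough of the PE headers to report the signs named in the caption."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]          # AddressOfEntryPoint (same offset in PE32/PE32+)
    ndirs_off = 92 if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC else 108   # NumberOfRvaAndSizes
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    dirs = [struct.unpack_from("<II", data, opt + ndirs_off + 4 + 8 * i) for i in range(ndirs)]
    sect_off = opt + opt_size
    names = [bytes(data[sect_off + 40 * i: sect_off + 40 * i + 8]) for i in range(nsect)]

    findings: List[str] = []
    if entry == 0:
        findings.append("entry-point-zero")        # execution begins on the 'MZ' bytes themselves
    if dirs and all(va == 0 and size == 0 for va, size in dirs):
        findings.append("no-data-directories")     # no import, export, reloc or debug tables at all
    for raw_name in names:
        name = raw_name.rstrip(b"\0")
        if not name or not all(0x20 < c < 0x7F for c in name):
            findings.append("unprintable-section-name")
    return {"machine": machine, "entry": entry, "sections": names, "findings": findings}


def build_constructed_pe(entry_point: int = 0, section_name: bytes = b"\x00\x01\x02\x03abcd",
                         empty_dirs: bool = True) -> bytes:
    """Build a minimal, non-runnable PE32 header set with the chosen traits (constructed test input)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew: NT headers follow immediately
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # i386, one section, executable
    opt = bytearray(224)                                           # PE32 optional header incl. 16 data dirs
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_point)
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    if not empty_dirs:
        struct.pack_into("<II", opt, 96 + 8 * 1, 0x2000, 0x100)   # populated import directory (index 1)
    section = struct.pack("<8sIIIIIIHHI", section_name, 0x1000, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0xE0000020)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + section


if __name__ == "__main__":
    report = triage_pe(build_constructed_pe())
    print(f"entry=0x{report['entry']:x} sections={report['sections']}")
    for finding in report["findings"]:
        print(f"[!] {finding}")
```

Note that the checks are deliberately narrow: each of the three traits has benign explanations on its own (packers and some linkers also strip directories or use odd section names), but a file that has all three at once, as the caption describes, is worth a closer look.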

It should be noted that some of the features advertised appear to be missing and the comments in the PowerShell code suggest that this sample is an early/testing version. I’ll update if I can get hold of a newer version. 
