Phase Bot – A Fileless Rootkit (Part 2)

As I said in the last part of the analysis the sample I had was just a test binary, but now I have some real ones thanks to some help from @Xylit0l. The new binaries incorporate some much more interesting features which I’ll go over in this article.

Reverse Connection

Although Phase is not a banking Trojan (it only supports standard form grabbing), it does have some banking Trojan features such as Reverse RDP and Reverse SOCKS. The idea behind these is that the RDP or SOCKS daemon on the infected machine connects out to the client (the bot master or command and control server), rather than the other way round, so that infected machines behind NAT or firewalls can still be used as servers.
Interestingly, the RDP interface is built into the C&C panel and only allows basic mouse and keyboard input; as you'd expect, this is very slow and incredibly demanding on the HTTP server.
Embedded Reverse RDP

Module Loader

The module loader allows the bot functionality to be extended via paid or 3rd party modules. These modules are uploaded to the panel ready to be installed by the bot, which supports storing modules on disk or in a registry key (registry stored modules are manually loaded into memory and executed by the bot, thus bypassing anti-virus scanners).
Options specifying how the bot should handle the module.

Modules

The modules themselves are 32-bit or 64-bit DLLs (depending on the system architecture). They're downloaded from the panel and stored in an RC4-encrypted format, either on disk or in the registry. Even with RC4 encryption, they are very easy to identify and dump because the encryption key and the storage format are both static.
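To show why a static key makes these modules easy to identify and dump, here is an added example (my own illustration, not code from the post or from Phase): it RC4-decrypts a registry-stored blob and only reports a hit when the result has a valid PE header. The key, the plain-RC4 storage format, and the sample module bytes are all constructed assumptions; the real key is not given on this page.

```python
# Added example: identify-and-dump check for an RC4-stored module.
# PLACEHOLDER_KEY is an assumption; Phase's actual static key is not on this page.
PLACEHOLDER_KEY = b"placeholder-static-key"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Minimal PE sanity check: 'MZ' at offset 0 and e_lfanew pointing at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def dump_module(registry_value: bytes, key: bytes = PLACEHOLDER_KEY):
    """Decrypt a stored blob with the static key; return the DLL bytes if the
    plaintext is a PE image, else None so unrelated registry data is not flagged."""
    plain = rc4(key, registry_value)
    return plain if looks_like_pe(plain) else None


def fake_module() -> bytes:
    """Constructed stand-in for a module: DOS header + PE signature + padding."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr) + b"\x00" * 64


if __name__ == "__main__":
    stored = rc4(PLACEHOLDER_KEY, fake_module())  # as the bot would store it
    print("module dumped" if dump_module(stored) else "not a stored module")
```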
In the wild we’ve only found 3 modules (all of which are made by the same developer as Phase).
  • vnc32 – reverse VNC daemon (32-bit).
  • vnc64 – reverse VNC daemon (64-bit).
  • scan32 – Point of Sales Track1/Track2 stealer (32-bit).
As of writing this, both the encrypted and decrypted versions of each module have absolutely no detections on VirusTotal.