As I said in the last part of the analysis the sample I had was just a test binary, but now I have some real ones thanks to some help from @Xylit0l
. The new binaries incorporate some much more interesting features which I’ll go over in this article.
Although Phase is not a banking Trojan as it only supports standard form grabbing, it does have some banking Trojan features such as Reverse RDP and Reverse SOCKS. The idea behind this is that the RDP or SOCKS daemon on the infected machine connects to the client (the bot master or command and control server), as opposed to the other way round, allowing infected machines behind NAT/Firewalls to still be used as servers.
Interestingly, the RDP interface is built into the C&C panel and only allows basic mouse / keyboard input; As you’d expect this is very slow and incredibly demanding on the HTTP server.
|Embedded Reverse RDP
The module loader allows the bot functionality to be extended via paid or 3rd party modules. These modules are uploaded to the panel ready to be installed by the bot, which supports storing modules on disk or in a registry key (registry stored modules are manually loaded into memory and executed by the bot, thus bypassing anti-virus scanners).
|Options specifying how the bot should handle the module.
The modules themselves are 32-bit or 64-bit DLLs (depending on the system architecture), they’re downloaded from the panel and stored in an RC4 encrypted format either on the disk or in the registry. Even with RC4 encryption, they are very easy to identify and dump due to a static encryption key and format.
In the wild we’ve only found 3 modules (all of which are made by the same developer as Phase).
- vnc32 – reverse VNC daemon (32-bit).
- vnc64 – reverse VNC daemon (64-bit).
- scan32 – Point of Sales Track1/Track2 stealer (32-bit).
As of writing this both the encrypted and decrypted versions of each module have absolutely no detections on virustotal: