Phasebot Fileless Malware Employs Microsoft PowerShell Tool

Phasebot Fileless Malware Employs Microsoft PowerShell Tool

Fileless malware is described as malicious coding that can only be found in the memory of a computer rather than its hard drive. Several threats that fit the descriptions have been observed during the past couple of years. One example is Poweliks – the fileless Trojan horse that emerged last August. Similar threats have been expected to appear in the wild since then.

Phasebot Malware Currently For Sale

Researchers have just discovered another piece of fileless malware dubbed Phasebot that is currently offered for sale on the black market. Phasebot is very similar to Solarbot and is likely to be its successor. Phasebot’s capabilities include:

  • Rootkit access
  • Encrypted communication with the Command & Control server
  • Denial-of-service attacks
  • Information theft
  • URL access

The fileless threat can execute various malicious actions and is also known to employ an external module loader. The latter grants the attacker with the chance to add and remove functionalities on the affected machine.

What Makes Phasebot Interesting

Basically, researchers find the threat curious because it uses Windows PowerShell to escape detection by security software. Windows PowerShell is a legitimate task automation and configuration management tool that is employed by Phasebot to run its components.

Researchers believe that the employment of a legit Microsoft instrument is a strategic move. PowerShell is included in the installation packages of Windows 7 and higher. Attackers most probably have considered the fact that most users have the latter versions of the operational system.

Furthermore, most AV tools experience trouble detecting fileless malicious software. Once installed, Phasebot and its look-alikes are quite difficult to be removed. Researchers expect more versions of the fileless threat to appear in the wild in the near future.