I had a look on it with MalwareTech who wrote several stories, it was shown that Phase is in reality a 'new' version of Solar bot, at least not so new, the code is so copy/pasted that even Antivirus such as Avast do false positives and now detect Napolar (Solar) as PhaseBot.
Advert:
Phase support website:
So weak that this is even vulnerable to xss.
Master balance ? less than < 1k
Phase seem not so popular, and got also rapidly lynched by other actors on forums.
Anyway let's have a look on the web panel.
Login:
Dashboard:
Commands:
Botlist:
Credentials:
Socks5:
Browsers:
Modules:
Analyzer detector:
RDP:
Settings:
FAQ:
Structure:
In the wild panel, having Ram scrapper plugin + VNC:
Ram scrapper plugin:
Another botnet with hacked point of sale remote controlled:
Wallet stealer:
Phase samples:
ae7a56b3adf6f7684ba14a77c017904d
12dccdec47928e5298055996415a94f2
d1446326bf1c69ea9df6e65bd472f358
1f3e808a3ccd981f3e61de227dae93b8
6ce0bb4cd86295f915160d7207a07a47
5767b9bf9cb6f2b5259f29dd8b873e36
a10f84153dba7b73980f0ff50d8cc8e6
f8ffcab3324561598ce5c375c07066be
e4574fbc1014d27e1b6906bfc5351e0e
d2ed20b1996e7e5bad2b91fd255732ef
f89b4e626c7a81544ca7395be3262cf6
ef69575e14fa965380242db26675d2df
fc586c3ec37e51668e905d0acfc913f6
eb9b56d829c3951b6e9cb5e4a651f7c8
6f53d3cd1acb7541bcc7399c4af001b1
19fa3927577571c51428f6eee2b5f52f
4ec84f1aa91e4cdc12118002244ca582
20e3a9ec396ad8b57a36ea3c6b9f151a
fe5dfa53204a65eca741ceab352c3b00
ace0a059dc2264c847d4e6c91f829dfd
f01c1ea73e968c2309391dcf3f0a2848
Unencrypted Ram scrapper plugin: 1e18ee52d6f0322d065b07ec7bfcbbe8
Unencrypted VNC plugin: 94eefdce643a084f95dd4c91289c3cf0
Panel: c43933e7c8b9d4c95703f798b515b384 (With a small trendMicro signature fail "PHP_SORAYA.A" no this is not the Soraya panel.
Needless to say the panel was also vulnerable.
Pretty sure that my first comment didn't go through since i left browser open and idled on this page ( i can seriously crack out on these posts for days they're fucking hilarious ). My favorite part had to be one of the links above though that led me to malware tech:
ReplyDelete"Both Xylitol and I individually exploited this vulnerability, so I've posted both of our exploits.
SQL Injection (MalwareTech)
SQL Injection (Xylitol)
Test Panel (Vulnerabilities Intact)
Phase Samples"
As a former blackhat myself (well not so much blackhat as just curious as i never profited off my experimenting); I find it fucking awesome how skillful you are at reversing and even obtaining access to the bad guys' sloppy code for investigation. On that note I must add it makes me scared to think of what would happen if someone as good as you ever went back to the scene and started doing hardcore blackhat development. You don't see many stories about those guys because they usually don't get caught...