A small write-up about 'Phase', a piece of malware that appeared and vanished very rapidly.
I had a look at it with MalwareTech, who wrote several stories. It was shown that Phase is in reality a 'new' version of Solar bot, or at least not so new: the code is so copy/pasted that even antivirus products such as Avast produce false positives and now detect Napolar (Solar) as PhaseBot.
Phase support website:
The coder is using a public snippet for chatting with customers:
Master balance? Less than 1k.
Anyway, let's have a look at the web panel.
In-the-wild panel, with the RAM scraper plugin + VNC:
RAM scraper plugin:
Remote-controlled point of sale:
Another botnet with a hacked, remote-controlled point of sale:
Unencrypted RAM scraper plugin: 1e18ee52d6f0322d065b07ec7bfcbbe8
Unencrypted VNC plugin: 94eefdce643a084f95dd4c91289c3cf0
Panel: c43933e7c8b9d4c95703f798b515b384 (with a small Trend Micro signature fail: "PHP_SORAYA.A". No, this is not the Soraya panel.)
Needless to say the panel was also vulnerable.