More than just a keylogger: a powerful info-stealer is actively marketed as malware-as-a-service (MaaS)
Phoenix, a piece of malware released in July 2019 with unusually broad information-stealing capabilities and sophisticated self-defence mechanisms, is now being actively advertised in cybercriminal communities.
Since the summer, Phoenix has evolved from a plain keystroke logger into multi-functional information-stealing software. It carries an anti-AV module designed to disable more than 80 security products, and the stolen data can be exfiltrated through Telegram.
Security researchers at Cybereason report that distribution campaigns recur every few weeks and that, over the summer, the malware has already been linked to more than 10,000 infections.
According to Cybereason, Phoenix was created by a skilled malware author. The keylogger is written in VB.NET.
The malware first emerged at the end of July 2019 on HackForums, where it was introduced by a member using the handle Illusion, who joined the forum that same month and began marketing Phoenix immediately.
Phoenix is much more than a keystroke logger. Besides keylogging and clipboard capture, it can take screenshots, steal passwords from browsers, FTP clients, mail clients and chat clients, and exfiltrate the data via FTP, SMTP or Telegram. It can also fetch additional malware through a built-in downloader. Its features for protecting itself from anti-virus and other security software are equally notable and are what most concern security researchers.
Phoenix's feature set makes clear that it was built specifically to steal credentials and other sensitive information. It harvests data stored locally on the victim machine by searching for specific files and registry keys known to hold sensitive information, looking in browsers, FTP clients, mail clients and chat clients.
As for delivery, Phoenix is supplied by default as a stub; the buyer is expected to get the stub onto the target machine themselves. Researchers note that most Phoenix infections originated from phishing e-mails carrying a weaponised Microsoft Office document or RTF file. These lures used known exploits, most commonly the Equation Editor vulnerability (CVE-2017-11882). Microsoft patched that flaw in November 2017, so a fully patched Office installation is not exposed to the default lure, though nothing stops a buyer from delivering the stub by some other route.
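As an added illustration (this is example code written for this page, not part of Cybereason's report or of Phoenix itself), the following Python sketch shows how a defender could flag the two observable stages described above in endpoint telemetry. The first check is the standard sign of CVE-2017-11882 exploitation: EQNEDT32.EXE, the Equation Editor binary, has no legitimate reason to start another process, so any child of it is suspect. The second check flags outbound Telegram Bot API, FTP or SMTP connections from a process that is not a known client, covering the three exfiltration channels the article names. The event records, file paths and process allow-lists are constructed for the example and are assumptions, not indicators from the report.

```python
"""Added example: flag the Phoenix delivery and exfiltration stages in
normalised endpoint telemetry. All event records below are constructed,
not real data, and the client allow-lists are assumptions for the demo."""
import ntpath
from typing import Dict, Iterable, List

Event = Dict[str, object]
Alert = Dict[str, object]

# EQNEDT32.EXE is the Equation Editor binary affected by CVE-2017-11882.
# It renders an OLE equation and exits; it never needs to spawn another
# process, so a child process under it is treated as exploitation.
EQUATION_EDITOR = "eqnedt32.exe"

# Telegram Bot API host, which bots use to send messages and files.
TELEGRAM_API = "api.telegram.org"

# Ports for the FTP/SMTP exfiltration channels mentioned in the article.
EXFIL_PORTS = {21: "ftp", 25: "smtp", 465: "smtps", 587: "smtp-submission"}

# Assumed allow-lists: processes expected to talk to these services.
EXPECTED_TELEGRAM_CLIENTS = {"telegram.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
EXPECTED_FTP_SMTP_CLIENTS = {"outlook.exe", "thunderbird.exe", "filezilla.exe", "winscp.exe"}


def _image_name(path: object) -> str:
    # ntpath splits on backslashes even when this runs on Linux.
    return ntpath.basename(str(path)).lower()


def detect_equation_editor_spawn(events: Iterable[Event]) -> List[Alert]:
    """Alert on every process whose parent image is EQNEDT32.EXE."""
    return [
        {"rule": "equation_editor_child_process", "pid": e["pid"], "image": e["image"]}
        for e in events
        if e.get("type") == "process_create"
        and _image_name(e["parent_image"]) == EQUATION_EDITOR
    ]


def detect_exfil_channels(events: Iterable[Event]) -> List[Alert]:
    """Alert on Telegram Bot API, FTP or SMTP traffic from unexpected processes."""
    alerts: List[Alert] = []
    for e in events:
        if e.get("type") != "network_connect":
            continue
        proc = _image_name(e["image"])
        port = int(e["dest_port"])
        if e["dest_host"] == TELEGRAM_API and proc not in EXPECTED_TELEGRAM_CLIENTS:
            alerts.append({"rule": "telegram_api_from_unexpected_process",
                           "pid": e["pid"], "image": e["image"]})
        elif port in EXFIL_PORTS and proc not in EXPECTED_FTP_SMTP_CLIENTS:
            alerts.append({"rule": f"{EXFIL_PORTS[port]}_from_unexpected_process",
                           "pid": e["pid"], "image": e["image"]})
    return alerts


def triage(events: Iterable[Event]) -> List[Alert]:
    """Run both detections. An exfil alert from a process that Equation
    Editor spawned is the complete chain and is escalated to 'high';
    either stage on its own is 'medium'."""
    events = list(events)
    spawn_alerts = detect_equation_editor_spawn(events)
    suspicious_pids = {a["pid"] for a in spawn_alerts}
    result = [dict(a, severity="medium") for a in spawn_alerts]
    for a in detect_exfil_channels(events):
        result.append(dict(a, severity="high" if a["pid"] in suspicious_pids else "medium"))
    return result


# Constructed sample telemetry (not real data). The dropper name and
# paths are invented for the example.
EQNEDT_PATH = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROPPER_PATH = r"C:\Users\alice\AppData\Roaming\update.exe"

SAMPLE_EVENTS: List[Event] = [
    {"type": "process_create", "pid": 4120,
     "image": r"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    # Equation Editor is launched via COM, so its parent is svchost, not Word.
    {"type": "process_create", "pid": 4388, "image": EQNEDT_PATH,
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process_create", "pid": 4402, "image": DROPPER_PATH, "parent_image": EQNEDT_PATH},
    {"type": "network_connect", "pid": 4402, "image": DROPPER_PATH,
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "network_connect", "pid": 4402, "image": DROPPER_PATH,
     "dest_host": "ftp.example.net", "dest_port": 21},
    {"type": "network_connect", "pid": 2200,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "network_connect", "pid": 3001,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dest_host": "smtp.example.com", "dest_port": 587},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events this yields three alerts: one for the dropper spawned under Equation Editor, and two high-severity exfiltration alerts (Telegram API and FTP) tied to that same process, while Chrome talking to Telegram and Outlook submitting mail are left alone. In a real deployment the allow-lists would come from your own baseline, and the Equation Editor rule can be tightened further by alerting on any EQNEDT32.EXE execution at all on hosts where the component has been removed.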
Given the cadence of the campaigns and the MaaS model, the researchers warn that Phoenix is likely to become considerably more widespread.