Security researchers have identified an emerging keylogger known as Phoenix which not only steals personal data from 20 different browsers, but also uses evasive mechanisms against 80 security products, targets organisations across the world, and exploits old Microsoft OS flaws.
A new blog from security firm Cybereason has detailed how Phoenix is quickly transforming itself from being a mere keylogger to a powerful tool that can steal personal data from twenty different browsers, can defend itself from 80 security products, can take screenshots, and can exfiltrate data over Telegram.
Even though security researchers have found Phoenix to be a descendant of the orphaned Alpha keylogger, the new malware is relatively new, having arrived on Dark Web forums in July this year and being marketed by a relatively unknown hacker named Illusion. Nevertheless, the malware has attracted positive reviews on major hacker forums and based on its rising popularity, could be a major malware that organisations will have to contend with in the future.
According to Cybereason, Phoenix is being sold on Dark Web forums as a Malware-as-a-service (MaaS) and hackers can either get it on a one-month subscription that costs $14.99, on a three-month subscription that costs $34.99 or on a lifetime subscription that costs $78.99.
Phoenix leverages old Windows flaws & scans for VM tools to stay alive
“The Phoenix keylogger is advanced and production quality. It can not only log keystrokes, but also capture screenshots. This could be used to defeat multi-factor authentication schemes,” says Eoin Keary, CEO and cofounder of edgescan.
“It leverages a CVE CVE-2017-11882, which is a Microsoft office vulnerability relating to Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016, and allows an attacker to run arbitrary code. The risks posed by this vulnerability make a good argument for patching and maintaining current versions of internal systems and software,” he adds.
A detailed research into Phoenix’ capabilities revealed that the malware is capable of many tasks such as keylogging, clipboard stealing, screen capturing, data exfiltration via SMTP, FTP or Telegram, and stealing paswords from almost 20 different browsers, four different mail clients, FTP clients, and chat clients.
In addition to these, Phoenix can also serve as a downloader to allow its masters to download additional malware into targeted systems, and also features anti-debugging, anti-analysis, anti-detection, and anti-VM features for added protection.
Once Phoenix enters a machine or a network, it gathers information such as the operating system, hardware, running processes, users, and its external IP and can disable Windows tools within the admin panel such as CMD, the registry, task manager, system restore, and others. The malware also checks if it has been deployed in a hostile environment like a virtual machine, a debugger, or on a machine with analysis tools or antivirus products installed.
Its anti-VM checks include searching its host system for processes such as SandboxieRpcSs, Vmtoolsd, Vmwaretrat, Vmwareuser, Vmacthlp, Vboxservice, Vboxtray, and other VM files and terminating itself if any of such processes are discovered in order to prevent its detection or analysis. The malware also attempts to disable the Windows Defender AntiSpyware module by changing a registry key.
Phoenix could become a popular malware-as-a-service in the future
“Phoenix’s various tasks like infostealing, downloading additional malware, and spreading via USB are predefined by the operators in the configuration file before compilation. Phoenix uses a predefined exfiltration method from the configuration file to steal any collected data on execution,” said researchers at Cybereason.
“Based on our analysis, Phoenix’s malware-as-a-service model appeals to a broad range of cybercriminals, particularly the less sophisticated who do not possess the technical know-how to develop their own successful malware infrastructure. This signals a continued trend of cybercriminals following the malware-as-a-service model to make malware accessible for any level user.
“Malware authors are starting to use many of the same methodologies as legitimate software-as-a-service businesses, including marketing their software, personalised customer support, and an easy user interface to continuously profit off of other, less technical cybercriminals,” they added.