A new keylogger called Phoenix, which was on sale on hacking forums, has now been linked to more than 10,000 infections. The keylogger, released in July on HackForums, is a new threat that has slowly gained a following on the malware scene.
According to the researchers at Cybereason, Phoenix was built by an experienced malware author. Phoenix has evolved from a simple keystroke logger into a multi-functional information-stealing trojan (infostealer).
The earlier versions could only log keystrokes, while the newer versions can dump user data, such as passwords, from 20 different browsers, four different mail clients, FTP clients, and chat applications.
Phoenix has also gained an aggressive anti-AV and anti-VM module that tries to keep the malware from being detected and analyzed while deployed in the field.
The two modules work in the same way: each has a list of preset process names that Phoenix will attempt to shut down before continuing to operate.
The list includes more than 80 well-known security products and virtual machine (VM) technologies, often used for malware reverse engineering and analysis.
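The behaviour described above, a process trying to shut down security products and VM tooling by name, leaves a trace in process-creation telemetry that defenders can hunt for. The following is an added example (not from the article or from Cybereason's research) that scans constructed Windows 4688-style process-creation records for kill utilities aimed at a watch list of protected process names; the watch list, the log format and the sample records are all assumptions made for this illustration.

```python
"""Detect attempts to terminate security tooling from process-creation logs.

Added, hypothetical example: scans constructed 4688-style process-creation
records (CSV: timestamp, parent image, image, command line) for a command that
tries to stop a security product or VM-analysis tool by name.
"""
import csv
import io
import re
from typing import Dict, List

# Hypothetical watch list of base process names (without .exe) a defender wants
# protected. The article says Phoenix targets 80+ products; this is a small
# illustrative subset, not the malware's list.
WATCHED_PROCESSES = {
    "msmpeng",       # Microsoft Defender antimalware service
    "procmon",       # Sysinternals Process Monitor
    "wireshark",
    "vboxservice",   # VirtualBox guest additions
    "vmtoolsd",      # VMware Tools
    "x64dbg",
}

# Utilities that can terminate another process by name; must appear as a
# whole word (start of line, or after whitespace, backslash or a quote).
KILL_TOOLS = re.compile(r'(?:^|[\\\s"])(taskkill|pskill|stop-process|kill)(?:\.exe)?\b', re.I)

# Constructed sample log, not real telemetry.
SAMPLE_LOG = """timestamp,parent_image,image,command_line
2019-11-20T10:01:02Z,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\notepad.exe,notepad.exe
2019-11-20T10:01:05Z,C:\\Users\\u\\AppData\\Roaming\\svc.exe,C:\\Windows\\System32\\taskkill.exe,taskkill /F /IM MsMpEng.exe
2019-11-20T10:01:06Z,C:\\Users\\u\\AppData\\Roaming\\svc.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,powershell -c Stop-Process -Name vmtoolsd -Force
2019-11-20T10:02:00Z,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\taskkill.exe,taskkill /F /IM chrome.exe
"""


def find_kill_targets(command_line: str) -> List[str]:
    """Return the watched process names this command line tries to stop."""
    if not KILL_TOOLS.search(command_line):
        return []
    hits = []
    for token in command_line.split():
        name = token.strip('"\'').lower()
        if name.endswith(".exe"):
            name = name[:-4]          # compare on the base name
        if name in WATCHED_PROCESSES:
            hits.append(name)
    return hits


def scan_process_log(text: str) -> List[Dict[str, str]]:
    """Parse CSV records and return one alert per kill aimed at a watched process."""
    alerts = []
    for row in csv.DictReader(io.StringIO(text)):
        targets = find_kill_targets(row["command_line"])
        if targets:
            alerts.append({
                "timestamp": row["timestamp"],
                "parent_image": row["parent_image"],   # who launched the kill
                "targets": ",".join(targets),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_process_log(SAMPLE_LOG):
        print(alert)
```

Only the two records launched from the unexpected `svc.exe` parent fire; the `taskkill` against `chrome.exe` is ignored because Chrome is not on the watch list. In practice the parent image is the most useful field in the alert, since a kill of a security process from a binary under a user's roaming profile is the part worth triaging.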
Professional security products come with protection systems that alert users when a local app tries to stop their process. But if Phoenix succeeds, the malware collects the data it was configured to collect and then exfiltrates it to a remote location.
This can be either a remote FTP server, a remote SMTP email account, or even a Telegram channel.
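Each of those three channels has a recognisable network footprint, so the same finding can be turned into a hunt over connection telemetry. The following is an added example (not part of the article) that classifies constructed Sysmon-style network-connection records into the FTP, SMTP and Telegram channels and alerts when the originating process is not one expected to use that channel; the per-channel allowlists, the `api.telegram.org` host used for the Telegram Bot API, and the sample records are assumptions for this illustration.

```python
"""Flag outbound connections matching the three exfiltration channels.

Added, hypothetical example: classifies constructed network-connection records
(CSV: timestamp, image, dest_host, dest_port) by channel and raises an alert
when the process is not one a defender expects on that channel.
"""
import csv
import io
from typing import Dict, List, Optional

# Hypothetical allowlists of process names expected on each channel.
EXPECTED_BY_CHANNEL = {
    "ftp": {"filezilla.exe", "winscp.exe"},
    "smtp": {"outlook.exe", "thunderbird.exe"},
    "telegram": {"telegram.exe"},
}

FTP_PORTS = {21}
SMTP_PORTS = {25, 465, 587}
TELEGRAM_API_HOST = "api.telegram.org"   # assumed Bot API endpoint

# Constructed sample log; 203.0.113.7 is a documentation-range address.
SAMPLE_LOG = """timestamp,image,dest_host,dest_port
2019-11-20T10:03:01Z,C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe,smtp.example.net,587
2019-11-20T10:03:04Z,C:\\Users\\u\\AppData\\Roaming\\svc.exe,api.telegram.org,443
2019-11-20T10:03:05Z,C:\\Users\\u\\AppData\\Roaming\\svc.exe,203.0.113.7,21
2019-11-20T10:03:09Z,C:\\Program Files\\Google\\Chrome\\chrome.exe,www.example.com,443
2019-11-20T10:03:12Z,C:\\Users\\u\\AppData\\Roaming\\svc.exe,mail.example.net,25
"""


def classify(dest_host: str, dest_port: int) -> Optional[str]:
    """Map a destination to one of the three channels, or None if unrelated."""
    if dest_host.lower() == TELEGRAM_API_HOST:
        return "telegram"
    if dest_port in FTP_PORTS:
        return "ftp"
    if dest_port in SMTP_PORTS:
        return "smtp"
    return None


def scan_network_log(text: str) -> List[Dict[str, str]]:
    """Return an alert for every channel use by a process not on its allowlist."""
    alerts = []
    for row in csv.DictReader(io.StringIO(text)):
        channel = classify(row["dest_host"], int(row["dest_port"]))
        if channel is None:
            continue                       # ordinary traffic, not one of the channels
        image_name = row["image"].rsplit("\\", 1)[-1].lower()
        if image_name in EXPECTED_BY_CHANNEL[channel]:
            continue                       # a mail/FTP/Telegram client doing its job
        alerts.append({
            "timestamp": row["timestamp"],
            "image": image_name,
            "channel": channel,
            "dest": f"{row['dest_host']}:{row['dest_port']}",
        })
    return alerts


if __name__ == "__main__":
    for alert in scan_network_log(SAMPLE_LOG):
        print(alert)
```

Thunderbird's SMTP session and Chrome's HTTPS request pass, while the three connections from `svc.exe` are each attributed to a channel. Correlating these alerts with the process-creation hunt for the same image ties the kill-switch behaviour and the exfiltration together in one incident.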
The malware has gained much popularity mainly due to its easy-to-use interface, which lets buyers configure it as they see fit. The malware was found deployed all over the world, in different configurations, depending on the needs of the attackers.
But all share one trend: Phoenix was rarely configured to gain boot persistence on the Windows systems of infected hosts.
Basically, the malware would infect users, extract and steal data from local apps, and then disappear after the first reboot.
Phoenix has a persistence feature, but most of the infections that were analyzed did not show persistence behavior. It is believed that Phoenix is used as a 'one-off' information stealer rather than a tool designed for long-term surveillance.
Most buyers are more interested in obtaining sensitive data that can later be sold in underground markets, mostly in credential-selling communities.
Phoenix can extract and steal usernames and passwords stored inside browsers, and this data is very valuable to malware authors. The data can be extracted within seconds of the initial infection. This is also one of the reasons why the cybercriminals spreading Phoenix do not bother configuring a boot persistence method.
It is not required, and a boot persistence mechanism would leave forensic evidence behind that may alert users that they were infected in the past.