- L0rdix targets Windows systems and is capable of stealing and mining cryptocurrencies.
- The malware is designed to be a “universal go-to tool” for cybercriminals.
A new hacking tool has emerged as the hottest new thing on the dark web. L0rdix is designed to be a “universal go-to tool” for cybercriminals. The malware is capable of stealing and mining cryptocurrencies, as well as avoid detection by anti-malware tools.
According to security researchers at enSilo, who discovered the new malware, L0rdix is still under development. Although the malware has yet to portray any never-before-seen capabilities, experts believe it to be a potent threat as it combines data-stealing and cryptomining.
“L0rdix goes to great lengths to avoid being executed in virtual environments and analyzed by common malware analysis tools,” enSilo researcher Ben Hunter wrote in a blog. “The less common checks made by L0rdix include searching processes that load sbiedll.dll which belongs to the sandboxie product, aspiring to increase its chances to avoid running in a simple free virtual environment tools.”
L0rdix is written in .NET and has been developed to operate stealthily. Although the malware’s authors opted for a simple code, the malware contains five separate components that allow its operators to conduct further developments with ease.
The malware is capable of exfiltrating system information such as device model, CPU model, GPU model, anti-virus software, RAM data, and more. All of the data stolen by the malware, as well as a screenshot of the system is sent to the malware’s C2.
L0rdix aims to steal three different catagories of data from a targeted system. The first pertains to saved browser credentials, the second is cookie data and the third is desktop and/or directory files that pertain to system configuration. The malware also sends this information to its C2.
“While it’s very easy to notice that most of the effort was put into evading virtual environments and analysis tools along with implementing the stealing module, L0rdix still presents unfinished modules and weak implementation details such as simple encryption or simple data handling between the server and the client,” Hunter added. “Those indicators might suggest that the tool is still under development. We can expect to see more sophisticated versions of L0rdix in the future or the indicators are evident of an inexperienced malware author.”