A report from Cybereason, a cybersecurity firm, has linked more than 10,000 infections to a new keylogger called Phoenix, which debuted on hacking forums in July. Researchers from the firm say this keylogger is the work of an experienced malware author.
What do we know about the keylogger?
The Phoenix keylogger, as a new threat, has gradually gained a following on the malware scene. The reason behind the malware's rising popularity, as per the researchers, was the malware's easy-to-use interface that enabled buyers to configure it at will.
The malware's behavior
The Phoenix keylogger was observed deployed in various parts of the world, in different configurations and with varying attacker goals.
“After obtaining basic system information, Phoenix checks to see if it is running in a “hostile” environment. A hostile environment can take different forms: if Phoenix is deployed in a virtual machine, debugger, or on a machine with analysis tools or antivirus products installed. Phoenix has a set of features to disable different Windows tools within the admin panel, like disabling CMD, the registry, task manager, system restore, and others,” the researchers wrote.
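One defender-side check that follows from the quoted behavior, added here as an example and not taken from Cybereason's report: audit the Windows policy values that disable the Command Prompt, Registry Editor, Task Manager and System Restore. The report only says Phoenix "disables" these tools; that it does so by setting these particular policy values is an assumption, so a hit is a lead to investigate, not proof of this malware.

```powershell
# Added example (not from Cybereason's report). Audits the policy values that,
# when non-zero, disable cmd.exe, regedit, Task Manager and System Restore.
# ASSUMPTION: the report does not state the mechanism Phoenix uses; these are the
# standard Windows policy locations that produce that effect.
$checks = @(
    @{ Tool = 'Command Prompt'; Hive = 'HKCU'; Key = 'Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD' },
    @{ Tool = 'Registry Editor'; Hive = 'HKCU'; Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Tool = 'Task Manager';    Hive = 'HKCU'; Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Tool = 'System Restore';  Hive = 'HKLM'; Key = 'Software\Policies\Microsoft\Windows NT\SystemRestore';      Name = 'DisableSR' }
)

function Get-DisabledToolPolicy {
    # Returns one row per tool with the current value and whether it is effectively disabled.
    $results = foreach ($c in $checks) {
        $path  = "$($c.Hive):\$($c.Key)"
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        [pscustomobject]@{
            Tool     = $c.Tool
            Path     = "$path\$($c.Name)"
            Value    = $value
            Disabled = ($null -ne $value -and [int]$value -ne 0)
        }
    }
    return $results
}

$report = Get-DisabledToolPolicy
$report | Format-Table -AutoSize

$flagged = $report | Where-Object { $_.Disabled }
if ($flagged) {
    Write-Warning ("Tool-disabling policy values are set for: " + ($flagged.Tool -join ', '))
}
```

On domain-joined hosts these values can be set legitimately by Group Policy, so compare against the expected baseline before treating a hit as suspicious.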
The rare attribute - Boot persistence
Phoenix’s rare ability to gain boot persistence on infected Windows systems did garner some attention from the researchers. "Phoenix does have a persistence feature, but [...] most of the infections that we analyzed did not exhibit persistence behavior," Assaf Dahan, the head of Threat Research at Cybereason, told ZDNet via email yesterday.
Another important discovery concerned Phoenix's ability to extract and steal usernames and passwords. Since this data could be extracted within seconds of the initial infection, the groups spreading the malware rarely bothered to establish boot persistence.
Conclusion
"It is our estimation that Phoenix is used more like a 'one-off' information stealer, rather than a tool designed for long period surveillance," Dahan added. Still, the new malware is under active development and could shift towards becoming a more robust surveillance tool in the future.