Rare, aggressive Phoenix keylogger is on the hotlist of cybercrooks

• Research on Twitter reveals that malware distribution for the new keylogger campaigns was spotted every few weeks.
• It is more like a 'one-off' information stealer, rather than a tool designed for long-term surveillance.

A report from Cybereason—a cybersecurity firm, has linked more than 10,000 infections to a new keylogger called Phoenix which debuted on hacking forums in July. Researchers from the firm say this keylogger is the work of an experienced malware author.

What do we know about the keylogger?

The Phoenix keylogger, as a new threat, has gradually gained a following on the malware scene. The reason behind the malware's rising popularity, as per the researchers, was the malware's easy-to-use interface that enabled buyers to configure it at will.

• Research on Twitter revealed that malware distribution for the Phoenix keylogger campaigns was spotted every few weeks.
• The malware has reportedly transformed from a simple keystroke logger into a multi-functional information-stealing trojan over the past few months.
• Besides logging keystrokes, this newer version brings the ability to dump user data, such as passwords from 20 different browsers, four mail clients (Outlook, Thunderbird, Seamonkey, Foxmail), FTP clients, and chat applications.

The malware's behavior

Phoenix keylogger was observed to be deployed in various corners of the world, in different configurations, with varying goals of the attackers.

• This new keylogger malware attempts to disable the Defender AntiSpyware module by changing the registry key.
• It uses an aggressive anti-AV and anti-VM modules to terminate the process of over 80 well-known security products, keeping it from being detected.
• Generally, professional security products come with an alert feature to notify users when a local app tries to alter their process. However, a successful Phoenix keylogger collects the data it was configured to collect and drops it to a remote location.
• According to Cybereason, this can be a remote FTP server, a remote SMTP email account, or even a Telegram channel.

“After obtaining basic system information, Phoenix checks to see if it is running in a “hostile” environment. A hostile environment can take different forms: if Phoenix is deployed in a virtual machine, debugger, or on a machine with analysis tools or antivirus products installed. Phoenix has a set of features to disable different Windows tools within the admin panel, like disabling CMD, the registry, task manager, system restore, and others,” the researchers wrote.

The rare attribute - Boot persistence

Phoenix’s rare ability to gain boot persistence on infected Windows systems did garner some attention from the researchers. "Phoenix does have a persistence feature, but [...] most of the infections that we analyzed did not exhibit persistence behavior," Assaf Dahan, the head of Threat Research at Cybereason, told ZDNet via email yesterday.

Another important discovery was also made related to Phoenix's ability to extract and steal usernames and passwords. Since this data could be extracted in seconds after the initial infection, the groups spreading the malware rarely bothered for establishing boot persistence.

Conclusion

"It is our estimation that Phoenix is used more like a 'one-off' information stealer, rather than a tool designed for long period surveillance," Dahan added. Also, the new malware, which is still under development, could go shift towards becoming a more robust surveillance tool in the future.