Researchers stated in a report that a new keylogger called Phoenix, which went on sale on underground forums over the summer, is now being linked to more than 10,000 infections.
Released on HackForums in July 2019, Phoenix Keylogger is a new threat that has gradually attracted followers in the malware community. Phoenix operates under a malware-as-a-service model and has already targeted victims across North America, the UK, France, Germany and elsewhere in Europe, and the Middle East.
The malware can also steal personal data from nearly 20 different browsers, including Chrome, Firefox, Opera, Vivaldi, and Brave; four mail clients (Outlook, Thunderbird, SeaMonkey, Foxmail); FTP clients (FileZilla); and chat clients. It can also execute other malware and exfiltrate data via SMTP, FTP, or even Telegram.
To evade detection, the Phoenix keylogger disables the Windows Defender AntiSpyware module by altering a registry key, and uses its anti-AV and anti-VM modules to terminate the processes of more than 80 security products.
The researchers said that, by default, buyers receive the Phoenix keylogger as a stub and must use their own means to deliver it to the target machine. In several cases, the malware was distributed through phishing emails carrying a Rich Text File (RTF) or Microsoft Office document that exploited known vulnerabilities, namely the Equation Editor vulnerability (CVE-2017-11882), to compromise victims' devices.
As soon as a system is infected, Phoenix begins collecting information about the operating system, hardware, running processes, users, and the victim's external IP address. It stores this data in memory and sends it directly to the attackers without ever writing it to disk.
Once it has gathered this basic information, it checks whether it is running in a hostile (analysis) environment. According to the researchers, the admin panel also offers a set of options to disable numerous Windows tools, including CMD, the registry editor, Task Manager, and system recovery.
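The report describes Phoenix disabling the Defender AntiSpyware module and, from its admin panel, CMD, the registry editor, Task Manager and system recovery, but does not name the registry values involved. The following PowerShell audit is an added example, not code from the report or from the malware, and assumes the standard Windows policy values that control those features; it reports any that are set so a defender can follow up on who changed them.

```powershell
# Added example (not from the report): audit the policy registry values that
# disable Windows Defender AntiSpyware, System Restore, CMD, the Registry
# Editor and Task Manager. Assumption: these are the standard policy values
# such tampering would touch; the report itself does not name the exact key.
$checks = @(
    @{ Name = 'Defender AntiSpyware'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                Value = 'DisableAntiSpyware' },
    @{ Name = 'System Restore';       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';         Value = 'DisableSR' },
    @{ Name = 'Command Prompt';       Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                   Value = 'DisableCMD' },
    @{ Name = 'Registry Editor';      Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';    Value = 'DisableRegistryTools' },
    @{ Name = 'Task Manager';         Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';    Value = 'DisableTaskMgr' }
)

function Get-PolicyValue {
    # Returns the DWORD stored at the given path/value, or $null when the
    # value (or its key) does not exist, which means "not disabled by policy".
    param([hashtable]$Check)
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.($Check.Value)
}

$findings = foreach ($c in $checks) {
    $state = Get-PolicyValue -Check $c
    [pscustomobject]@{
        Tool     = $c.Name
        Key      = "$($c.Path)\$($c.Value)"
        Value    = if ($null -eq $state) { '(absent)' } else { $state }
        Disabled = ($null -ne $state -and $state -ne 0)   # any non-zero value disables the tool
    }
}

$findings | Format-Table -AutoSize

if ($findings | Where-Object Disabled) {
    # A non-zero value is expected only where Group Policy set it deliberately;
    # anything else warrants checking registry-modification telemetry (EDR,
    # Sysmon Event ID 13) for the process that wrote it.
    Write-Warning 'One or more tools are disabled by policy; verify the change was authorised.'
}
```

Run it in an elevated session so the HKLM values are readable; a clean workstation without restrictive Group Policy should report every value as absent.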
The malware-as-a-service model of Phoenix aims to appeal to a wide range of cybercriminals, especially less technically advanced ones who lack the knowledge to build their own effective malware infrastructure. This reflects an emerging cybercrime trend of adopting the malware-as-a-service model to make malware accessible to users of any skill level, the research team concluded.