L0rdix becomes the new Swiss Army knife of Windows hacking

The new tool combines data theft and cryptocurrency mining as a go-to product for attacking Windows machines.
Written by Charlie Osborne, Contributing Writer

A new hacking tool making the rounds in underground forums has been deemed the latest "go-to" universal offering for attackers targeting Microsoft Windows PCs.

The software is called L0rdix and according to cybersecurity researchers from enSilo is "aimed at infecting Windows-based machines, combines stealing and cryptocurrency mining methods, [and] can avoid malware analysis tools."

In a blog post on Tuesday, enSilo researcher Ben Hunter said the tool is relatively new and is available for purchase. There are, however, indicators that L0rdix is still undergoing development despite an array of different functions already implemented within the malware.

Written in .NET, L0rdix has been developed with stealth in mind. The malware is obfuscated with ConfuserEx, a free and widely used open-source .NET obfuscator, and some samples have additionally been protected with the more sophisticated commercial .NETGuard obfuscator.

The developers of L0rdix have put noticeable effort into detecting virtual environments and sandboxes, which researchers commonly use for reverse engineering and malware analysis.

L0rdix not only performs a number of standard checks to detect these environments but also runs WMI queries and reads registry keys, searching the returned strings for names that identify virtualization or sandbox products.

"The less common checks made by L0rdix include searching processes that load sbiedll.dll which belongs to the sandboxie product, aspiring to increase its chances to avoid running in a simple free virtual environment tool," Hunter added.
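As an added illustration (not code from the enSilo write-up or from L0rdix itself), the following Python evaluates the three kinds of check described above over a constructed host snapshot: WMI properties, registry values and the loaded-module list of each process. The snapshot, the registry paths and the hypervisor marker strings are assumptions chosen for the example; the article itself names only sbiedll.dll. Running the same checks against your own analysis VM shows which artifacts a sample like this would trip on, and therefore what to change before detonating it.

```python
from __future__ import annotations

# Constructed snapshot of a VirtualBox guest with Sandboxie present (example
# data, not from the enSilo report). A real collector would fill this from
# WMI (Get-WmiObject / System.Management), the registry and each process's
# module list.
HOST_SNAPSHOT = {
    "wmi": {
        "Win32_ComputerSystem": {"Manufacturer": "innotek GmbH", "Model": "VirtualBox"},
        "Win32_BIOS": {"Manufacturer": "innotek GmbH", "SMBIOSBIOSVersion": "VirtualBox"},
    },
    "registry": {
        r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "VBOX   - 1",
        r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0":
            r"IDE\DiskVBOX_HARDDISK___________________________1.0_____\5&2a1b3c4d&0&0.0.0",
    },
    "processes": {
        "explorer.exe": ["ntdll.dll", "kernel32.dll", "user32.dll"],
        "notepad.exe": ["ntdll.dll", "kernel32.dll", "SbieDll.dll"],
    },
}

# Constructed snapshot of an ordinary physical workstation, for comparison.
CLEAN_SNAPSHOT = {
    "wmi": {"Win32_ComputerSystem": {"Manufacturer": "Dell Inc.", "Model": "Latitude 7400"}},
    "registry": {r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "DELL   - 1072009"},
    "processes": {"explorer.exe": ["ntdll.dll", "kernel32.dll"]},
}

# Substrings commonly used to recognise hypervisors; assumed here, since the
# article does not list which strings L0rdix searches for.
VM_MARKERS = ("vmware", "virtualbox", "vbox", "innotek", "qemu", "parallels")
# Sandboxie injects this DLL into every process it sandboxes (named on the page).
SANDBOX_DLLS = {"sbiedll.dll"}


def wmi_indicators(wmi: dict) -> list[str]:
    """Return 'Class.Property=value' for every WMI value containing a VM marker."""
    return [f"{cls}.{prop}={value}"
            for cls, props in wmi.items()
            for prop, value in props.items()
            if any(m in str(value).lower() for m in VM_MARKERS)]


def registry_indicators(reg: dict) -> list[str]:
    """Return registry paths whose data contains a VM marker."""
    return [path for path, data in reg.items()
            if any(m in str(data).lower() for m in VM_MARKERS)]


def process_indicators(procs: dict) -> list[tuple[str, str]]:
    """Return (process, module) pairs where a known sandbox DLL is loaded.
    Comparison is case-insensitive: the file on disk is named SbieDll.dll."""
    return [(proc, mod) for proc, mods in procs.items()
            for mod in mods if mod.lower() in SANDBOX_DLLS]


def evaluate(snapshot: dict) -> dict:
    """Run all checks; 'analysis_env' is the verdict a sample would act on."""
    report = {
        "wmi": wmi_indicators(snapshot["wmi"]),
        "registry": registry_indicators(snapshot["registry"]),
        "processes": process_indicators(snapshot["processes"]),
    }
    report["analysis_env"] = any(report[k] for k in ("wmi", "registry", "processes"))
    return report


if __name__ == "__main__":
    for name, snap in (("vm", HOST_SNAPSHOT), ("clean", CLEAN_SNAPSHOT)):
        for key, value in evaluate(snap).items():
            print(f"{name} {key}: {value}")
```

The process check is the one worth noting for sandbox operators: it fires on any process that has loaded the Sandboxie DLL, so a free, low-effort sandbox is detected even when the hardware strings have been scrubbed.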

The malware has been constructed with sales in mind, containing five core modules with configuration auto-update capabilities and a structure which allows future modules to be easily integrated within L0rdix.

Once a machine is infected, the malware pulls information including OS version, device ID, CPU model, installed antivirus products and current user privileges. This information is encrypted and sent to the command-and-control (C2) server, alongside a screenshot of the machine.

The malware's files and configuration settings are then updated based on this information, and it is at this point where L0rdix 'decides' whether or not cryptocurrency mining and data theft are appropriate.

L0rdix then infects every removable drive it finds, copying itself onto the drive under the icons of the legitimate content and marking the original files and directories as hidden.

"All of this is done to make sure that the malware will execute by the user double-clicking it on another machine," the researcher says.

Another module handles persistence: the malware copies itself to a number of conventional locations and uses mechanisms such as scheduled tasks to relaunch itself. The researchers regard this module as comparatively basic and expect it to be improved in future versions.

L0rdix can also enlist the infected PC in a botnet. Supported commands include opening specified URLs in a browser -- usable for flooding a target site in a rudimentary Distributed Denial-of-Service (DDoS) attack -- killing named processes, uploading and executing additional payloads, and running cmd commands.

In addition, the malware monitors the Windows clipboard for cryptocurrency wallet addresses and similar strings. Anything found is sent to the C2. L0rdix also attempts to collect browser cookies and saved credentials.
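As an added example, not code from the article or from the malware, here is a Python classifier for the kind of clipboard content such a module hunts for. Candidate strings are pulled out with regular expressions; legacy Bitcoin addresses are then confirmed with the Base58Check checksum so that random base58 look-alikes are discarded, while Ethereum addresses are matched by shape only (EIP-55 checksum validation needs Keccak, which the standard library lacks). The clipboard strings are constructed for the example, and the specific address formats L0rdix matches are not stated on the page.

```python
from __future__ import annotations

import hashlib
import re

# Constructed clipboard contents (not captured from any victim). The first
# holds the Bitcoin genesis-block address; the second has its final character
# altered so the Base58Check checksum no longer matches.
SAMPLES = [
    "send 0.2 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa before noon",
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb",
    "refund to 0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe",
    "meeting moved to room 3PZ at 10:00",
]

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy Bitcoin addresses begin with 1 (P2PKH) or 3 (P2SH); Ethereum is 0x plus 40 hex digits.
_BTC_CANDIDATE = re.compile(r"\b[13][" + _B58 + r"]{25,34}\b")
_ETH_CANDIDATE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")


def b58decode(s: str) -> bytes:
    """Decode a base58 string; each leading '1' stands for one 0x00 byte."""
    n = 0
    for ch in s:
        n = n * 58 + _B58.index(ch)  # ValueError for characters outside the alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body


def is_valid_btc_legacy(addr: str) -> bool:
    """True if addr decodes to version + hash160 + checksum with a correct checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def find_wallets(text: str) -> list[tuple[str, str]]:
    """Return (coin, address) for every wallet address found in one clipboard string."""
    hits = [("btc", m.group(0)) for m in _BTC_CANDIDATE.finditer(text)
            if is_valid_btc_legacy(m.group(0))]
    hits += [("eth", m.group(0)) for m in _ETH_CANDIDATE.finditer(text)]
    return hits


def scan_clipboard_history(entries: list[str]) -> list[tuple[str, str]]:
    """Everything a clipboard stealer would forward to its C2 from these entries."""
    return [hit for entry in entries for hit in find_wallets(entry)]


if __name__ == "__main__":
    for coin, addr in scan_clipboard_history(SAMPLES):
        print(f"{coin}: {addr}")
```

The same classifier is useful on the defensive side: a clipboard-monitoring tool that sees one valid address replaced by a different valid address of the same coin within milliseconds is looking at a clipboard-swap attack, not a user copying a new payee.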

As for cryptocurrency mining (cryptojacking), some samples contain miner code, but enSilo believes this was added at a later stage of development, since other samples lack the functionality entirely.

"While it's very easy to notice that most of the effort was put into evading virtual environments and analysis tools along with implementing the stealing module, L0rdix still presents unfinished modules and weak implementation details such as simple encryption or simple data handling between the server and the client," Hunter says. "Those indicators might suggest that the tool is still under development."

enSilo expects to see more sophisticated versions of the multipurpose tool as L0rdix is developed further to stay attractive to underground buyers.
