New Phoenix Keylogger tries to stop over 80 security products to avoid detection

Phoenix linked to more than 10,000 infections since the malware's launch on a hacking forum in July.

Phoenix Keylogger

Screengrab of the Phoenix Keylogger logo, as it appears in an online ad.

Image via HackForums

A new keylogger called Phoenix that started selling on hacking forums over the summer has now been linked to more than 10,000 infections, researchers from Cybereason said today in a report.

Released in July on HackForums, the Phoenix Keylogger is a new threat that has slowly gained a following on the malware scene.

New malware distribution campaigns are being spotted every few weeks, according to threat intelligence shared on Twitter.

More of an infostealer than keylogger

Cybereason says Phoenix is the work of an experienced malware author. Over the past few months, Phoenix has evolved from a simple keystroke logger (keylogger) into a multi-functional information-stealing trojan (infostealer).

While initial versions included the ability to log keystrokes, newer versions come with the ability to dump user data, such as passwords, from 20 different browsers, four different mail clients, FTP clients, and chat applications, researchers said.

In addition, Phoenix has also gained an aggressive anti-AV and anti-VM module that tries to keep the malware from being detected and analyzed while deployed "in the field."

Both modules work in the same way, coming with a list of preset process names that Phoenix will attempt to shut down before continuing to operate.

The list includes the names of more than 80 well-known security products and virtual machine (VM) technologies, often used for malware reverse engineering and analysis.

The list of security-related process names is listed in the image below, while the Phoenix author appears to have copy-pasted the list of VM processes from a blog post by cyber-security company Cyberbit.

phoenix-anti-av.png

Image: Cybereason

Professional security products come with protection systems in place to alert users when a local app tries to stop their process. However, if Phoenix is successful, the malware will collect the data it was configured to collect, and then exfiltrate it to a remote location.

According to Cybereason, this can be a remote FTP server, a remote SMTP email account, or even a Telegram channel.

Mostly used for credentials harvesting

Cybereason researchers attribute the malware's rising popularity on its easy to use interface that allows buyers to configure it at will. Researchers say they've seen the malware deployed all over the world, in different configurations, depending on the goals attackers were trying to achieve.

However, one trend stood out, namely the fact that Phoenix was rarely configured to gain boot persistence on the Windows systems of infected hosts.

Basically, the malware would infect users, extract and steal data from local apps, and then disappear after the first reboot.

"Phoenix does have a persistence feature, but [...] most of the infections that we analyzed did not exhibit persistence behavior," Assaf Dahan, Cybereason, Senior Director, Head of Threat Research, told ZDNet via email yesterday.

"It is our estimation that Phoenix is used more like a 'one-off' information stealer, rather than a tool designed for long period surveillance," he added.

"Since it's a completely new malware, and still under development, there might be a shift towards a more robust surveillance tool in the future.

"As for the clientele, it seems that most of the purchasers are interested in obtaining sensitive data that they could later sell in the underground markets, mostly in the credential selling communities," Dahan told us, referring to Phoenix's ability to extract and steal usernames and passwords stored inside browsers -- data that can be very valuable for malware authors.

Since this data can be extracted within seconds after the initial infection, this also explains why the cybercriminal groups spreading Phoenix rarely bother with configuring a boot persistence method. They simply don't need it and just a boot persistence mechanism would only leave forensic evidence behind that may alert users that they've been infected in the past.

The lack of this boot persistence system also makes tracking Phoenix malware infections nigh impossible without extended logging capabilities, usually found in enterprise environments only.

This linked Cybereason report also looks into the Phoenix malware's author. Researchers believe the Phoenix creator is also the author of the Alpha Keylogger, another commercial malware strain that went dead a few months before Phoenix's launch. Connections between the two strains highlighted in the Cybereason report include everything from reused code to the use of the same layout and font for promotional materials.

phoenix-keylogger-compare.png

Image: Cybereason