A new variant of PsiXBot, malware configured for the theft of information and cryptocurrency, has been spotted in the wild which abuses Google's DNS over HTTPS service.
PsiXBot is a relatively new strain of malware, having first been discovered in 2017. Written in .NET, the malicious code has undergone an array of changes and evolutions, and according to Proofpoint researchers, the latest upgrade includes some very interesting alterations.
The malware, delivered through spam campaigns and as a payload in the Spleevo and RIG-v exploit kits, targets users as long as they are not Russian language speakers.
PsiXBot has previously been connected to .bit domains associated with the NameCoin cryptocurrency, which require special DNS server settings. The malware also uses hex-coded tiny.cc links to perform DNS requests for separate command-and-control (C2) servers which send infection commands that begin with a system check.
If a machine is deemed suitable for infection, malware modules are executed, including a password stealer, cookie stealer, keylogger, and a process that monitors the clipboard for credentials used for wallets for cryptocurrency such as Bitcoin, Etherium, Monero, and Ripple.
PsiXBot is also able to grab information submitted to online forms, send outgoing spam via Microsoft Outlook from the victim's email address, covertly delete any traces of malicious emails sent, and remove itself from an infected system.
In a blog post last week, Proofpoint said the malware now includes several new features. Notably, the latest version -- v.1.0.3 -- includes the introduction of Google's DNS over HTTPS (DoH) service, a protocol that packages DNS queries as encrypted HTTPS traffic rather than plaintext.
Some samples acting as payloads in exploit kits utilize the new technique, in which hardcoded C2 domains are resolved with DoH.
"By using Google's DoH service, it allows attackers to hide the DNS query to the C&C domain behind HTTPS," Proofpoint says. "Unless SSL/TLS is being inspected by Man in the Middle (MitM), DNS queries to the C&C server will go unnoticed."
In addition, new samples have also revealed a shift in infrastructure to Fast Flux, a method for changing DNS entries using compromised host networks. This structure has been found in C2 domain responses, both via standard DNS queries and DoH.
PsiXBot has also been equipped with a new attack module. Coded as "PornModule," the software is most likely used for sexploitation. The researchers say that PornModule will monitor open windows and compares keywords to a list stored in a dictionary format. If matches are found, the malware will begin recording audio and visual information.
Armed with these recordings, it is possible that the malware's operators could then attempt to extort and blackmail victims.
TechRepublic: Top 5 password alternatives
Malware able to maintain persistence, extort victims, and steal a variety of information -- including data related to the lucrative cryptocurrency industry -- is in hot demand and, as such, we may expect PsiXBot's operators to continue to refine their creation.
"This malware is under active development and continues to evolve," Proofpoint says. "By expanding the feature set of the included modules and the overall capabilities of this malware, the actor or team behind its development appears to be seeking feature parity with other similar malware on the market."
Previous and related coverage
- Cybersecurity: 99% of email attacks rely on victims clicking links
- Malicious Android apps containing Joker malware set up shop on Google Play
- Newly discovered cyber-espionage malware abuses Windows BITS service
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0