A new keylogger called Phoenix that started selling on hacking forums over the summer has now been linked to more than 10,000 infections, researchers from Cybereason said today in a report. Released in July on HackForums, the Phoenix keylogger is a new threat that has slowly gained a following with cybercriminals. Cybereason says Phoenix is the work of an experienced malware author. Over the past few months, Phoenix has evolved from a simple keystroke logger (keylogger) into a multi-functional information-stealing trojan (info stealer). While initial versions could log keystrokes, new versions come with the ability to dump user data such as passwords from over 20 different browsers, four different mail clients, FTP clients, and chat applications. Also, Phoenix has gained an anti-AV and anti-VM module that tries to avoid detection. Both modules work in the same way, coming with a list of preset process names that Phoenix will attempt to shut down before continuing to operate. The list includes the names of more than 80 well-known security products and virtual machine (VM) technologies, often used for malware reverse engineering and analysis. Professional security products come with protection systems in place to alert users when a local app tries to stop their process. However, if Phoenix is successful, the malware will collect the data it was configured to collect, and then exfiltrate it to a remote location. According to Cybereason, this can be a remote FTP server, a remote SMTP email account, or even a Telegram channel.
Analyst Notes
Even though Phoenix is designed to avoid anti-virus detection, the primary defense is through the use of an up-to-date antivirus program. Using multi-factor authentication (MFA) is another way to stop unauthorized access to accounts. If MFA is enabled, even if the attacker has login credentials, they will have a very difficult time obtaining the MFA token that is needed. Avoid phishing scams–phishing emails are still the primary distribution method for malicious programs.
Read more at ZDNet: https://www.zdnet.com/article/new-phoenix-keylogger-tries-to-stop-over-80-security-products-to-avoid-detection/
