A new keylogger called Phoenix that started selling on hacking forums over the summer has now been linked to more than 10,000 infections, researchers from Cybereason said today in a report. Released in July on HackForums, the Phoenix keylogger is a new threat that has slowly gained a following with cybercriminals. Cybereason says Phoenix is the work of an experienced malware author. Over the past few months, Phoenix has evolved from a simple keystroke logger (keylogger) into a multi-functional information-stealing trojan (info stealer). While initial versions could log keystrokes, new versions come with the ability to dump user data such as passwords from over 20 different browsers, four different mail clients, FTP clients, and chat applications. Also, Phoenix has gained an anti-AV and anti-VM module that tries to avoid detection. Both modules work in the same way, coming with a list of preset process names that Phoenix will attempt to shut down before continuing to operate. The list includes the names of more than 80 well-known security products and virtual machine (VM) technologies, often used for malware reverse engineering and analysis. Professional security products come with protection systems in place to alert users when a local app tries to stop their process. However, if Phoenix is successful, the malware will collect the data it was configured to collect, and then exfiltrate it to a remote location. According to Cybereason, this can be a remote FTP server, a remote SMTP email account, or even a Telegram channel.
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in