A new keylogger dubbed Phoenix that had been put on sale on hacking forums over the summer is gaining popularity on the underground scene due to its extensive set of capabilities, ranging from simple keylogging functionality to multiple information-stealing features, according to a new report from cybersecurity firm Sybereason.
Released in July 2019, Phoenix operates under a malware-as-a-service model and already has targeted victims across North America, the United Kingdom, France, Germany and other parts of Europe and the Middle East. Apart from keylogging functionality, the malware also can steal personal data from almost 20 different browsers, including Chrome, Firefox, Opera, Vivaldi, and Brave, four different mail clients (Outlook, Thunderbird, Seamonkey, Foxmail), FTP clients (Filezilla), and chat clients, download additional malware and exfiltrate data via SMTP, FTP or even Telegram.
To steer clear of detection, the Phoenix keylogger attempts to disable the Windows Defender AntiSpyware module by changing the registry key and uses its anti-AV and anti-VM modules to terminate the process of over 80 of security products (the full list is provided in the Sybereason blog post).
By default, the Phoenix keylogger is offered to buyers as a stub and they must use their own means to deliver the stub to the target machine, the researchers said. In most cases, the malware was spread via phishing emails containing a weaponized rich text file (RTF) or Microsoft Office document leveraging known exploits, namely Equation Editor vulnerability (CVE-2017-11882), to compromise victims’ machines.
Once infecting the target system, Phoenix collects and stores in memory the info about operating system, hardware, running processes, users, and its external IP and then sends the harvested data to the attackers directly, without writing it to disk.
“After obtaining basic system information, Phoenix checks to see if it is running in a “hostile” environment. A hostile environment can take different forms: if Phoenix is deployed in a virtual machine, debugger, or on a machine with analysis tools or antivirus products installed. Phoenix has a set of features to disable different Windows tools within the admin panel, like disabling CMD, the registry, task manager, system restore, and others,” the researchers found.
Cybereason believes that the Phoenix keylogger is an evolution of the Alpha keylogger, which mysteriously disappeared from cybercrime scene at the beginning of July this year, based on the similarities between functionality and the design of the admin panel for the Phoenix keylogger and the Alpha keylogger.
“We believe the Phoenix keylogger is not just an evolution of the Alpha keylogger, but also an attempt to rebrand and give the author a clean slate in the underground community,” the researchers said.
“Based on our analysis, Phoenix’s malware-as-a-service model appeals to a broad range of cybercriminals, particularly the less sophisticated who do not possess the technical know-how to develop their own successful malware infrastructure. This signals a continued trend of cybercriminals following the malware-as-a-service model to make malware accessible for any level user,” the research team concluded.