Cybereason researchers have analysed Phoenix, a malware family that appeared this summer and is a hybrid of a keylogger and an infostealer. It is distributed under the MaaS model (malware-as-a-service) and is already responsible for roughly 10,000 infections.
Phoenix is sold as a subscription product, with prices ranging from $14.99 per month to $78.99 for a lifetime licence.
Cybereason's analysts write that Phoenix is the work of an experienced malware author. It appears that the same person previously authored Alpha Keylogger, a malware family that was discontinued earlier this year.
Over the past few months Phoenix has evolved from a simple keylogger into a multi-functional information-stealing trojan (infostealer). While the first version could only intercept keystrokes, newer builds steal saved passwords from almost twenty browsers, four email clients, FTP clients and instant messengers. The malware can also read the clipboard, take screenshots and download additional payloads.
Information stolen from victims is transmitted to malware operators via SMTP, FTP or Telegram.
Phoenix has also gained anti-AV and anti-VM modules intended to prevent detection and analysis. Both modules work the same way: before the malware continues, they attempt to terminate a set of processes whose names match a predefined list. That list contains more than 80 names of well-known security products and virtual-machine components, the tooling commonly used for reverse engineering and malware analysis.
The analysts note that Phoenix has the capabilities needed to establish persistence on a host, but its operators show little interest in doing so. According to the researchers, the malware is most often used as a one-shot data-theft tool rather than for long-term monitoring of victims: within seconds of infection Phoenix harvests the credentials and other sensitive data it is after, and that is the end of its job. The stolen data is typically sold on darknet marketplaces.
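The kill-list behaviour described above leaves a recognisable trace: one process terminating several security or analysis-tool processes within a few seconds. The following is an added detection sketch, not code from Cybereason or from Phoenix itself. The watch-list of process names, the log format (`timestamp|actor|action|target`) and the sample events are all constructed for the example; the actual 80+ entry Phoenix list is not reproduced on this page and is not assumed here.

```python
"""Flag processes that terminate many security / VM-tooling processes in a
short window, the behaviour of an anti-AV / anti-VM kill-list.
Added example: process names, the watch-list and the event stream below are
constructed sample data, not Phoenix's list or real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed watch-list of names a defender might tag as security/VM tooling.
# Illustrative only; the real Phoenix list is not reproduced here.
SENSITIVE_PROCESSES = {
    "msmpeng.exe", "vboxservice.exe", "vmtoolsd.exe", "procmon.exe",
    "wireshark.exe", "x64dbg.exe", "ollydbg.exe", "procexp.exe",
}


def parse_event(line):
    """Parse one constructed 'timestamp|actor|action|target' log line."""
    ts, actor, action, target = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "actor": actor,
            "action": action, "target": target.lower()}


def find_mass_killers(lines, threshold=3, window=timedelta(seconds=10)):
    """Return {actor: sorted targets} for every actor that terminated at least
    `threshold` distinct watch-listed processes inside a sliding `window`.
    Benign admin activity spread over hours is not flagged; a burst is."""
    by_actor = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["action"] == "terminate" and ev["target"] in SENSITIVE_PROCESSES:
            by_actor[ev["actor"]].append(ev)

    hits = {}
    for actor, events in by_actor.items():
        events.sort(key=lambda e: e["ts"])
        # Slide the window from each event; stop at the first burst found.
        for i, start in enumerate(events):
            targets = {e["target"] for e in events[i:]
                       if e["ts"] - start["ts"] <= window}
            if len(targets) >= threshold:
                hits[actor] = sorted(targets)
                break
    return hits


# Constructed sample log: 'update.exe' kills four tools in two seconds (the
# kill-list pattern); 'admin_tool.exe' kills three, but hours apart.
SAMPLE_LOG = """\
2019-11-20T10:00:00|explorer.exe|create|notepad.exe
2019-11-20T10:00:01|update.exe|terminate|MsMpEng.exe
2019-11-20T10:00:01|update.exe|terminate|VBoxService.exe
2019-11-20T10:00:02|update.exe|terminate|vmtoolsd.exe
2019-11-20T10:00:02|update.exe|terminate|Procmon.exe
2019-11-20T10:00:05|taskmgr.exe|terminate|notepad.exe
2019-11-20T10:30:00|admin_tool.exe|terminate|wireshark.exe
2019-11-20T11:30:00|admin_tool.exe|terminate|procexp.exe
2019-11-20T12:30:00|admin_tool.exe|terminate|x64dbg.exe
""".splitlines()

if __name__ == "__main__":
    for actor, targets in find_mass_killers(SAMPLE_LOG).items():
        print(f"ALERT: {actor} terminated {len(targets)} "
              f"security/analysis processes: {targets}")
```

The time window is what separates a kill-list from routine administration: the same three terminations that are harmless over a working day are a strong signal when they happen in the same second, which is why the threshold is applied per window rather than per day.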