Phoenix Keylogger Attempts to Disable More Than 80 Security Products, Exfiltrates Data Direct from Memory
The Phoenix Keylogger, operating at the cusp of keylogger and infostealer, was launched in July 2019. It is sold as malware-as-a-service (MaaS), and appears to be gaining traction in the criminal underworld.
Nocturnus, the research team from Cybereason, has researched both the Phoenix malware and its source in the dark web. It appears to have been developed by the same team that produced the short-lived Alpha keylogger, which disappeared shortly before Phoenix began to be marketed. Code similarities suggest that the two products are related.
As a MaaS product, its future in the wild will depend on its take-up by the criminal fraternity. This will depend on the efficiency of both the product and its marketing/support services. The latter seems to be progressing well. It is provided as a subscription product, with prices starting at $14.99 for a month, going up to $78.99 for a lifetime subscription.
Chatter on the dark web shows it is well received. Existing reviews include comments such as ‘extremely user friendly’, ‘the best part is the Owner is an actual human being that helps you if needed’, and ‘the best in the market right now, always giving 101% support to customers’. The combination of low cost and good support for a good product is a winning formula for any software, whether legitimate or malware.
In malware terms, Phoenix seems to be a good product. The Nocturnus researchers say it is “packed with a myriad of information-stealing features. These features extend beyond solely logging keystrokes, to the point where we are inclined to classify it as an infostealer.” Its main features include a keylogger and clipboard stealer, screen capture, password theft (from various browsers, mail clients, FTP clients and chat clients), data exfiltration via SMTP, FTP or Telegram, a downloader (able to download additional malware), and anti-AV, anti-debugging and anti-VM features.
Most Phoenix infections seen so far by Cybereason have been delivered through phishing using a weaponized rich text file (RTF) or Office document that exploits the Equation Editor vulnerability CVE-2017-11882, rather than a malicious macro. However, since the developers supply the malware only as a stub, the delivery mechanism and infection method will vary from one criminal customer to the next.
If installation is successful, Phoenix gathers system information and sends it straight back to the attacker. It does not write the data to disk, but sends it direct from memory — apparently in an attempt to maintain stealth.
Stealth and self-protection appear to be important to the Phoenix developers. Most of the critical code strings are encrypted and only decrypted in memory, while the stub is obfuscated, probably via the ConfuserEx .NET obfuscator. The developer, with the handle ‘Illusion’, recommends that his criminal users employ a third-party crypter to ‘make it FUD’ (fully undetectable).
After collecting the basic system information, Phoenix checks to see if it is running in a ‘hostile’ environment. It has a set of features, selectable in the admin panel, for disabling different Windows tools, such as CMD, the registry, task manager and system restore, among others. It also attempts to disable more than 80 security products.
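An added audit script (not part of the Cybereason report or the article) that checks a Windows host for the four policy lockouts named above: the Windows policy registry values that disable the command prompt, the registry editor, Task Manager and System Restore. The key paths and value names are standard Windows policy settings, not anything specific to Phoenix; a Group Policy can set them legitimately, so a hit needs correlation with your GPO baseline.

```powershell
# Added example: audit the Windows policy values that lock out admin tools.
# Run in the context of the user under investigation; the HKLM path is machine-wide.
$checks = @(
    @{ Tool = 'Command Prompt';  Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                      Name = 'DisableCMD' },
    @{ Tool = 'Registry Editor'; Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableRegistryTools' },
    @{ Tool = 'Task Manager';    Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr' },
    @{ Tool = 'System Restore';  Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';             Name = 'DisableSR' }
)

$findings = foreach ($c in $checks) {
    $value = $null
    if (Test-Path -Path $c.Path) {
        # Missing value -> $null (tool not policy-disabled); any non-zero DWORD -> disabled
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    }
    [pscustomobject]@{
        Tool     = $c.Tool
        Disabled = ($null -ne $value -and $value -ne 0)
        Value    = $value
        Key      = "$($c.Path)\$($c.Name)"
    }
}

$findings | Format-Table Tool, Disabled, Value, Key -AutoSize

$hits = @($findings | Where-Object { $_.Disabled })
if ($hits.Count -gt 0) {
    Write-Warning ("{0} admin tool lockout(s) present: {1}" -f $hits.Count, ($hits.Tool -join ', '))
    # Compare against the policy actually delivered by GPO before treating this as tampering:
    #   gpresult /h C:\Temp\gpresult.html   (then look for the same settings under User/Computer Configuration)
    # A lockout that no GPO delivers is a strong sign of local tampering by malware.
}
```

If the user cannot open a console because cmd.exe itself is locked out, run the script from an elevated PowerShell session or from a remote session, since the DisableCMD policy does not affect PowerShell.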
Interestingly, the Nocturnus researchers point out that support for a persistence feature is not currently used in the samples it has discovered. This seems reasonable for a basic infostealer — after stealing the required information, there is little need to persist. It may, however, be something to watch in the future. Phoenix has the ability to download additional malware. Since it is a new product, it is reasonable for users to employ the mainstream capabilities of stealing information. As they become more expert in its use, it is possible that they may wish to expand into leaving additional malware via the downloader — perhaps ransomware — where it will be important to persist long enough to deliver the extra payload. In other instances, the pure keylogging capability may be the primary reason for the attack — and again the malware will need to persist long enough to catch the required keyboard entry.
Information stealing occurs from several different modules that search for specific files or registry keys that contain sensitive information. It searches 18 browsers, four mail clients (Outlook, Thunderbird, SeaMonkey, and Foxmail), FileZilla (FTP), and Pidgin (chat). Exfiltration is, in current samples, mostly done by email to an attacker-controlled email account using the Phoenix SMTP feature. It could alternatively be done via FTP, or — for increased stealth — via Telegram.
The method of exfiltration is not supplied as a command from a C2 server, but is predefined by the attacker in the configuration file before compilation. “At its current stage of development,” say the researchers, “Phoenix does not seem to use a standard, interactive C2 model. Specifically, it doesn’t expect to receive commands back from the C2 server. Phoenix’s various tasks like infostealing, downloading additional malware, and spreading via USB are predefined by the operators in the configuration file before compilation.”
For now, Phoenix is primarily used as a ‘set it and forget’ type of malware. However, it is an example of malware-as-a-service. One of the advantages of this business model is that continuous development is separated from any concern over existing users and existing infrastructure, and is funded by existing sales. Put simply, MaaS products can evolve with additional capabilities and intentions, dependent only upon the expertise of the developers. Less technical users can employ its basic functions, while more experienced users can already use it as a downloader.
“Moving into 2020,” says Nocturnus, “we expect a proliferation of less-technical cybercriminals to leverage MaaS to target, steal, and harm individuals, particularly as MaaS authors add additional features to their offerings.”