Posted on September 11, 2019 at 3:12 PM
PsiXBot is malware that criminals use to steal information and cryptocurrency. A new variant has been identified that abuses Google's DNS over HTTPS feature, potentially affecting a large user base.
PsiXBot is relatively new in the security landscape: it was first spotted two years ago. The malware is written in .NET and has gone through numerous revisions. According to Proofpoint researchers, the latest version has several notable changes compared with older versions.
Associated With Cryptocurrencies
The threat is usually delivered by a spam botnet and also as a payload of exploit kits such as Spelevo and RIG-v. The malware targets non-Russian speakers.
PsiXBot has in the past been linked with .bit domains tied to Namecoin, a cryptocurrency whose domains require very specific DNS server configuration. PsiXBot is also known for using tiny.cc links and hex color codes to make DNS requests for its various C2 servers. Those command-and-control servers kick off an infection by sending a command that begins with a system-check routine.
The malware modules run only on a machine that can actually be infected. They include a clipboard monitor that watches for login data for cryptocurrency wallets holding Monero, Bitcoin, Ripple, and Ethereum, as well as a keylogger, a cookie stealer, and a password stealer.
The threat can also steal data that victims submit through online forms and can send spam campaigns through Microsoft Outlook from the victim's own email address. PsiXBot also deletes any traces of the malicious outgoing emails and can remove itself from an infected network.
Proofpoint explained in a report published on its site in the past few days that the latest version of PsiXBot, v.1.0.3, has some new features: it uses Google's DNS over HTTPS (DoH) service, a protocol that carries DNS queries inside encrypted HTTPS traffic rather than in plaintext.
This new approach is increasingly seen in samples delivered as payloads of the exploit kits mentioned above. The new technique resolves the hard-coded C2 domains through Google's DNS over HTTPS (DoH) service.
Hiding the DNS query to the C&C Domains Behind HTTPS
According to Proofpoint, by using Google's DoH service, attackers can hide the DNS query for the command-and-control domain inside HTTPS. The researchers added that DNS queries to the C&C server will not be noticed unless the SSL/TLS session is intercepted by a man in the middle.
Researchers also found that the new samples show a switch to fast-flux infrastructure, which uses networks of compromised hosts and rapidly changing DNS entries. The fast-flux pattern was observed in command-and-control domain responses for both kinds of queries, standard DNS and DoH.
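To show what a defender can still observe when C2 lookups move from plain DNS to Google's DoH service, here is an added Python example (not from Proofpoint or the article): it flags internal hosts connecting to Google's DoH endpoints in constructed proxy log lines, and aggregates constructed DoH JSON answers for one name to spot the fast-flux pattern (many distinct IPs with short TTLs). The log format, the c2.example name and the thresholds are assumptions.

```python
import json
from collections import defaultdict

# Hostnames of Google's public DoH resolver (dns.google is the documented
# endpoint, dns.google.com the older name). Assumption: local policy decides
# whether workstations may talk to them at all.
GOOGLE_DOH_HOSTS = {"dns.google", "dns.google.com"}

# Constructed proxy log lines: "<timestamp> <src_ip> <dst_host> <dst_port>"
PROXY_LOG = """\
2019-09-10T09:58:03Z 10.0.0.5 www.example.com 443
2019-09-10T09:58:07Z 10.0.0.5 dns.google 443
2019-09-10T09:58:09Z 10.0.0.5 dns.google 443
2019-09-10T10:01:44Z 10.0.0.9 dns.google.com 443
2019-09-10T10:02:10Z 10.0.0.7 www.example.org 443
""".splitlines()


def doh_clients(log_lines):
    """Return {src_ip: count} for hosts that reached Google's DoH endpoints on
    443. Plain DNS monitoring never sees these lookups; the resolver
    connection itself is the observable."""
    hits = defaultdict(int)
    for line in log_lines:
        _ts, src, dst, port = line.split()
        if dst in GOOGLE_DOH_HOSTS and port == "443":
            hits[src] += 1
    return dict(hits)


def _resp(ttl, *ips):
    """Build one answer in the JSON layout of Google's DoH resolve API
    (constructed test data for the assumed name c2.example)."""
    answer = [{"name": "c2.example.", "type": 1, "TTL": ttl, "data": ip} for ip in ips]
    return json.dumps({"Status": 0, "Answer": answer})


# Constructed responses for the same name collected over several minutes.
DOH_RESPONSES = [_resp(60, "198.51.100.10", "198.51.100.23"),
                 _resp(60, "203.0.113.5", "198.51.100.10"),
                 _resp(120, "203.0.113.77", "192.0.2.41", "198.51.100.23")]


def fast_flux_indicators(raw_responses, min_ips=5, max_ttl=300):
    """Aggregate A records across DoH responses for one name. Many distinct
    IPs with short TTLs is the fast-flux pattern described in the report."""
    ips, ttls = set(), []
    for raw in raw_responses:
        for rr in json.loads(raw).get("Answer", []):
            if rr["type"] == 1:  # A record
                ips.add(rr["data"])
                ttls.append(rr["TTL"])
    flagged = bool(ttls) and len(ips) >= min_ips and min(ttls) <= max_ttl
    return {"distinct_ips": len(ips), "min_ttl": min(ttls) if ttls else None, "fast_flux": flagged}
```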
The threat also has a new module. The component, dubbed “PornModule,” is probably intended for sexploitation. According to researchers, PornModule monitors the windows currently open, comparing them against an existing keyword list and looking for matches. When it finds one, the malware begins recording.
A Tool for Extortion and Sexploitation
The recorded material is likely used to blackmail and extort people who, captured in potentially compromising circumstances, do not want it made public.
Hackers and cybercriminals are always looking for malware that can help them extort victims, gather and steal information, and gain access to the increasingly valuable “digital money,” cryptocurrencies. Those who created PsiXBot have built a very powerful threat and will likely keep refining it to add more capabilities. Proofpoint explains that the malware is still being actively developed and improved. Cybercriminals are looking to expand its features so it gains more capabilities, threatening to make the Internet a much more dangerous place than ever before.