News

Phoenix keylogger disables more than 80 security products

Cybereason specialists studied the Phoenix malware, which arrived this summer and presents a hybrid of a keylogger and an infostealer. Researchers have found that Phoenix can disable more than 80 security products.

The malware spreads according to the MaaS model (“malware as a service”) and is already responsible for 10,000 infections.

Since Phoenix is sold as a subscription product, prices range from $14.99 a month to $78.99 for a lifetime subscription. Cybereason analysts write that Phoenix is a development of an experienced malware author. Apparently, the author of the Alpha Keylogger malware, who died earlier this year, was originally behind his creation.

“Phoenix is more than just a keylogger, it has broad information-stealing capabilities and self-defense mechanisms, which include an anti-AV module that attempts to stop over 80 security products, and the ability to exfiltrate data through Telegram”, — write Cybereason specialists.

Indeed, over the past few months, Phoenix has evolved from a simple keylogger into a multifunctional trojan designed to steal information (infostealer). If in the first version the malicious version was provided only for the ability to intercept keystrokes, then newer versions of the malware steal passwords from almost twenty different browsers, four email clients, FTP clients and instant messengers. In addition, the malware can steal data from the clipboard, take screenshots and download additional malware.

Information stolen from victims is transmitted to malware operators via SMTP, FTP or Telegram.

Read also: Criminals give links to RAT trojan in WebEx invitations

Phoenix also acquired aggressive modules against anti-viruses and VMs that try to prevent detection and analysis of malware. Both modules work the same way: they try to shut down a number of processes before the malware continues to work, for this, referring to a predefined list of names. This list includes the names of more than 80 well-known security products and virtual machines, which are often used for reverse engineering and analysis of malware.

Phoenix Keylogger Admin Panel

Analysts say that Phoenix could use its capabilities to achieve a permanent presence in the system, but its operators have little interest in it. According to the researchers, more often malware is used as a one-time solution for data theft and is not used for long-term monitoring of victims. A few seconds after infection, Phoenix steals all the necessary confidential data, and on this its function finishes. Criminals most often sale information stolen in this way on the darknet.

Polina Lisovskaya

I works as a marketing manager for years now and loves searching for interesting topics for you

Recent Posts

Remove Chernars.com Pop-up Ads

About Chernars.com Chernars.com pop-ups can not open out of nowhere. If you have actually clicked…

5 hours ago

Remove Eclipse-adblocker.pro Pop-up Ads

About Eclipse-adblocker.pro Eclipse-adblocker.pro pop-ups can not open out of nowhere. If you have actually clicked…

5 hours ago

Remove Initiateadvancedcompletelythe-file.top Pop-up Ads

About Initiateadvancedcompletelythe-file.top Initiateadvancedcompletelythe-file.top pop-ups can not open out of nowhere. If you have actually clicked…

5 hours ago

Remove Pbmsoultions.com Pop-up Ads

About Pbmsoultions.com Pbmsoultions.com pop-ups can not launch out of the blue. If you have actually…

3 days ago

Remove Prizestash.com Pop-up Ads

About Prizestash.com Prizestash.com pop-ups can not expose out of the blue. If you have actually…

3 days ago

Remove Verifiedbreaking.com Pop-up Ads

About Verifiedbreaking.com Verifiedbreaking.com pop-ups can not launch out of nowhere. If you have actually clicked…

3 days ago