Detection Content: PsiXBot Malware Behavior

As Google and Mozilla drive widespread adoption of the DNS over HTTPS (DoH) protocol, more malware authors are taking the opportunity to hide malicious traffic in it. Recently discovered versions of PsiXBot abuse Google’s DoH service to retrieve the IPs of the command-and-control infrastructure. The malware appeared in 2017 as a simple infostealer capable of collecting cookies and credentials, as well as downloading and executing additional tools, but over time it acquired extra modules. One of the key features of PsiXBot is its use of .bit domains as C&C servers. To access them, the malware previously reached a specific DNS server; now the C&C domains are hardcoded into it, and the malware hides the DNS query for the C&C infrastructure behind HTTPS by placing the addresses into GET requests to Google’s service as a variable. In response, it receives a JSON blob with further instructions and modifications to its modules, an exchange that will almost certainly avoid detection by traffic analysis solutions.
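The lookup pattern described above can be hunted for in web proxy logs. This is an added example, not part of the community rule or of the original post. It assumes a TLS-inspecting proxy that records full URLs, a constructed four-field log format, and the hostnames and `/resolve?name=` path of Google's public DoH JSON API; the sample lines and domain names are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts serving Google's DoH JSON API (assumption: the page only says "Google's service").
DOH_JSON_HOSTS = {"dns.google", "dns.google.com"}
# TLDs worth flagging when resolved over DoH; .bit is the one this page names.
SUSPICIOUS_TLDS = {"bit"}

# Constructed sample lines (assumed format: timestamp host method url).
SAMPLE_LOG = """\
2019-09-10T08:01:12Z ws-014 GET https://dns.google.com/resolve?name=example-c2.bit&type=A
2019-09-10T08:01:15Z ws-022 GET https://dns.google/resolve?name=www.example.com&type=A
2019-09-10T08:02:40Z ws-014 GET https://dns.google.com/resolve?type=A&name=EXAMPLE-C2.BIT.
2019-09-10T08:03:02Z ws-031 GET https://www.example.org/resolve?name=foo.bit
2019-09-10T08:03:09Z ws-031 malformed
"""

def doh_query_name(url):
    """Return the queried DNS name if url is a Google DoH JSON lookup, else None."""
    parts = urlsplit(url)
    if parts.scheme != "https" or (parts.hostname or "") not in DOH_JSON_HOSTS:
        return None
    if parts.path != "/resolve":
        return None
    names = parse_qs(parts.query).get("name")
    if not names:
        return None
    # Normalise case and the optional trailing root dot before comparing TLDs.
    return names[0].rstrip(".").lower()

def find_suspicious_doh(log_text):
    """Return (timestamp, host, name) for DoH lookups of names in SUSPICIOUS_TLDS."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[2] != "GET":
            continue  # skip malformed or non-GET entries
        ts, host, _, url = fields
        name = doh_query_name(url)
        if name and name.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
            hits.append((ts, host, name))
    return hits

if __name__ == "__main__":
    for ts, host, name in find_suspicious_doh(SAMPLE_LOG):
        print(f"{ts} {host} resolved {name} via Google DoH JSON API")
```

Without TLS inspection the URL is not visible on the wire, so the same check would have to run on endpoint telemetry that records the requesting process and URL.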

PsiXBot is distributed via spam emails or exploit kits (one of the malware versions was distributed via the Spelevo exploit kit). Attackers actively modify their ‘offspring’ and add new modules: PsiXBot can also replace cryptocurrency addresses on the clipboard, send spam emails via Outlook, and track when a victim visits ‘adult’ websites to start recording video and audio, which can be used for further blackmail. The community threat hunting rule by Ariel Millahuel helps to discover the behavior of newly discovered samples of PsiXBot malware.

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, ELK Stack, RSA NetWitness, Sumo Logic, Graylog, Humio, LogPoint

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint


Tactics: Initial Access

Techniques: Install Root Certificate (T1130)