L0rdix Malware Available on DarkNet Forums

Delaware, USA – December 18, 2018 – Multifunctional malware for Windows, discovered last month, is being actively advertised on underground forums and is available to anyone for as little as $60. L0rdix was first spotted by Ben Hunter, a security researcher at enSilo. He analyzed several samples and reported that its authors continue to modify the malware and add new features, but even now this malicious tool can cause a lot of trouble. L0rdix is written in .NET and has a modular structure, so its authors can easily add new functionality. Currently, the malware is capable of stealing data, mining cryptocurrency, self-spreading via removable media and conducting DDoS attacks.

The main module scans the system for sandboxes and running malware-analysis tools. If none are detected, L0rdix collects information about the system, takes a screenshot and sends them to the command and control server, from which it receives the configuration file and the necessary modules. First of all, the malware tries to infect all detected USB drives and uses the schtasks utility to ensure its persistence on the attacked system. The botnet module allows attackers to open URLs in a browser, execute commands, kill processes, upload a file and download additional payloads. This module can also be used to conduct DDoS attacks. The malware can steal credentials and cookies from browsers, as well as all files with a specified extension (TXT files by default). The latest versions of L0rdix are armed with a cryptocurrency miner module and a wallet-stealing module.

Malicious software continues to acquire new features and capabilities to avoid detection by antivirus solutions. To uncover malware activity on your organization's network with a SIEM system, you can use the File Hash Analytics rule pack, which tracks hashes reported by Sysmon, an AV tool or similar security solutions. It enables finding files with the same hash and displaying their directory, as well as checking hashes on VirusTotal directly from the Active Channel: https://my.socprime.com/en/integrations/file-hash-analytics-arcsight
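The two detection ideas this post touches on, grouping executions by file hash so the same binary seen from several directories (for example a user profile and a removable drive) is surfaced together, and spotting schtasks-based persistence, can be sketched outside any SIEM. The script below is an added example written for this page; it is not code from the article, from enSilo or from the SOC Prime rule pack. It assumes Sysmon Event ID 1 (process creation) records already parsed into dictionaries with the standard Image, ParentImage, CommandLine and Hashes fields, and every event and hash value in it is a constructed placeholder, not a real L0rdix indicator.

```python
"""Minimal file-hash analytics over Sysmon-style process-creation records.

Added example for this page, not the rule pack's own logic. All events and
hashes below are constructed placeholders.
"""
from collections import defaultdict
import ntpath  # Windows path semantics even when run on a Linux analysis box
import re

# Constructed placeholder hashes (valid hex length, not real indicators).
HASH_DROPPER = "a1" * 32
HASH_NOTEPAD = "b2" * 32

# Constructed Sysmon Event ID 1 records, reduced to the fields we use.
SAMPLE_EVENTS = [
    {   # unknown binary launched from the user profile
        "Image": r"C:\Users\alice\AppData\Roaming\svc.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"C:\Users\alice\AppData\Roaming\svc.exe",
        "Hashes": f"SHA256={HASH_DROPPER},MD5={'c3' * 16}",
    },
    {   # same binary executed again from a removable drive
        "Image": r"E:\svc.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"E:\svc.exe",
        "Hashes": f"SHA256={HASH_DROPPER},MD5={'c3' * 16}",
    },
    {   # that binary creating a scheduled task for itself
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Users\alice\AppData\Roaming\svc.exe",
        "CommandLine": r'schtasks /create /sc minute /mo 10 /tn "Updater" '
                       r'/tr "C:\Users\alice\AppData\Roaming\svc.exe"',
        "Hashes": f"SHA256={'d4' * 32}",
    },
    {   # benign: an admin listing tasks from a shell
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"schtasks /query",
        "Hashes": f"SHA256={'d4' * 32}",
    },
    {   # benign: notepad
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"notepad.exe",
        "Hashes": f"SHA256={HASH_NOTEPAD}",
    },
]


def parse_hashes(field):
    """Split a Sysmon 'Hashes' field ('SHA256=..,MD5=..') into {algo: hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def group_by_hash(events, algo="SHA256"):
    """Map each hash value to the set of directories it executed from."""
    groups = defaultdict(set)
    for ev in events:
        digest = parse_hashes(ev.get("Hashes", "")).get(algo)
        if digest:
            groups[digest].add(ntpath.dirname(ev["Image"]))
    return groups


def find_multi_location_hashes(events, algo="SHA256"):
    """Hashes seen in more than one directory, e.g. a profile and a USB drive."""
    return {h: sorted(dirs) for h, dirs in group_by_hash(events, algo).items()
            if len(dirs) > 1}


# schtasks invoked with /create, whether bare or via a quoted full path.
SCHTASKS_CREATE = re.compile(r'schtasks(\.exe)?"?\s+.*?/create\b', re.IGNORECASE)


def is_under_windows_dir(path):
    """Coarse check: does the image live under C:\\Windows\\?"""
    return ntpath.normcase(path).startswith(r"c:\windows" + "\\")


def find_schtasks_persistence(events):
    """(parent image, command line) for task creation by a non-Windows parent.

    This is a coarse heuristic, not the rule pack's logic: legitimate installers
    also create tasks, so results are leads for triage, not verdicts.
    """
    hits = []
    for ev in events:
        if SCHTASKS_CREATE.search(ev.get("CommandLine", "")) and \
                not is_under_windows_dir(ev.get("ParentImage", "")):
            hits.append((ev["ParentImage"], ev["CommandLine"]))
    return hits


if __name__ == "__main__":
    for h, dirs in find_multi_location_hashes(SAMPLE_EVENTS).items():
        print(f"hash {h[:12]}... executed from: {', '.join(dirs)}")
    for parent, cmd in find_schtasks_persistence(SAMPLE_EVENTS):
        print(f"task creation by {parent}: {cmd}")
```

Both functions return plain data rather than printing, so the same checks can be fed a real Sysmon export once the records are parsed; the multi-directory rule is what the rule pack's "files with the same hash" lookup amounts to, and the hash is also the value you would submit to VirusTotal.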