Phoenix Malware Evolves from Keylogger to Infostealer

Delaware, USA – November 20, 2019 – Phoenix keylogger, which appeared this summer and is actively promoted on hacker forums, in four months has turned into a full-fledged infostealer, which has powerful anti-detection and anti-analysis modules. Cybereason researchers tracked this malware to its predecessor, Alfa keylogger which disappeared in a few months before Phoenix emerges. Malware authors promote their keylogger as a tool “that is easy for any user to operate and comes bundled with customer support and a competitive price point.” Since the end of July, researchers have recorded over 10,000 infections and waves of infections occur approximately every two weeks. As popularity grows, so does the number of regions in which this malware is actively distributed. So far, attacks have been seen in North America, Europe, and the Middle East, but researchers predict extension in the geography of attacks. Infostealer is distributed under a malware-as-a-service model, it is capable of stealing personal data from popular browsers, mail clients, FTP clients, and chat clients. Phoenix is ​​armed with Anti-AV and Anti-VM modules that try to disable 80+ different security products and analysis tools. The malware supports data exfiltration via SMTP and FTP protocols and is also capable of sending stolen info into a Telegram channel.

The infostelaer can be configured to achieve persistence on an infected system, but most clients do not leverage this feature. Phoenix is ​​used to collect and exfiltrate data in a few seconds, after that the malware continues to “live” until the system reboots. Malware authors continue to add features and fix bugs, infostealer is inexpensive, so more and more hackers use it in malicious campaigns. You can use the Sysmon Framework rule pack to spot traces of the malware activity, it contains 26 scenarios which are recommended for monitoring in SOC and early detection of APT activity: