The PsiXBot malware has made a few changes in recent weeks, including implementing Google’s DNS over HTTPS (DoH) and adding the blackmail-ready “PornModule” to its bag of tricks.
PsiXBot is a multi-use Windows malware that has a range of capabilities, including keylogging, stealing passwords and cookies, spreading spam, mining for cryptocurrency and fingerprinting infected machines.
According to an analysis from Proofpoint, recent samples carry hard-coded command-and-control (C2) domains stored under RC4 encryption; at runtime the malware decrypts them and resolves them to IP addresses through Google’s DoH service. DoH is designed to protect user privacy by carrying DNS queries inside an encrypted HTTPS session so they cannot be read or tampered with on the wire. Here, the PsiXBot operators turn that same property into an anti-analysis and detection-evasion technique: the C2 lookup is indistinguishable from ordinary HTTPS traffic to a Google host.
“This update was a stark departure from the previous update, which utilized a more convoluted process involving a URL shortener service to gather the IP address for the C2 infrastructure,” according to a Friday writeup on the malware. “By using Google’s DoH service, it allows attackers to hide the DNS query to the C2 domain behind HTTPS. Unless SSL/TLS is being inspected by man-in-the-middle (MitM), DNS queries to the C2 server will go unnoticed.”
The Proofpoint analysis shows that the hard-coded domain is passed as a query parameter in a GET request to https://dns.google[.]com, Google’s JSON DoH API; the response is a JSON document listing the resolved records, from which the bot takes its C2 addresses. All of the C2 servers observed by Proofpoint researchers also served HTTPS using Let’s Encrypt certificates, so the subsequent beaconing is encrypted as well.
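The resolution flow described above, modelled as an added example (this is neither the malware’s code nor Proofpoint’s): an RC4-encrypted domain is decrypted, placed in the `name` parameter of a GET to Google’s JSON DoH endpoint, and the answer records are pulled from the JSON reply. The second half shows the defender’s side: the only place the queried name is visible is in the URL, so it can be recovered from a TLS-inspecting proxy log. The RC4 key, the domain, the JSON response and the proxy-log format are all constructed for the example and are not taken from any real sample.

```python
"""Added example: PsiXBot-style C2 resolution over Google's JSON DoH API,
plus the proxy-log check that would expose it. All keys, domains, IPs and
log lines below are constructed; none come from a real sample."""
import json
from urllib.parse import parse_qs, urlencode, urlparse

DOH_JSON_ENDPOINT = "https://dns.google.com/resolve"   # Google's JSON DoH API (GET ?name=...&type=...)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypting and decrypting are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed stand-ins for what a sample would embed: a key and an RC4-encrypted C2 domain.
SAMPLE_KEY = b"example-key"
ENCRYPTED_C2 = rc4(SAMPLE_KEY, b"c2.example.invalid")   # built here so the example is self-contained


def doh_query_url(domain: str, rtype: str = "A") -> str:
    """URL the bot would GET: the decrypted domain goes into the 'name' query parameter."""
    return DOH_JSON_ENDPOINT + "?" + urlencode({"name": domain, "type": rtype})


def parse_doh_answer(body: str, rtype: int = 1) -> list[str]:
    """Pull record data out of a Google JSON-API reply (type 1 == A record)."""
    doc = json.loads(body)
    if doc.get("Status") != 0:                # 0 is NOERROR; anything else means the lookup failed
        return []
    return [rr["data"] for rr in doc.get("Answer", []) if rr.get("type") == rtype]


# Constructed reply in the shape Google's JSON API returns.
SAMPLE_RESPONSE = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "c2.example.invalid.", "type": 1}],
    "Answer": [
        {"name": "c2.example.invalid.", "type": 1, "TTL": 60, "data": "203.0.113.10"},
        {"name": "c2.example.invalid.", "type": 1, "TTL": 60, "data": "203.0.113.11"},
    ],
})


def resolve_c2(encrypted_domain: bytes, key: bytes, response_body: str) -> list[str]:
    """Client-side flow: decrypt the domain, form the DoH GET, read the IPs back from the reply.
    The HTTPS fetch itself is replaced by the constructed response so this runs offline."""
    domain = rc4(key, encrypted_domain).decode()
    _url = doh_query_url(domain)              # this is what the bot would actually fetch
    return parse_doh_answer(response_body)


# --- defender side: only possible where TLS is inspected, as the Proofpoint quote notes ---
DOH_HOSTS = {"dns.google", "dns.google.com"}


def doh_lookups_from_proxy_log(lines: list[str]) -> list[tuple[str, str]]:
    """Return (client_ip, queried_name) for each JSON-API DoH request in a proxy log.
    Constructed log format: '<client_ip> <method> <full_url>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        client, method, url = parts
        u = urlparse(url)
        if method == "GET" and u.hostname in DOH_HOSTS and u.path == "/resolve":
            for name in parse_qs(u.query).get("name", []):
                hits.append((client, name))
    return hits


SAMPLE_PROXY_LOG = [  # constructed lines
    "10.0.0.5 GET https://www.example.com/index.html",
    "10.0.0.7 GET https://dns.google.com/resolve?name=c2.example.invalid&type=A",
    "10.0.0.9 POST https://dns.google/dns-query",   # RFC 8484 wire-format DoH: name is in the body, not the URL
]

if __name__ == "__main__":
    print("C2 IPs:", resolve_c2(ENCRYPTED_C2, SAMPLE_KEY, SAMPLE_RESPONSE))
    print("DoH lookups in proxy log:", doh_lookups_from_proxy_log(SAMPLE_PROXY_LOG))
```

Note the third log line: the JSON API exposes the queried name in the URL, but a client using RFC 8484 wire-format DoH (POST to `/dns-query`) puts the query in the request body, so a URL-only check would miss it even with TLS inspection. Without inspection, all a network defender sees is TLS to a Google IP, which is exactly why the technique works.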
Version 1.0.3 of the bot, which is spreading via the Spelevo exploit kit, also sports new fast-flux infrastructure. In a fast-flux setup the DNS records for a malicious domain are rotated rapidly, typically with very short TTLs, across a pool of compromised hosts that act as front-end proxies, so that the real back-end serving phishing pages or malware is hard to locate and take down.
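A simple way to spot the fast-flux pattern just described, as an added example that is not part of the Proofpoint research: over passive-DNS style observations, a domain that returns many distinct addresses spread across unrelated network ranges with short TTLs inside a short window scores as flux, while a normal multi-homed host does not. The thresholds, the use of the first two octets as a rough "different network" proxy, and all observations are constructed for illustration.

```python
"""Added example: a fast-flux heuristic over timestamped DNS observations.
Observations, thresholds and the /16-prefix approximation are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    ts: int      # Unix time the answer was seen
    name: str
    ip: str
    ttl: int


def flux_metrics(observations, window: int = 3600) -> dict:
    """Per name, summarise the answers seen within `window` seconds of the first one:
    distinct IPs, distinct first-two-octet prefixes (a crude stand-in for ASN diversity),
    and the average TTL. Fast-flux domains show many IPs, many prefixes and low TTLs."""
    by_name = defaultdict(list)
    for o in observations:
        by_name[o.name].append(o)
    result = {}
    for name, obs in by_name.items():
        obs.sort(key=lambda o: o.ts)
        start = obs[0].ts
        inwin = [o for o in obs if o.ts - start < window]
        result[name] = {
            "distinct_ips": len({o.ip for o in inwin}),
            "distinct_prefixes": len({".".join(o.ip.split(".")[:2]) for o in inwin}),
            "avg_ttl": sum(o.ttl for o in inwin) / len(inwin),
        }
    return result


def is_fast_flux(m: dict, min_ips: int = 5, max_ttl: int = 300, min_prefixes: int = 3) -> bool:
    """All three signals must agree; a CDN gives many IPs but usually from few ranges."""
    return (m["distinct_ips"] >= min_ips
            and m["avg_ttl"] <= max_ttl
            and m["distinct_prefixes"] >= min_prefixes)


# Constructed data: one domain rotating through six unrelated addresses every minute
# with a 60 s TTL, and one ordinary domain with two addresses in the same range.
SAMPLE_OBSERVATIONS = [
    Observation(1000 + 60 * k, "flux.example.invalid", ip, 60)
    for k, ip in enumerate(["198.51.100.1", "203.0.113.2", "192.0.2.3",
                            "198.18.0.4", "100.64.0.5", "198.51.100.6"])
] + [
    Observation(1000, "www.example.invalid", "192.0.2.10", 3600),
    Observation(2800, "www.example.invalid", "192.0.2.11", 3600),
]

if __name__ == "__main__":
    for name, m in flux_metrics(SAMPLE_OBSERVATIONS).items():
        print(name, m, "FLUX" if is_fast_flux(m) else "ok")
```

In practice the prefix heuristic should be replaced by a real ASN lookup, and the thresholds tuned against known CDN and load-balanced domains, which otherwise produce false positives on the IP-count signal alone.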
The features for version 1.0.3 are largely the same as previously-analyzed versions, Proofpoint noted, with the exception of a module that monitors open windows on an infected device; if certain keywords are detected, it begins recording audio and video.
“The PornModule, assembly name ‘chouhero,’ is a module likely designed for blackmail/sexploitation purposes,” researchers said. “Similar to functionality observed recently in other malware campaigns, this module contains a dictionary containing pornography-related keywords used to monitor open window titles. If a window matches the text, it will begin to record audio and video on the infected machine. Once recorded, the video is saved with a .AVI extension and is sent to the C2.”
The researchers added that the module uses the Windows DirectShow library to capture audio and video, and that it appears to be incomplete.
The research also shows that PsiXBot’s spam module is now delivering more robust spam campaigns for self-propagation. An infected host sends out malicious emails carrying a document attachment whose macros retrieve the PsiXBot payload. In the newer version, the operators have updated the message wording and the attachment details to be more convincing, according to Proofpoint.
“This malware is under active development and continues to evolve,” researchers said. “By expanding the feature set of the included modules and the overall capabilities of this malware, the actor or team behind its development appears to be seeking feature parity with other similar malware on the market.”