
Security researchers have discovered a new variant of the PsiXBot modular malware that adds a sextortion module and uses Google's DNS over HTTPS (DoH) service to obtain its command and control (C2) IP addresses.
The new PsiXBot version ships with hardcoded C2 domains that it resolves through DNS queries sent over Google's DoH service, hiding the lookups inside HTTPS traffic secured with Let's Encrypt certificates.
As security researcher Daniel Stirnimann found, the resulting IP addresses are delivered to the infected machines as a JSON blob in the format of Google's JSON API for DNS over HTTPS, rather than in the DNS wire format described by RFC 8484.
Proofpoint researchers observed two PsiXBot variants (1.0.2 and 1.0.3) exhibiting this behavior during August and September, both of them delivered to unsuspecting targets' devices via the Spelevo Exploit Kit.
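To show what the JSON-API lookups described above look like from a defender's side, here is an added example (not code from the article or from Proofpoint) that scans constructed proxy log lines for Google DoH JSON-API requests, separates them from RFC 8484 wire-format requests to the same host, and parses a constructed JSON answer to recover the resolved addresses. The log format, the placeholder domains and the answer body are assumptions for illustration.

```python
import json
from urllib.parse import urlparse, parse_qs

# Constructed proxy log lines ("<client> <method> <url> <status>"); domains are placeholders.
SAMPLE_LOG = """\
10.0.0.5 GET https://dns.google/resolve?name=c2-placeholder.example&type=A 200
10.0.0.5 GET https://www.google.com/search?q=weather 200
10.0.0.7 POST https://dns.google/dns-query 200
10.0.0.9 GET https://dns.google/resolve?name=c2-placeholder.example&type=A 200
"""
# Constructed answer in Google's JSON API format; IPs are RFC 5737 test addresses.
SAMPLE_ANSWER = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "c2-placeholder.example.", "type": 1}],
    "Answer": [
        {"name": "c2-placeholder.example.", "type": 1, "TTL": 60, "data": "192.0.2.10"},
        {"name": "c2-placeholder.example.", "type": 1, "TTL": 60, "data": "198.51.100.23"},
    ],
})
DOH_HOSTS = {"dns.google", "dns.google.com"}  # Google's public DoH hostnames

def classify_doh_request(url):
    """('json', name) for a JSON-API lookup, ('wire', None) for RFC 8484, else None."""
    u = urlparse(url)
    if u.hostname not in DOH_HOSTS:
        return None
    if u.path == "/resolve":  # JSON API: the queried name is a plain URL parameter
        names = parse_qs(u.query).get("name", [])
        return ("json", names[0].rstrip(".").lower() if names else None)
    if u.path == "/dns-query":  # wire format: the name is inside the DNS message body
        return ("wire", None)
    return None

def find_json_doh_lookups(log_text):
    """Return (client, queried_name) for every JSON-API DoH lookup in the log."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        kind = classify_doh_request(parts[2]) if len(parts) >= 3 else None
        if kind and kind[0] == "json":
            hits.append((parts[0], kind[1]))
    return hits

def extract_a_records(answer_json):
    """A-record IPs (type 1) from a DoH JSON answer: what the bot uses as C2."""
    doc = json.loads(answer_json)
    if doc.get("Status") != 0:  # non-zero RCODE: no usable answer
        return []
    return [rr["data"] for rr in doc.get("Answer", []) if rr.get("type") == 1]
```

Because the JSON API carries the queried name in the URL, a TLS-inspecting proxy can log it directly, whereas wire-format queries to the same host need the DNS message body decoded.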

Incoming PsiXBot-powered sextortion campaign
StartSpam, one of the modules examined, is designed to send spam from compromised devices and has been updated in recent versions to also deliver PsiXBot payloads through malicious macros bundled in Microsoft Office documents.
The rest of the modules in PsiXBot version 1.0.3 are almost identical to those found in previous samples, with one important difference: the addition of a StartPorn module that appears designed to record blackmail material when users of infected machines visit sites containing porn-related keywords.
Researchers at ESET observed the same type of behavior in early August when they discovered the new Varenyky spambot Trojan targeting French users, which can record its victims' screens when they visit adult sites.

Just like the Varenyky Trojan, the PsiXBot malware comes with a built-in dictionary of keywords that trigger a new video recording when matched.
"If a window matches the text, it will begin to record audio and video on the infected machine. Once recorded, the video is saved with a '.avi' extension and is sent to the C&C. Typically, these recordings are used for extortion purposes," the researchers found.
While this StartPorn module, built on the Windows DirectShow library, still appears incomplete, the rapid succession of updates PsiXBot's developers release suggests a fully functional version will arrive sooner rather than later.
Although Proofpoint found no indication during its analysis of what the recorded videos would be used for, the keywords that trigger the recordings make it highly probable that they will feed future sextortion campaigns planned by PsiXBot's operators.

Modules for everything
According to Proofpoint's Matthew Mesa, the PsiXBot modular bot malware has been active since at least November 2017. Fox-IT researchers have documented a wide range of modules, including but not limited to a keylogger, password and cookie stealers, a QuasarRAT module, a clipper that swaps cryptocurrency addresses detected in the clipboard, and a scheduler that runs the bot every 60 seconds.
"By expanding the feature set of the included modules and the overall capabilities of this malware, the actor or team behind its development appears to be seeking feature parity with other similar malware on the market," concludes Proofpoint.
More details on the newly discovered variants, indicators of compromise (IOCs) including malware sample hashes and command-and-control addresses, as well as ET and ETPRO Suricata/Snort signatures, are available at the end of Proofpoint's PsiXBot analysis.