The L0rdix malware is a newly detected hacking tool offered on underground hacker markets to prospective buyers who want to use it in attack campaigns against Windows computers. Because it is built from many modules, individual hackers and groups can use it in a variety of ways. At the time of writing, one of these markets lists it for about 60 US dollars.
Anyone Can Become a Target of the L0rdix Malware
Information about L0rdix was published by Ben Hunter in a security report that gives further details about its behavior. The malware is designed to infect Windows machines and is currently offered to prospective buyers on several underground markets. What sets it apart from similar malware is that it combines a range of information- and data-stealing capabilities with cryptocurrency mining modules.
It also uses a hybrid botnet infection approach — compromised machines can attempt to infiltrate other machines in an automated manner. As soon as an infection is made, the threat may launch an anti-detection mechanism. This routine checks whether any virtual machine environments or other malware analysis tools are active and disables their engines, which counters analysis or detection by them. Updated versions can use the same approach to bypass security software such as anti-virus products and firewalls.
Once the bypass is complete, the engine contacts a pre-configured server and downloads the latest updates and configuration files. At this point the hacker operators can deploy any of the available modules according to their own strategy. Every infected machine is harvested for a set of data that is used to generate a unique machine ID, which is sent to the main server together with screenshots of the computer’s usage. The samples collected in the detected campaign have been found to harvest the following data:
- Hardware Components Information — This subset covers the hard disk drives, the processor and graphics card model names and specifications, and the installed memory. Performance information is also included; it is obtained by running a performance test and recording the results.
- Operating System Information — The collected data covers the user’s privileges and the condition of the operating system.
- Applications Data — Data from third-party installed applications and services is retrieved, including whether any anti-virus products are present.
- Web Browser Data — If one of the supported web browsers is found, the malware kills its processes and extracts sensitive data, including saved cookies, preferences and saved accounts.
It is speculated that the performance metrics are collected in order to optimize the delivery of a cryptocurrency miner, which is one of the common effects of infection. Not only is a miner infection initiated, but any identified wallet files are hijacked as well.
L0rdix Malware Post-Infection Capabilities
The analysis shows that once the infection has penetrated the security of a single computer, it proceeds to infect other hosts automatically by infecting removable storage devices. Updated versions can take an even more dangerous approach by interacting with the Windows network manager and looking for accessible shares. This is followed by a persistent installation, which makes active infections very hard to identify and remove by manual methods: the engine automatically scans the local configuration files and edits them so that it starts itself whenever the computer is powered on.
Botnet recruitment takes place following the virus’s deployment, which is particularly worrying because it allows the hackers to build a large network of infected devices semi-automatically. Such networks are particularly useful for carrying out complex DDoS attacks that can take entire companies offline.
Because the identified L0rdix malware samples are associated with a single attack campaign, we presume that future attacks will use even more modules and attack scenarios.