PsiXBot is a modular malware family whose components go well beyond what comparable bots offer. Among them is a sextortion component that can be highly effective against its victims. Analysis of the captured samples shows that it is distributed through several high-impact campaigns, including delivery by the Spelevo Exploit Kit.
Sextortion Campaigns Launched By PsiXBot Malware
PsiXBot is being deployed in an ongoing campaign run by an as yet unidentified group. The operators use an updated version of the malware engine together with a refined infection chain. A large share of the attacks rely on the Spelevo Exploit Kit, a drive-by exploit kit: victims who land on a compromised or attacker-controlled web page are redirected to a landing page that exploits browser and plug-in vulnerabilities to install the payload, with no attachment to open and no link to click.
What makes the newer versions notable is that they resolve their command and control domains with DNS over HTTPS (DoH): the lookup is sent inside an encrypted HTTPS session to a public resolver instead of as a plaintext UDP query to the local resolver. The query therefore never appears in the organisation's DNS logs and is indistinguishable on the wire from ordinary web traffic, which makes a running infection considerably harder to spot. Defenders who depend on DNS telemetry have to block or proxy known public DoH endpoints instead, or catch the connection to the C2 server itself. The C2 addresses are hardcoded in the samples and stored encoded with a custom scheme, so they do not show up in a plain strings search of the binary. To avoid drawing attention, the client does not check server availability with an ICMP ping, the most common and most easily spotted liveness probe. Once the infection is complete and the connection to the attacker-controlled server is established, the operators can trigger any of the available modules. The most recent versions contain the following:
Download and Execution, Execute, Get Installed Software, Get Outlook Credentials, Get List of Running Processes, Get Stealer Cookies, Get Stealer Passwords, Self-Deletion, Start Complex Module, Start Cryptocurrency Module, Start FG Module, Start Keylogger, Start New Complex Module, Start Porn Module and Start Scheduler Module.
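The DoH-based resolution described above leaves two footprints a defender can look for: an HTTPS connection to a public DoH resolver, and a later connection to a server that the organisation's own DNS resolver never returned an answer for ("DNS-less" connections). The script below is an added example, not code from the original article or from the malware's authors; it correlates constructed DNS answer logs with constructed connection logs and flags both footprints. The log format, the resolver list and the `find_covert_resolution` function are assumptions made for this example.

```python
"""Flag hosts that resolve names out of band (DNS over HTTPS) and then connect
to destinations the corporate resolver never handed out.

Added example; the log format and resolver list are assumptions, not the
format of any particular product.
"""
import ipaddress
from collections import defaultdict

# Public DoH resolvers a managed host should not be talking to directly on
# TCP/443 when DNS is supposed to go through the corporate resolver.
# Constructed, deliberately partial list.
KNOWN_DOH_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1",
                       "9.9.9.9", "149.112.112.112"}

# Destinations inside these ranges are skipped: internal services are often
# reached by IP or via hosts files and would otherwise create noise.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample logs (not real traffic). One record per line:
# "<timestamp> key=value key=value ...". 10.0.0.7 is the infected host.
SAMPLE_DNS_LOG = """
2019-06-01T10:00:01 src=10.0.0.5 q=portal.example.com a=203.0.113.20
2019-06-01T10:00:02 src=10.0.0.5 q=cdn.example.net a=203.0.113.44
2019-06-01T10:00:05 src=10.0.0.7 q=update.example.org a=203.0.113.10
"""

SAMPLE_CONN_LOG = """
2019-06-01T10:00:01 src=10.0.0.5 dst=203.0.113.20 dport=443 proto=tcp
2019-06-01T10:00:02 src=10.0.0.5 dst=203.0.113.44 dport=443 proto=tcp
2019-06-01T10:00:05 src=10.0.0.7 dst=203.0.113.10 dport=443 proto=tcp
2019-06-01T10:00:06 src=10.0.0.7 dst=8.8.8.8 dport=443 proto=tcp
2019-06-01T10:00:07 src=10.0.0.7 dst=198.51.100.23 dport=443 proto=tcp
2019-06-01T10:00:08 src=10.0.0.7 dst=10.0.0.9 dport=443 proto=tcp
"""


def parse_records(text):
    """Turn 'ts k=v k=v' lines into dicts; blank lines are ignored."""
    records = []
    for line in text.strip().splitlines():
        ts, *pairs = line.split()
        rec = {"ts": ts}
        for pair in pairs:
            key, _, value = pair.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def resolved_ips_by_host(dns_records):
    """Map each client to every IP the plaintext resolver answered with."""
    seen = defaultdict(set)
    for rec in dns_records:
        seen[rec["src"]].add(rec["a"])
    return seen


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_covert_resolution(dns_log, conn_log):
    """Return (src, dst, reason, severity) tuples, in log order.

    Records are expected in chronological order: a DNS-less connection is
    rated 'high' only if the same host contacted a DoH resolver earlier.
    """
    resolved = resolved_ips_by_host(parse_records(dns_log))
    doh_hosts = set()
    findings = []
    for conn in parse_records(conn_log):
        if conn.get("dport") != "443":
            continue  # DoH and C2 traffic in this case both ride on TLS/443
        src, dst = conn["src"], conn["dst"]
        if dst in KNOWN_DOH_RESOLVERS:
            doh_hosts.add(src)
            findings.append((src, dst, "doh_resolver_contact", "medium"))
            continue
        if is_internal(dst):
            continue
        if dst not in resolved[src]:
            severity = "high" if src in doh_hosts else "low"
            findings.append((src, dst, "dns_less_connection", severity))
    return findings


if __name__ == "__main__":
    for finding in find_covert_resolution(SAMPLE_DNS_LOG, SAMPLE_CONN_LOG):
        print(*finding)
```

On the constructed data only 10.0.0.7 is flagged: once for contacting 8.8.8.8 on 443, and once, at high severity, for the follow-on connection to an address its DNS traffic never resolved. In production the DNS side should come from the resolver's own query logs so that cached answers from before the log window are not mistaken for out-of-band resolution, and browsers with DoH enabled by policy will need to be allow-listed.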
The Porn Module is a purpose-built component that watches for the user viewing pornographic content. It does this by monitoring the titles of open windows and comparing them against a built-in dictionary of pornography-related terms. A match triggers covert recording through the webcam and microphone (both video and audio), and the captured material is uploaded to the operators, who then use it to extort payment from the victim.
These attacks are rated as very dangerous. Because the malware arrives through an exploit kit, which relies on known vulnerabilities in out-of-date software, the most effective protection is keeping browsers and browser plug-ins fully patched; a reputable, up-to-date anti-malware product and network controls that block direct access to public DoH resolvers add further layers of defence.