New Phoenix Keylogger tries to stop over 80 security products to avoid detection

Researchers from Cybereason revealed today in a report that a new keylogger known as Phoenix, which started selling on hacking sites during the summer, has now been connected to more than 10,000 infections. The Phoenix Keylogger is a fresh threat that was first published in July on HackForums and has gradually grown in popularity among malware developers. According to threat intelligence provided on Twitter, new malware distribution schemes are discovered every few weeks.

More of an information stealer than a keylogger

According to Cybereason, Phoenix was created by a skilled malware author. Over the past few months it has developed from a straightforward keystroke logger (keylogger) into a multipurpose information-stealing trojan (infostealer). Earlier versions could only track keystrokes; newer versions, researchers said, can dump user data such as passwords from 20 different browsers, four different mail clients, FTP clients, and chat programmes.

Phoenix now also contains a tough anti-AV and anti-VM module that works to prevent the malware from being found and examined while in use “in the field.” Both modules operate similarly: each has a list of pre-defined process names that Phoenix will try to terminate before continuing to run. The list covers more than 80 well-known security solutions and virtual machine (VM) technologies, the latter frequently used for malware reverse engineering and analysis. As the list of security-related process names in the image below shows, the Phoenix author appears to have copied the list of VM processes from a blog post by the cyber-security firm Cyberbit.

Professional security products have warning systems in place to notify users when a local app tries to halt one of their processes. But if Phoenix is successful, the malware gathers the information it was configured to collect and then exfiltrates it to a remote location. According to Cybereason, this might be a remote FTP server, a remote SMTP email account, or even a Telegram channel.
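The anti-AV behaviour described above, a single process requesting termination of many security and analysis tools in quick succession, is a detectable pattern. The following is an added example written for this article, not code from Cybereason's report: it scans constructed, Sysmon-style process-access records (the real Sysmon Event ID 10 carries SourceImage, TargetImage and GrantedAccess fields; the pipe-delimited layout, the process names and the watchlist here are all assumptions) and flags any source process that asks for PROCESS_TERMINATE on several watchlisted processes within a short window.

```python
"""Flag a process that tries to terminate many security/analysis tools in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed watchlist of processes a defender wants to protect. The report's
# actual 80-entry list is not reproduced here; these names are placeholders.
WATCHLIST = {"av_monitor.exe", "edr_agent.exe", "vbox_service.exe", "sandbox_agent.exe"}

# Constructed log lines: timestamp|source image|target process|granted access mask.
# Access mask 0x1 is PROCESS_TERMINATE on Windows; 0x1000 is PROCESS_QUERY_LIMITED_INFORMATION.
SAMPLE_EVENTS = [
    "2019-11-20T10:00:01|C:\\Users\\bob\\AppData\\Roaming\\invoice.exe|av_monitor.exe|0x1",
    "2019-11-20T10:00:01|C:\\Users\\bob\\AppData\\Roaming\\invoice.exe|edr_agent.exe|0x1",
    "2019-11-20T10:00:02|C:\\Users\\bob\\AppData\\Roaming\\invoice.exe|vbox_service.exe|0x1",
    "2019-11-20T10:00:02|C:\\Users\\bob\\AppData\\Roaming\\invoice.exe|notepad.exe|0x1",
    "2019-11-20T10:00:03|C:\\Windows\\System32\\taskmgr.exe|notepad.exe|0x1",
    "2019-11-20T11:30:00|C:\\Windows\\System32\\svchost.exe|edr_agent.exe|0x1000",
]

PROCESS_TERMINATE = 0x1


def parse(line):
    """Split one constructed record into (timestamp, source, target, access mask)."""
    ts, source, target, mask = line.split("|")
    return datetime.fromisoformat(ts), source, target.lower(), int(mask, 16)


def find_mass_kill(lines, threshold=3, window=timedelta(seconds=60)):
    """Return {source: sorted targets} for every source that requests
    PROCESS_TERMINATE on at least `threshold` distinct watchlisted
    processes inside any `window`-long span. Non-watchlisted targets and
    access requests without the terminate bit are ignored."""
    by_source = defaultdict(list)
    for ts, src, tgt, mask in map(parse, lines):
        if mask & PROCESS_TERMINATE and tgt in WATCHLIST:
            by_source[src].append((ts, tgt))
    hits = {}
    for src, events in by_source.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {t for ts, t in events[i:] if ts - start <= window}
            if len(seen) >= threshold:
                hits[src] = sorted(seen)
                break
    return hits


if __name__ == "__main__":
    for src, targets in find_mass_kill(SAMPLE_EVENTS).items():
        print(f"mass termination attempt by {src}: {', '.join(targets)}")
```

In the sample data only the unsigned executable in the user's roaming profile trips the rule; Task Manager and svchost.exe do not, because their targets or access masks fall outside the pattern.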

Mostly used for harvesting credentials

Researchers at Cybereason attribute the malware’s increased popularity to its user-friendly interface, which lets customers customise it as they see fit. According to the researchers, the malware has been used all over the world in a variety of configurations, depending on the objectives of the attackers. One pattern, nevertheless, stood out: Phoenix was infrequently set up to obtain boot persistence on infected Windows hosts. Basically, after infecting users, the malware would extract and steal data from local programmes, then vanish after the first reboot.

Phoenix has a persistence feature, but the majority of the infections examined lacked persistent behaviour, Assaf Dahan, Senior Director and Head of Threat Research at Cybereason, told ZDNet in an email yesterday. In his team’s opinion, Phoenix is employed more as a “one-off” information thief than as a tool for ongoing surveillance. As for the clientele, it appears that the majority of buyers are interested in obtaining sensitive data that they could later sell in the underground markets, mostly in the credential-selling communities, Dahan said, referring to Phoenix’s ability to extract and steal usernames and passwords stored inside browsers.

This also explains why the cybercriminal gangs propagating Phoenix rarely bother with installing a boot persistence technique: the data can be collected within seconds of the initial infection, so they just don’t require it, and a boot persistence mechanism would only leave behind forensic evidence that could warn users that they had been infected. Without expanded logging capabilities, which are typically only available in enterprise environments, this lack of a boot persistence mechanism makes tracing Phoenix infections nearly impossible.

A related Cybereason report investigates the creator of the Phoenix malware. Researchers believe the same person created a different commercial malware strain, the Alpha Keylogger, which died out a few months prior to Phoenix’s release. Connections identified in the Cybereason report include reused code, the same style and font in promotional materials, and many other similarities between the two strains.

Some benefits of Spiral Linux for novice users

In this article, Jack Wallen explains why he thinks Spiral Linux is the ideal Linux distribution for folks who have never used the open-source operating system. There are tens of thousands of Linux distributions available, ranging from the simple (like Ubuntu and Linux Mint) to the extremely complex (such as Gentoo). Not every distribution that claims to be user-friendly is the same, and many factors determine how user-friendly a distribution can be. Every Linux distribution that claims to be user-friendly must take into account package managers, desktop environments, and pre-installed programmes. Therefore, the first thing I do when a new distribution claiming to be user-friendly appears is look at those three areas. I did exactly that when the creator of GeckoLinux released a new distribution named Spiral Linux.

Spiral Linux is available with the following desktop environments:

  1. GNOME
  2. KDE Plasma
  3. Xfce
  4. MATE
  5. Budgie
  6. LXQt

Because it is based on Debian, the OS will be extremely stable, dependable, and performant, with the limitation that some of the programmes always come from the stable release (which means they can be a bit behind). This is fine, because stability and dependability are the key terms here, and you don’t want cutting-edge applications on a production PC.

Spiral Linux has a number of distinctive features, including:

  1. Support for more recent hardware (thanks to the 5.16 kernel and installed proprietary firmware).
  2. Simple upgrades to the Testing or Unstable branches of Debian.
  3. Snapper snapshots and a Btrfs subvolume structure with transparent Zstd compression, which allow for simple rollbacks.
  4. Extensive support for printers.
  5. TLP pre-installed and optimised for power management.
  6. Automatic VirtualBox support.
  7. Improved performance through zRAM swap.
  8. The sudo group automatically expanded to include regular users.

The developer has clearly considered how a Linux distribution for new users should be designed. The lone omission is the absence of a Welcome app to speed up new-user onboarding. Even with that omission, Spiral Linux is a fantastic Linux distribution that anyone could use without feeling out of place. I installed the Budgie version of Spiral Linux and was really satisfied.

Do we really need another Linux distribution?

The majority of Linux users will answer “Yes” emphatically if you ask them. Why? Because Linux has always been about choice, and having more options is frequently viewed as beneficial.

That does not imply that everybody agrees with that viewpoint. Some people think Linux’s strength has been diminished by the sheer number of distributions. I don’t think that. Having yet another distribution aimed at new users should be viewed as positive, even though I would prefer that there were an “official” Linux distribution that major companies could support (because having to develop for and support hundreds or thousands of distributions is an absolute deal-breaker for some companies). And Spiral Linux checks every requirement for this use case.

Another Debian-based distribution is needed, says the creator, because “Debian itself provides a basic system that can be quite user-friendly when correctly configured. In this situation, SpiralLinux is useful. Using the Debian-provided packages and procedures, a lot of work has gone into perfecting the SpiralLinux default setup for all the major desktop environments. Therefore, a SpiralLinux installation is really just a genuine Debian installation that may keep its distinctive SpiralLinux configuration while receiving limitless upgrades from the official Debian repository. As a result, you receive a Linux distribution that is both user-friendly and reliable, as well as one that will last as long as Debian does.” Given how short-lived some projects can be, it’s encouraging to know that this new distribution has tethered itself to Debian in a way that will ensure its longevity.
