An emerging malware downloader that employs various evasion techniques and downloads a cryptocurrency miner has been uncovered. Dubbed 'F0xy' thanks to its tricky nature, the new malware is able to dynamically change its command-and-control (C&C) server, and to download and execute arbitrary files.
Websense Security Labs has identified three distinctive features that allow the malware to fly under the radar. First, the malware employs very little in the way of code and string obfuscation, in order to appear more legitimate and hide in plain sight, the firm said. Second, it makes a request to the Russian social networking site VKontakte, where the address of the real C&C server is hidden. Third, the malware uses Microsoft's Background Intelligent Transfer Service (BITS) to outsource its network traffic, in order to avoid detection by security products.
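Because the download itself is performed by the BITS service rather than by the malware's own process, the artefact a defender can look for on an endpoint is the BITS job. The following PowerShell snippet is an added illustration, not code from Websense or from the article, that enumerates BITS jobs for every user on a host and flags any job that pulls from a remote host outside an allowlist or drops its file into a user-writable location. The allowlist entries, the internal update-server name and the suspicious-path pattern are assumptions to be tuned per environment; the `-AllUsers` switch requires an elevated session.

```powershell
# Added example, not Websense's or the F0xy author's code: audit BITS jobs for
# all users and report those that fetch from unexpected hosts or write to paths
# where a legitimate updater rarely lands but droppers usually do.
Import-Module BitsTransfer

# Assumed allowlist: hosts a BITS job on this estate is expected to talk to.
$allowedHosts = @(
    'microsoft.com',
    'windowsupdate.com',
    'update.corp.example'   # placeholder for an internal update server
)

# Assumed pattern for user-writable drop locations (per-user AppData, Temp,
# Public, ProgramData); matched case-insensitively against the local file name.
$suspiciousLocalPattern = '\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\'

function Test-AllowedHost {
    param([string]$RemoteName)
    $uri = $null
    # Reject anything that is not an absolute URL outright.
    if (-not [uri]::TryCreate($RemoteName, [UriKind]::Absolute, [ref]$uri)) { return $false }
    foreach ($h in $allowedHosts) {
        if ($uri.Host -eq $h -or $uri.Host.EndsWith(".$h")) { return $true }
    }
    return $false
}

# One finding per (job, file) pair that trips at least one rule.
$findings = foreach ($job in Get-BitsTransfer -AllUsers) {
    foreach ($file in $job.FileList) {
        $reasons = @()
        if (-not (Test-AllowedHost $file.RemoteName)) {
            $reasons += 'remote host not in allowlist'
        }
        if ($file.LocalName -match $suspiciousLocalPattern) {
            $reasons += 'destination is a user-writable path'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId       = $job.JobId
                DisplayName = $job.DisplayName
                Owner       = $job.OwnerAccount
                State       = $job.JobState
                Created     = $job.CreationTime
                Remote      = $file.RemoteName
                Local       = $file.LocalName
                Reason      = ($reasons -join '; ')
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

`Get-BitsTransfer` only sees jobs that still exist in the queue, so a job that has already completed and been cleaned up will not appear; pair this check with the Microsoft-Windows-Bits-Client/Operational event log, which records transfer start, completion and error events, and with proxy or DNS logs showing a non-browser process reaching out to VKontakte, the other observable the article describes.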
“The behavior of F0xy backs up our 2015 security predictions that cybercriminals will continue to hide their C2 infrastructure within legitimate websites,” said Websense researcher Nick Griffin, in a blog. “We believe that this will be a growing trend in 2015, as malware authors realize that detecting malicious intent on legitimate websites can be difficult for security vendors.”
Upon investigating the C&C infrastructure, further samples were found dating back to 13 January 2015. Analysis suggests that the malware author has been changing and improving the code for reliability and efficiency, and to arrive at a version that works on most operating systems. The first versions of the malware run only on Windows version 6.0 (Vista) and above, while the newer versions also run on Windows XP.
“Just as a real fox is known in many cultures for its cunning and trickery, so is the malware,” Griffin said.
As far as payload, Websense said that F0xy has been seen downloading a 64-bit version of the cryptocurrency miner CPUMiner/CoinMine.
“[CoinMine] is a cryptocurrency mining service for multiple currencies, and allows a user to name 'workers' that can pool together to mine on behalf of a user's account,” Griffin explained. Therefore, the more machines infected by F0xy and mining under the worker's name, the more cryptocurrency can potentially be mined for the cyber-criminal.
“It is clear that financial motivations remain at the forefront of cyber-criminal minds, with the anonymity of cryptocurrency providing a somewhat safer route for collecting the spoils,” added Griffin.