Recently, the Websense Security Labs issued a blog post announcing the discovery of a new and emerging malware downloader that employs evasion techniques and downloads a cryptocurrency miner.
The new malware, which the Websense Security Labs have named ‘f0xy’, is able to dynamically change its command-and-control (C&C), and download and execute arbitrary files.
The Labs decided to name the malware ‘f0xy’ due to the strings found in the executables and the registry key it creates for persistence.
f0xy’s evasion tactics include leveraging the popular Russian social networking site VKontakte and employing Microsoft’s Background Intelligent Transfer Service to download files.
There are three distinctive features that allow the malware to fly under the radar:
– The malware employs very little in the way of code and string obfuscation in order to appear more legitimate and hide in plain sight.
– A request is made to the Russian social networking site VKontakte, where the address of the real C&C is hidden.
– Finally, the malware uses Microsoft’s Background Intelligent Transfer Service to outsource its network traffic, to avoid detection by security products.
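Because transfers handed to the Background Intelligent Transfer Service are carried out by Windows itself, a defender can review the transfer jobs rather than the requesting process. The sketch below is an added example, not code from the Websense post: it flags jobs whose URL host is not on an expected list. The message shape (modelled on the BITS client operational log's "transfer started" event), the expected-host list and the sample records are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts this organisation expects BITS to contact (constructed list).
EXPECTED_SUFFIXES = ("windowsupdate.com", "microsoft.com", "gvt1.com")
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".bat", ".ps1")

# Assumption: message text shaped like the BITS client "transfer started" event.
STARTED = re.compile(
    r"BITS started the (?P<job>.+?) transfer job "
    r"that is associated with the (?P<url>\S+) URL"
)

# Constructed sample records (time, job owner, message); not real telemetry.
SAMPLE_EVENTS = [
    ("09:12:04", "NT AUTHORITY\\SYSTEM",
     "BITS started the WU Client Download transfer job that is associated "
     "with the http://download.windowsupdate.com/c/update.cab URL."),
    ("09:40:31", "WORKSTATION\\alice",
     "BITS started the Chrome Component Updater transfer job that is "
     "associated with the http://redirector.gvt1.com/edgedl/x.crx3 URL."),
    ("10:03:57", "WORKSTATION\\alice",
     "BITS started the job1 transfer job that is associated "
     "with the http://files.example.test/a/miner.exe URL."),
    ("10:04:02", "WORKSTATION\\alice", "The BITS service created a new job."),
]

def host_expected(host):
    """True if host equals, or is a subdomain of, an expected suffix."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in EXPECTED_SUFFIXES)

def unexpected_bits_jobs(events):
    """Return one finding per started transfer whose host is not expected."""
    findings = []
    for when, owner, message in events:
        match = STARTED.search(message)
        if not match:
            continue  # not a "transfer started" record
        parts = urlsplit(match.group("url"))
        host = parts.hostname or ""
        if host_expected(host):
            continue
        findings.append({
            "time": when, "owner": owner, "job": match.group("job"),
            "host": host,
            # Executable payloads fetched via BITS deserve priority review.
            "executable": parts.path.lower().endswith(EXECUTABLE_EXTENSIONS),
        })
    return findings

if __name__ == "__main__":
    for finding in unexpected_bits_jobs(SAMPLE_EVENTS):
        print(finding)
```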
You can read the full blog post here.
Carl Leonard, Principal Security Analyst at Websense, had this to say about the discovery of f0xy:
“The emerging f0xy malware employs particularly advanced evasion techniques and utilises fox-like cunning and trickery in an attempt to hide in amongst the noise of legitimate traffic. Our discovery highlights the sophisticated techniques that cybercriminals are now deploying to download and execute arbitrary files for financial gain.
“The primary function of f0xy is to act as a downloader and potentially any virus could be dropped by the malicious code. Right now the malware is lying low, scouting out its surroundings and testing the weak barriers, but it carries a serious malicious threat. The nature of f0xy fits the Websense Security Labs prediction that this year we will see more malware hiding in the noise of legitimate traffic, with malware authors increasingly migrating to legitimate websites to hide their malicious activity and avoid detection.
“We have not yet seen any evidence in our customer base of an attempt to infect machines, but we are closely monitoring f0xy.”
About Websense
Websense TRITON stops more threats; visit www.websense.com/proveit to see proof. To access the latest Websense security insights and connect through social media, please visit www.websense.com/smc. For more information, visit www.websense.com and www.websense.com/triton.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.