
Understanding the New Phoenix Keylogger


Launched in July this year, the Phoenix keylogger is sold as malware-as-a-service in the black market. Read on to know more…

Launched in July this year, the Phoenix keylogger is sold as Malware-as-a-Service (MaaS) in the black market. Phoenix is a new threat that has gradually gained popularity amongst cyber criminals and now has a following on the malware scene. According to security researchers, the reason behind its rising popularity is its easy-to-use interface, which lets malicious buyers configure the malware at will.

Nocturnus, the research team from Cybereason, has researched both the Phoenix malware and its source in the dark web. It appears to have been developed by the same team that produced the short-lived Alpha keylogger, which disappeared shortly before Phoenix began to be marketed; code similarities suggest that the two products are related. A report from Cybereason, a cybersecurity firm, has linked more than 10,000 infections to the new keylogger, which debuted on hacking forums in July. Researchers from the firm say this keylogger is the work of an experienced malware author.

Behavior Analysis
Phoenix keylogger is more like a ‘one-off’ information stealer than a tool designed for long-term surveillance. It has been observed in various corners of the world, in different configurations, with attackers pursuing varying goals. This new keylogger malware attempts to disable the Defender AntiSpyware module by changing the registry key.

Research on Twitter revealed that malware distribution for the Phoenix keylogger campaigns was spotted every few weeks. The Phoenix malware has reportedly transformed from a simple keystroke logger into a multi-functional information-stealing trojan over the past few months.

Most Phoenix infections so far seen by Cybereason have been delivered through phishing using a weaponized rich text file (RTF) or Office document that exploits the Equation Editor vulnerability CVE-2017-11882, rather than a malicious macro. However, since the developers provide the malware as a stub, delivery to the targets and the method of infection will vary from one criminal buyer to the next as more of them start to use it.

Working Mechanism
Phoenix keylogger uses aggressive anti-AV and anti-VM modules to terminate the processes of over 80 well-known security products, keeping it from being detected. Professional security products generally come with an alert feature to notify users when a local app tries to alter their process. Once running, Phoenix collects the data it was configured to collect and drops it to a remote location. According to Cybereason, this can be a remote FTP server, a remote SMTP email account, or even a Telegram channel. Besides logging keystrokes, this newer version brings the ability to dump user data, such as passwords from 20 different browsers, four mail clients (Outlook, Thunderbird, Seamonkey, Foxmail), FTP clients, and chat applications.
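The behaviours described in the delivery, behaviour-analysis and working-mechanism sections above (an Equation Editor exploit document spawning a payload, the Defender AntiSpyware registry change, mass termination of security products, and exfiltration over FTP, SMTP or Telegram) each leave a footprint in endpoint telemetry. The following is an added example, not code from the article or from Cybereason, of simple detection rules run over constructed Sysmon-style events. It assumes Sysmon's event numbering (1 = process create, 3 = network connect, 10 = process access, 13 = registry value set); the Defender policy value `DisableAntiSpyware`, the watch-listed process names, the file paths and timestamps are all sample values, and the article itself does not name the exact registry key Phoenix modifies.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ntpath import basename  # handles Windows paths on any host OS

# Constructed telemetry (not real Phoenix data) in a reduced Sysmon shape.
PAYLOAD = r"C:\Users\bob\AppData\Roaming\update.exe"  # hypothetical dropped stub
SAMPLE_EVENTS = [
    # Event 1: payload launched by Equation Editor (the CVE-2017-11882 process)
    {"id": 1, "ts": "2019-11-20T10:00:00", "image": PAYLOAD,
     "parent_image": r"C:\Program Files\Common Files\Microsoft Shared\Equation\EQNEDT32.EXE"},
    # Event 13: Defender policy value flipped to 1 (assumed value name)
    {"id": 13, "ts": "2019-11-20T10:00:01", "image": PAYLOAD,
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "details": "DWORD (0x00000001)"},
    # Event 10: handles opened with PROCESS_TERMINATE on security products
    {"id": 10, "ts": "2019-11-20T10:00:02", "image": PAYLOAD,
     "target": r"C:\Program Files\Windows Defender\MsMpEng.exe", "access": "0x1"},
    {"id": 10, "ts": "2019-11-20T10:00:02", "image": PAYLOAD,
     "target": r"C:\Program Files\ExampleAV\avguard.exe", "access": "0x1001"},
    {"id": 10, "ts": "2019-11-20T10:00:03", "image": PAYLOAD,
     "target": r"C:\Program Files\ExampleEDR\sensor.exe", "access": "0x1"},
    {"id": 10, "ts": "2019-11-20T10:05:00", "image": r"C:\Windows\System32\taskmgr.exe",
     "target": r"C:\Program Files\ExampleAV\avguard.exe", "access": "0x1400"},  # query only
    # Event 3: exfiltration channels named in the article
    {"id": 3, "ts": "2019-11-20T10:00:09", "image": PAYLOAD,
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"id": 3, "ts": "2019-11-20T10:00:10", "image": PAYLOAD,
     "dest_host": "198.51.100.7", "dest_port": 21},
    {"id": 3, "ts": "2019-11-20T10:01:00",
     "image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "dest_host": "smtp.example.com", "dest_port": 587},  # legitimate mail client
]

PROCESS_TERMINATE = 0x0001  # Windows process access-right bit
# Illustrative watchlist; Phoenix's own list of 80+ products is not reproduced here.
SECURITY_PROCESSES = {"msmpeng.exe", "avguard.exe", "sensor.exe"}
# Processes expected to speak SMTP/FTP; anything else doing so deserves a look.
EXPECTED_CHANNEL_USERS = {"thunderbird.exe", "outlook.exe"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_equation_editor_spawn(events):
    """Any child of EQNEDT32.EXE is suspicious: Equation Editor has no reason to launch programs."""
    return [{"rule": "eqnedt32_child", "image": e["image"]} for e in events
            if e["id"] == 1 and basename(e["parent_image"]).lower() == "eqnedt32.exe"]


def detect_defender_tamper(events):
    """Registry write that sets the Defender DisableAntiSpyware policy value to 1."""
    return [{"rule": "defender_tamper", "image": e["image"]} for e in events
            if e["id"] == 13
            and e["target"].lower().endswith(r"\windows defender\disableantispyware")
            and "0x00000001" in e["details"]]


def detect_mass_terminate(events, threshold=3, window_s=60):
    """One process opening PROCESS_TERMINATE handles to >= threshold distinct
    watch-listed security processes within window_s seconds."""
    by_source = defaultdict(list)
    for e in events:
        if e["id"] != 10 or not int(e["access"], 16) & PROCESS_TERMINATE:
            continue
        target = basename(e["target"]).lower()
        if target in SECURITY_PROCESSES:
            by_source[e["image"]].append((_ts(e), target))
    alerts = []
    for source, hits in by_source.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # sliding window over sorted hits
            targets = {t for ts, t in hits[i:] if ts - start <= timedelta(seconds=window_s)}
            if len(targets) >= threshold:
                alerts.append({"rule": "mass_terminate", "image": source,
                               "targets": sorted(targets)})
                break
    return alerts


def detect_exfil_channels(events):
    """Outbound FTP, SMTP or Telegram traffic from a process that is not a known mail/FTP client."""
    alerts = []
    for e in events:
        if e["id"] != 3:
            continue
        host, port = e["dest_host"].lower(), e["dest_port"]
        channel = ("telegram" if host.endswith("telegram.org") else
                   "ftp" if port == 21 else
                   "smtp" if port in (25, 465, 587) else None)
        if channel and basename(e["image"]).lower() not in EXPECTED_CHANNEL_USERS:
            alerts.append({"rule": "exfil_channel", "channel": channel, "image": e["image"]})
    return alerts


def run_rules(events):
    """Run every rule and return the combined alert list."""
    return (detect_equation_editor_spawn(events) + detect_defender_tamper(events)
            + detect_mass_terminate(events) + detect_exfil_channels(events))


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

The process-access rule keys on the PROCESS_TERMINATE bit in Sysmon's GrantedAccess rather than on process-exit events, because exit events record the process that died, not the one that killed it. Thresholding on distinct targets within a short window is what separates the anti-AV sweep from a legitimate task manager or installer touching a single product.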

“After obtaining basic system information, Phoenix checks to see if it is running in a “hostile” environment. A hostile environment can take different forms: if Phoenix is deployed in a virtual machine, debugger, or on a machine with analysis tools or antivirus products installed. Phoenix has a set of features to disable different Windows tools within the admin panel, like disabling CMD, the registry, task manager, system restore, and others,” the researchers wrote.

Another important discovery concerns Phoenix’s ability to extract and steal usernames and passwords. Since this data could be extracted within seconds of the initial infection, the groups spreading the malware rarely bothered to establish boot persistence.
