Off-the-shelf malware targeted nearly 10,000 victims over four-month period

A keylogger-infostealer hybrid with a raft of defensive capabilities is gaining traction on the cybercrime underground, researchers have uncovered.

Dubbed ‘Phoenix’, the malware package has been hailed by cybercriminals on underground forums for its intuitive interface and “super friendly” customer support.

Outlining their findings today (November 20), Cybereason’s Nocturnus research team said Phoenix was “more than just a keylogger,” as it boasted numerous additional information-stealing capabilities and “self-defense mechanisms”.

Assaf Dahan, Cybereason’s senior director of threat hunting, said the $14.99-a-month exploit kit was readily deployable by technically limited cybercriminals.

In just four months Phoenix has targeted almost 10,000 victims across the US, Europe, and the Middle East – a number Cybereason expects will soar in the coming months.

Phoenix, which is written in Visual Basic .NET, can steal passwords as well as data from clipboards and screen capture. It also features a downloader for downloading additional malware.

Data is exfiltrated via SMTP, FTP, and Telegram, the end-to-end encrypted messaging app.


A trawl of underground forums by Cybereason unearthed some glowing reviews from those in the cybercrime community, indicating that the developers of Phoenix are keen to emphasize the ‘service’ element of their Malware-as-a-Service (MaaS) enterprise.

“Keylogger works perfect [sic]… the owner is super friendly and he took the time to help me until I was happy,” gushed one reviewer. Another described it as the “best in the market right now”.

According to Cybereason, the malware bundle almost certainly evolved from the Alpha Keylogger, which shared naming conventions and parameter names and uncannily similar marketing materials.

Phoenix also emerged from the proverbial flames shortly after Alpha disappeared in late July – probably to give the author “a clean slate in the underground community”.

Read more of the latest malware news from The Daily Swig

Make it ‘FUD’

Most infections originate from phishing-borne Word and Excel files, most commonly targeting the Equation Editor vulnerability, Cybereason said.

Phoenix covers its tracks by storing stolen data in memory, without writing it to disk, and returning data to the attackers directly.

Illusion, a vendor selling Phoenix on the dark web, advised cybercriminals to use the malware in tandem with a third-party crypter to “make it FUD” (fully undetectable).

Exemplifying the adage that "the best defense is a good offense", Phoenix bundles an anti-antivirus module purporting to disable more than 80 security products and analysis tools.

Fortunately, although Phoenix-infected samples caught in the wild were often crypter-equipped, these were still being blocked by most antivirus vendors.

Credential stealing

Using a preconfigured exfiltration method, Phoenix is used mostly as “set it and forget it” malware, Dahan said.

The versatile exploit can also disable Windows admin tools like CMD, registry, task manager, and system restore.

Anti-VM and anti-debugging tools help detect hostile environments.

Once Phoenix has finished its checks, modules are deployed that hunt for credentials and other sensitive information stored locally on the target machine.

“Phoenix uses a common method of hooking keyboard events for its keylogging,” said Cybereason. “It uses a Windows API function SetWindowsHookExA to map the pressed keys, then matches them to the corresponding process.”

Chrome and Firefox are among the 20 web browsers that are susceptible to Phoenix’s credential-stealing efforts, along with the FileZilla FTP client, and email clients Outlook, Thunderbird, Seamonkey, and Foxmail.

As ever, “common sense and general awareness, as well as precautions, come in handy” when guarding against social engineering attacks, Dahan told The Daily Swig. “The best course of action is implementing multiple layers of defense.”

Noting that malware is also often “distributed using exploit kits that exploit browser vulnerabilities” he urged web users to keep their “browser updated to the latest version and apply recommended OS security updates.”

Cybereason has outlined full technical details of Phoenix in a blog post.

YOU MIGHT ALSO LIKE Spam campaign uses ‘double-loaded’ ZIP to smuggle malware onto Windows devices