New PsiXBot variant spotted with sextortion module and other updates

• A new variant of the PsiXBot malware with a newly added sextortion module has been discovered by security researchers.
• This malware version tracked as 1.0.3, is spreading via the Spelevo exploit kit. It displays a new infrastructure that lets the bot change DNS entries to hide malicious activities.

Background

The first version of the PsiXBot malware was spotted in mid-2017, after which it has evolved significantly. This malware is notorious for logging keystrokes and harvesting browser credentials.

Version 1.0.3, the latest known PsiXBot malware has been observed to host a sextortion module and a new fast-flux infrastructure. This version uses Google’s DNS over HTTPS (DoH) service to obtain IP addresses for the command and control domains.

This malware is currently being dropped as a payload from the Spelevo exploit kit. It is also known to spread via phishing emails.

How does it attack?

The latest PsiXBot version has a module called ‘StartPorn’ that records material from infected devices.

• The recording is done when the infected machines browse websites that contain porn-related keywords.
• PsiXBot has a built-in dictionary of keywords. If any of these keywords are detected on the infected device, it begins recording audio and video.
• The recorded file is saved with ‘.avi’ extension and is sent to command and control domains.
• These videos and audios are said to be used for extortion purposes.
• The malware campaign has updated itself to send convincing emails with attachments from the infected host. These attachments contain malicious macros that retrieve the PsiXBot payload.

What to expect

The StartPorn module seems incomplete and is expected to evolve with time. Proofpoint published a detailed analysis of this malware.

• This malware is continuously updating module features and overall capability.
• It is speculated that the threat actors behind PsiXBot are aiming to be on par with other similar malware.