09 September 19, 19:44
Quote:The PsiXBot malware has made a few changes in recent weeks, including implementing Google’s DNS over HTTPS (DoH) and adding the blackmail-ready “PornModule” to its bag of tricks.
PsiXBot is a multi-use Windows malware that has a range of capabilities, including keylogging, stealing passwords and cookies, spreading spam, mining for cryptocurrency and fingerprinting infected machines.
According to an analysis from Proofpoint, recent samples contain hard-coded command-and-control (C2) domains with RC4 encryption, which the malware retrieves using Google’s DoH service. DoH is used to enhance privacy on behalf of the user by providing encrypted DNS sessions, and to speed up DNS queries. Here, the PsiXBot operators are using it for anti-analysis and detection evasion.
“This update was a stark departure from the previous update, which utilized a more convoluted process involving a URL shortener service to gather the IP address for the C2 infrastructure,” according to a Friday writeup on the malware. “By using Google’s DoH service, it allows attackers to hide the DNS query to the C2 domain behind HTTPS. Unless SSL/TLS is being inspected by man-in-the-middle (MitM), DNS queries to the C2 server will go unnoticed.”
Read more here: https://threatpost.com/psixbot-pornmodul...ns/148142/
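The quoted write-up's point is that a C2 lookup sent over DoH shows up as ordinary HTTPS to a public resolver rather than as a port-53 query. The following is an added example (not code from the Threatpost article, Proofpoint's analysis, or the forum poster) of the detection side: it scans constructed web-proxy log lines for traffic to known public DoH endpoints or DoH content types, pulls the queried name out of the JSON-API URL when TLS inspection exposes it, and parses a response body in the shape of Google's DoH JSON API. The log format (one JSON object per line with `host`, `path` and `content_type`), the log lines themselves, and the `c2.example.invalid` / `192.0.2.10` values are all constructed placeholders, not indicators from the report.

```python
"""Flag DNS-over-HTTPS (DoH) resolver traffic in web-proxy logs.

Added example, not part of the original post or the Proofpoint analysis.
Assumes a proxy log with one JSON object per line carrying 'host', 'path'
and 'content_type'; the sample log lines and the C2 name are constructed.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Public DoH services and the paths they serve (well-known resolver hostnames).
KNOWN_DOH_HOSTS = {
    "dns.google": ("/resolve", "/dns-query"),
    "cloudflare-dns.com": ("/dns-query",),
    "1.1.1.1": ("/dns-query",),
}
# RFC 8484 wire-format and the JSON-API content types.
DOH_CONTENT_TYPES = {"application/dns-json", "application/dns-message"}


def classify_doh(entry):
    """Return a dict explaining why an entry looks like DoH, or None if it does not."""
    host = entry.get("host", "").lower()
    path = entry.get("path", "")
    ctype = entry.get("content_type", "").lower()
    parts = urlsplit(path)
    reasons = []
    if host in KNOWN_DOH_HOSTS and parts.path in KNOWN_DOH_HOSTS[host]:
        reasons.append("known-doh-endpoint")
    if ctype in DOH_CONTENT_TYPES:
        reasons.append("doh-content-type")
    if not reasons:
        return None
    # The JSON API carries the queried name in the 'name' query parameter;
    # POST wire-format queries carry it in the body, so it may be absent here.
    qname = parse_qs(parts.query).get("name", [None])[0]
    return {"host": host, "queried_name": qname, "reasons": reasons}


def extract_answers(doh_json_body):
    """Return (name, rdata) pairs from a Google-style DoH JSON response body."""
    body = json.loads(doh_json_body)
    return [(a["name"], a["data"]) for a in body.get("Answer", [])]


def scan_log(lines):
    """Run classify_doh over JSON-per-line proxy log entries and collect hits."""
    hits = []
    for line in lines:
        verdict = classify_doh(json.loads(line))
        if verdict:
            hits.append(verdict)
    return hits


# Constructed proxy log lines; "c2.example.invalid" is a placeholder, not a real IoC.
SAMPLE_LOG = [
    json.dumps({"host": "www.example.com", "path": "/index.html",
                "content_type": "text/html"}),
    json.dumps({"host": "dns.google", "path": "/resolve?name=c2.example.invalid&type=A",
                "content_type": "application/dns-json"}),
    json.dumps({"host": "cloudflare-dns.com", "path": "/dns-query",
                "content_type": "application/dns-message"}),
]

# Constructed body in the shape of the Google DoH JSON API response.
SAMPLE_RESPONSE = json.dumps({
    "Status": 0,
    "Answer": [{"name": "c2.example.invalid.", "type": 1, "TTL": 60, "data": "192.0.2.10"}],
})

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(extract_answers(SAMPLE_RESPONSE))
```

Without TLS inspection only the destination hostname (from SNI or the proxy CONNECT line) is visible, so the `known-doh-endpoint` check still fires but `queried_name` and the content-type check will be empty; that matches the quoted caveat that the actual C2 domain stays hidden unless the session is inspected.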