L0RDIX: Multipurpose Attack Tool
(Nov 21, 2018)
Ben Hunter, a researcher from enSilo, discovered a new multipurpose malware dubbed “L0rdix” that targets Windows-based machines to steal credentials and mine for cryptocurrency. The tool uses several checks to evade Virtual Machine (VM) environments and sandboxes. L0rdix contains five main embedded modules that can be executed depending on the intended goal and functionality the threat actors utilising it wants. The malware obtains information regarding the machine, once successfully infecting it, such as antivirus tools on the machine, current user privileges, disk hardware device ID, operating system product name, Graphics Controller Model, and RAM availability. Once obtaining that information, L0rdix will send that information to the Command and Control (C2) server, who will then respond with a JSON file containing parameters for the malware. These parameters will determine whether the tool should mine for cryptocurrency (the type of cryptocurrency is specified by the C2 based on the information is gains earlier on the machine) or steal credentials. L0rdix is available for threat actors to purchase in underground/black market forums.
Recommendation: Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe).
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.