Phoenix: The Tale Of The Resurrected Keylogger (Nov 20, 2019)

A new keylogger called “Phoenix” is being tracked by Cybereason’s Nocturnus team and is becoming popular among cybercriminals. Phoenix is offered as Malware-as-a-Service and has a range of information-stealing capabilities: it can steal passwords, capture input and exfiltrate data, and it has anti-VM capabilities. It can kill the processes of over 80 different security products and steal information from 20 different browsers. According to the research, it can exfiltrate data through the Telegram messaging app and has the same author as the Alpha keylogger.

Recommendation: The Phoenix keylogger provides an information-stealing capability to anyone who can pay for the service. As with other Malware-as-a-Service products, this makes attribution and the potential targeting of the malware difficult to pinpoint. The capability gives even the most novice users the means to attack and steal information from a target of interest. Like most other malware, however, this keylogger is likely to be delivered through phishing of some kind, so organisations can do much to protect themselves by training staff to recognise malicious emails, links and texts.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.