Malware Distributed in the Guise of DDoS Tool Targeting Russia
Security researchers with Cisco Talos reported a new threat being distributed in disguise. The malicious package is being advertised through Telegram and is posing as a distributed denial of service toolkit intended to hit Russian targets. The targets are obviously pro-Ukrainian hackers and organizations who might attempt to launch cyber counter-attacks on Russia.
However, instead of a DDoS tool, the package contains the Phoenix infostealer malware.
Phoenix poses as DDoS tool
The Phoenix malware has been around for some time, first making headlines in 2019, when it started out as a humbler keylogger. The toolset Phoenix has at its disposal has been significantly expanded since then: detection evasion modules and anti-analysis capabilities have been bolted onto the initial keylogger platform to turn it into the infostealer it is today.
The malware is distributed using a message that advertises it as a tool to attack "Russian sites" and claims that the tool will automatically obtain its target websites from a server. The message used to spread the malware calls the archive "Disbalancer.zip".
This is done to mimic the original disBalancer tool launched by a pro-Ukrainian organization. The disBalancer tool is intended, according to its own description, to "target Russian propaganda websites". It's easy to see how someone looking for the original tool may end up downloading the Phoenix payload posing as disBalancer.
Old dog, new tricks
According to the researchers at Cisco, this campaign spreading Phoenix is not the work of hopeful newcomers but is being run by an organized outfit of actors who have been around since late 2021.
The version of Phoenix used in this instance snags cryptocurrency information and credentials from the victim system, then siphons the scraped data to a Russian IP address using port 6666. The exact same pairing of IP and port was used back in November 2021.
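The two observables the report names, a download of an archive called Disbalancer.zip and a subsequent outbound connection to TCP port 6666, are enough for a simple host-level correlation. The script below is an added illustration, not code from Cisco Talos or the campaign; the log formats, hostnames, addresses and the lure URL are constructed, and the real exfiltration IP is not reproduced here.

```python
"""Added example: correlate a download of the Disbalancer.zip lure with a
later outbound connection to TCP 6666 from the same host.
All log lines, hosts, URLs and IP addresses below are constructed."""
import re
from datetime import datetime, timedelta

EXFIL_PORT = 6666                       # port named in the Talos report
LURE_NAME = re.compile(r"disbalancer\.zip", re.IGNORECASE)
WINDOW = timedelta(hours=1)             # download-to-beacon window (assumption)

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>"
PROXY_LOG = """\
2022-03-09T10:01:12Z 10.0.0.21 GET https://lure.example.invalid/Disbalancer.zip 200
2022-03-09T10:02:40Z 10.0.0.22 GET https://docs.example.invalid/report.pdf 200
"""
# Constructed firewall log: "<timestamp> ALLOW TCP <src>:<port> -> <dst>:<port>"
FIREWALL_LOG = """\
2022-03-09T10:03:05Z ALLOW TCP 10.0.0.21:51234 -> 203.0.113.7:6666
2022-03-09T10:03:09Z ALLOW TCP 10.0.0.22:51235 -> 198.51.100.5:443
2022-03-09T14:30:00Z ALLOW TCP 10.0.0.23:51236 -> 203.0.113.7:6666
"""


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def lure_downloads(log):
    """Yield (time, client) for each request whose URL names the lure archive."""
    for line in log.splitlines():
        ts, client, _method, url, _status = line.split()
        if LURE_NAME.search(url):
            yield parse_ts(ts), client


def exfil_connections(log):
    """Yield (time, src_host) for each outbound connection to EXFIL_PORT."""
    for line in log.splitlines():
        m = re.match(r"(\S+) ALLOW TCP (\S+):\d+ -> \S+:(\d+)$", line)
        if m and int(m.group(3)) == EXFIL_PORT:
            yield parse_ts(m.group(1)), m.group(2)


def correlate(proxy_log, fw_log, window=WINDOW):
    """Map host -> 'high' if a 6666 connection follows the lure download within
    `window`, else 'medium' for a 6666 connection with no matching download."""
    downloads = list(lure_downloads(proxy_log))
    verdicts = {}
    for ts, src in exfil_connections(fw_log):
        matched = any(h == src and dts <= ts <= dts + window for dts, h in downloads)
        tier = "high" if matched else "medium"
        if verdicts.get(src) != "high":      # never downgrade an existing 'high'
            verdicts[src] = tier
    return verdicts
```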
The current situation in Ukraine, Russia, and Europe at large offers a lot of opportunities for clever social engineering stunts and the distribution of more malware using simple yet effective tricks and misdirection. Recent phishing campaigns launched by different threat actors targeted European entities dealing with the influx of Ukrainian refugees headed west.