Security firm Proofpoint says it has seen early evidence of new sextortion malware that drops a dedicated “pornmodule” onto a target’s computer.
The malware, PsiXBot – a Remote Access Trojan, or RAT – contains a dictionary of pornography-related keywords.
If an open window title matches one of them, it records audio and video on the infected machine, saves the recording with a “.avi” extension and sends it to its command and control servers, Proofpoint said in a quarterly report.
The malware is a step up from typical sextortion scams, which rely on social engineering to blackmail targets out of funds by threatening to release evidence of potentially embarrassing online activity.
“This module appears incomplete,” Proofpoint said, however.
“[It] will likely be modified in future releases. We will continue to monitor this activity both in PsiXBot and in the broader landscape.”
Rise of both Sextortion Malware and URL-based Malware
Among Proofpoint’s other key findings: volumes of banking Remote Access Trojans (RATs) rose 55 percent on the previous quarter.
Ransomware remained “virtually absent” as a primary payload in malicious emails, the Sunnyvale, California-based company said, “with the exception of smaller campaigns generally distributing Troldesh and Sodinokibi”.
Threat actors also increasingly used the Keitaro Traffic Distribution System (TDS) in both malvertising and URL-based email attacks, “building on the trend of more complex attack chains and redirections to hide their activities and exploit multiple vectors, including exploit kits.”
TDSs like Keitaro are software and service packages that intelligently route web traffic; while a legitimate service, Keitaro is widely abused by malvertisers, Proofpoint said, catching the service redirecting users to either Fallout or RIG EK, “ultimately leading to potential infections with malware strains including:
- AZORult (sometimes downloading ServHelper)
- Predator the Thief downloading some CoinMiner
- KPOT
- SystemBC
- Osiris
- Chthonic
- Vidar Stealer
- Amadey downloading Danabot “40”
- Amadey downloading Vidar
- Gootkit
- Onliner”
Also worryingly for users, Proofpoint notes a growing trend towards the use of secure certificates on fraudulent websites (used for URL attacks): “Over 26 percent used an SSL certificate, up from 20 percent at last report in Q1. This contributes dramatically to social engineering around these domains as users have been conditioned to look for the padlock icon as a sign of security and safety as they browse.”