November 8, 2019

“Sextortion” Malware Evolves to Actually Record Target’s Audio and Video

Hackers attempting to gather "evidence" before blackmailing...

By CBR Staff Writer

Security firm Proofpoint says it has seen early evidence of new sextortion malware that drops a dedicated “pornmodule” onto a target’s computer.

The malware, PsiXBot – a Remote Access Trojan, or RAT – contains a dictionary with pornography-related keywords.

If an open window matches the text, it records audio and video on the infected machine, saves it with a “.avi” extension and sends it to command and control servers, Proofpoint said in a quarterly report.

The malware is a step up from typical sextortion scams, which rely on social engineering to blackmail targets out of funds by threatening to release evidence of potentially embarrassing online activity.

“This module appears incomplete,” Proofpoint said, however.

“[It] will likely be modified in future releases. We will continue to monitor this activity both in PsiXBot and in the broader landscape.”

Rise of both Sextortion Malware and URL-based Malware

Among Proofpoint’s other key finds: volumes of banking Remote Access Trojans (RATs) rose 55 percent on the previous quarter.


Ransomware remained “virtually absent” as a primary payload in malicious emails, the Sunnyvale, California-based company said, “with the exception of smaller campaigns generally distributing Troldesh and Sodinokibi”.


Threat actors also increasingly used the Keitaro Traffic Distribution System (TDS) in both malvertising and URL-based email attacks, “building on the trend of more complex attack chains and redirections to hide their activities and exploit multiple vectors, including exploit kits.”

TDSs like Keitaro are software and service packages that intelligently route web traffic; while a legitimate service, Keitaro is widely abused by malvertisers, Proofpoint said, catching the service redirecting users to either Fallout or RIG EK, “ultimately leading to potential infections with malware strains including:

A typical sextortion email.

Also worryingly for users, Proofpoint notes a growing trend towards the use of secure certificates on fraudulent websites (used for URL attacks): “Over 26 percent used an SSL certificate, up from 20 percent at last report in Q1. This contributes dramatically to social engineering around these domains as users have been conditioned to look for the padlock icon as a sign of security and safety as they browse.”

