
Cybercrime: PsiXBot malware has evolved with a Porn Module


Proofpoint: cybercrime actors have updated the PsiXBot malware again, this time with a really dangerous “Porn Module”

PsiXBot malware is evolving again, adding a very dangerous “Porn Module”. It has been discovered by Proofpoint cyber security experts, who are tracking the malicious code and the cybercrime actor behind it. According to the researchers, there is also a change in the DNS resolution technique: the malware now uses Google’s DNS over HTTPS (DoH) service. “We observed samples exhibiting this behavior as dropped payloads via the Spelevo Exploit Kit,” the company wrote on its blog. “These newer samples (later versions 1.0.2 and 1.0.3) now contain hard-coded C&C domains to be resolved with Google’s DoH service.” This allows attackers to hide the DNS query for the C&C domain inside HTTPS traffic. Unless SSL/TLS is being inspected with a Man in the Middle (MitM) proxy, the DNS queries for the C&C server will go unnoticed.
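Without TLS inspection a defender cannot see which domain a DoH query resolves, but the fact that a non-browser process talks to a public DoH resolver is still visible in flow or proxy logs. The following is an added example (not code from Proofpoint or from the article) that flags such flows; the JSON log format, the field names and the browser allow-list are assumptions for this demonstration, and the sample records are constructed.

```python
"""Flag HTTPS flows to Google's public DoH resolver from unexpected processes."""
import json

# Google's documented public DoH endpoints.
DOH_SNI = {"dns.google", "dns.google.com"}
DOH_IPS = {"8.8.8.8", "8.8.4.4"}
# Processes expected to use DoH legitimately (assumed allow-list for this example).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}


def is_doh_flow(rec):
    """True for a port-443 flow to a DoH resolver, matched by TLS SNI or address."""
    return rec.get("dst_port") == 443 and (
        rec.get("sni", "").lower() in DOH_SNI or rec.get("dst_ip") in DOH_IPS
    )


def suspicious_doh(records):
    """Return (process, sni-or-ip) pairs for DoH flows not made by a browser."""
    hits = []
    for rec in records:
        if is_doh_flow(rec) and rec.get("process", "").lower() not in BROWSERS:
            hits.append((rec["process"], rec.get("sni") or rec["dst_ip"]))
    return hits


def parse_log(text):
    """Parse JSON-lines flow records (assumed log format), skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample flow records for a stand-alone run.
SAMPLE_LOG = """
{"process": "chrome.exe", "dst_ip": "8.8.8.8", "dst_port": 443, "sni": "dns.google"}
{"process": "update.exe", "dst_ip": "8.8.8.8", "dst_port": 443, "sni": "dns.google"}
{"process": "outlook.exe", "dst_ip": "40.97.1.1", "dst_port": 443, "sni": "outlook.office365.com"}
{"process": "svchost.exe", "dst_ip": "8.8.4.4", "dst_port": 443, "sni": ""}
"""

if __name__ == "__main__":
    for proc, dst in suspicious_doh(parse_log(SAMPLE_LOG)):
        print(f"DoH from unexpected process {proc} -> {dst}")
```

The second and fourth constructed records are flagged; a real deployment would tune the allow-list to the processes that legitimately use DoH in that environment.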

The cyber security experts: the Porn Module allows attackers to capture audio and video on the infected machine if a window title matches pornography-related keywords contained in a dictionary inside the malware

According to the cyber security experts, the features of version 1.0.3 are largely the same as in previously analyzed versions, but it now contains a newly observed module called “PornModule”. This module, whose assembly name is “chouhero”, is likely designed for blackmail and sextortion purposes. Similar to functionality observed recently in other malware campaigns, it contains a dictionary of pornography-related keywords used to monitor the titles of open windows. If a window title matches one of the keywords, the module begins to record audio and video on the infected machine. Once recorded, the video is saved with a “.avi” extension and sent to the C&C server. Typically, such recordings are used for extortion. Of note, the malware uses the Windows DirectShow library to capture audio and video. The module appears incomplete and will likely be modified in future releases, but it is already dangerous.

PsiXBot could lead to a revolution in sextortion and blackmail cyber attacks, even if the cybercriminals were not able to capture sensitive content

The “Porn Module” could be a revolution in cybercrime attacks and sextortion. Until now, crooks have sent huge volumes of emails in malspam campaigns, threatening to publish private videos if the victims did not pay a ransom. But those were scams: the blackmailers had no information or recordings at all. In the near future this could change thanks to the new features of the PsiXBot malware, even if the attackers were not able to steal any “adult” material but only ordinary footage. A few frames of a user in front of the computer would be enough to generate panic, and cyber criminals could exploit that leverage to boost their income and spread chaos across the Net.
