Take a Look at L0rdix, The Super Malware Toolkit of 2018
Hacking tools have been publicly downloadable for decades. Many are open source, cost nothing, and can be learned simply by running them. They also tend to be specialised: some are built for network penetration, some for memory acquisition, others for extracting password hashes.
Occasionally, however, a single tool is released that bundles functions previously spread across several separate tools. The latest is L0rdix, a .NET-based malware toolkit aimed at the power users and the curious of the cybercriminal community, and it is offered for sale.
“L0rdix, currently available for purchase in underground forums, is aimed at infecting Windows-based machines, combines stealing and cryptocurrency mining methods, can avoid malware analysis tools and is designed to be a universal “go-to” tool for attackers. Indicators suggest the tool is still under development and we expect to encounter more sophisticated versions,” said Ben Hunter, EnSilo’s Malware Intelligence Analyst.
Unlike much comparable malware, L0rdix is built to refuse to run inside a virtual machine: it checks whether it is executing under a hypervisor or alongside analysis tooling and terminates if it is. “L0rdix goes to great lengths to avoid being executed in virtual environments and analyzed by common malware analysis tools. While employing simple checks such as scanning for common monitoring tool names, such as “procmon”, it also uses WMI queries and registry keys to search for strings that indicate being run under a virtual environment. The less common checks made by L0rdix include searching processes that load sbiedll.dll which belongs to the Sandboxie product, aspiring to increase its chances to avoid running in simple free virtual environment tools,” explained Hunter.
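The checks quoted above, re-implemented as an added example in Python (this is not enSilo's code and not L0rdix's): a function takes a snapshot of a host's process list, the DLLs each process has loaded, a few Win32_ComputerSystem properties and a registry value, and reports which indicators such a sample would react to. Apart from "procmon" and sbiedll.dll, which the report names, the tool names, hypervisor strings and registry path are assumptions chosen for illustration, and the two snapshots are constructed rather than captured. Fed a lab VM's real data (from `tasklist /m`, `wmic computersystem` and `reg query`), it shows what would have to be hidden before a sample with these checks will run.

```python
# Added example (not enSilo's or L0rdix's code): emulate the analysis-environment
# checks the report attributes to L0rdix against host snapshots, so a lab VM can be
# checked for the indicators such a sample would react to. Indicator strings other
# than "procmon" and "sbiedll.dll" are assumptions chosen for illustration.
from dataclasses import dataclass, field

# Tool names as they appear in a process list (without .exe). Only "procmon" is
# named in the report; the others are assumed additions.
MONITOR_PROCESS_NAMES = {"procmon", "procmon64", "wireshark", "x64dbg", "ollydbg"}

# Substrings that commonly identify a hypervisor in WMI or registry data (assumed).
VM_MARKERS = ("vmware", "virtualbox", "vbox", "qemu", "xen", "hyper-v", "kvm")


@dataclass
class Process:
    pid: int
    name: str
    modules: list = field(default_factory=list)  # DLLs loaded by the process


@dataclass
class HostSnapshot:
    processes: list
    wmi_computersystem: dict  # properties of Win32_ComputerSystem
    registry: dict            # "HKLM\\...\\ValueName" -> data


def check_environment(snap: HostSnapshot) -> list:
    """Return human-readable indicators; an empty list means the host looks real."""
    findings = []
    for proc in snap.processes:
        base = proc.name.lower()
        if base.endswith(".exe"):
            base = base[:-4]
        if base in MONITOR_PROCESS_NAMES:
            findings.append(f"monitoring tool running: {proc.name} (pid {proc.pid})")
        # Sandboxie injects SbieDll.dll into every process it confines.
        if any(mod.lower() == "sbiedll.dll" for mod in proc.modules):
            findings.append(f"Sandboxie DLL loaded in {proc.name} (pid {proc.pid})")
    for prop, value in snap.wmi_computersystem.items():
        hit = next((m for m in VM_MARKERS if m in str(value).lower()), None)
        if hit:
            findings.append(f"WMI Win32_ComputerSystem.{prop} mentions {hit!r}: {value}")
    for path, data in snap.registry.items():
        hit = next((m for m in VM_MARKERS if m in str(data).lower()), None)
        if hit:
            findings.append(f"registry {path} mentions {hit!r}: {data}")
    return findings


# Constructed snapshots (not captured from a real host).
STOCK_VM = HostSnapshot(
    processes=[
        Process(4, "System"),
        Process(1234, "Procmon64.exe", ["ntdll.dll", "kernel32.dll"]),
        Process(2222, "notepad.exe", ["ntdll.dll", "SbieDll.dll"]),
    ],
    wmi_computersystem={"Manufacturer": "innotek GmbH", "Model": "VirtualBox"},
    registry={r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "VBOX   - 1"},
)
BARE_METAL = HostSnapshot(
    processes=[Process(4, "System"), Process(980, "explorer.exe", ["ntdll.dll"])],
    wmi_computersystem={"Manufacturer": "Dell Inc.", "Model": "OptiPlex 7050"},
    registry={r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "DELL   - 1072009"},
)

if __name__ == "__main__":
    for label, snap in (("stock VM", STOCK_VM), ("bare metal", BARE_METAL)):
        hits = check_environment(snap)
        print(f"{label}: {'sample would exit' if hits else 'sample would run'}")
        for line in hits:
            print("  -", line)
```

The process-name check is the easiest to defeat (rename the tool), and the Sandboxie check only matters if Sandboxie is in use; the WMI and registry strings are what usually force analysts onto bare metal or onto a VM whose BIOS and device strings have been patched.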
Researchers who want to observe L0rdix's full behaviour therefore need a lab host that does not show these indicators, which in practice often means real hardware. Virtual machines are the usual sandbox for detonating malware, and L0rdix sidesteps that setup with the checks described above. It uses standard Windows facilities such as WMI (Windows Management Instrumentation) to identify the hardware it is running on. It also carries a USB-infecting module that spreads via removable drives, so even an air-gapped machine is not immune.
“The USB infecting module maps all the connected removable devices, and for each file and directory it changes their attributes to hidden and copies itself with their name and icon instead. All of this is done to make sure that the malware will execute by the user double-clicking it on another machine. The configurations file contains a list of tuples of (name, location) which L0rdix will copy itself to,” emphasized Hunter.
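An added example in Python (not enSilo's code and not L0rdix's) of the check an incident responder would run against a suspect removable drive: look for the on-disk pattern described above, an original file or folder that has been made hidden next to a visible executable that borrowed its name, and then confirm that the decoys are all copies of the same binary. The exact decoy naming (`report.docx` becoming `report.docx.exe` or `report.exe`) and the set of executable extensions are assumptions; the directory listing below is constructed, not taken from an infected drive.

```python
# Added example (not enSilo's or L0rdix's code): detect the "hide the original,
# drop a same-named executable" pattern on a removable drive. Decoy naming and the
# executable extensions are assumptions; the sample listing is constructed.
import hashlib
import os
import stat
from collections import Counter
from dataclasses import dataclass

EXECUTABLE_EXTS = (".exe", ".scr", ".com")  # assumed set of decoy extensions


@dataclass
class Entry:
    name: str
    hidden: bool
    is_dir: bool
    sha256: str = ""  # content hash; empty for directories


def _decoy_bases(name):
    """Names a decoy might carry for an original called `name`: the full name
    ("report.docx" -> "report.docx.exe") or its stem ("report.docx" -> "report.exe")."""
    stem = os.path.splitext(name)[0]
    return [name] if stem == name else [name, stem]


def find_decoys(entries):
    """Return (hidden_original, visible_decoy) name pairs found in one directory."""
    visible_exes = {
        e.name.lower(): e
        for e in entries
        if not e.hidden and not e.is_dir and e.name.lower().endswith(EXECUTABLE_EXTS)
    }
    pairs = []
    for e in entries:
        if not e.hidden:
            continue
        for base in _decoy_bases(e.name):
            for ext in EXECUTABLE_EXTS:
                decoy = visible_exes.get((base + ext).lower())
                if decoy is not None:
                    pairs.append((e.name, decoy.name))
    return pairs


def shared_decoy_hash(entries, pairs):
    """Every decoy is a copy of the one payload, so the most common hash among the
    decoys (and how many share it) is the strongest single signal. (None, 0) if no pairs."""
    by_name = {e.name: e for e in entries}
    counts = Counter(by_name[decoy].sha256 for _, decoy in pairs)
    if not counts:
        return None, 0
    return counts.most_common(1)[0]


def scan_directory(path):
    """Build Entry objects from a real directory. The hidden attribute exists only on
    Windows; elsewhere dotfiles are treated as hidden so the function still runs."""
    entries = []
    for de in os.scandir(path):
        attrs = getattr(de.stat(), "st_file_attributes", 0)
        hidden_flag = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)
        hidden = bool(attrs & hidden_flag) or de.name.startswith(".")
        digest = ""
        if de.is_file():
            with open(de.path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
        entries.append(Entry(de.name, hidden, de.is_dir(), digest))
    return entries


# Constructed listing of a drive root after infection (placeholder hashes).
MALWARE_HASH = "a" * 64  # the one payload every decoy is a copy of
INFECTED_USB = [
    Entry("Photos", hidden=True, is_dir=True),
    Entry("Photos.exe", hidden=False, is_dir=False, sha256=MALWARE_HASH),
    Entry("report.docx", hidden=True, is_dir=False, sha256="1" * 64),
    Entry("report.docx.exe", hidden=False, is_dir=False, sha256=MALWARE_HASH),
    Entry("budget.xlsx", hidden=True, is_dir=False, sha256="2" * 64),
    Entry("budget.exe", hidden=False, is_dir=False, sha256=MALWARE_HASH),
    Entry("setup.exe", hidden=False, is_dir=False, sha256="3" * 64),  # no hidden twin
]

if __name__ == "__main__":
    pairs = find_decoys(INFECTED_USB)
    for original, decoy in pairs:
        print(f"hidden {original!r} shadowed by {decoy!r}")
    digest, count = shared_decoy_hash(INFECTED_USB, pairs)
    print(f"{count} decoys share hash {digest}")
```

To run it on a mounted drive, replace `INFECTED_USB` with `scan_directory(r"E:\")` on the analysis host; the lone `setup.exe` is reported only if a hidden `setup` or `setup.*` sits beside it, which keeps ordinary installers out of the results.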
At the time of writing, the known sub-modules of L0rdix are:
- USB Infecting Module
- Virtual Machine detection module
- Botnet module
- Crypto wallet theft module
- Password Logging module
- Cryptominer functionality
Its author is expected to keep refining L0rdix and adding functionality beyond the current version. “While it’s very easy to notice that most of the effort was put into evading virtual environments and analysis tools along with implementing the stealing module, L0rdix still presents unfinished modules and weak implementation details such as simple encryption or simple data handling between the server and the client. Those indicators might suggest that the tool is still under development. We can expect to see more sophisticated versions of L0rdix in the future or the indicators are evidence of an inexperienced malware author,” concluded Hunter.
Kevin Jones
Kevin Jones, Ph.D., is a research associate and a cyber security author with experience in penetration testing, vulnerability assessments, monitoring solutions, surveillance and offensive technologies. Currently, he is a freelance writer on the latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.