L0rdix malware on dark web steals data, mines crypto & enslaves PCs as botnet

There’s a new hacking tool circulating on underground Dark Web forums that lets cybercriminals target Microsoft Windows computers. It has become the newest go-to tool for attacking a Windows machine because it combines data stealing, cryptomining, and snooping capabilities in a single package.

Discovered by Ben Hunter, a security researcher at enSilo, the malware is currently being marketed quite persistently for 4,000 rubles ($60.96) on Dark Web forums. It’s written in .NET and comes with a dashboard that makes it even easier for attackers to compromise a Windows machine.

The malware allows attackers to get full information about the targeted PC. After receiving the required information, the attackers can execute commands, upload files, and perform other malicious activities including uploading mining modules.

Dubbed L0rdix, the multipurpose malware is capable of evading malware analysis tools as well. enSilo researchers explained in their official blog post that:

“[It is] aimed at infecting Windows-based machines, combines stealing and cryptocurrency mining methods, [and] can avoid malware analysis tools.”

It does so by holding a list of names of common malware analysis tools and running WMI queries to check for those strings; a match tells the malware it is running in a virtual environment.

Hunter found that this is a relatively new tool that appears to be still under development, although many of its functions are already implemented. The primary objective behind designing this malware is to mine for cryptocurrency without getting detected. To hinder analysis, the malware is protected with the ConfuserEx obfuscator, while in some samples the .NETGuard obfuscator was also identified.

Moreover, L0rdix performs a variety of standard checks for detecting virtual environments and sandboxes, the main tools security researchers rely on for analyzing malware.

“The less common checks made by L0rdix include searching processes that load sbiedll.dll which belongs to the Sandboxie product, aspiring to increase its chances to avoid running in a simple free virtual environment tool,” explains Hunter.

After infecting a machine, L0rdix collects the OS version, CPU model, device ID, installed antivirus products, and the privileges of the current user. The malware sends this data to the C&C server in encrypted form, along with a screenshot of the machine. L0rdix’s files and configuration settings are then updated on the machine, and it is determined whether cryptomining and data stealing can be performed on the device.

L0rdix also infects removable drives: it copies itself onto the drive disguised with the icons of the existing files and directories while hiding the originals, so that the copy runs when the user double-clicks what looks like their file on any other machine. The malware also copies itself to other locations, such as the scheduled tasks, to maintain persistence. It can enlist the infected PC in a botnet and use it for domain flooding in DDoS attacks.
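The removable-drive trick described above leaves a recognizable footprint: a visible executable whose name shadows a hidden file or folder sitting right next to it on the drive root. The following script is an added example of a defender-side check for that footprint; it is not code from the article or from enSilo. It assumes the lure carries a common executable extension (.exe, .scr or .com) and treats an entry as hidden if it is dot-prefixed or, on Windows, carries FILE_ATTRIBUTE_HIDDEN; the demo drive it builds is constructed sample data, not a real infection.

```python
import stat
import tempfile
from pathlib import Path

# Extensions a lure file would plausibly carry (assumption for this example).
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com"}


def is_hidden(path: Path) -> bool:
    """True if the entry is hidden: dot-prefixed (POSIX convention) or, on
    Windows, carrying the FILE_ATTRIBUTE_HIDDEN attribute."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)  # Windows only
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def find_lure_executables(drive_root):
    """Scan the top level of a (removable) drive for visible executables whose
    name shadows a hidden file or directory beside them.

    Returns a sorted list of (lure_name, hidden_original_name) pairs."""
    root = Path(drive_root)
    hidden_names = {}  # lowercase name variants -> hidden entry name
    executables = []
    for entry in root.iterdir():
        if is_hidden(entry):
            bare = entry.name.lstrip(".")
            # Both "report.docx" and "report" should match a lure's stem
            hidden_names[bare.lower()] = entry.name
            hidden_names[Path(bare).stem.lower()] = entry.name
        elif entry.is_file() and entry.suffix.lower() in EXECUTABLE_SUFFIXES:
            executables.append(entry)

    findings = []
    for exe in executables:
        shadowed = hidden_names.get(exe.stem.lower())
        if shadowed is not None:
            findings.append((exe.name, shadowed))
    return sorted(findings)


def build_demo_drive() -> str:
    """Construct a throwaway directory that mimics an infected drive root.
    This is constructed sample data for the example, not a real infection."""
    root = Path(tempfile.mkdtemp(prefix="usb_demo_"))
    # Hidden originals (dot-prefixed so the demo runs on any OS)
    (root / ".Photos").mkdir()
    (root / ".report.docx").write_bytes(b"original document")
    # Visible lures named after the originals
    (root / "Photos.exe").write_bytes(b"MZ lure")
    (root / "report.docx.exe").write_bytes(b"MZ lure")
    # Benign content that must not be flagged
    (root / "Music").mkdir()
    (root / "setup.exe").write_bytes(b"MZ installer")
    return str(root)


if __name__ == "__main__":
    demo_root = build_demo_drive()
    for lure, original in find_lure_executables(demo_root):
        print(f"suspicious lure {lure!r} shadows hidden entry {original!r}")
```

Point `find_lure_executables` at the mount point of a drive you are inspecting; the check only looks at the drive root, which is where this kind of infection places its copies, and a benign executable such as `setup.exe` with no hidden twin is left alone.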

L0rdix can execute cmd commands, kill specific processes, and upload/execute new payloads. That’s not all; it also monitors the Windows clipboard for strings that look like cryptocurrency wallet addresses and, if found, sends them to the C&C server. Clipboard monitoring covers Monero, Bitcoin, Litecoin, Ripple, Ethereum, and Doge, while Chrome, Amigo, Opera, Orbitum, Comodo, and Torch are the main browsers from which L0rdix extracts cookies.
