VERSIONS OF PSIXBOT

Reading Time: 4 minutes

Introduction of PSIXBOT:

PsiXBot is data-stealing trojan capable of harvesting confidential data and passwords from a victim’s computer. It can steal cookies, extract logins/passwords from applications like Firefox and Microsoft Outlook, record the victim’s keystrokes, allow criminals to remotely view/interact with the victim’s desktop, and can even add the victim’s computer to a botnet. It is most often spread via infected email attachments, via online adverts which contain the bot, and via other social engineering methods.

The original PsixBot malware surfaced in November 2017 but underwent significant development before arriving in beta format in 2019. It has since been developed further and currently stands at version 1.1.0.4 in February 2020:

PsixBot was generated in .NET framework. This blog takes you through the various iterations of PsixBot to illustrate how online criminals constantly update their malware to improve its performance and features.

Behaviour of PsixBot

PsixBot changes the system certificate settings, which gives it virtually unlimited user access rights on the host machine:

Keys added:

KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\636D2838EB7A7F3A8E6B6F7CD035375E7E704248

Values added:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\636D2838EB7A7F3A8E6B6F7CD035375E7E704248\Blob: 02 00 00 ……..

Files added:

C:\Documents and Settings\Administrator\Application Data\

Microsoft\SystemCertificates\My\Certificates\636D2838EB7A7F3A8E6B6F7CD035375E7E704248

Beta 1.0.0

The first version of PsixBot covered in this blog is Beta 1.0.0 with the core class 11. Each class has its individual task. The following basic classes are used in all versions of PsixBot:

Servertalk – used to initialize the global variable, create the connection with the mothership server, and send results back and forth.
RunInMemory – used to actually execute the file.
SysInfo – used to obtain information about the user’s system, including antivirus name, CPU, Windows version, user type and user permissions.
CatchEndSession – used to create hidden autoruns.
DeleteAttrib – used to kill the system’s antivirus software, Windows Explorer, and any system error alerts.
IsAdmin – used to assume membership of the admin group.
IsVm – detects the presence of any virtual machines.
ResolveBit – used to resolve DNS requests from the user.
RC4 – the algorithm used to encrypt and decrypt data.
Install – installs the bot file and sets up the file’s security and update modules.

Version 1.0.2

Beta 1.0.2 retained the basic class functionality of the first version, but renamed some of the classes as follows:

ServerTalk – renamed as CpWorker
RunInMemory – renamed as MemoryModulesWorker
SysInfo – renamed as SysHelper

… and added the following class:

DNSWorker – used to get the host entry and ping the host to check whether or not it is up.

Version 1.1

Version 1.1 again retained the same class structure as its predecessor but added the following task to the features list:

Forfg – used to obtain the path to the temp variable, set the DLL directory and write it to a .dat file:

Version 1.1.0.2

Version 1.1.0.2 saw an update whereby the FORFG feature was combined with the other feature list. All other classes and activities remained the same.