Versions of Psixbot Reading Time: 4 minutes

Introduction of PSIXBOT:

PsiXBot is data-stealing trojan capable of harvesting confidential data and passwords from a victim’s computer. It can steal cookies, extract logins/passwords from applications like Firefox and Microsoft Outlook, record the victim’s keystrokes, allow criminals to remotely view/interact with the victim’s desktop, and can even add the victim’s computer to a botnet. It is most often spread via infected email attachments, via online adverts which contain the bot, and via other social engineering methods.

The original PsixBot malware surfaced in November 2017 but underwent significant development before arriving in beta format in 2019.  It has since been developed further and currently stands at version 1.1.0.4 in February 2020:

PsixBot was generated in .NET framework. This blog takes you through the various iterations of PsixBot to illustrate how online criminals constantly update their malware to improve its performance and features.

Behaviour of PsixBot

PsixBot changes the system certificate settings, which gives it virtually unlimited user access rights on the host machine:

Keys added:

KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\636D2838EB7A7F3A8E6B6F7CD035375E7E704248

Values added:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\636D2838EB7A7F3A8E6B6F7CD035375E7E704248\Blob: 02 00 00 ……..

Files added:

C:\Documents and Settings\Administrator\Application Data\

Microsoft\SystemCertificates\My\Certificates\636D2838EB7A7F3A8E6B6F7CD035375E7E704248

Beta 1.0.0

The first version of PsixBot covered in this blog is Beta 1.0.0 with the core class 11. Each class has its individual task. The following basic classes are used in all versions of PsixBot:

  • Servertalk – used to initialize the global variable, create the connection with the mothership server, and send results back and forth.
  • RunInMemory – used to actually execute the file.
  • SysInfo – used to obtain information about the user’s system, including antivirus name, CPU, Windows version, user type and user permissions.
  • CatchEndSession – used to create hidden autoruns.
  • DeleteAttrib – used to kill the system’s antivirus software, Windows Explorer, and any system error alerts.
  • IsAdmin – used to assume membership of the admin group.
  • IsVm – detects the presence of any virtual machines.
  • ResolveBit – used to resolve DNS requests from the user.
  • RC4 – the algorithm used to encrypt and decrypt data.
  • Install – installs the bot file and sets up the file’s security and update modules.

Version 1.0.2

Beta 1.0.2 retained the basic class functionality of the first version, but renamed some of the classes as follows:

  • ServerTalk – renamed as CpWorker
  • RunInMemory – renamed as MemoryModulesWorker
  • SysInfo – renamed as SysHelper

… and added the following class:

  • DNSWorker – used to get the host entry and ping the host to check whether or not it is up.

Version 1.1

Version 1.1 again retained the same class structure as its predecessor but added the following task to the features list:

  • Forfg – used to obtain the path to the temp variable, set the DLL directory and write it to a .dat file:

Version 1.1.0.2

Version 1.1.0.2 saw an update whereby the FORFG feature was combined with the other feature list. All other classes and activities remained the same.

 

 

Version 1.1.0.4

Again, the basic classes remained the same as the previous version but with the addition of the following, important, class

  • GzipWebClient – used to decompress any Gzip files downloaded by the bot:

 

 

 

 

 

Feature List Updates

Threader – Invoke the thread function used to run the file and run it it memory (RunInMemory).

Image

Bot KeyPsixBot has a common, hard-coded key in all versions:

Bot Key

Network Activities– PsixBot initially uses Google DNS then later communicates with its own DNS:

Network Activities

Core Modules per Version

Core Modules

FeautersList per Version

FeautersList

Network Traffic

PsixBot initially connects to Google DNS then connects to its own DNS server at greentowns.hk:

PsixBot

193.32.188.136 (greentowns.hk)

185.98.87.59 (greentowns.hk)

IOC

 

a85e280e24099a2ffb5ea6efbe3fcb6fbc0c8cfa                   09-04-2019        Beta 1.0.0

0956cec17f1a8801042b8e6628f54e3156d05918              26-08-2019        1.0.2

4d3b1bd14ca92609fa8d1a536d814fd0d54c5666              03-02-2020        1.1

a16c7263a36a235db8c71477be3f2442a8a5f894              04-02-2020        1.1.0.2

1e29be939667354a8fe9477179c6851622118e23             12-02-2020        1.1.0.4

 

193.32.188.136(greentowns.hk)

185.98.87.59(greentowns.hk)

 

TEST YOUR EMAIL SECURITY GET YOUR INSTANT SECURITY SCORECARD FOR FREE