- Cisco Talos finds a new malware framework called PS1Bot
- The framework is distributed via malvertising and SEO poisoning
- PS1Bot can be used as an infostealer, keylogger, screen capture tool and more
Cisco Talos security researchers have discovered a brand new malware family which, they say, goes to considerable lengths to infect a device.
PS1Bot can log keystrokes, steal cryptocurrency wallet data and persist on the compromised endpoint, among other capabilities, according to the company's report.
PS1Bot is delivered through a malvertising campaign, as well as SEO poisoning, which lures unsuspecting victims into downloading the malware. Cisco Talos did not say what the malicious ads and pages are themed around, who the typical victims are, or how successful the campaign has been.
Flexible and dangerous
They said that anyone who downloads the zip file can expect a JavaScript payload which acts as a dropper and fetches a script from an external server.
This script writes a PowerShell script to a temporary file and executes it. The PowerShell script, in turn, contacts the threat actor's command-and-control (C2) server and receives additional modules that turn the malware into whatever is needed at the moment.
The framework can take many forms. It can serve as a reconnaissance tool, sharing with the attackers details of the antivirus products running on the machine, as well as basic system information.
It can serve as a screen grabber or keylogger, relaying screenshots and keystrokes to the C2. It can also operate as a wallet stealer, grabbing cryptocurrency wallet information. Finally, it can persist on the device via a PowerShell script that launches automatically at reboot.
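The infection chain and persistence described above leave two host artifacts a responder can look for: a PowerShell script written to a temp directory, and an autorun entry that invokes PowerShell at logon. The following triage script is an added example written for this article, not code from Cisco Talos or from the malware; the directories, registry keys, seven-day window and the `powershell|pwsh|\.ps1` pattern are the author's own assumptions for a generic hunt, not indicators published for this campaign.

```powershell
# Added triage example (not Talos's code). Hunts for the two artifacts described in the report:
#   1. PowerShell / JavaScript files recently written to temp directories (the dropper stage)
#   2. Run/RunOnce keys and Startup-folder items that launch PowerShell (the persistence stage)
# The paths, keys, lookback window and match pattern below are assumptions for a generic hunt,
# not indicators of compromise for PS1Bot.

$LookbackDays = 7                     # assumption: how far back to look for dropped scripts
$Since = (Get-Date).AddDays(-$LookbackDays)
$SuspiciousPattern = 'powershell|pwsh|\.ps1'   # assumption: what a PowerShell-based autorun looks like

# --- 1. Recently written scripts in user and system temp directories ---
$TempDirs = @($env:TEMP, "$env:SystemRoot\Temp") | Where-Object { $_ -and (Test-Path $_) }
$DroppedScripts = foreach ($dir in $TempDirs) {
    Get-ChildItem -Path $dir -Recurse -File -Include *.ps1, *.js, *.jse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        Select-Object FullName, Length, LastWriteTime
}

# --- 2a. Registry autoruns whose command line invokes PowerShell ---
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Metadata properties that Get-ItemProperty attaches to every key; these are not autorun values.
$MetaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$RegistryAutoruns = foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($MetaProps -contains $p.Name) { continue }
        if ("$($p.Value)" -match $SuspiciousPattern) {
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# --- 2b. Startup-folder items (per-user and all-users), resolving .lnk targets ---
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$Shell = New-Object -ComObject WScript.Shell
$StartupAutoruns = foreach ($dir in $StartupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($item in Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue) {
        $target = $item.FullName
        if ($item.Extension -ieq '.lnk') {
            # A shortcut pointing at powershell.exe would otherwise hide behind an innocuous name.
            $lnk = $Shell.CreateShortcut($item.FullName)
            $target = "$($lnk.TargetPath) $($lnk.Arguments)"
        }
        if ($target -match $SuspiciousPattern) {
            [pscustomobject]@{ Location = $dir; Name = $item.Name; Command = $target }
        }
    }
}

"== Script files written to temp directories in the last $LookbackDays days =="
$DroppedScripts | Format-Table -AutoSize
"== Autorun entries that invoke PowerShell =="
@($RegistryAutoruns) + @($StartupAutoruns) | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the HKLM keys and the all-users Startup folder are readable. Any hit is a lead, not a verdict: legitimate software also drops `.ps1` files in temp and registers PowerShell autoruns, so each result needs the script contents and the launching command line reviewed before being treated as PS1Bot activity.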
“The implementation of the information stealer module uses wordlists embedded in the stealer to enumerate files containing passwords and seed phrases that can be used to access cryptocurrency wallets, which the stealer also attempts to exfiltrate from infected systems,” Cisco Talos said.
“The modular nature of this malware's implementation provides flexibility and allows the rapid deployment of updates or new features as needed.”