L0rdix Trojan

A new multi-functional trojan named L0rdix has been observed for sale on underground forums. It is written for the .NET framework, and the malware appears to be under active development, with its authors promising further capabilities.

At the time of publication it is unclear how L0rdix is being distributed, although purchasers of the malware will most likely deliver it through the usual vectors: spam or phishing campaigns, drive-by downloads or watering-hole attacks. Current versions also contain a module that copies the malware onto removable drives, giving it a means of propagation once a host is infected.

L0rdix has several distinct capabilities, including cryptocurrency mining, botnet enrolment, browser code injection and information theft. Once installed it fingerprints the affected system and connects to a command-and-control server, at which point it starts the removable-drive infection module.

Once executed on the victim's machine, L0rdix gathers a complete system profile and sends it to the server, encrypting the data with AES before transmission.

The malware includes botnet, cryptocurrency-wallet stealing and information-stealer functionality. The wallet component monitors the clipboard for addresses of specific currencies (Bitcoin, Ethereum, Litecoin, Monero, Ripple and Dogecoin), the classic "clipper" technique in which an address copied by the victim is recognised by its format and replaced with one controlled by the attacker before it is pasted.
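The example below, added here and not taken from L0rdix or from the article, shows the two sides of that clipboard trick: how a clipper classifies clipboard text by wallet-address format for the six currencies named above, and the check a defender can run to spot a swap. The address patterns are constructed approximations of the public formats (Base58 legacy addresses, Bech32 for Bitcoin and Litecoin, 0x-prefixed hex for Ethereum), not the rules L0rdix itself uses, which the article does not reproduce. The attacker wallets and sample inputs are constructed too.

```python
import re

# Constructed, illustrative address-format patterns for the six currencies the
# article names. They approximate what a clipboard hijacker keys on; they are
# not L0rdix's own rules, which the article does not reproduce.
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"          # Base58 alphabet: no 0, O, I, l
BECH32 = r"[02-9ac-hj-np-z]"              # Bech32 alphabet: no 1, b, i, o

WALLET_PATTERNS = {
    "bitcoin":  re.compile(rf"^(?:[13]{BASE58}{{25,34}}|bc1{BECH32}{{25,62}})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "litecoin": re.compile(rf"^(?:[LM]{BASE58}{{26,33}}|ltc1{BECH32}{{25,62}})$"),
    "monero":   re.compile(rf"^[48]{BASE58}{{94}}$"),
    "ripple":   re.compile(rf"^r{BASE58}{{24,34}}$"),
    "dogecoin": re.compile(rf"^D[5-9A-HJ-NP-U]{BASE58}{{32}}$"),
}


def classify_wallet(text):
    """Return the currency whose address format `text` matches, else None."""
    candidate = text.strip()
    for currency, pattern in WALLET_PATTERNS.items():
        if pattern.match(candidate):
            return currency
    return None


def clipper_would_swap(clipboard_text, attacker_wallets):
    """Model the clipper's decision: a clipboard value that parses as an
    address of a type the attacker holds a wallet for is replaced; anything
    else is left alone. Returns (new_clipboard_text, swapped_currency)."""
    currency = classify_wallet(clipboard_text)
    if currency in attacker_wallets:
        return attacker_wallets[currency], currency
    return clipboard_text, None


def suspicious_swap(copied, clipboard_now):
    """Defensive check: flag the clipboard when what the user copied and what
    it now holds are two *different* addresses of the *same* currency. That
    is the signature of a clipper; a user changing their mind normally copies
    something that is not an address, or an address of another type."""
    if copied == clipboard_now:
        return False
    before, after = classify_wallet(copied), classify_wallet(clipboard_now)
    return before is not None and before == after


if __name__ == "__main__":
    # Constructed attacker wallets; the values only need to satisfy the formats.
    ATTACKER = {"bitcoin": "1" + "z" * 33, "ethereum": "0x" + "ab" * 20}
    for sample in ["1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", "0x" + "cd" * 20, "hello world"]:
        new, cur = clipper_would_swap(sample, ATTACKER)
        print(f"{sample[:20]:<20} {cur!s:<9} swapped={new != sample} "
              f"suspicious={suspicious_swap(sample, new)}")
```

The defensive check is deliberately narrow: it only fires on a same-currency substitution, which is exactly the case a clipper produces and one a legitimate workflow almost never does. A clipboard-monitoring agent that keeps the last value the user actually copied (the Ctrl+C event) can compare it with the current clipboard contents just before a paste and alert on this condition.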

L0rdix targets the following browsers: Chrome, Kometa, Orbitum, Comodo, Amigo, Torch and Opera, extracting saved login credentials and cookies from each. All of these are Chromium-based, so a single routine that reads the Chromium "Login Data" and "Cookies" SQLite stores covers the whole list.

Affected Platforms:

  • Google Android – All versions
  • Linux Distributions
  • Microsoft Windows – All versions

Note that everything documented on this page (the .NET build, the removable-drive module, the Chromium credential stores and the dropped file paths below) is Windows-specific; nothing described here supports execution on Android or Linux, so treat those two entries with caution.

Indicators Of Compromise

MUTEXES

  • BGalmDZCHNOGlJUELRV
  • UBoyGhYLSOiRMCNupRu
  • xpGTKJUSVbjDqCEPMek

CONTACTED DOMAIN PREFIXES

  • comcast.net
  • test.net

These are apex domains only. comcast.net belongs to a major ISP and test.net is generic, so neither should go on a block list; use them to scope DNS and proxy log searches for the specific host names a sample resolves.

DROPPED PROCESS DETAILS

  • \ProgramData\syscall.exe
  • \Microsoft\Network\srcc.exe
  • \Microsoft\Windows\audiohq.exe
  • \Windows Component\defender.exe

The paths are given without a drive or parent directory, so match on the trailing path components rather than an absolute path.

HASHES (SHA-256)

  • 6acf9095e1f5725380bdac7fd7d1d9f07fdb44daa4682c2c8ef001094252d699
  • 504c6e964c591cd6b4aac5193600058863a5c3c3b9ae7e5756315114fb032a11
  • 9c4780fa358ee65ac1f2361e1e2757f475674145977bfb8a43870538dd6f85ca

As L0rdix is sold as a builder-generated .NET binary, every purchaser's build will hash differently; the hashes identify the analysed samples only, and the mutex names and dropped paths are the more durable indicators.
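The following hunting helper is an added example, not code from the article or from any analysis of L0rdix. It loads the indicators listed above and checks them against constructed inputs of the kind an analyst actually has to hand: Sysmon-style process-creation records (the `Image` and `SHA256` field names are an assumption) and a handle listing in the `\Sessions\1\BaseNamedObjects\<name>` form Windows uses for named mutexes. Paths are matched on their trailing components because the article gives them without a root, and hashes are compared case-insensitively.

```python
import hashlib

# Indicators copied from the article's IOC section.
MUTEXES = {"BGalmDZCHNOGlJUELRV", "UBoyGhYLSOiRMCNupRu", "xpGTKJUSVbjDqCEPMek"}
DROPPED_PATHS = [
    r"\ProgramData\syscall.exe",
    r"\Microsoft\Network\srcc.exe",
    r"\Microsoft\Windows\audiohq.exe",
    r"\Windows Component\defender.exe",
]
SHA256_HASHES = {
    "6acf9095e1f5725380bdac7fd7d1d9f07fdb44daa4682c2c8ef001094252d699",
    "504c6e964c591cd6b4aac5193600058863a5c3c3b9ae7e5756315114fb032a11",
    "9c4780fa358ee65ac1f2361e1e2757f475674145977bfb8a43870538dd6f85ca",
}


def _norm(path):
    """Normalise separators and case so Windows paths compare reliably."""
    return path.replace("/", "\\").lower()


def path_hits(image_path):
    """The article gives dropped paths without a drive or parent directory
    (e.g. \\Microsoft\\Network\\srcc.exe sits under some profile or
    ProgramData root), so match on the trailing components only."""
    p = _norm(image_path)
    return [d for d in DROPPED_PATHS if p.endswith(_norm(d))]


def check_process_event(event):
    """Score one process-creation record (Sysmon-style fields, constructed
    here) against the path and hash indicators. Returns a list of reasons."""
    reasons = []
    for d in path_hits(event.get("Image", "")):
        reasons.append(f"dropped path {d}")
    digest = event.get("SHA256", "").lower()
    if digest in SHA256_HASHES:
        reasons.append(f"known sample hash {digest[:12]}...")
    return reasons


def mutex_hits(handle_lines):
    """Search a handle listing (lines such as
    \\Sessions\\1\\BaseNamedObjects\\<name>) for the article's mutex names."""
    found = []
    for line in handle_lines:
        name = line.rstrip().rsplit("\\", 1)[-1]
        if name in MUTEXES:
            found.append(name)
    return found


def sha256_of(data):
    """Hash bytes the way the article's indicators were produced, so a file
    read from disk can be compared against SHA256_HASHES."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Constructed sample events; the hash on the first one is copied from the IOC list.
    EVENTS = [
        {"Image": r"C:\ProgramData\syscall.exe",
         "SHA256": "6ACF9095E1F5725380BDAC7FD7D1D9F07FDB44DAA4682C2C8EF001094252D699"},
        {"Image": r"C:\Windows\System32\svchost.exe", "SHA256": "00" * 32},
        {"Image": r"C:\Users\alice\AppData\Roaming\Microsoft\Network\srcc.exe",
         "SHA256": "11" * 32},
    ]
    for i, ev in enumerate(EVENTS):
        print(i, ev["Image"], check_process_event(ev) or "clean")
    HANDLES = [r"\Sessions\1\BaseNamedObjects\BGalmDZCHNOGlJUELRV",
               r"\Sessions\1\BaseNamedObjects\SM0:1234:304:WilStaging_02"]
    print("mutexes:", mutex_hits(HANDLES))
```

The third sample event shows why suffix matching matters: the dropper writes `srcc.exe` under a `Microsoft\Network` directory whose parent the article does not name, and an absolute-path rule would miss it. The same suffix logic is easy to over-match with, so keep the full `\Microsoft\Network\srcc.exe` component rather than just the file name.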

Duncan Newell

Duncan is a technology professional with over 20 years' experience in various IT roles. He has an interest in cyber security and a wide range of other skills in radio, electronics and telecommunications.
