A new multi-functional trojan, named L0rdix, has been observed being distributed on underground or dark web forums. Based on the .NET framework, it appears that the malware is currently under active development, with the developers aiming to add more capabilities.
At the time of publication, it is unclear how L0rdix is distributed, although it is likely that purchasers of the malware will deliver it via several vectors, including spam or phishing campaigns, drive-by downloads or watering hole attacks. Current versions of L0rdix contain a module for loading itself onto removable devices, providing a means of propagation once a device is infected.
L0rdix has several distinct capabilities including cryptocurrency mining, botnet creation, browser code injection and information theft. Once installed, it will collect a fingerprint of the affected system and connect to a command and control server, at which point it will initiate the removable drive infection module.
Once the L0rdix executed in the victim’s machine it gathers complete system information and transfers to the server by encrypting data using the AES algorithm.
The malware contains Botnet, Crypto wallet stealing and stealer functionality. It monitors clipboard activities for specific wallet types such as Bitcoin, Ethereum, Litecoin, Monero, Ripple and Doge.
L0rdix targets following browsers Chrome, Kometa, Orbitum, Comodo, Amigo, Torch and Opera and extracts login details, also it extracts cookie information from browsers.
- Google Android – All versions
- Linux Distributions
- Microsoft Windows – All versions
Indicators Of Compromise
CONTACTED DOMAIN PREFIXES
DROPPED PROCESS’S DETAILS
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.