- Cisco Talos finds a new malware framework called PS1Bot
- The framework is distributed through malvertising and SEO poisoning
- PS1Bot can serve as an infostealer, keylogger, screen capturer and more
Cisco Talos security researchers have discovered a new malware framework that goes to extra lengths to infect a device.
PS1Bot can log keystrokes, steal cryptocurrency data and persist on the compromised endpoint, among other things, according to the company's report.
Supporting PS1Bot is a malvertising campaign, combined with SEO poisoning, which tricks unsuspecting victims into downloading the malware. Cisco Talos did not say what subject these ads and malicious pages use as a lure, who the typical victims are, or how successful the campaign has been.
Flexible and dangerous
The researchers said that whoever downloads the ZIP file can expect a JavaScript payload that acts as a dropper and retrieves a scriptlet from an external server.
That scriptlet writes a PowerShell script to a file on disk and executes it. The PowerShell script in turn contacts the threat actor's command-and-control (C2) server to obtain additional commands, which turn the malware into whatever is needed at that moment.
The framework can take many forms. It can serve as a reconnaissance tool, sharing details with the attackers about the antivirus programs running on the computer as well as basic system information.
It can serve as a screen-capture tool or keylogger, transmitting screenshots and keystrokes to the C2. It can also function as a wallet grabber, stealing cryptocurrency wallet information. Finally, it can persist on the device through a PowerShell script that launches automatically on reboot.
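One way a defender can hunt for the dropper step described above (a JavaScript file run by a Windows script host spawning PowerShell) is to walk process-creation telemetry for powershell.exe whose parent is wscript.exe or cscript.exe and note which suspicious command-line switches it carries. This is an added example written for this article, not code from Cisco Talos or from PS1Bot; the events, paths and flag patterns below are constructed for illustration.

```python
import re

# Constructed Sysmon-style process-creation events; these are sample records
# written for this example, not telemetry from an actual PS1Bot infection.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 3020, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4312, "ppid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\invoice\setup.js"'},
    {"pid": 4350, "ppid": 4312,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -ep bypass -f C:\Users\u\AppData\Local\Temp\stage.ps1"},
    {"pid": 5000, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Each entry: human-readable reason -> regex over the PowerShell command line.
INDICATORS = {
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "execution policy bypass": re.compile(r"-e(xecution)?p(olicy)?\s+bypass", re.I),
    "encoded command": re.compile(r"-e(nc(odedcommand)?)?\s+\S", re.I),
    "in-line download": re.compile(r"downloadstring|invoke-webrequest|\biwr\b", re.I),
}

def detect_script_host_to_powershell(events):
    """Flag powershell.exe whose parent is a Windows script host (wscript/cscript),
    i.e. the JS-dropper-to-PowerShell step. Each hit records the parent command
    line and which command-line indicators matched, for triage."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("powershell.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or not parent["image"].lower().endswith(SCRIPT_HOSTS):
            continue
        reasons = [name for name, rx in INDICATORS.items() if rx.search(e["cmdline"])]
        hits.append({"pid": e["pid"], "parent_cmdline": parent["cmdline"], "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in detect_script_host_to_powershell(SAMPLE_EVENTS):
        print(f"pid {hit['pid']} spawned by: {hit['parent_cmdline']} -> {hit['reasons']}")
```

The legitimately scheduled backup script (pid 5000) is not flagged because its parent is explorer.exe, so the parent-child relationship, not PowerShell alone, carries the signal.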
“The implementation of the information stealer module takes advantage of word lists embedded in the stealer to enumerate files containing passwords and seed phrases that can be used to access cryptocurrency wallets, which the stealer also attempts to exfiltrate from infected systems,” said Cisco Talos.
“The modular nature of this malware's implementation provides flexibility and allows the rapid deployment of updates or new functionality as needed.”