Trojan:Script/Phonzy.B!ml Overview

Trojan:Script/Phonzy.B!ml is a generic detection name that Windows Defender uses to mark small malware families. Such malicious programs may have similar behavior and code elements but belong to different groups.

For functionality, Phonzy.B!ml is a scripted dropper malware. Its main purpose is to download and launch the additional malware in a manner that does not require user interaction. However, Phonzy samples are able to collect some basic information regarding the system, like location, OS version, and things the like. A typical payload delivered in Phonzy malware attacks is banking trojans – a specific type of stealers, which aims precisely at online banking information.

Is Phonzy B!ml False Positive?

The deeper look at the naming convention Microsoft uses in its detection names shows that the “!ml” particle stands for “machine learning”, meaning their AI detection engine has detected the file. Despite being highly effective and promising, it requires the confirmation of a signature detection system. Without this confirmation, it is particularly easy to get a lot of false positive detections.

Unfortunately, there is barely a way to distinguish between real and false detections. Modern malware does its best in hiding among legitimate programs and files, so file locations are not informative. That is the reason why I recommend scanning your system with GridinSoft Anti-Malware.

Phonzy.B!ml Technical Analysis

Since Phonzy is a generic detection name, it is rather hard to find a well-known sample to analyze. For that reason, I’ve done a comprehensive analysis of several ones – to have a better understanding of what this malware is capable of. In short – a rather simple dropper that can make a huge mess in the system it infects.

Launch & Unpacking

The majority of Phonzy samples that I’ve encountered arrive in a packed form – encrypted and/or archived. This is usually done for 2 reasons – to avoid the static detection and complicate the analysis. In the case of Phonzy, I’m leaning toward the first option.

To perform the unpacking, Phonzy relies on the script that downloads it to the system. Usually, this is a PowerShell script that pulls the dropper from the intermediary server, and it is also responsible for launching one. A part of it is responsible for unpacking and launching the sample after downloading.

Gathering system information

Once launched, Trojan:Script/Phonzy.B!ml collects basic information about the target system. This may include the operating system version, hardware information, a list of installed programs and devices, and the device’s geolocation. Such information is mostly needed to fingerprint the system, i.e. give it a specific name corresponding to its internals. In addition to system info, some of the Phonzy.B!ml samples were able to take screenshots of the infected device’s screen.

Contacting Command & Control Server

The next step in the attack is contacting the command server. Malware sends an HTTP POST request to the C2, to notify about a new infection and send the collected data. Depending on the server response, malware may switch to idle or start downloading other malware. Overall, the C2 communications for Phonzy is simple and insignificant.

Delivering other malware

The key action of Phonzy Trojan is, obviously, deploying other malware samples to the infected system. It receives the instructions from the C2 in a form of IP address it should pull the payload from, and the way this payload should be launched. Usually, the said IP address corresponds to a compromised website that hackers use as an intermediary server.

For the ways to run the payload, the options are quite typical for droppers. All of the Phonzy samples I’ve analyzed were able to work with DLLs and executable files. The former can be launched through DLL hijacking and a hookup to the system DLL, while the latter is about the regular .exe run.

Self-Propagation to USB Drives

Some of the inspected variants are Phonzy.B!ml were capable of self-propagating via attached flash drives or other removable storage media. This is a rather unusual trick for modern malware, as security vendors elaborated the ways to detect virus-like spreading long ago. Nonetheless, you cannot deny effectiveness – a single infected USB drive is capable of infecting dozens of other systems without even a single click from malware masters.

How To Remove Trojan:Script/Phonzy.B!ml

To remove Phonzy B!ml, I’d recommend using GridinSoft Anti-Malware. The fact that dropper malware can spread a lot of other malware requires using advanced software to remove it all. GridinSoft Anti-Malware will check every little bit of the system and eliminate even the stealthiest malware. Launch a Full scan, wait for it to finish and remove the detections – that will clean up your system.

Safety Recommendations

To avoid infection of your system, it is sufficient to follow basic cyber hygiene. The first rule is to avoid pirated software and sites that distribute it. Cracked software is an ideal shell for malware delivery, so it is not just about being careful – it is about staying away.

Having an advanced protection tool, like Gridinsoft Anti-Malware, is another key to make your system secure. Proactive protection coupled with an AI detection engine will weed out all the attempts of malicious software to get in. Also, its Removable Device Protection feature will block the Phonzy trojan attempting to infect the system via an USB drive.

The post Trojan:Script/Phonzy.B!ml appeared first on Gridinsoft Blog.

Another Proof Collective member, nicknamed Dollar (@knownasdollar on Twitter,) hinted that the scammer had been identified as @DVincent_ through doxxing via an exchange. According to the tweet, the total value of the items stolen by him (her?) reached around $2M.

Dollar and other Proof Collective members have already filed a report to the FBI; however, in his tweet, Dollar gave the crook a chance to avoid jail by delivering the stolen NFTs back.

In the commentaries to Dollar’s message, other users confirmed that the alleged scammer has also tried to lure them into selling NFTs while insisting that the deal had to be stricken on a questionable peer-to-peer exchange.

The Twitter page of @DVincent_ is already inaccessible. Well, of course!

Proof Collective is a mysterious private club of non-fungible tokens collectors founded by Kevin Rose. To become a member, one must own a Proof Collective NFT. The membership fee is high enough to scare off random passers-by: 88 ETC which is more than $200 000, at least it was so in May 2022. Proof Collective is most famous for Moonbirds, a highly-hyped NFT campaign (selling 10 000 owl avatars for 2.5ETC each) launched on April 16, 2022.

The post 29 Moonbirds Stolen via Link Click from a Proof Collective Member appeared first on Gridinsoft Blog.

Security News: Greta Thunberg became the most popular character in phishing campaigns.

What is script-based malware?

To understand how someone can run a script-based attack on a computer, we must know what scripts are. They are sets of commands for a system to execute. Users employ them to automatize processes that they would otherwise perform manually. Programmers and advanced users create scripts in scripting languages. Those can be, roughly speaking, general-purpose (such as JavaScript, Python, and PHP), OS-oriented (like PowerShell and AppleScript), and there are also special script languages for particular applications and environments.

The scripts are neither malicious files nor the main content of files they inhabit. Instead, they are the documents’ allowable components, legal and, in theory, beneficial to the user. Scripts are not compiled. That means they are interpreted and executed by the software environment ad hoc without previous translation into machine code. For AppleScript, for example, such an environment is an Apple operating system. And for cross-system JavaScript (if it is about website construction), any modern web browser can serve as an interpreting environment.

The script-based hacker attacks are obviously the cyber-crimes that use scripts as a primary tool.

Related: “Malware” vs. “virus”.

What is so worrying about the script-based attacks?

First of all, scripts are not files, as we already mentioned. Antivirus programs have a hard time detecting them, or better to say: they are useless against scripts. It is so because modern security software focuses on detecting and removing malicious files. Thus, in the case of script-based attacks, we are dealing with ghostly malware, invisible to antivirus programs.

Another important thing is that scripts are generally hard to detect. They exist in primary memory, soon to be overwritten or erased. It is actually possible to find the origin of a script if criminals inaccurately leave traces, but why would they do that.

How can an attacker execute malware through a script?

Let’s make it clear: we are not talking about malicious scripts tied to websites (Cross-Site Scripting), which are more or less studied and covered by browser and antivirus security systems. Files fitted with simple yet treacherous scripts constitute a new problem. These are the files whose formats antivirus software lets through by default, not regarding as dangerous: PDF, Word, e-books, HTML applications, and others.

Simple JavaScript code usually employed in files like these can add various practical functions, like making PDF documents signable or featuring a fillable questionnaire. But the script can have a malicious purpose as well. In case of a script-based attack, it most likely will be a set of commands to download any other malware that harms for real. Ransomware, for instance, is the most lucrative type of attack for hackers. The crooks only expect a user to open a file to run the script or, in some cases, to allow macros therefor.

Script-stuffed files can also be downloaded items you are trusty about since they update programs you already have. At least, you believe so. These can be plug-ins, add-ons, and so on. Yes, the UAC will ask whether you really want to download this file, but this always happens, and we tend to ignore such warnings. If the criminals manage to cheat you – consider they also cheated your security software. By the way, various untrustworthy PDF-readers and their plug-ins are one of the most dangerous programs in terms of script-based attack menace.

The script-based attacks mostly endanger Windows systems exploiting vulnerabilities of Command Prompt and PowerShell, the in-built automation tools. However, neither Android, iOS, nor even Linux is safe.

How to protect yourself and your workgroup?

The weakness of script-based malware is that it has to be run by the user. Therefore, the best protection is to be cautious and avoid unknown downloads. Remember that PDF, Word, and other data files can contain a malicious script. These bogus files are most likely to arrive via e-mail or messengers in letters sent seemingly by someone you trust – usually services-providing organizations. Be especially wary of reports from delivery companies like FedEx. Since a postal delivery is pretty believable to be unexpected, hackers often use this disguise for their phishing mail. Before downloading any attachments from suspicious senders, triple-check the source and the message itself. If you are attentive enough, you will find a mistake in the address line, your name, or the text itself.

In workgroups, it makes sense to separate those computers that need to run scripts from those that can do without them. The former should maintain extreme vigilance and advisably deploy zero-trust policy antivirus software, which is for the moment presented by Windows 11 Defender. It has many issues, but it seriously jeopardizes the plans of malefactors who go in for script-based attacks.

Script-fitted files can spread rapidly via the injured network using the same vulnerabilities of Windows elements they use to deliver their malicious payload. General security measures, such as file backup and network separation, are also a must to minimize the destructive effect of any successful cyber-attack.

Consider reading: Slow PC. Possible causes and how to fix them.

The post Script-based malware. How to stay protected? appeared first on Gridinsoft Blog.