As cunning as a F0xy: The new ‘smart’ malware full of stealth and trickery

There's a new piece of malware in town, and this one employs cunning stealth and trickery to use a victim’s computer for its own benefit.

The malware was noticed by Websense, and they named it ‘f0xy’. I’m guessing it’s because the malware is as cunning as a fox?

F0xy, as the Websense blog explains, “is able to dynamically change its command-and-control (C&C), and download and execute arbitrary files”.

The malware’s tactics include leveraging the Russian social network VKontakte and employing Microsoft's Background Intelligent Transfer Service to download files.

The goal of the malware is to download a crypto-currency miner called CPUMiner, and then use the infected machine as a miner and potentially make the developer a rich, rich man.

“Websense Security Labs have observed f0xy downloading a 64-bit version of the crypto-currency miner CPUMiner. The miner is executed by f0xy”, writes Websense, and adds that the owner can assign ‘workers’ that can pool together and “mine on behalf of a user’s account”.

“The more machines infected by f0xy and mining under this worker name, the more potential crypto-currency can be mined for the cybercriminal.”

Carl Leonard, Principal Security Analyst at Websense, says this discovery highlights how sophisticated cybercriminals have become when they want someone to download and execute files so they can get their hands on some cash.

In 2015 we will see more malware hiding in the noise of legitimate traffic, he added.

“The primary function of f0xy is to act as a downloader and potentially any virus could be dropped by the malicious code. Right now the malware is lying low, scouting out its surroundings and testing the weak barriers but it carries a serious malicious threat,” says Leonard.

“The nature of f0xy fits the Websense Security Labs prediction that this year we will see more malware hiding in the noise of legitimate traffic, with malware authors increasingly migrating to legitimate websites to hide their malicious activity and avoid detection.”

So far, Websense hasn’t seen any evidence in its customer base of an attempt to infect a machine with f0xy, but that doesn’t mean it won’t happen in the near future.