Hackers have been targeting the Windows OS since its inception, drawn by the operating system's vulnerabilities and its widespread use across continents. L0rdix is the new entrant among a slew of vulnerability scanning and exploitation tools that have become most hackers' favourites on the dark web.
Its primary aim is to infect Windows machines, combining the theft and mining of cryptocurrencies on host systems. It can easily bypass traditional malware analysis tools, including some of the major ones from Malwarebytes and Windows' own Defender.
The application, however, is still under development, with features continuously being added. These features make it even stronger than previously built tools, as they bypass traditional analysis through an array of methods that previously had to be implemented manually. It uses the ConfuserEx obfuscator, and some samples have been tweaked using the more robust NETGuard obfuscator.
The application also targets virtual machines, since researchers widely use them to reverse engineer the program as part of malware analysis and to trace its more sophisticated flows. It uses a number of checks for sandbox environments and registry keys to help maintain its stealth.
The malware is built with the intention of being auto-upgradable through its internal applications and modules. Its five core modules can separately auto-update and structure themselves to suit the host environment. Once the malware enters a Windows machine, it collects all information and sends it to a central server along with a screenshot of the machine. L0rdix then copies itself to all irremovable drives so it can spread quietly without being noticed by malware analysis programs. Most of the commonly used icons are replaced by L0rdix's malware, ensuring that once the user clicks on any of the icons the malware is automatically executed, infecting the system as a whole.