When L0rdix slithers in silently, it stays silent to ensure that all commands are performed successfully. The infection constantly communicates with a remote server to transfer data, as well as to receive commands, and these commands are pretty devious. The main task, it seems, is to record personal and sensitive information, which, unfortunately, could help remote attackers hijack your accounts and impersonate you for various reasons. These could include spreading malware further (e.g., from your email account), boosting traffic to certain websites, and even jeopardizing your financial security. However, that is not all that the malicious Trojan is capable of. According to our malware experts, the threat also can use the infected machine for crypto-currency mining. Because your operating system could slow down or even crash during the process, this is when you might start suspecting the invasion of malware. Whether or not you already know that you need to delete L0rdix, continue reading to learn more.
A legitimate malware scanner should help you find out if L0rdix is the threat that requires removal, but do not be surprised if other threats are found to run alongside with this malware. It is not clear how this malware spreads, but it is possible that it could be downloaded by other threats. Once in place, the threat does not waste any time. Before receiving and executing any commands, L0rdix records computer-related data, including the username, the version of the Windows OS, or hardware data. It also can scan the system for antivirus tools, as well as the so-called “anti-analysis” tools. Gathered information – which might include screenshots – is encrypted using AES and then sent to a C&C server. If the environment is right (for example, the threat evades malware analysts’ systems), commands are received, and the real attack begins. The Trojan can add the infected system to a botnet, and our research team warns that this could be used for massive DDoS attacks. Ultimately, because the code of this malicious Trojan is sold on underground forums, it could be used, built, and developed by anyone, and that means that various different versions of L0rdix could exist. That not only complicates the removal of the threat but also its analysis.
It is known that L0rdix has the functionality to download and execute files, capture screenshots, start and end processes, execute commands, and open URLs without the victim’s knowledge. Besides this being used to add the system to a botnet, it could also help the attackers behind it to steal highly sensitive data. For example, the Trojan could steal web cookies and stored data to obtain login information. If that is done successfully, the attackers could, potentially, hijack victims’ accounts and impersonate them. In our case, the recorded data was transferred onto a %TEMP% folder and added to a ZIP archive file before being sent to a remote server. L0rdix functionality might also allow it to monitor the clipboard to look for content related to crypto-currency wallets (e.g., Bitcoin or Monero), and it can mine crypto-currency using the system’s CPU power. According to our research, the file called “attrib.exe” (in %WINDIR%\System32) is employed to facilitate crypto-currency mining. All in all, the Trojan can be built to act in various kinds of ways, and that is what makes it an incredibly malicious and dangerous threat.
During our research, L0rdix created three different copies of itself with three different points of execution in the Task Scheduler. Now, the situation could be completely different in your case, and so you might be unable to remove L0rdix using the instructions below. Hopefully, you are able to identify and delete every single malicious component that belongs to this dangerous malware all by yourself, but do not panic if you are not able to do that. In fact, even experienced users are advised to implement anti-malware software. It will automatically eliminate malware components, and you will not need to look for them yourself. After that, keep the tool installed and updated for it to guarantee full-time protection against dangerous threats that might try to attack in the future. As for which software you should install, remember that the Trojan can circumvent detection, and so you want to employ a tool that will serve you right.
|#||File Name||File Size (Bytes)||File Hash|
|1||syscall.exe||106496 bytes||MD5: 16ecd9a45b27c86ff8f6b84aa722c8ce|
|2||audiohq.exe||106496 bytes||MD5: 16ecd9a45b27c86ff8f6b84aa722c8ce|
|3||srcc.exe||106496 bytes||MD5: 16ecd9a45b27c86ff8f6b84aa722c8ce|
|#||Process Name||Process Filename||Main module size|