Fenix

Malware

⚠️ Overview

Fenix is a remote access trojan (RAT) first documented in early 2023 by Israeli cybersecurity company Cybereason, attributed to a financially motivated threat cluster tracked as TA444—a subgroup of the notorious Silence group—operating out of Russia and targeting financial institutions and cryptocurrency exchanges globally.

🔧 Technical Capabilities

Fenix propagates via spear-phishing emails carrying weaponized Microsoft Office documents whose VBA macros drop the payload. The malware establishes persistence by creating a scheduled task named “SdService” and a registry run key under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Its command-and-control (C2) infrastructure uses a domain generation algorithm (DGA) seeded with the current date to evade static blocking; communication is encrypted over HTTPS with a custom TLS certificate. Fenix employs process hollowing to inject itself into legitimate processes such as svchost.exe and uses anti-debugging techniques, including NtSetInformationThread calls, to hide from analysis tools. It also records keystrokes via a custom hook and captures clipboard data to steal cryptocurrency wallet addresses.

📜 History & Notable Incidents

Fenix first appeared in January 2023. In March 2023 Cybereason documented a campaign against European financial institutions that, according to its report published in April 2023, leveraged the CVE-2023-23397 Microsoft Outlook privilege escalation vulnerability (the vulnerability was used elsewhere in the same campaign chain, not by Fenix itself). No major high-profile victim names have been publicly disclosed; however, the group is linked to earlier Silence campaigns that stole over $4 million from Russian banks between 2016 and 2018. Law enforcement has not taken action specifically against Fenix operators, but Europol has issued alerts on Silence-related activity.

🔍 Detection Indicators

Known file hashes include SHA256 2a3e1c5d8f7b9a4e6c1d2f3a5b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5 (for a sample captured by Cybereason) and the mutex name Global\FenixMutex_2023. Network indicators include HTTP POST requests to domains matching the pattern *.fenix-c2[.]xyz and the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36 FenixRAT. Persistence can also be detected via the scheduled task name “SdService” and the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SdService.
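The persistence artefacts from the Technical Capabilities section and the host and network indicators above can be matched against endpoint telemetry in a few lines. The following is an editor-added example, not Cybereason's YARA rules or Boteraser's tooling: it takes the indicators exactly as the page lists them (hash, mutex, task name, both spellings of the run key, the C2 domain pattern and the FenixRAT User-Agent token) and runs them over constructed JSON-lines telemetry. The event schema (one object per line with a "type" field) is a simplification I made up for the example, not a real Sysmon or EDR format.

```python
"""Indicator triage for the Fenix RAT artefacts listed on this page.
Editor-added example, not Cybereason's YARA rules or Boteraser's tooling.
The telemetry schema (one JSON object per line with a "type" field) is a
constructed simplification, not a real Sysmon or EDR event format."""
import json
from fnmatch import fnmatchcase

# Indicators copied from the page. The hash is reproduced verbatim.
FENIX_SHA256 = "2a3e1c5d8f7b9a4e6c1d2f3a5b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5"
FENIX_MUTEX = r"Global\FenixMutex_2023"
FENIX_TASK = "SdService"
FENIX_C2_GLOB = "*.fenix-c2.xyz"   # page gives it defanged as *.fenix-c2[.]xyz
FENIX_UA_MARKER = "FenixRAT"       # trailing token of the documented User-Agent


def canonical_reg(path):
    """Fold hive aliases and case so both spellings on the page compare equal."""
    p = path.replace("HKEY_LOCAL_MACHINE", "HKLM").replace("HKEY_CURRENT_USER", "HKCU")
    return p.lower()


# The page lists the run key under HKCU (capabilities) and HKLM\...\Run\SdService
# (indicators); treat an "SdService" value under either hive's Run key as a hit.
FENIX_RUN_VALUES = {canonical_reg(k) for k in (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SdService",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SdService",
)}


def refang(name):
    """Undo defanging so indicators pasted from reports match real log data."""
    return name.replace("[.]", ".").lower()


def match_event(event):
    """Return the indicator names this event matches (empty list if none)."""
    hits = []
    kind = event.get("type")
    if kind == "file" and event.get("sha256", "").lower() == FENIX_SHA256:
        hits.append("known_sha256")
    elif kind == "mutex" and event.get("name") == FENIX_MUTEX:
        hits.append("fenix_mutex")
    elif kind == "scheduled_task" and event.get("name") == FENIX_TASK:
        hits.append("sdservice_task")
    elif kind == "registry" and canonical_reg(event.get("path", "")) in FENIX_RUN_VALUES:
        hits.append("sdservice_run_key")
    elif kind in ("http", "dns"):
        if fnmatchcase(refang(event.get("host", "")), FENIX_C2_GLOB):
            hits.append("fenix_c2_domain")
        if FENIX_UA_MARKER in event.get("user_agent", ""):
            hits.append("fenix_user_agent")
    return hits


def triage(log_text):
    """Scan JSON-lines telemetry; return [(line_no, computer, hits)] for matching lines."""
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # a malformed line should not abort the whole scan
        hits = match_event(event)
        if hits:
            findings.append((line_no, event.get("computer", "?"), hits))
    return findings


# Constructed sample telemetry mixing Fenix artefacts with benign activity.
SAMPLE_EVENTS = [
    {"type": "scheduled_task", "computer": "ws-17", "name": "SdService"},
    {"type": "scheduled_task", "computer": "ws-17", "name": "OneDrive Standalone Update Task"},
    {"type": "registry", "computer": "ws-17",
     "path": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SdService"},
    {"type": "registry", "computer": "ws-21",
     "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth"},
    {"type": "http", "computer": "ws-17", "method": "POST", "host": "update.fenix-c2.xyz",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36 FenixRAT"},
    {"type": "http", "computer": "ws-21", "method": "GET", "host": "www.example.com",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/109.0.0.0 Safari/537.36"},
    {"type": "mutex", "computer": "ws-17", "name": r"Global\FenixMutex_2023"},
    {"type": "file", "computer": "ws-17", "sha256": FENIX_SHA256},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for line_no, computer, hits in triage(SAMPLE_LOG):
        print(f"line {line_no} {computer}: {', '.join(hits)}")
```

Exact-string indicators like these are cheap to evade by recompiling, so in practice they should sit alongside behavioural detections (process hollowing, unsigned binaries writing Run values) rather than replace them; the value of the script is fast retro-hunting across existing logs once a report is published.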

☠️ Risk & Impact

Fenix enables full remote control of infected systems, leading to data exfiltration of banking credentials, cryptocurrency wallet private keys, and sensitive financial documents. The primary impact is financial theft: Cybereason’s report noted that TA444 has stolen over $10 million across multiple campaigns targeting banks in Europe and the Middle East. The malware is also used to facilitate wire fraud and cryptocurrency heists, with a particular focus on the financial sector, including fintech firms and crypto exchanges.

🛡️ Mitigation

Defensive measures include blocking email attachments with macros from external senders, enforcing multi-factor authentication on financial accounts, and deploying endpoint detection and response (EDR) rules to flag process hollowing attempts. Cybereason provides free YARA rules for Fenix detection, and organizations should apply Microsoft’s patch for CVE-2023-23397 to close the initial access vector used in related campaigns. Network traffic to DGA-generated domains should be blocked via DNS sinkholing.
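The last recommendation, sinkholing DNS lookups for DGA-generated domains, is easiest to reason about as a response policy in front of the resolver. The example below is editor-added and is not Cybereason's or Boteraser's code; it combines the one C2 pattern the page gives (*.fenix-c2[.]xyz) with a feed-supplied blocklist and a coarse entropy heuristic for unknown names. The sinkhole address, the blocklist entries, the allowlist suffixes and the upstream resolver table are all constructed placeholders, and the entropy threshold is a generic tuning value, not something derived from Fenix's actual DGA, which the page does not describe.

```python
"""DNS response policy for sinkholing Fenix C2 lookups.
Editor-added example, not Cybereason's or Boteraser's code. SINKHOLE_IP,
DGA_BLOCKLIST, ALLOWLIST_SUFFIXES and UPSTREAM_TABLE are constructed
placeholders; the entropy threshold is a generic heuristic, not Fenix's DGA."""
import math
from collections import Counter
from fnmatch import fnmatchcase

SINKHOLE_IP = "10.255.255.1"           # constructed: internal host that logs and drops traffic
KNOWN_C2_GLOBS = ("*.fenix-c2.xyz",)   # from the page, refanged from *.fenix-c2[.]xyz
# Constructed placeholders standing in for the day's DGA output from a threat-intel feed.
DGA_BLOCKLIST = {"placeholder-dga-0001.example", "placeholder-dga-0002.example"}
# Constructed: domains never sinkholed no matter how random their labels look.
ALLOWLIST_SUFFIXES = (".windowsupdate.com", ".corp.example")
ENTROPY_BITS = 3.5    # coarse heuristic threshold; tune against your own traffic
MIN_LABEL_LEN = 12


def shannon_entropy(text):
    """Bits per character of the label's character distribution."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def normalise(qname):
    """Lower-case, strip the trailing dot and undo report-style defanging."""
    return qname.rstrip(".").lower().replace("[.]", ".")


def classify(qname):
    """Decide what the resolver should do with a query name.
    Returns (action, reason) where action is 'sinkhole', 'review' or 'allow'."""
    name = normalise(qname)
    if any(name.endswith(s) for s in ALLOWLIST_SUFFIXES):
        return "allow", None
    if any(fnmatchcase(name, g) for g in KNOWN_C2_GLOBS):
        return "sinkhole", "known Fenix C2 pattern"
    if name in DGA_BLOCKLIST:
        return "sinkhole", "feed-listed DGA domain"
    labels = name.split(".")
    # DGA output normally lives in the registrable label, so score the longest label below the TLD.
    candidates = labels[:-1] or labels
    label = max(candidates, key=len)
    ent = shannon_entropy(label)
    if len(label) >= MIN_LABEL_LEN and ent >= ENTROPY_BITS:
        # Heuristics only earn a review flag, never an outright block.
        return "review", f"high-entropy label {label!r} ({ent:.2f} bits)"
    return "allow", None


def resolve(qname, upstream, audit_log):
    """Apply the policy: sinkholed names get SINKHOLE_IP, everything else goes upstream.
    Sinkholed and review-flagged lookups are appended to audit_log for the SOC."""
    action, reason = classify(qname)
    if action != "allow":
        audit_log.append((normalise(qname), action, reason))
    if action == "sinkhole":
        return SINKHOLE_IP, action
    return upstream(normalise(qname)), action


# Constructed stand-in for the upstream resolver (TEST-NET addresses).
UPSTREAM_TABLE = {"www.example.com": "203.0.113.10", "xk3q9vz7p2mwh4.top": "198.51.100.7"}


def fake_upstream(name):
    return UPSTREAM_TABLE.get(name, "0.0.0.0")


if __name__ == "__main__":
    log = []
    for q in ("update.fenix-c2.xyz", "www.example.com",
              "xk3q9vz7p2mwh4.top", "placeholder-dga-0001.example"):
        print(q, "->", resolve(q, fake_upstream, log))
    for entry in log:
        print("AUDIT", entry)
```

The sinkhole answer matters as much as the block: pointing the name at an internal listener that records the source host turns every beacon attempt into an inventory of infected machines, which is what makes sinkholing more useful than a plain NXDOMAIN response.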


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.