

L0rdix is a multipurpose remote access tool (RAT) that was first discovered being sold on underground criminal forums in November 2018. Shortly after its discovery, Ben Hunter of enSilo analysed the RAT's functionality. Although L0rdix's author set the price of the RAT at 4000 RUB (64 USD), for many cyber criminals even this was too high a price. In June 2019, a cracked version of the RAT's builder and admin panel began circulating through underground forums.

Figure 1 – Advert for a cracked copy of the L0rdix RAT panel and builder on an underground forum in June 2019.

I was especially curious about the admin panel, and whether an analysis of it would lead to a better understanding of L0rdix and potentially improve its detection in the wild.

The admin panel consists of three components: an HTTP web server for the operator to administer their bots, a pre-made MySQL database for storing data from infected systems, and PHP scripts to send bot commands, process data received from bots and interface with the database. By default, the URI of the L0rdix panel login page is webserver.tld/admin_login. Unlike many other RATs, L0rdix's login page is simple and does not advertise its namesake.

Figure 3 – The main dashboard of the L0rdix panel.

By querying the panel's MySQL database it was possible to understand the types of data L0rdix steals from its victims and its default configuration settings, and to make an assessment of the sophistication of the malware. In the case of L0rdix, its database contains the seven tables shown in figure 4, indicating that this RAT is not particularly complex.

Figure 4 – Tables in the MySQL database for the L0rdix panel.
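The default login path is the one piece of the panel that a defender can hunt for in web or proxy logs. The script below is an added example written for this page, not code from the original post or from the L0rdix panel itself: it parses Combined Log Format lines, normalises the request target (absolute-URL targets from forward proxies as well as origin-form paths, trailing slashes, letter case and query strings) and flags requests to `/admin_login` or the same name with a file extension, then summarises hits per client so that a POST (a credential submission) stands out from a GET. The log lines are constructed for the example; the hostname `panel.example` and the assumption that an operator might serve the page as `admin_login.php` are mine. The path is only the default and can be renamed by the operator, and `admin_login` is a generic name, so a hit is a lead for further investigation rather than a conviction.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Default login path of the L0rdix panel as described on the page. Operators
# can rename it, so the absence of a hit is not evidence that no panel exists.
DEFAULT_PANEL_LOGIN_PATH = "/admin_login"

# Combined Log Format (Apache/nginx). The target may be a full URL when the
# line comes from a forward proxy, or a plain path from an origin server.
_CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample log (not real traffic). Lines 1-3 should match,
# line 4 is a near miss that must not match, line 5 is unrelated.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2019:10:01:02 +0000] "GET http://panel.example/admin_login HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jun/2019:10:01:09 +0000] "POST http://panel.example/admin_login HTTP/1.1" 302 0 "http://panel.example/admin_login" "Mozilla/5.0"
10.0.0.7 - - [12/Jun/2019:10:02:30 +0000] "GET /admin_login.php?next=%2F HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jun/2019:10:03:00 +0000] "GET /admin_login_history HTTP/1.1" 404 512 "-" "curl/7.64.0"
10.0.0.9 - - [12/Jun/2019:10:03:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "curl/7.64.0"
"""


def request_path(target):
    """Normalise a request target to a lower-case path without query or trailing slash."""
    path = urlsplit(target).path or "/"
    return path.rstrip("/").lower() or "/"


def is_panel_login(target):
    """True if the target is the default panel login path, optionally with an extension
    (e.g. admin_login.php, an assumption about how the PHP page may be exposed)."""
    path = request_path(target)
    return path == DEFAULT_PANEL_LOGIN_PATH or path.startswith(DEFAULT_PANEL_LOGIN_PATH + ".")


def find_panel_logins(lines):
    """Return (client, method, target, status) for every parsable line that hits the login path."""
    hits = []
    for line in lines:
        m = _CLF.match(line)
        if m and is_panel_login(m["target"]):
            hits.append((m["client"], m["method"], m["target"], int(m["status"])))
    return hits


def summarise(hits):
    """Count hits per client and HTTP method; a POST is a credential submission."""
    per_client = defaultdict(lambda: defaultdict(int))
    for client, method, _target, _status in hits:
        per_client[client][method] += 1
    return {client: dict(methods) for client, methods in per_client.items()}


if __name__ == "__main__":
    hits = find_panel_logins(SAMPLE_LOG.splitlines())
    for hit in hits:
        print("possible L0rdix panel login:", hit)
    print(summarise(hits))
```

Run it over real access or proxy logs by feeding the file's lines to `find_panel_logins`; lines that do not parse as Combined Log Format are skipped rather than crashing the scan, so a mixed log is safe to pass in whole.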
