Phoenix Worm goes unnoticed by antivirus scanners
Phoenix Worm acts as a so-called “stager” and is designed to settle into the system unnoticed. The infected computer is assigned a unique identifier. Phoenix Worm then transfers initial system data to a control server and prepares the system for downloading additional malware. The tool itself is initially rather harmless, but it paves the way for far-reaching attacks. Mosyle also points out that antivirus programs on macOS and Linux have so far failed to identify the software. Detection was only possible to a limited extent under Windows.
ShadeStager primarily targets cloud access data
ShadeStager, on the other hand, works differently: the malicious program extracts valuable data from systems that have already been compromised. Mosyle emphasizes, however, that Phoenix Worm and ShadeStager are not related. ShadeStager focuses on developer and cloud environments and collects, among other things, SSH keys and cloud access data for providers such as Amazon Web Services, Azure and Google Cloud. It also takes full browser profiles, exposing saved login details and active sessions.
Take precautionary measures
Since many infections require software to be run locally, special care must be taken with every installation: programs should only come from trustworthy sources. Scripts that require extensive permissions must be checked thoroughly before execution. Access rights must be strictly controlled. It is also recommended to keep the system up to date.
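One way to act on the advice about access rights for the credential stores ShadeStager collects, as an added example that is not part of the original article: the script lists SSH private keys and cloud CLI credential files in a home directory that other local accounts can read. The directory names are assumed default locations for OpenSSH and the AWS, Azure and Google Cloud CLIs, and `build_sample_home` creates constructed placeholder files for a dry run.

```python
import stat
import tempfile
from pathlib import Path

# Assumed default locations of the stores the article names (SSH keys, AWS,
# Azure, Google Cloud CLIs); these paths are not taken from the article.
CREDENTIAL_DIRS = [".ssh", ".aws", ".azure", ".config/gcloud"]

def is_secret(path: Path, store: str) -> bool:
    if store != ".ssh":
        return True  # cloud CLI directories: treat every file as sensitive
    try:
        with path.open("rb") as fh:  # in ~/.ssh only private keys count
            return b"PRIVATE KEY-----" in fh.readline()
    except OSError:
        return False

def audit(home: Path) -> list[tuple[str, str]]:
    """Return (relative path, octal mode) of secrets open to group or other."""
    findings = []
    for store in CREDENTIAL_DIRS:
        root = home / store
        if not root.is_dir():
            continue
        for path in sorted(root.rglob("*")):
            if path.is_symlink() or not path.is_file():
                continue
            mode = stat.S_IMODE(path.stat().st_mode)
            if mode & 0o077 and is_secret(path, store):
                findings.append((str(path.relative_to(home)), format(mode, "04o")))
    return findings

def build_sample_home() -> Path:
    """Constructed home directory holding placeholder, non-functional secrets."""
    home = Path(tempfile.mkdtemp())
    files = {".ssh/id_ed25519": ("-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n", 0o644),
             ".ssh/id_ed25519.pub": ("ssh-ed25519 constructed\n", 0o644),
             ".aws/credentials": ("[default]\n# constructed placeholder\n", 0o640),
             ".config/gcloud/credentials.db": ("constructed placeholder\n", 0o600)}
    for name, (text, mode) in files.items():
        target = home / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
        target.chmod(mode)
    return home

if __name__ == "__main__":
    print(*audit(Path.home()), sep="\n")
```

Run directly, it audits the current user's home directory; each reported file can be tightened with `chmod 600`.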

