Ongoing Infostealer Campaign - KcozApp/RoxiApp

Incident Report for Rapid Response Status Page

Resolved

RoxiApp is an emerging threat campaign that initially appears as adware but has significant potential to operate as an info-stealer. Masked as a legitimate application, it is delivered through a ZIP file containing an MSI installer. Once installed, RoxiApp uses a heavily obfuscated PowerShell script to bypass detection and deploy a malicious browser extension.

When RoxiApp successfully executes, it leverages PowerShell to install a browser extension with potent info-stealing capabilities, including:

- Screen Capture
- Clipboard Manipulation - Accesses and alters clipboard data.
- Browsing Activity Tracking - Monitors user browsing behavior, with the potential for further data exfiltration.

The use of PowerShell to create the malicious browser extension demonstrates RoxiApp’s advanced capabilities and highlights its potential to escalate into a highly critical threat.
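The three capabilities listed above map onto browser-extension permissions that a defender can inventory directly. The following triage script is an added example, not code from Team Axon or from this report: it walks a Chromium-style `Extensions` directory, parses every `manifest.json`, and ranks extensions by how many of the report's described capabilities their requested permissions would enable (screen capture, clipboard access, browsing activity tracking), plus whether they hold broad host access. The permission names and the capability mapping are assumptions based on the Chromium extension API, and the sample manifests are constructed for the demonstration.

```python
from __future__ import annotations

import json
import tempfile
from pathlib import Path

# Assumption: Chromium extension permission names grouped by the capability
# they enable. The report names the capabilities, not the permissions.
CAPABILITY_PERMISSIONS = {
    "screen capture": {"desktopCapture", "tabCapture"},
    "clipboard access": {"clipboardRead", "clipboardWrite"},
    "browsing activity tracking": {"tabs", "webNavigation", "history", "webRequest"},
}

# Host patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(manifest: dict) -> dict:
    """Score one manifest by the capabilities its permissions would enable.

    Handles both Manifest V2 (host patterns mixed into `permissions`) and
    Manifest V3 (`host_permissions`) layouts.
    """
    raw = list(manifest.get("permissions", [])) + list(manifest.get("optional_permissions", []))
    api_perms = {p for p in raw if "://" not in p and p != "<all_urls>"}
    hosts = {p for p in raw if p not in api_perms} | set(manifest.get("host_permissions", []))

    capabilities = {
        cap: sorted(api_perms & perms)
        for cap, perms in CAPABILITY_PERMISSIONS.items()
        if api_perms & perms
    }
    broad_host = bool(hosts & BROAD_HOST_PATTERNS)
    return {
        "name": manifest.get("name", "<unnamed>"),
        "capabilities": capabilities,
        "broad_host_access": broad_host,
        # One point per enabled capability, one more for broad host access.
        "score": len(capabilities) + (1 if broad_host else 0),
    }


def scan_extension_dir(root: Path) -> list[dict]:
    """Assess every manifest.json below `root`, highest score first.

    On Windows a typical root is
    %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions (assumed path).
    """
    results = []
    for manifest_path in root.rglob("manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, UnicodeDecodeError, json.JSONDecodeError):
            continue  # unreadable or malformed manifest: skip, do not crash the hunt
        record = assess_manifest(manifest)
        record["path"] = str(manifest_path)
        results.append(record)
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed sample manifests (not real extensions) for a stand-alone run.
SAMPLE_SUSPICIOUS = {
    "name": "Constructed Helper Toolbar",
    "manifest_version": 3,
    "permissions": ["tabs", "clipboardRead", "desktopCapture", "storage"],
    "host_permissions": ["<all_urls>"],
}
SAMPLE_BENIGN = {
    "name": "Constructed Notes",
    "manifest_version": 2,
    "permissions": ["storage", "https://example.invalid/*"],
}


def demo() -> list[dict]:
    """Write the samples into a temp tree and scan it; returns the ranked list."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for ext_id, manifest in (("aaaa", SAMPLE_SUSPICIOUS), ("bbbb", SAMPLE_BENIGN)):
            d = root / ext_id / "1.0_0"
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return scan_extension_dir(root)


if __name__ == "__main__":
    for r in demo():
        print(r["score"], r["name"], r["capabilities"], "broad host:", r["broad_host_access"])
```

Run `scan_extension_dir` against a user's real extension directory to get a shortlist for manual review; a high score is a triage signal, not proof of malice, since legitimate extensions also request these permissions, so corroborate with the PowerShell-driven installation described above before acting.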

IOCs and hunting queries are available in the Axon reports.
Posted Oct 31, 2024 - 12:53 UTC

Investigating

Team Axon has identified an ongoing infostealer campaign, known by multiple names including "KcozApp" and "RoxiApp", during a recent threat-hunting campaign.
This infostealer functions as a loader, distributing malware such as browser hijackers, data stealers, and keyloggers.
Once installed, it can compromise system integrity and data security.

Customers affected have already been notified, and we are closely monitoring this activity.
Team Axon will continue to assess and analyze the campaign, and we will provide further updates, including potential deliverables, as findings emerge.

For any immediate concerns or further assistance, please reach out to us.

Sincerely,
Team Axon
Posted Oct 29, 2024 - 09:27 UTC
This incident affected: Rapid Response.