SafeUM Blog

Axarhöfði 14, 110 Reykjavik, Iceland
29 Mar 2018

'Fauxpersky' malware steals and sends passwords to an attacker's inbox

A newly-discovered keylogger malware has been found infecting computers in the wild. Though the malware is far from advanced, it's efficient at stealing passwords.

Researchers at Cybereason, a Boston, Mass.-based security firm, call the malware "Fauxpersky," as it impersonates the Russian antivirus software Kaspersky.

The keylogger is built on a popular app, AutoHotKey, which lets users write small scripts to automate tasks and compile them into an executable file. In this case, the app was abused to build a keylogger that spreads through USB drives, infects Windows PCs, and replicates itself onto the computer's listed drives. "This malware is by no means advanced or even very stealthy," said researchers Amit Serper and Chris Black, in a detailed blog post, published Wednesday. "However, this malware is highly efficient at infecting USB drives and exfiltrating data from the keylogger through Google directly to the attacker's mailbox," the researchers said.

That's where the malware's functionality gets interesting: once the malware's core files are all running, everything typed on the computer is recorded into a text file named after the active window, giving the malware author a better idea of the context of the keylogged text.

The contents of that text file are exfiltrated from the computer through a Google Form, after which the file is deleted from the disk. Each form response goes directly to the malware author's email inbox. Serper and Black reported the malicious form to Google, which took it down within an hour. When contacted, Google, which may have insight into who built the form, did not comment. (If that changes, we'll update.)

The write-up described how the malware author "didn't put any effort" into making the malware look authentic, such as changing the executable's icon from the AutoHotKey default, and built an unconvincing Kaspersky-style splash screen. When Fauxpersky spreads, it also establishes persistence so that it runs each time Windows boots.

The malware simply creates a shortcut to itself in the Start menu's "Startup" directory. Cybereason didn't say how many machines were infected, but given that the malware spreads through the antiquated method of sharing USB drives, it's unlikely to be widespread.
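As an added illustration, not part of the ZDNet article or Cybereason's analysis, the following Python correlates two of the behaviours described above (a shortcut dropped into the Startup folder and a connection to the Google Forms host from the same non-browser process) over constructed Sysmon-style events; every path, hostname, PID and process name in it is an assumption made for the demo.

```python
"""Correlate two Fauxpersky-style behaviours in constructed Sysmon-like events.

Neither signal is damning alone, but both from one non-browser process is a
strong hunt lead: (1) a .lnk written into the per-user Start Menu "Startup"
folder (persistence) and (2) a connection from that same process to
docs.google.com (the Google Forms host the article names as the exfil path).
All events, paths and process names below are constructed for this example.
"""
import re
from collections import defaultdict

STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
FORMS_HOST = "docs.google.com"
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

# Constructed events: id 11 = FileCreate, id 3 = NetworkConnect (Sysmon numbering).
EVENTS = [
    {"id": 11, "pid": 4242, "image": r"E:\fake-av-installer.exe",  # runs from USB
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\fake-av-installer.lnk"},
    {"id": 3, "pid": 4242, "image": r"E:\fake-av-installer.exe",
     "dest_host": FORMS_HOST, "dest_port": 443},
    {"id": 3, "pid": 5100, "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "dest_host": FORMS_HOST, "dest_port": 443},                   # legit browser
    {"id": 11, "pid": 6000, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Desktop\notes.txt"},              # benign write
]


def find_suspects(events):
    """Return [(pid, image)] for non-browser processes that both dropped a
    Startup-folder shortcut and connected to the Google Forms host."""
    state = defaultdict(lambda: {"image": "", "lnk": [], "forms": False})
    for ev in events:
        rec = state[ev["pid"]]
        rec["image"] = ev["image"]
        if ev["id"] == 11 and STARTUP_LNK.search(ev["target"]):
            rec["lnk"].append(ev["target"])
        elif ev["id"] == 3 and ev.get("dest_host") == FORMS_HOST:
            rec["forms"] = True
    hits = []
    for pid, rec in state.items():
        exe = rec["image"].rsplit("\\", 1)[-1].lower()
        if rec["lnk"] and rec["forms"] and exe not in BROWSERS:
            hits.append((pid, rec["image"]))
    return hits


if __name__ == "__main__":
    for pid, image in find_suspects(EVENTS):
        print(f"suspect pid={pid} image={image}")
```

On real telemetry the same join can be run over Sysmon event IDs 11 and 3 keyed on ProcessId; the browser allow-list only suppresses the obvious false positive and should be tuned per environment.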

Tags: information leaks
Source: ZDNet