New VIPKeyLogger Via Weaponized Office Documenrs Steals Login Credentials

The VIPKeyLogger infostealer, exhibiting similarities to the Snake Keylogger, is actively circulating through phishing campaigns. 

Delivered as attachments disguised as archives or Microsoft 365 files, it employs malicious Microsoft Office documents to spread through command-and-control (C2) infrastructure. 

It targets sensitive data, including login credentials, financial information, system data, and personally identifiable information, posing a significant threat to compromised systems.

The analysis reveals that the malicious document, initially appearing as a file related to CVE-2017-11882, is an RTF file. Dissecting the file uncovers encoded content within the objdata section. 

While extracting and analyzing this data reveals further object references, ultimately resolving to a URL, which serves as the download source for a malicious executable, indicating that the RTF document acts as a delivery mechanism for the malware.

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

Removing blank lines and whitespaces from an object within the “InfoStealers-wild-image-8” artifact allowed for the recovery of a URL: “http[:]//87[.]120.84.39/txt/xXdqUOrM1vD3An[.]exe,” which  was used to download a malicious .NET compiled file. 

Upon further inspection with DnSpy, it was discovered that this file, regardless of its actual filename, dynamically loads with the name “skkV[.]exe,” which indicates potential obfuscation techniques employed by the malware.

This malware, disguised as a seemingly harmless image file (“vmGP”), utilizes steganography to conceal malicious code within the image data. 

Upon execution, the code within the MainForm() class extracts and decodes the hidden payload and then proceeds to collect sensitive information from the infected system, including system details, clipboard content, screenshots, browsing history, and cookies. 

The information that has been gathered is then transferred to a Telegram bot, which is then transmitted to DuckDNS servers that are randomly generated.

A keylogger, delivered via phishing emails with malicious attachments, exploits user interaction to infiltrate a system. Upon execution, it establishes persistence by dropping files in system folders. 

The malware then exfiltrates sensitive data, including keystrokes, clipboard content, screenshots, browsing history, cookies, and email credentials, which is transmitted to a Command & Control (C2) server hosted on Dynamic DuckDNS via Telegram, enabling attackers to remotely monitor and control the compromised system.

Forcepoint protects customers against this threat by blocking malicious attachments at the lure stage, and suspicious URLs that attempt to download further payloads are also blocked during the redirect phase. 

It identifies and blocks dropper files by adding them to its malicious database, and the platform effectively mitigates command-and-control communication by blocking associated credentials, hindering the attacker’s ability to maintain persistent control over compromised systems.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free