What is a Keylogger?
Keyloggers, also called keystroke loggers, are software programs or hardware devices that record the keys struck on the keyboard of an individual computer user or of a network of computers. A keylogger records almost every keystroke the user types and saves it as a text file.
iSpy is a powerful keylogger found in almost every attacker's toolkit; it is sold at a nominal price of $29.95 on flashcrest. It is highly popular and in high demand because it is quite capable of stealing passwords from browsers, instant messengers, mail clients and Skype, of taking screenshots and webcam captures, and of fetching valid keys from applications like MS Office.
iSpy Keylogger Infection and Distribution
iSpy is distributed through spam mails carrying infected applications or documents. These keyloggers are digitally signed with an expired certificate. The sample comprises a crypter that is responsible for delivering the malicious payload. The payload itself has six components, each equipped with a distinct feature: clipboard monitoring, RuneScape (MMO game) PIN logging, keylogging, webcam logging, screen capturing and, of course, accessing and stealing passwords.
The malware was analyzed in detail and found to be packed with VB6. The packer uses an XOR-based method to decrypt the payloads.
It creates an entry under the “SOFTWARE\Microsoft\Windows\CurrentVersion\Run” key in HKLM or HKCU, depending on its configuration settings, so that the malware executes on system startup. It also disables antivirus software.
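The article only says the packer is "XOR-based" and does not publish the key or layout, so the following is an added example, not code from the original analysis or from the iSpy sample: it shows how an analyst recovers a repeating-key XOR'd executable from a packed blob by exploiting the zero padding in a PE image and confirming the candidate key against the DOS header. The key, the key length and the fake PE image are constructed for the demonstration.

```python
"""
Added example (not part of the original article): recovering a payload hidden
with a repeating-key XOR, the generic form of the "XOR-based method" described
above. The real sample's key and layout are not given; the scheme here (short
repeating key, PE payload) is an assumption used to illustrate the technique.
"""
from typing import Optional, Tuple

MZ_HEADER = b"MZ"
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR is its own inverse, so the same call both hides and recovers data."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap plausibility check: MZ signature plus the DOS stub text near the start."""
    return blob.startswith(MZ_HEADER) and DOS_STUB_TEXT in blob[:0x200]


def recover_single_byte_key(blob: bytes) -> Optional[int]:
    """Brute-force all 256 single-byte keys and keep the one yielding a PE."""
    for k in range(256):
        if looks_like_pe(xor_bytes(blob, bytes([k]))):
            return k
    return None


def recover_repeating_key(blob: bytes, key_len: int) -> bytes:
    """Guess each key byte as the most frequent ciphertext byte at that
    position modulo key_len. This works because a PE image is dominated by
    0x00 padding and 0x00 XOR k == k; the caller validates with looks_like_pe()."""
    key = bytearray()
    for pos in range(key_len):
        stream = blob[pos::key_len]
        key.append(max(range(256), key=stream.count))
    return bytes(key)


def unpack(blob: bytes, max_key_len: int = 8) -> Optional[Tuple[bytes, bytes]]:
    """Try key lengths 1..max_key_len and return (key, payload) on the first PE hit."""
    for n in range(1, max_key_len + 1):
        key = recover_repeating_key(blob, n)
        plain = xor_bytes(blob, key)
        if looks_like_pe(plain):
            return key, plain
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for a Windows executable: just enough of the DOS
    header and stub to satisfy looks_like_pe(), followed by zero padding."""
    header = bytearray(0x400)
    header[0:2] = MZ_HEADER
    header[0x3C:0x40] = (0x80).to_bytes(4, "little")   # e_lfanew -> PE header offset
    header[0x4E:0x4E + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    header[0x80:0x84] = b"PE\x00\x00"
    return bytes(header)


SAMPLE_KEY = b"\x37\xa5\x5c"            # constructed; not the real sample's key
PACKED_SAMPLE = xor_bytes(build_fake_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    result = unpack(PACKED_SAMPLE)
    if result:
        key, payload = result
        print(f"recovered key {key.hex()}, payload starts {payload[:2]!r}")
    else:
        print("no PE payload found")
```

The frequency trick fails on payloads without long zero runs (compressed or already encrypted data), which is why every candidate key is checked against the header rather than trusted on its own.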
Other features of iSpy:
- Website blocking (based on hosts file modification)
- File downloading
- Bot killer
- Fake message (displayed every time the malware starts executing)
- Disabler (Taskmgr, Regedit, CMD)
- RuneScape PIN logger (RuneScape is a fantasy MMORPG developed and published by Jagex; a Bank PIN is an in-game security feature that players can use to protect their virtual in-game banks.)
- Run bind file (a file to run along with the malware)
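Two of the behaviours above leave host artifacts a defender can audit without running the sample: the Run-key autorun entry and the hosts-file website blocking. The following is an added example, not code from the article or the malware author, that checks both from exported text (a `reg query` listing and a copy of the hosts file) so it runs offline on any platform. The registry listing, hosts lines, trusted-directory prefixes and protected-domain list are all constructed for the demonstration.

```python
"""
Added example (not part of the original article): defender-side checks for the
two persistence/evasion artifacts described above, an autorun under the Run key
and sinkholed security domains in the hosts file. All sample data is constructed.
"""
import re
from dataclasses import dataclass
from typing import List

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Directories a legitimate autorun binary normally lives in (assumption);
# anything starting elsewhere (user temp, AppData\Roaming, ...) is worth a look.
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)

# Illustrative list of domains an AV-disabling malware would want unreachable;
# a real deployment would use the vendors actually present on the host.
PROTECTED_HOSTS = (
    "windowsupdate.com",
    "update.microsoft.com",
    "virustotal.com",
    "avast.com",
    "kaspersky.com",
)
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass
class Finding:
    source: str    # "run_key" or "hosts"
    item: str      # registry value name or blocked hostname
    detail: str


# Matches one value line of `reg query` output: name, type, data (2+ spaces apart).
_REG_VALUE = re.compile(r"^\s+(?P<name>\S.*?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def executable_from_value(data: str) -> str:
    """Pull the program path out of a Run value's data, handling quoting and arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"^(.*?\.exe)\b", data, re.IGNORECASE)
    return m.group(1) if m else data.split()[0]


def check_run_key(reg_query_output: str) -> List[Finding]:
    """Flag Run values whose executable lives outside the trusted directories."""
    findings = []
    hive = "?"
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            hive = line.strip()
            continue
        m = _REG_VALUE.match(line)
        if not m:
            continue
        exe = executable_from_value(m.group("data")).lower()
        if not exe.startswith(TRUSTED_PREFIXES):
            findings.append(Finding("run_key", m.group("name"), f"{hive}: {exe}"))
    return findings


def check_hosts(hosts_text: str) -> List[Finding]:
    """Flag hosts entries that pin a protected domain to a sinkhole address."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        if ip not in SINKHOLE_IPS:
            continue
        for name in names:
            n = name.lower()
            if any(n == p or n.endswith("." + p) for p in PROTECTED_HOSTS):
                findings.append(Finding("hosts", n, f"pinned to {ip}"))
    return findings


# Constructed sample input: one benign autorun and one from a user-writable path.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    WinUpdate    REG_SZ    C:\Users\alice\AppData\Roaming\Microsoft\winupdate.exe
"""

# Constructed sample hosts file: the localhost lines are normal, the rest are not.
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
::1       localhost
127.0.0.1 www.virustotal.com
0.0.0.0   download.windowsupdate.com  # added by malware
"""

if __name__ == "__main__":
    for f in check_run_key(SAMPLE_REG_QUERY) + check_hosts(SAMPLE_HOSTS):
        print(f)
```

On a live host the same functions take the output of `reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` (and the HKLM equivalent) and the contents of `%SystemRoot%\System32\drivers\etc\hosts`; a path-based allowlist is deliberately coarse, so treat hits as leads to verify (signature, hash, parent process) rather than verdicts.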
“The current sample… uses FTP for sending the stolen data to the attacker. The FTP account – ftp://ftp[.]bhika[.]comxa[.]com – was active at the time of analysis and the credentials are embedded in the file itself,” stated Singh.