What is a Keylogger?

Keyloggers, also called keystroke loggers, are software programs or hardware devices that record the keys struck on the keyboard of an individual computer or of a network of computers. A keylogger records almost every keystroke the user types and typically saves the result to a text file.

iSpy Monitoring

iSpy is a powerful keylogger found in almost every attacker's toolkit; it is sold at a nominal price of $29.95 on flashcrest. It is highly popular and in demand because it is quite capable: it steals passwords from browsers, instant messengers, mail clients and Skype, takes snapshots from the webcam, and can also recover product keys from applications such as MS Office.

iSpy Keylogger Infection and Distribution

iSpy is distributed through spam emails carrying infected applications or documents. The keylogger binaries are digitally signed with an expired certificate. The package consists of a crypter that is responsible for delivering the malicious payload. The payload itself has six components, each with a different feature: clipboard monitoring, RuneScape (MMO game) PIN logging, keylogging, webcam logging, screen capturing and, of course, accessing and stealing passwords.

Installation:

The malware was analyzed in detail: the sample is packed with VB6, and the packer uses an XOR-based routine to decrypt the embedded payloads.
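The XOR unpacking step, as an added illustration that is not code from the original article or from the iSpy sample itself: the page only says the packer uses an XOR-based routine, so this assumes the simplest form, a single repeating key byte, and recovers that key by known plaintext, because a dropped PE payload has to start with "MZ" and carry a "PE\0\0" signature at the offset stored at 0x3C. The "payload" here is a constructed fake PE stub, not a real executable, and the key 0x5A is an arbitrary choice for the demonstration.

```python
import struct
from itertools import cycle
from typing import Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; a one-byte key is the degenerate case."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE sanity check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew (dword at 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_single_byte_key(blob: bytes) -> Optional[int]:
    """Known-plaintext attack: if the hidden payload is a PE its first byte is 'M',
    so a single-byte key must be blob[0] ^ 'M'. The PE check rejects false positives."""
    if len(blob) < 0x40:
        return None
    key = blob[0] ^ ord("M")
    return key if looks_like_pe(xor_bytes(blob, bytes([key]))) else None


def unpack(blob: bytes) -> Optional[bytes]:
    """Return the decrypted payload, or None if no single-byte key yields a PE."""
    key = recover_single_byte_key(blob)
    return None if key is None else xor_bytes(blob, bytes([key]))


def build_fake_pe(body: bytes) -> bytes:
    """Constructed stand-in for a dropped payload (not a real executable): a 0x40-byte
    DOS stub whose e_lfanew points straight at a PE signature, followed by `body`."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew -> right after the stub
    return bytes(stub) + b"PE\x00\x00" + body


# Constructed test data: the plaintext payload and what a packer would embed in the
# dropper after XOR-ing it with the (assumed) key byte 0x5A.
PAYLOAD = build_fake_pe(b"constructed payload body")
PACKED = xor_bytes(PAYLOAD, b"\x5a")

if __name__ == "__main__":
    print("recovered key: %#x" % recover_single_byte_key(PACKED))
    print("round trip ok:", unpack(PACKED) == PAYLOAD)
```

A real packer may use a multi-byte rolling key or a key derived from elsewhere in the binary; the same known-plaintext idea still works with the first 0x40 bytes of a standard DOS stub as the crib, which is why `xor_bytes` accepts a key of any length.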


Persistence

It creates an entry under the "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" key in HKLM or HKCU, depending on its configuration settings, so that the malware executes at system startup. It also disables antivirus software.
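To turn that persistence note into something a responder can run, here is an added example (not code from the article or from the tool it describes) that parses a `reg export` dump of the Run and RunOnce keys in both hives and flags the entries worth looking at first. The registry text is constructed sample data, and the heuristics (executable in a user-writable directory, a Windows system binary name outside C:\Windows, a RunOnce entry) are generic triage signals, not anything specific to iSpy.

```python
import re
from typing import List, NamedTuple, Tuple

# Run / RunOnce keys in either hive, as they appear as section headers in a .reg file
RUN_KEY_RE = re.compile(
    r"^\[(?P<hive>HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\SOFTWARE\\Microsoft\\Windows"
    r"\\CurrentVersion\\(?P<key>Run|RunOnce)\]$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# Locations a non-admin user can write to; legitimate autostarts usually live elsewhere
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Names that belong under C:\Windows; anywhere else they are masquerading
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


class RunEntry(NamedTuple):
    hive: str
    key: str
    name: str
    command: str


def unescape_reg_string(data: str) -> str:
    # .reg escaping: a backslash escapes a following quote or backslash (left to right)
    return re.sub(r'\\(["\\])', r"\1", data)


def executable_path(command: str) -> str:
    """Pull the executable out of a Run value: a quoted path, or everything up to the first .exe."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.strip()


def parse_run_entries(reg_export: str) -> List[RunEntry]:
    """Walk a decoded .reg text and collect values under Run/RunOnce in HKLM and HKCU."""
    entries, current = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = RUN_KEY_RE.match(line)
            current = (m.group("hive"), m.group("key")) if m else None
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append(RunEntry(current[0], current[1], m.group("name"),
                                    unescape_reg_string(m.group("data"))))
    return entries


def assess_entry(entry: RunEntry) -> List[str]:
    """Reasons an autostart entry deserves a look; an empty list means nothing odd."""
    path = executable_path(entry.command).lower()
    reasons = []
    if any(marker in path for marker in USER_WRITABLE):
        reasons.append("executable lives in a user-writable directory")
    base = path.rsplit("\\", 1)[-1]
    if base in SYSTEM_BINARY_NAMES and not path.startswith("c:\\windows\\"):
        reasons.append("mimics a Windows system binary name outside C:\\Windows")
    if entry.key.lower() == "runonce":
        reasons.append("RunOnce entry (self-removing autostart)")
    return reasons


def find_suspicious_run_entries(reg_export: str) -> List[Tuple[RunEntry, List[str]]]:
    flagged = []
    for entry in parse_run_entries(reg_export):
        reasons = assess_entry(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


# Constructed sample: what `reg export` of the two hives' Run keys could look like (not a real host).
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"VBoxTray"="C:\\Windows\\system32\\VBoxTray.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"svchost"="\"C:\\Users\\alice\\AppData\\Roaming\\svchost.exe\""
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe -s"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Users\\alice\\AppData\\Local\\Temp\\cleanup.exe"
'''

if __name__ == "__main__":
    for entry, reasons in find_suspicious_run_entries(REG_EXPORT):
        print(f"{entry.hive}\\...\\{entry.key} {entry.name!r}: {'; '.join(reasons)}")
```

`reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` writes UTF-16LE with a byte-order mark, so open the file with `encoding="utf-16"` before passing the text to `parse_run_entries`. Treat the path heuristic as a triage signal rather than a verdict: some legitimate per-user installs (OneDrive is a common one) also autostart from AppData, so an allowlist of known-good entries belongs in front of it.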

Other features of iSpy:

  • Website blocking (based on hosts file modification)
  • File downloading
  • Bot killer
  • Fake message (displayed every time the malware starts)
  • Disabler (Taskmgr, Regedit, CMD)
  • RuneScape PIN logger (RuneScape is a fantasy MMORPG developed and published by Jagex; a Bank PIN is an in-game security feature that players use to protect their virtual in-game banks)
  • Run bind file (a file to run alongside the malware)

iSpy Interface


“The current sample… uses FTP for sending the stolen data to the attacker. The FTP account – ftp://ftp[.]bhika[.]comxa[.]com – was active at the time of analysis and the credentials are embedded in the file itself,” stated Singh.
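Hard-coded FTP credentials are the kind of indicator an analyst carves out of the dropper before ever running it. The following is an added example, not code from the article or from the researcher's tooling: it pulls ASCII and UTF-16LE strings out of a byte blob, parses any ftp:// URL with an embedded user:password, and defangs the host for reporting in the same bracketed style as the quote above. The sample blob and the hosts in it (ftp.example.net, ftp.example.org) are constructed.

```python
import re
from typing import List, NamedTuple, Optional

# Printable ASCII runs and UTF-16LE ("wide") runs of at least 6 characters, like `strings -a` / `-el`
ASCII_STR_RE = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_STR_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# ftp://[user[:password]@]host[:port]
FTP_URL_RE = re.compile(
    r"ftp://(?:(?P<user>[^:@/\s]+)(?::(?P<password>[^@/\s]*))?@)?"
    r"(?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d+))?",
    re.IGNORECASE,
)


class FtpCredential(NamedTuple):
    user: Optional[str]
    password: Optional[str]
    host: str
    port: Optional[int]
    source: str  # the raw string the credential was carved from


def extract_strings(blob: bytes) -> List[str]:
    """ASCII strings first, then wide strings, in file order within each class."""
    found = [m.group().decode("ascii") for m in ASCII_STR_RE.finditer(blob)]
    found += [m.group().decode("utf-16le") for m in WIDE_STR_RE.finditer(blob)]
    return found


def find_ftp_credentials(blob: bytes) -> List[FtpCredential]:
    creds = []
    for s in extract_strings(blob):
        for m in FTP_URL_RE.finditer(s):
            port = int(m.group("port")) if m.group("port") else None
            creds.append(FtpCredential(m.group("user"), m.group("password"),
                                       m.group("host"), port, s))
    return creds


def defang(host: str) -> str:
    """ftp.example.net -> ftp[.]example[.]net so the indicator is not clickable in a report."""
    return host.replace(".", "[.]")


def report(blob: bytes) -> List[str]:
    """One defanged line per credential; the password itself is never written out."""
    return [
        f"{c.user or '<anonymous>'}@{defang(c.host)}:{c.port or 21} "
        f"(password {'present' if c.password else 'absent'})"
        for c in find_ftp_credentials(blob)
    ]


# Constructed sample: a few bytes of header-like filler, an ASCII FTP URL with credentials,
# a wide path, non-printable filler, and a second URL stored as UTF-16LE. Not a real binary.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"ftp://dropper:Sup3rS3cret@ftp.example.net/uploads/" + b"\x00" * 8
    + "C:\\Users\\victim\\AppData\\keys.txt".encode("utf-16le") + b"\x00\x00"
    + bytes(range(0x80, 0xA0))
    + "ftp://backup:pass@ftp.example.org:2121".encode("utf-16le") + b"\x00\x00"
)

if __name__ == "__main__":
    for line in report(SAMPLE_BINARY):
        print(line)
```

Credentials found this way are the first thing to hand to the blue team: the host is a network indicator to block and hunt for in proxy and firewall logs, and, as the quote notes, an account that is still live at analysis time is also evidence worth preserving before the provider takes it down.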


Guru Baran
