A newly-discovered keylogger malware has been found infecting computers in the wild. Though the malware is far from advanced, it’s efficient at stealing passwords.
Researchers at Cybereason, a Boston, Mass.-based security firm, call the malware “Fauxpersky,” as it impersonates the Russian antivirus software Kaspersky. The keylogger is built off a popular app, AutoHotKey, which lets users write small scripts for automating tasks, and compile the script into an executable file. In this case, the app was abused to build a keylogger, which spreads through USB drives and infects Windows PCs — and replicates on the computer’s listed drives.
“This malware is by no means advanced or even very stealthy,” said researchers Amit Serper and Chris Black, in a detailed blog post, published Wednesday.
“However, this malware is highly efficient at infecting USB drives and exfiltrating data from the keylogger through Google directly to the attacker’s mailbox,” the researchers said.
That’s where the malware’s functionality gets interesting: Once the malware’s core files are all running, everything typed on the computer is recorded into a text file with the window’s name — giving the malware author a better idea of the context to the keylogged text.
The contents of that text file is exfiltrated from the computer through a Google Form. The file is then deleted from the disk. Each form response goes directly to the malware author’s email inbox.
Serper and Black reported the malicious form to Google, which took it down within an hour.
When contacted, Google — which may have insight into who built the form — did not comment. (If that changes, we’ll update.)
The write-up described how the malware author “didn’t put any effort” into making the malware look authentic, like changing the executable’s icon from the AutoHotKey default, and built an unconvincing Kaspersky-style splash screen. When Fauxpersky spreads, it also sticks and maintains persistence, so that it runs when Windows is booted up. The malware simply creates a shortcut to itself in the Start menu’s “startup” directory.
Cybereason didn’t say how many machines were infected, but given that the malware spreads through an antiquated method of sharing USB drives, it’s likely not to be widespread.