
'Fauxpersky' malware steals and sends passwords to an attacker's inbox – ZDNet

(Image: CNET/CBS Interactive)

A newly-discovered keylogger malware has been found infecting computers in the wild. Though the malware is far from advanced, it’s efficient at stealing passwords.

Researchers at Cybereason, a Boston, Mass.-based security firm, call the malware “Fauxpersky,” as it impersonates the Russian antivirus software Kaspersky. The keylogger is built with a popular app, AutoHotKey, which lets users write small scripts for automating tasks and compile those scripts into executable files. In this case, the app was abused to build a keylogger that spreads through USB drives and infects Windows PCs — and replicates itself onto the computer’s listed drives.

“This malware is by no means advanced or even very stealthy,” said researchers Amit Serper and Chris Black, in a detailed blog post, published Wednesday.

“However, this malware is highly efficient at infecting USB drives and exfiltrating data from the keylogger through Google directly to the attacker’s mailbox,” the researchers said.

That’s where the malware’s functionality gets interesting: Once the malware’s core files are all running, everything typed on the computer is recorded into a text file with the window’s name — giving the malware author a better idea of the context to the keylogged text.

The contents of that text file are exfiltrated from the computer through a Google Form, after which the file is deleted from the disk. Each form response goes directly to the malware author’s email inbox.

Serper and Black reported the malicious form to Google, which took it down within an hour.

When contacted, Google — which may have insight into who built the form — did not comment. (If that changes, we’ll update.)

The write-up described how the malware author “didn’t put any effort” into making the malware look authentic: the executable keeps the AutoHotKey default icon, and the Kaspersky-style splash screen is unconvincing. When Fauxpersky spreads, it also establishes persistence so that it runs whenever Windows boots. The malware simply creates a shortcut to itself in the Start menu’s “startup” directory.
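The two behaviours described above, a shortcut in the Startup folder pointing at a compiled AutoHotKey binary and keystroke logs posted to a Google Form, are both things a defender can hunt for. The following script is an added example, not code from ZDNet, Cybereason or the malware, and it rests on assumptions not stated in the article: that compiled AutoHotKey binaries carry the resource name `>AUTOHOTKEY SCRIPT<` (stored UTF-16LE in the PE, as Ahk2Exe has historically done), that Google Form submissions go to a `.../forms/.../formResponse` URL, and that a rough string carve of a `.lnk` file is good enough to recover its target path. The file names, paths and log line in it are constructed placeholders.

```python
"""Hunt for Fauxpersky-style indicators: AutoHotKey-compiled executables launched
from the Windows Startup folder, and Google Form posts in proxy logs.
Added example; assumptions are marked in the comments."""
import os
import re
from pathlib import Path
from typing import Iterable, List

# Ahk2Exe embeds the script as a resource named ">AUTOHOTKEY SCRIPT<"; PE resource
# names are UTF-16LE, so check both encodings. (Assumption: treat a hit as a lead to
# confirm against your own samples, not as proof of malice; many legitimate tools
# are compiled AutoHotKey scripts too.)
AHK_MARKERS = (b">AUTOHOTKEY SCRIPT<", ">AUTOHOTKEY SCRIPT<".encode("utf-16-le"))

# Strings a compiled script would need for the behaviour the article describes
# (Google Form exfiltration, Kaspersky branding). Assumed indicators, not from the page.
SUSPICIOUS_STRINGS = (b"docs.google.com/forms", b"formResponse", b"Kaspersky")

# Heuristic carve of an ANSI Windows path ending in .exe from a raw .lnk file.
# This is not a full Shell Link parser; it usually hits the LocalBasePath field.
LNK_TARGET_RE = re.compile(rb"[A-Za-z]:\\[^\x00\r\n]{1,200}?\.exe", re.IGNORECASE)

# Google Form submission endpoint in a proxy/web log (assumed URL shape).
FORM_POST_RE = re.compile(r"\bPOST\s+https?://docs\.google\.com/forms/\S+/formResponse\b")


def is_compiled_ahk(blob: bytes) -> bool:
    """True if the executable bytes carry the compiled-AutoHotKey resource name."""
    return any(marker in blob for marker in AHK_MARKERS)


def suspicious_strings(blob: bytes) -> List[str]:
    """Return which of the assumed indicator strings appear in the binary."""
    return [s.decode() for s in SUSPICIOUS_STRINGS if s in blob]


def lnk_targets(lnk_blob: bytes) -> List[str]:
    """Candidate .exe paths carved from raw .lnk bytes (heuristic, see LNK_TARGET_RE)."""
    return sorted({m.group(0).decode("latin-1") for m in LNK_TARGET_RE.finditer(lnk_blob)})


def is_form_post(log_line: str) -> bool:
    """True if a proxy log line records a POST to a Google Form response endpoint.
    Browsers submit forms this way too, so this is a triage filter, not an alert."""
    return FORM_POST_RE.search(log_line) is not None


def default_startup_dirs() -> List[Path]:
    """Per-user and all-users Startup folders on Windows (empty paths elsewhere)."""
    sub = Path("Microsoft/Windows/Start Menu/Programs/Startup")
    return [Path(os.environ.get("APPDATA", "")) / sub,
            Path(os.environ.get("PROGRAMDATA", "")) / sub]


def scan_startup(dirs: Iterable[Path]) -> List[dict]:
    """Resolve every .lnk in the given Startup folders and flag targets that are
    compiled AutoHotKey binaries, together with any indicator strings they contain."""
    findings = []
    for d in dirs:
        if not d.is_dir():
            continue
        for lnk in d.glob("*.lnk"):
            for target in lnk_targets(lnk.read_bytes()):
                target_path = Path(target)
                if not target_path.is_file():
                    continue
                blob = target_path.read_bytes()
                if is_compiled_ahk(blob):
                    findings.append({"shortcut": str(lnk), "target": target,
                                     "strings": suspicious_strings(blob)})
    return findings


if __name__ == "__main__":
    # Constructed proxy line (placeholder form id), then a live scan of this host.
    sample_line = ("2018-03-28T10:15:02Z 10.0.0.7 POST "
                   "https://docs.google.com/forms/d/e/FORM_ID_PLACEHOLDER/formResponse 200")
    print("form post in sample log line:", is_form_post(sample_line))
    for finding in scan_startup(default_startup_dirs()):
        print(finding)
```

Run it on a Windows host to list Startup shortcuts whose targets are compiled AutoHotKey binaries; the `is_form_post` filter is meant to be fed proxy lines and paired with the requesting process or user agent before anyone draws a conclusion, since ordinary browser form submissions match it as well.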

Cybereason didn’t say how many machines were infected, but given that the malware spreads through an antiquated method of sharing USB drives, it’s likely not to be widespread.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
