A new kind of keylogger malware has been detected infecting computers, specifically Windows PCs, in the wild via USB drives. Cybereason, a Boston, Mass.-based security firm, discovered the malware and named it Fauxpersky as it impersonates the popular Russian antivirus software Kaspersky.
On Fauxpersky-infected systems, the Cybereason researchers found four dropped files, each carefully named to emulate Windows system files: Explorers.exe, Spoolsvc.exe, Svhost.exe, and Taskhosts.exe.
AutoID or AutoHotKey (AHK), a simple developer tool used to write small scripts for automation tasks on Windows, is the route via which the malware spreads. The tool is abused to build a keylogger: AHK lets its users write scripts that send keystrokes to other applications and produce a ‘compiled’ exe with that code embedded.
Once executed, Fauxpersky gathers a list of drives on the machine and begins to replicate itself onto them, allowing it to spread to any connected external drive. To gain persistence, the malware changes its working directory to %APPDATA% and creates a folder there titled Kaspersky Internet Security 2017. Spoolsvc.exe alters registry values so that the system no longer displays hidden files and conceals system files. It then checks whether explorers.exe is running and, if not, launches it, guaranteeing that the malware keeps executing.
Cybereason said the “malware is by no means advanced or even very stealthy. Its authors didn’t put any effort into changing even the most trivial things, such as the AHK icon that’s attached to the file. However, this malware is highly efficient at infecting USB drives and collecting data from the keylogger, exfiltrating it through Google Forms and depositing it in the attacker’s inbox.”
Once the malware’s core files are running, everything typed on the computer is recorded to a text file named after the active window. The file’s contents are exfiltrated from the computer via a Google Form, and the file is then deleted from disk to erase any trace of it. Each form response goes straight to the malware author’s email.
The company contacted Google to report the malicious form; Google took it down within an hour. Cybereason advised users whose machines are infected to take the following steps: (i) navigate to %appdata%\Roaming\ (ii) remove the Kaspersky Internet Security 2017 directory (iii) remove any related files from the startup directory within the Start menu.
Cybereason is not yet certain of the number of infected machines, but said it would issue updates as it learns more. It is unlikely that the damage is widespread, given that the malware travels via USB drives, which are increasingly falling out of general use.
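As an added example (this is not Cybereason's tooling or anything from its report), the following PowerShell script checks a Windows host for the indicators the article describes: the Kaspersky Internet Security 2017 folder under %APPDATA%, the four dropped file names, Start-menu startup entries pointing at them, running processes with those names, and Explorer's hidden-file settings. With -Remediate it applies the removal steps listed above. The registry value names (Hidden and ShowSuperHidden under Explorer's Advanced key) are an assumption: the article says the malware alters hidden-file settings but does not name the keys. The hashes it prints are for your own comparison; the article publishes none.

```powershell
# Added example, not code from Cybereason or the article. Run from an
# elevated PowerShell prompt. $env:APPDATA already resolves to ...\AppData\Roaming.
[CmdletBinding()]
param(
    # Remove what is found instead of only reporting it
    [switch]$Remediate
)

# File names the article lists as dropped by the malware (note the extra
# letters compared with the real spoolsv.exe, svchost.exe, taskhost.exe)
$dropped = @('Explorers.exe', 'Spoolsvc.exe', 'Svhost.exe', 'Taskhosts.exe')
# Directory the article says is created under %APPDATA% for persistence
$kisDir  = Join-Path $env:APPDATA 'Kaspersky Internet Security 2017'
# Per-user Start Menu startup folder
$startup = [Environment]::GetFolderPath('Startup')
# Explorer hidden-file settings; ASSUMPTION that these are the values altered
$advKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

$findings      = @()
$startupToKill = @()

# 1. Persistence directory and any of the four dropped files inside it
if (Test-Path -LiteralPath $kisDir) {
    $findings += "Directory present: $kisDir"
    foreach ($name in $dropped) {
        $p = Join-Path $kisDir $name
        if (Test-Path -LiteralPath $p) {
            $h = (Get-FileHash -Algorithm SHA256 -LiteralPath $p).Hash
            $findings += "Dropped file: $p SHA256=$h"
        }
    }
}

# 2. Startup-folder entries (files or shortcuts) that reference the malware
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -LiteralPath $startup -File -ErrorAction SilentlyContinue | ForEach-Object {
    $target = $_.FullName
    if ($_.Extension -eq '.lnk') {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
    }
    if ($target -and (($dropped -contains (Split-Path $target -Leaf)) -or $target -like "$kisDir*")) {
        $findings      += "Startup entry: $($_.FullName) -> $target"
        $startupToKill += $_.FullName
    }
}

# 3. Running processes carrying the look-alike names (ProcessName has no extension)
foreach ($name in $dropped) {
    $base = [IO.Path]::GetFileNameWithoutExtension($name)
    Get-Process -Name $base -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += "Running process: $($_.ProcessName) PID=$($_.Id) Path=$($_.Path)"
    }
}

# 4. Explorer hidden-file settings. Hidden=2 (do not show hidden files) and
# ShowSuperHidden=0 (hide protected OS files) are also Windows defaults, so
# this is only corroborating evidence, not proof of infection on its own.
$adv = Get-ItemProperty -Path $advKey -ErrorAction SilentlyContinue
if ($adv -and ($adv.Hidden -eq 2 -or $adv.ShowSuperHidden -eq 0)) {
    $findings += "Explorer hides hidden/system files (Hidden=$($adv.Hidden), ShowSuperHidden=$($adv.ShowSuperHidden))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Fauxpersky indicators found.'
    return
}
$findings | ForEach-Object { Write-Output "[!] $_" }

if ($Remediate) {
    # Stop the look-alike processes first so the files are not locked
    foreach ($name in $dropped) {
        Stop-Process -Name ([IO.Path]::GetFileNameWithoutExtension($name)) -Force -ErrorAction SilentlyContinue
    }
    # Steps (ii) and (iii) from the article: remove the directory and startup entries
    if (Test-Path -LiteralPath $kisDir) {
        Remove-Item -LiteralPath $kisDir -Recurse -Force
        Write-Output "Removed $kisDir"
    }
    foreach ($entry in $startupToKill) {
        Remove-Item -LiteralPath $entry -Force
        Write-Output "Removed startup entry $entry"
    }
    # Restore visibility of hidden and protected OS files
    Set-ItemProperty -Path $advKey -Name Hidden -Value 1
    Set-ItemProperty -Path $advKey -Name ShowSuperHidden -Value 1
    Write-Output 'Restored Explorer hidden-file settings; sign out and back in for Explorer to pick them up.'
}
```

Run it once without the switch to review what it reports, then with -Remediate. Because the malware copies itself to every attached drive, the same look-alike file names should also be checked on any USB drive that was plugged into the machine, and the host should be treated as compromised for credential purposes regardless, since the keystroke logs have already left it.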