A recently discovered credential stealing malware is masquerading as Kaspersky Antivirus and spreading via infected USB drives, according to threat detection firm Cybereason.
Dubbed Fauxpersky, the keylogger was written in AutoIT or AutoHotKey, which are simple tools to write small programs for various automation tasks on Windows. AHK can be used to write code to send keystrokes to other applications, and to create a ‘compiled’ exe with their code in it.
On systems infected with Fauxpersky, the security researchers discovered four dropped files, each named similarly to Windows system files: Explorers.exe, Spoolsvc.exe, Svhost.exe, and Taskhosts.exe.
Once executed, the malware gathers a list of drives on the machine and starts replicating itself to them, which allows it to spread to any of the connected external drives.
Furthermore, the keylogger renames the external drives to match its naming scheme. Specifically, the drive’s new name would include its original name, its size, and the string “(Secured by Kaspersky Internet Security 2017)”.The malware also creates an autorun.inf file to point to a batch script.
Explorers.exe includes a function called CheckRPath() designed to check the connected drives for the aforementioned files and to create them if they are not already present on the drive. The malware sets the attributes System and Hidden to the files and also creates the necessary directories, with parameters of Read-Only, System, and Hidden.
The attackers use a fairly basic method to ensure that all the necessary files are present in the source directory (called Kaspersky Internet Security 2017) when it is copied to the new destination. A text file in the directory instructs users to disable their antivirus if execution fails and also includes a list of security tools “incompatible with Kaspersky Internet Security 2017” (Kaspersky Internet Security included).
To perform the keylogging activities, Fauxpersky (specifically, svhost.exe) monitors the currently active window using the AHK functions WinGetActiveTitle() and input() (monitors user keystrokes to the window). Keystrokes are appended to Log.txt, which is saved in %APPDATA%Kaspersky Internet Security 2017.
For persistence, the malware changes the working directory of the malware to %APPDATA% and creates the Kaspersky Internet Security 2017 folder. It also checks that all the necessary files are created in %APPDATA% and copies them there if they aren’t.
Spoolsvc.exe changes the values of registry keys to prevent the system from displaying hidden files and to hide system files (this explains why it sets the attributes of its own files to both System and Hidden). Next, it verifies if explorers.exe is running and launches it if not, thus ensuring persistent execution of the malware.
The keylogger also creates shortcuts to itself in the start menu startup directory to ensure persistence.
To exfiltrate the keylogged data, the malware uses a Google form, freeing the attackers from having to maintain an anonymized command and control server.
“This malware is by no means advanced or even very stealthy. Its authors didn’t put any effort into changing even the most trivial things, such as the AHK icon that’s attached to the file. However, this malware is highly efficient at infecting USB drives and collecting data from the keylogger, exfiltrating it through Google Forms and depositing it in the attacker’s inbox,” Cybereason concludes.
Related: Kelihos Spreads via USB Drives