Keylogger in Phishing Email Also Takes Screenshots


Exterminator
Oct 23, 2012
A malicious email claiming to come from the HSBC financial institution has been found to deliver a keylogger that can not only intercept keystrokes and the name of the windows they are entered in, but also take pictures of the victim’s desktop screen.

The malware is also equipped with the ability to steal passwords stored in the web browser, as well as several other programs, and sends all the data to the attackers in real time.

Malware author makes mistake, hard-codes email password
Ronnie Tokazowski of PhishMe caught a sample of the email and proceeded to dissect the malicious file in it.

After analyzing the keylogger, he determined that the piece was written in .NET and that the coder was ill-prepared for the task, since the researcher managed to easily intercept the data seeping out of the infected machine, as well as identify the communication method with the attacker.

Tokazowski observed that the malware was sending emails via SMTP (Simple Mail Transfer Protocol) over port 587, and that the attacker hard-coded the authentication password in the malware.

By including the credentials to their command and control email into the malware binary, the attackers run the risk of having someone break into their inbox and remove all the information received from the victims.

Not only this, but the researcher also allowed pictures of the screen to be taken when he was intercepting the traffic generated by the malware. In a “watching you watching me” scenario, he saw how screens with his analysis of the traffic were sent over.

Some phishing methods are more clever than others
This particular malicious sample is not new, and it has been found on Hack Forums, a platform used by both white hats and hacker wannabes for ready-made resources. Posters there referred to it as Dynasty Keylogger or as Predator Dynasty.

The email body is simple in construction and only informs the recipient that a payment file has been attached, as per the request of the owner of the banking account. This could be sufficient to fool numerous unsuspecting users to check deeper into the matter.

As soon as the attachment is deployed, the keylogger is installed on the computer and starts its activity.

Generally, keyloggers are integrated as a component of a malware package with different functionality, such as the one recently discovered by Kaspersky targeting machines running OS X. In that case, the attackers relied on an open-source tool to capture keystrokes.

A more interesting method to harvest log-in details was observed last week, when a phishing page for Dropbox was hosted in a Dropbox account, allowing the crooks to take advantage of the SSL connection to prevent ringing the alarm bells of the potential victim.
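The analysis step the article describes, spotting that the keylogger talks SMTP on port 587 and that the mailbox password is baked into the binary, can be reproduced from a captured session. The following Python is an added example for this thread, not code from the article, from PhishMe or from the malware: it parses a client/server SMTP transcript, decodes AUTH LOGIN and AUTH PLAIN (the two mechanisms the page's description implies), records the account the sample logs in as, whether the credential crossed the wire without STARTTLS, and where the stolen data is addressed. The transcript, hostnames and addresses are constructed for the example; the password is reported only by length, which is enough to prove it is hard-coded and recoverable by anyone watching the traffic.

```python
"""Triage an SMTP exfiltration channel from a captured client/server exchange (added example)."""
import base64
import re

ADDR_RE = re.compile(r"<([^>]*)>")


def _b64_to_text(token):
    """Decode one base64 token; return None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_smtp_session(lines, dst_port):
    """Parse 'C: ...' / 'S: ...' transcript lines and summarise the exfil channel.

    Returns auth method, the account used, password length (never the password),
    whether the credential went cleartext, and the sender/recipient/subject.
    """
    report = {"dst_port": dst_port, "starttls": False, "auth_method": None,
              "username": None, "password_length": 0, "mail_from": None,
              "rcpt_to": [], "subject": None}
    pending = None  # AUTH LOGIN state machine: next client line is "user" or "pass"
    for raw in lines:
        line = raw.strip()
        if not line.startswith("C: "):
            continue  # only client commands carry what we need
        cmd = line[3:]
        upper = cmd.upper()
        if pending == "user":
            report["username"] = _b64_to_text(cmd)
            pending = "pass"
            continue
        if pending == "pass":
            report["password_length"] = len(_b64_to_text(cmd) or "")
            pending = None
            continue
        if upper == "STARTTLS":
            report["starttls"] = True
        elif upper.startswith("AUTH LOGIN"):
            report["auth_method"] = "LOGIN"
            parts = cmd.split()
            if len(parts) == 3:  # username given as the initial response
                report["username"] = _b64_to_text(parts[2])
                pending = "pass"
            else:
                pending = "user"
        elif upper.startswith("AUTH PLAIN"):
            report["auth_method"] = "PLAIN"
            parts = cmd.split()
            fields = (_b64_to_text(parts[2]) or "").split("\0") if len(parts) == 3 else []
            if len(fields) == 3:  # authzid \0 authcid \0 password
                report["username"] = fields[1]
                report["password_length"] = len(fields[2])
        elif upper.startswith("MAIL FROM:"):
            m = ADDR_RE.search(cmd)
            report["mail_from"] = m.group(1) if m else None
        elif upper.startswith("RCPT TO:"):
            m = ADDR_RE.search(cmd)
            if m:
                report["rcpt_to"].append(m.group(1))
        elif upper.startswith("SUBJECT:"):
            report["subject"] = cmd[len("Subject:"):].strip()
    # Credentials are exposed when the sample authenticates without ever upgrading to TLS.
    report["cleartext_credentials"] = bool(
        report["auth_method"] and report["username"] and not report["starttls"])
    return report


def build_sample_session(auth="LOGIN"):
    """Constructed transcript (not a real capture): port 587, no STARTTLS, hard-coded mailbox."""
    user, password = "c2-dropbox@example.net", "HardCoded!Secret1"
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    if auth == "LOGIN":
        auth_lines = ["C: AUTH LOGIN", "S: 334 VXNlcm5hbWU6", "C: " + b64(user),
                      "S: 334 UGFzc3dvcmQ6", "C: " + b64(password)]
    else:
        auth_lines = ["C: AUTH PLAIN " + b64("\0" + user + "\0" + password)]
    return ["S: 220 smtp.example.net ESMTP", "C: EHLO WIN-VICTIM",
            "S: 250-smtp.example.net Hello", "S: 250 AUTH LOGIN PLAIN", *auth_lines,
            "S: 235 2.7.0 Authentication successful",
            "C: MAIL FROM:<c2-dropbox@example.net>", "C: RCPT TO:<drop@example.net>",
            "C: DATA", "S: 354 End data with <CR><LF>.<CR><LF>",
            "C: Subject: Logs from WIN-VICTIM", "C: .", "S: 250 OK queued", "C: QUIT"]


if __name__ == "__main__":
    for method in ("LOGIN", "PLAIN"):
        r = analyze_smtp_session(build_sample_session(method), 587)
        print(f"{method}: account={r['username']} cleartext={r['cleartext_credentials']} "
              f"to={r['rcpt_to']} subject={r['subject']!r}")
```

In an incident the recipient address and the authenticating account are the actionable outputs: they identify the drop mailbox to report to the provider and give a concrete indicator to block at the egress proxy, while the cleartext flag explains why the researcher could read everything leaving the infected host.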