Researchers have discovered a Windows-based keylogger and information stealer that falsely poses as Kaspersky antivirus software and spreads via infected USB devices.
The malware, named Fauxpersky, is written using AutoHotKey (AHK) tools that under normal circumstances would be used to create keyboard shortcuts.
According to a blog post from Cybereason, Fauxpersky takes advantage of AHK’s abilities to read text from windows and send keystrokes to other applications. It is made up of four executables placed inside a directory labeled “Kaspersky Internet Security 2017.” This directory also contains a Readme.txt file and a PNG image that displays a Kaspersky logo as a splash screen when an infected machine logs into Windows. This image is meant to fool users into thinking that Kaspersky antivirus is actively running.
The Readme.txt file, meanwhile, presents instructions for users to disable their antivirus program if they are unable to launch their folders or files correctly, followed by a long list of security products that supposedly are incompatible with the Kaspersky product that users think has been installed.
The four core executables are each given a name that looks similar to a Windows system file: Explorers.exe, Svhost.exe, Taskhost.exe, and Spoolsvc.exe. The first component, Explorers.exe, is responsible for self-propagation and persistence, spreading from host machines to connected external drives through file replication.
Svhost.exe uses AHK functions to monitor the currently active window an infected user is in, and then log any keystrokes they input into that window. Taskhost.exe is responsible for creating the malicious directory and handles persistence, while Spoolsvc.exe also provides some persistence and performs data exfiltration of the keylogged data into a Google form.
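The four file names above imitate Windows system binaries, so one defensive check is to flag image paths whose name is a near miss of a known binary, or that use a legitimate name from an unexpected folder. The following is an added example, not code from Cybereason or the original article; the `KNOWN` baseline, the `classify` helper and the sample paths are assumptions constructed for illustration.

```python
import ntpath

# Legitimate Windows binaries and the folder each normally runs from.
# Short illustrative baseline (assumption); extend it from your own fleet.
KNOWN = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "taskhost.exe": r"c:\windows\system32",
    "taskhostw.exe": r"c:\windows\system32",  # real near-neighbour, avoids a false hit
    "spoolsv.exe": r"c:\windows\system32",
}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(path, max_dist=1):
    """Return (verdict, matched_name) for one full image path."""
    folder, name = ntpath.split(path.lower())
    if name in KNOWN:
        # Exact system name: only the expected folder is acceptable.
        return ("ok" if folder == KNOWN[name] else "wrong-path", name)
    for legit in KNOWN:
        if edit_distance(name, legit) <= max_dist:
            return ("lookalike", legit)
    return ("unknown", None)

# Constructed sample paths; the drive letter and parent folder are assumptions.
SAMPLE = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\taskhostw.exe",
    r"E:\Kaspersky Internet Security 2017\Explorers.exe",
    r"E:\Kaspersky Internet Security 2017\Svhost.exe",
    r"E:\Kaspersky Internet Security 2017\Taskhost.exe",
    r"E:\Kaspersky Internet Security 2017\Spoolsvc.exe",
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(classify(p), p)
```

Taskhost.exe is the case a name-only rule misses: it matches a real Windows file name exactly, so only the folder check catches it.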
“Exfiltrating data to a Google form is a very simple and clever way to overcome a lot of the logistics involved in data exfiltration,” states the blog post, authored by the Cybereason Nocturnus Research team. “Using this technique means there’s no need to maintain an anonymized command and control server plus data transmissions to docs.google.com is encrypted and doesn’t look suspicious in various traffic monitoring solutions.”
Cybereason further reports that Google’s security team took down the malicious Google form almost immediately after it was disclosed to them.
“This malware is by no means advanced or even very stealthy. Its authors didn’t put any effort into changing even the most trivial things, such as the AHK icon that’s attached to the file,” the blog post concludes. “However, this malware is highly efficient at infecting USB drives and collecting data from the keylogger, exfiltrating it through Google Forms and depositing it in the attacker’s inbox.”
It is unknown how many machines have been infected by the threat.