Threat Management, Malware

Fauxpersky spyware impersonates Kaspersky AV software, abuses AutoHotKey tools


Researchers have discovered a Windows-based keylogger and information stealer that falsely poses as Kaspersky antivirus software and spreads via infected USB devices. 

The malware, named Fauxpersky, is also written using AutoHotKey (AHK) tools that under normal circumstances would be used to create keyboard shortcuts.

According to a blog post from Cybereason, Fauxperksy takes advantage of AHK's abilities to read texts from Windows and send keystrokes to other applications. It is made up of for four executables placed inside a directory labeled "Kaspersky Internet Security 2017." This directory also contains a Readme.txt file and a PNG image that displays a Kaspersky logo as a splash screen when an infected machine logs into Windows. This image is meant to fool users into thinking that Kaspersky antivirus is actively running.

The Readme.txt file, meanwhile presents instructors for users to disable their antivirus program if they are unable to launch their folders or files correctly, followed by a long list of security products that supposedly are incompatible with the Kaspersky product that users think has been installed.

The four core executables are each given a name that looks similar to a Windows system file: Explorers.exe, Svhost.exe, Taskhost.exe, and Spoolsvc.exe. The first component, Explorers.exe, is responsible for self-propagation and persistence, spreading from host machines to connected external drives through file replication.

Svhost.exe uses AHK functions to monitor the currently active window an infected user person is in, and then log any keystrokes they input into that window. Taskhost.exe is responsible for creating the malicious directly and handles persistence, while Spoolsvc.exe also provides some persistence and performs data exfiltration of the keylogged data into a Google form.

"Exfiltrating data to a Google form is a very simple and clever way to overcome a lot of the logistics involved in data exfiltration," states the blog post, authored by the Cybereason Nocturus Research team. "Using this technique means there's no need to maintain an anonymized command and control server plus data transmissions to is encrypted and doesn't look suspicious in various traffic monitoring solutions."

Cybereason further reports that Google's security team took down the malicious Google form almost immediately after it was disclosed to them.

"This malware is by no means advanced or even very stealthy. Its authors didn't put any effort into changing even the most trivial things, such as the AHK icon that's attached to the file," the blog post concludes. "However, this malware is highly efficient at infecting USB drives and collecting data from the keylogger, exfiltrating it through Google Forms and depositing it in the attacker's inbox."

It is unknown how many machines have been infected by the threat.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.