It would be tough to prove that NexusLogger is legally culpable if the product is used maliciously because the keylogger can also be used for legit purposes, said technology lawyer Michael Overly.
It would be tough to prove that NexusLogger is legally culpable if the product is used maliciously because the keylogger can also be used for legit purposes, said technology lawyer Michael Overly.

A new, but unsophisticated cloud-based keylogger has hit the market, resulting in a small number of cybercriminals attempting to infect businesses and collect keystrokes, system information, stored passwords, screenshots, and game credentials.

Known as NexusLogger, the tool was analyzed by Palo Alto Networks' Unit 42 threat intelligence team, whose researchers as of Wednesday, March 15 have observed 134 unique samples of the spyware and about 400 unique (and decidedly unsuccessful) attacks against its clients. The company has estimated that roughly 275 unique users have purchased the program, based on incremental "attacker ID" numbers that were observed during the malware's analysis.

"The total number of attacks witnessed using NexusLogger is quite low when compared with other commodity malware families," Palo Alto reported in a recent blog post. "...This is likely due to slow adoption by criminals. The keylogging market is quite saturated with numerous malware families, and it can be difficult for new players to enter the market."

The vast majority of NexusLogger samples, 94 percent, were found distributed via phishing emails, while six percent of infection attempts were executed via download requests over HTTP. Targets of this campaign have included businesses operating in the wholesale, high tech, and aerospace and defense sectors, Unit 42 reported.

Released in late December 2016 or early January 2017, NexusLogger is billed on www.nexuslogger.com as a "parental monitoring tool," yet the spyware includes anti-VM and anti-debug tools that would typically be used by actors with malicious intent, Palo Alto explained. The product costs anywhere from $7 to $199, depending upon whether the user wants to subscribe to the tool for a week, a month or a year.

Michael Overly, an information technology lawyer and partner with Foley & Lardner LLP, told SC Media that one of his business clients very recently requested to pursue a legal case against NexusLogger, after an employee at the company allegedly used the keylogger in unauthorized fashion to spy on a coworker with whom he was romantically interested.

However, Overly told the client that developers of these tools are rarely held legally responsible for the malicious actions of their users, especially when the product can also serve a legitimate function, such as monitoring your child's or employee's cyber activity. "...This has a legal purpose, so the possibility that the provider would be held responsible is difficult in today's environment," said Overly.

Overly called NexusLogger "an extreme case, but if you think about it, there are many tools that are... used by [legitimate] security professionals that could easily be exploited for malicious purposes." In that sense, Overly compared NexusLogger to gun manufacturers, who are not held liable when a criminal uses a firearm in a felony act.

All of the NexusLogger samples that Palo Alto identified communicate with the same domain via HTTPS, "which makes it trivial for defenders to block," the blog post reported. Programmed via Microsoft's .NET framework, the tool's code is obfuscated using the ConfuserEx 1.0.0 open-source protector tool. After it installs itself, the tool has the option of performing a User Account Control bypass. The tool downloads the Python-based open-source LaZagne project to collect stored passwords, and uploads all gathered data via FTP. Its ability to collect gaming credentials applies to the UPlay, Minecraft, Steam and Origin platforms.

"Overall, NexusLogger certainly isn't a terribly sophisticated threat. A number of shortcuts were made by the author to increase the number of features it touts. Additionally, adoption of this malware family is relatively low, and it is being distributed to victims using very common channels," the blog post concludes.