Attackers are always looking for new ways to execute files on Windows systems. One trick involves using either AutoIT or AutoHotKey, simple tools that allow users to write small programs for all sorts of GUI and keyboard automation tasks on Windows. For example, AutoHotKey (AHK) allows users to write code (in its own scripting language) that interacts with Windows, reads text from Windows and sends keystrokes to other applications, among other tasks. AHK also allows users to create a ‘compiled’ exe with their code in it.

Now if you’re an attacker reading this, you probably realize that AHK is great to use for writing simple and highly efficient credential stealers. And what do you know? We found a credstealer written with AHK that masquerades as Kaspersky Antivirus and spreads through infected USB drives.

We found four dropped files in a customer’s environment. Each file had a name that was similar to Windows system files:

Suspicious files in our customer's environment

Explorers.exe: Self-propagation and persistence

This AHK keylogger utilizes a fairly straightforward method of self-propagation to spread. After the initial execution, the keylogger gathers the listed drives on the machine and begins to replicate itself to them. This allows the keylogger to spread from a host machine to any connected external drives. Let’s examine the process:

Copying the files to the removable drive:

If the keylogger is propagating to an external drive, it will rename the drive to match its naming scheme. For example, if a machine executed the keylogger while it had an 8GB USB drive called "Pendrive" mounted, the name would be altered after the files completed replicating to match the naming scheme. The USB drive’s new name would be "Pendrive 8GB (Secured by Kaspersky Internet Security 2017)". This is currently a valuable IOC in the wild.

The malware also creates an autorun.inf file that points to a batch script with the following content:
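The propagation traits described above (the volume-label renaming scheme, the Explorers.exe drop and the autorun.inf pointing at a batch script) can be turned into a triage check for a mounted removable drive. The following is an added example written for this page, not code from the original write-up: it assumes a minimal [autorun] parser and a constructed sample drive whose batch-script name (run.bat) is invented, since the page does not give the real one.

```python
import re
import tempfile
from pathlib import Path

# Volume-label pattern taken from the renaming scheme described in the write-up,
# e.g. "Pendrive 8GB (Secured by Kaspersky Internet Security 2017)".
LABEL_IOC = re.compile(r"\(Secured by Kaspersky Internet Security 2017\)\s*$", re.IGNORECASE)
# Only dropped-file name the write-up gives; the other three are not listed there.
DROPPED_NAMES = {"explorers.exe"}
# autorun.inf keys that cause something to be launched on insertion.
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command"}

def autorun_targets(text):
    """Return the launch targets listed in the [autorun] section of an autorun.inf."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                       # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() in LAUNCH_KEYS:
                targets.append(value.strip().strip('"'))
    return targets

def assess_removable_drive(label, root):
    """Defender-side triage of a mounted drive; returns a sorted list of findings."""
    findings = []
    if LABEL_IOC.search(label):
        findings.append("label matches keylogger renaming scheme")
    root = Path(root)
    for entry in root.iterdir():
        if entry.name.lower() in DROPPED_NAMES:
            findings.append(f"dropped file present: {entry.name}")
    autorun = root / "autorun.inf"
    if autorun.is_file():
        for target in autorun_targets(autorun.read_text(errors="ignore")):
            exe = target.split(maxsplit=1)[0].lower() if target else ""
            if exe.endswith((".bat", ".cmd")):
                findings.append(f"autorun.inf launches batch script: {target}")
    return sorted(findings)

def demo():
    """Constructed sample drive (not a real capture) that trips every check."""
    root = Path(tempfile.mkdtemp())
    (root / "Explorers.exe").write_bytes(b"")          # placeholder, empty file
    (root / "autorun.inf").write_text("[AutoRun]\nopen=run.bat\nicon=shell32.dll,4\n")
    return assess_removable_drive("Pendrive 8GB (Secured by Kaspersky Internet Security 2017)", root)
```

On a live host the label and root would come from the mounted volume (for example via the volume's WMI properties); the checks themselves are unchanged.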