Cybercriminals are quite innovative, to be honest; they are always coming up with unique ways of exploiting Windows-based systems. According to the findings of Boston-based cyber-security firm Cybereason, one of their newly identified techniques involves using keylogger malware that exploits AutoIT or AutoHotKey (AHK).
Fauxpersky Malware Spreads via malicious USB drives
The malware, dubbed by Cybereason researchers as Fauxpersky, is though not as sophisticated as some of the recently discovered malware but it can efficiently steal passwords from Windows systems. It is spread via infected USB drives.
Cybereason researchers Amit Serper and Chris Black wrote in the company’s official blog post published on Wednesday: “This malware is by no means advanced or even very stealthy. However, this malware is highly efficient at infecting USB drives and exfiltrating data from the keylogger through Google directly to the attacker’s mailbox.”
AutoIT or AHk are quite basic tools used to write small programs for performing a variety of GUI and keyboard automation functions on Windows systems. For instance, AHK uses its own scripting language to let users write code to interact with Windows and perform tasks like reading text or sending keystrokes to other applications. It also lets users create a compiled .exe file.
Fauxpersky is capable of impersonating Kaspersky, well-known Russian antivirus software, whereas the keylogger is created by abusing AHK app. The infection is distributed to the system via USB drives and manages to compromise PCs that run Windows by replicating files stored on the device’s listed drives.
Moreover, researchers also identified four droppers in the computer’s environment and each one had a dedicated name, which was quite similar to the names of Windows OS files. The names are as follows:
The method used by AHK keylogger is quite straightforward; it spreads through self-propagation technique. After being executed initially, the keylogger starts gathering information about all the listed drives on the computer and begins the replication process.
When the core files of the malware start running on the system, whatever the user types on the computer gets stored into a text file bearing the respective window’s name. This way, the attacker gets a better idea of the background context of the text that has been keylogged.
This text file’s contents are then exfiltrated from the device via a Google Form. The file then gets deleted from the system while the text file is transferred to the attacker via email. Google was notified of this form by Serper and Black, after which it was taken down in an hour. However, Google did not release any statement explaining who created the form.
From the way the malware has been designed, it is evident that the developers did not pay attention to key aspects to make it look authentic such as changing the executable’s icon from that of AHk’s default icon or creating a rather unconvincing splash screen, which is an exact replica of Kaspersky’s screen.
However, once the malware is spread onto the system, it remains persistent and gets booted up again after Windows system is restarted. It also creates a shortcut for itself in the startup directory of the Start menu.
Limited damage and how to get rid of Fauxpersky Malware
Currently, it is not clear how many computers have been infected but considering that the malware is distributed through sharing of USB drives, it can be assumed that it hasn’t been spread extensively as yet.
If you feel that your computer is also infected, simply access %appdata%\Roaming\ and delete the files related to Kaspersky Internet Security 2017\ directory and the directory itself from the startup directory located in the start menu.
Image credit: Depositphotos