Immensely Powerful iSpy Keylogger Targets Skype, Webcams and Passwords

iSpy keylogger records skype chats, steal passwords stored in the browser and take pictures through device webcam.

A keylogger dubbed as iSpy is being monitored quite ferociously by researchers primarily because it is very much in demand on the Dark Web. Reportedly, the keylogger is being sold at a meager rate of $25 to $35.

The reason why this keylogger is so much in demand is that it is quite powerful software that can capture keystrokes, steals passwords stored in web browsers and Skype conversation records, takes pictures via webcam and stores the license keys of software like Microsoft Office and Adobe Photoshop.

Related: New ‘Trojan T9000’ Targets Skype Users, Saves Screenshots, Records Chats

Zscaler ThreatLabZ states that iSpy is being distributed through infected JavaScripts and/or document attachments in phish emails and scam campaigns. The fact that iSpy versions are signed and used in expired digital certificates to make it appear authentic while being checked by security software, makes this keylogger so dangerous.

iSpy comprises of a loader that is responsible for delivering an encrypted payload, which is compressed through .Net, AutoIT and Visual Basic 6.0 languages. Furthermore, there are six components of the payload all equipped with diverse features such as clipboard monitoring, RuneScape( MMO game) PIN logging, keylogging, webcam logging, screen capturing and of course, accessing and stealing of passwords.

According to Zscaler ThreatLabZ’s analyst Atinderpal Singh, the company has come across a new and improved version of this keylogger in the past 24 hours. This new version some other added features including erasing the Skype chat recorder. The keylogger uses various techniques for deceiving users such as it removes the “Zone.Identifier” flag from the ADS (Alternate Data Stream) of the host computer to deactivate the security warning message that pops up whenever the malware file is run.

Additionally, the keylogger has the feature of disabling antivirus software, which is done by creating a Sub-Key of the same program in the registry key: ‘Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\’

Then it sets “rundll32.exe” as the “Debugger” value in that key. The local data obtained by iSpy is sent to its command and control servers through FTP, HTTP, and/or SMTP protocols. Prior to transferring the data, the malware uses its custom encryption.

“The current sample… uses FTP for sending the stolen data to the attacker. The FTP account – ftp://ftpbhikacomxacom –was active at the time of analysis and the FTP credentials are embedded in the file itself,” stated Singh.

Must Read: The Nastiest of all Ransomware Mamba Encrypts Entire Hard Drive

Zscaler further noted that iSpy is sold on the Dark Web in three models of subscription ranging from 1 to 6 months and annual subscriptions. The price range varies between $25, $35 and $45.

Threat Post
Related Posts