“Fauxpersky” Credential Stealer Spreads via USB Drives

A recently discovered credential stealing malware is masquerading as Kaspersky Antivirus and spreading via infected USB drives, according to threat detection firm Cybereason.

Dubbed Fauxpersky, the keylogger was written in AutoIT or AutoHotKey (AHK), simple scripting tools for writing small automation programs on Windows. AHK scripts can send keystrokes to other applications and can be packaged into a ‘compiled’ executable that carries the script inside it.

On systems infected with Fauxpersky, the security researchers discovered four dropped files, each named similarly to Windows system files: Explorers.exe, Spoolsvc.exe, Svhost.exe, and Taskhosts.exe.

Once executed, the malware gathers a list of drives on the machine and starts replicating itself to them, which allows it to spread to any of the connected external drives.

Furthermore, the keylogger renames the external drives to match its naming scheme. Specifically, the drive’s new name includes its original name, its size, and the string “(Secured by Kaspersky Internet Security 2017)”. The malware also creates an autorun.inf file that points to a batch script.

Explorers.exe includes a function called CheckRPath() that checks the connected drives for the aforementioned files and creates them if they are not already present on the drive. The malware sets the System and Hidden attributes on the files and also creates the necessary directories with the Read-Only, System, and Hidden attributes.

The attackers use a fairly basic method to ensure that all the necessary files are present in the source directory (called Kaspersky Internet Security 2017) when it is copied to the new destination. A text file in the directory instructs users to disable their antivirus if execution fails and also includes a list of security tools “incompatible with Kaspersky Internet Security 2017” (Kaspersky Internet Security included).

To perform the keylogging, Fauxpersky (specifically, svhost.exe) monitors the currently active window using the AHK functions WinGetActiveTitle() and input(), the latter capturing the user’s keystrokes to that window. Keystrokes are appended to Log.txt, which is saved in %APPDATA%\Kaspersky Internet Security 2017.

For persistence, the malware changes its working directory to %APPDATA% and creates the Kaspersky Internet Security 2017 folder there. It also checks that all the necessary files exist in %APPDATA% and copies them there if they don’t.

Spoolsvc.exe changes registry values so that the system does not display hidden files and hides protected system files (which explains why it sets both the System and Hidden attributes on its own files). Next, it checks whether explorers.exe is running and launches it if not, thus ensuring the malware keeps executing.

The keylogger also creates shortcuts to itself in the start menu startup directory to ensure persistence.
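As an added defender-side example (not code from the article or from Cybereason), the following Python script checks one volume root, or %APPDATA%, for the on-disk artifacts described above: an autorun.inf that launches a batch script, the four dropped file names, Hidden+System attributes on them, a Log.txt inside the lure folder, and the “(Secured by Kaspersky Internet Security 2017)” volume-label marker. It assumes the caller supplies the volume label (for example from Get-Volume on Windows), the attribute check only has effect on Windows, and the sample volume it builds is constructed for demonstration.

```python
import os
import tempfile
from pathlib import Path

# Artefacts the article attributes to Fauxpersky; matched case-insensitively, as Windows does.
DROPPED_FILES = {"explorers.exe", "spoolsvc.exe", "svhost.exe", "taskhosts.exe"}
LURE_DIR = "kaspersky internet security 2017"
LABEL_MARKER = "(secured by kaspersky internet security 2017)"
HIDDEN_AND_SYSTEM = 0x2 | 0x4  # Win32 FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

def hidden_and_system(path: Path) -> bool:
    attrs = getattr(path.stat(), "st_file_attributes", 0)  # only Windows exposes this; POSIX -> 0
    return attrs & HIDDEN_AND_SYSTEM == HIDDEN_AND_SYSTEM

def autorun_launches_batch(autorun: Path) -> bool:
    """True if an open= or shellexecute= entry in autorun.inf points at a .bat/.cmd file."""
    entries = (ln.partition("=") for ln in autorun.read_text(errors="ignore").lower().splitlines())
    return any(k.strip() in ("open", "shellexecute") and v.strip().endswith((".bat", ".cmd"))
               for k, _, v in entries)

def scan_volume(root: Path, volume_label: str = "") -> list[str]:
    """Findings for one volume root (or %APPDATA%); the caller supplies the volume label."""
    findings = []
    if LABEL_MARKER in volume_label.lower():
        findings.append("volume label carries the 'Secured by Kaspersky Internet Security 2017' marker")
    autorun = root / "autorun.inf"
    if autorun.is_file() and autorun_launches_batch(autorun):
        findings.append("autorun.inf launches a batch script")
    for dirpath, _, filenames in os.walk(root):
        here = Path(dirpath)
        if here.name.lower() == LURE_DIR and any(f.lower() == "log.txt" for f in filenames):
            findings.append(f"keystroke log candidate: {here / 'Log.txt'}")
        for name in filenames:
            if name.lower() in DROPPED_FILES:
                flag = " (Hidden+System)" if hidden_and_system(here / name) else ""
                findings.append(f"dropped file name: {here / name}{flag}")
    return findings

def build_sample_volume() -> Path:
    """Constructed mock of an infected USB root, so the scan can be demonstrated offline."""
    root = Path(tempfile.mkdtemp(prefix="fauxpersky_demo_"))
    (root / "autorun.inf").write_text("[autorun]\nopen=Kaspersky Internet Security 2017\\start.bat\n")
    lure = root / "Kaspersky Internet Security 2017"
    lure.mkdir()
    for name in ("Explorers.exe", "Svhost.exe", "Log.txt"):
        (lure / name).write_text("constructed placeholder\n")  # empty stand-ins, not real samples
    return root
```

Run scan_volume(Path("E:\\"), label) against each removable drive at mount time; any finding other than a lone dropped-file name match warrants pulling the drive for analysis.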

To exfiltrate the keylogged data, the malware uses a Google form, freeing the attackers from having to maintain an anonymized command and control server.

“This malware is by no means advanced or even very stealthy. Its authors didn’t put any effort into changing even the most trivial things, such as the AHK icon that’s attached to the file. However, this malware is highly efficient at infecting USB drives and collecting data from the keylogger, exfiltrating it through Google Forms and depositing it in the attacker’s inbox,” Cybereason concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.