“Fauxpersky” Credential Stealer Spreads via USB Drives

A recently discovered credential stealing malware is masquerading as Kaspersky Antivirus and spreading via infected USB drives, according to threat detection firm Cybereason.

Dubbed Fauxpersky, the keylogger was written in AutoIT or AutoHotKey (AHK), simple tools for writing small programs that automate tasks on Windows. AHK can be used to write code that sends keystrokes to other applications, and to create a ‘compiled’ exe containing that code.

On systems infected with Fauxpersky, the security researchers discovered four dropped files, each named similarly to Windows system files: Explorers.exe, Spoolsvc.exe, Svhost.exe, and Taskhosts.exe.

Once executed, the malware gathers a list of drives on the machine and starts replicating itself to them, which allows it to spread to any of the connected external drives.

Furthermore, the keylogger renames the external drives to match its naming scheme. Specifically, the drive’s new name would include its original name, its size, and the string “(Secured by Kaspersky Internet Security 2017)”. The malware also creates an autorun.inf file to point to a batch script.

Explorers.exe includes a function called CheckRPath() designed to check the connected drives for the aforementioned files and to create them if they are not already present on the drive. The malware sets the System and Hidden attributes on the files and also creates the necessary directories, with the Read-Only, System, and Hidden attributes.

The attackers use a fairly basic method to ensure that all the necessary files are present in the source directory (called Kaspersky Internet Security 2017) when it is copied to the new destination. A text file in the directory instructs users to disable their antivirus if execution fails and also includes a list of security tools “incompatible with Kaspersky Internet Security 2017” (Kaspersky Internet Security included).

To perform the keylogging activities, Fauxpersky (specifically, svhost.exe) monitors the currently active window using the AHK functions WinGetActiveTitle() and input(), the latter monitoring the user’s keystrokes to the window. Keystrokes are appended to Log.txt, which is saved in %APPDATA%\Kaspersky Internet Security 2017.

For persistence, the malware changes its working directory to %APPDATA% and creates the Kaspersky Internet Security 2017 folder. It also checks that all the necessary files are present in %APPDATA% and copies them there if they aren’t.

Spoolsvc.exe changes the values of registry keys to prevent the system from displaying hidden files and to hide system files (this explains why it sets the attributes of its own files to both System and Hidden). Next, it verifies if explorers.exe is running and launches it if not, thus ensuring persistent execution of the malware.

The keylogger also creates shortcuts to itself in the start menu startup directory to ensure persistence.

To exfiltrate the keylogged data, the malware uses a Google form, freeing the attackers from having to maintain an anonymized command and control server.

“This malware is by no means advanced or even very stealthy. Its authors didn’t put any effort into changing even the most trivial things, such as the AHK icon that’s attached to the file. However, this malware is highly efficient at infecting USB drives and collecting data from the keylogger, exfiltrating it through Google Forms and depositing it in the attacker’s inbox,” Cybereason concludes.
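The on-disk artifacts listed above (the four look-alike file names, the fake Kaspersky folder, Log.txt, autorun.inf and the drive-label string) are enough for a quick triage check of a USB drive root or a user's %APPDATA% directory. The Python sketch below is an added example, not code from Cybereason or SecurityWeek; the function names, the finding strings and the directory tree and volume label built in demo() are constructed for illustration.

```python
import os
import sys
import tempfile
from pathlib import Path

# Indicators named in the article; all comparisons are case-insensitive.
DROPPED = {"explorers.exe", "spoolsvc.exe", "svhost.exe", "taskhosts.exe"}
FOLDER = "kaspersky internet security 2017"
LABEL_MARKER = "(secured by kaspersky internet security 2017)"


def scan_root(root, volume_label=""):
    """Return sorted findings for one drive root or %APPDATA% directory."""
    findings = []
    if LABEL_MARKER in volume_label.lower():
        findings.append("label: " + volume_label)
    root = Path(root)
    # os.walk also returns entries carrying the Hidden/System attributes.
    for dirpath, dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        in_folder = any(part.lower() == FOLDER for part in rel.parts)
        for d in dirnames:
            if d.lower() == FOLDER:
                findings.append("folder: " + (rel / d).as_posix())
        for f in filenames:
            name = f.lower()
            if name in DROPPED:
                findings.append("dropped: " + (rel / f).as_posix())
            elif name == "log.txt" and in_folder:
                findings.append("keylog: " + (rel / f).as_posix())
            elif name == "autorun.inf" and rel == Path("."):
                findings.append("autorun: " + f)
    return sorted(findings)


def demo():
    """Scan a constructed tree that mimics an infected drive root."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        fake = base / "Kaspersky Internet Security 2017"
        fake.mkdir()
        for n in ("Explorers.exe", "Svhost.exe", "Log.txt"):
            (fake / n).write_bytes(b"")
        (base / "autorun.inf").write_text("")
        (base / "explorer.exe").write_bytes(b"")  # legitimate name: no match
        label = "DATA 8GB (Secured by Kaspersky Internet Security 2017)"
        return scan_root(base, label)


if __name__ == "__main__":
    # Usage: script.py <root directory> [volume label]
    for hit in (scan_root(*sys.argv[1:3]) if len(sys.argv) > 1 else demo()):
        print(hit)
```

The volume label is passed in by the caller because reading it is platform-specific; on Windows it can be taken from the drive's properties or the `vol` command.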

Related: Keylogger, Bitcoin Stealer Dropped via Fake Bank Transfer Emails 

Related: Kelihos Spreads via USB Drives

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
