SANS ISC: Internet Storm Center

Simple PowerShell Keyloggers are Back

Published: 2019-02-21
Last Updated: 2019-02-21 07:39:33 UTC
by Xavier Mertens (Version: 1)

PowerShell is a very nice language in Windows environments. With only a few lines of code, we can implement nice features… for the good or the bad!

While hunting, I found a bunch of malicious PowerShell scripts that implement a basic (but efficient) keylogger. The base script is always the same, but the connection details are modified by the script kiddies who reuse it. The current script is based on an old one from 2015[1]. This time, it has been modified to add the following features:

  • You can specify for how long the script will capture keystrokes.
  • At the end of the defined time period, the file with the recorded keystrokes is exfiltrated via email to the attacker.

Here are the parameters at the beginning of the script:

# Edit only this section!
$TimeToRun = 2
$From = "xxxxxx@gmail.com"
$Pass = "xxxxxxxx"
$To = "xxxxxx@gmail.com"
$Subject = "Keylogger Results"
$body = "Keylogger Results"
$SMTPServer = "smtp.gmail.com"
$SMTPPort = "587"
$credentials = new-object Management.Automation.PSCredential $From, ($Pass | ConvertTo-SecureString -AsPlainText -Force)
############################

The script is very basic, not obfuscated, and detected by only one AV on VT[2]! I don't think that such scripts are a major threat; they are mostly used by script kiddies (I already collected some credentials!), but they remain an effective way to spy on people.
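As an added example (not part of the diary and not taken from the malicious script), here is a small Python triage routine that flags this family's tell-tale parameter block in PowerShell content, such as a script file or the ScriptBlockText of a Microsoft-Windows-PowerShell/Operational Event ID 4104 record. The two sample scripts are constructed, and the indicator names and the flagging threshold are my own choices.

```python
import re

# Constructed sample: the diary's parameter block with placeholder values,
# as it would appear in a script file or in a 4104 script block log.
SAMPLE_KEYLOGGER = r'''
$TimeToRun = 2
$From = "someone@gmail.com"
$Pass = "PLACEHOLDER_PASSWORD"
$To = "someone@gmail.com"
$Subject = "Keylogger Results"
$SMTPServer = "smtp.gmail.com"
$SMTPPort = "587"
$credentials = new-object Management.Automation.PSCredential $From, ($Pass | ConvertTo-SecureString -AsPlainText -Force)
'''

# Constructed benign admin script that must not be flagged.
SAMPLE_BENIGN = r'''
Get-ChildItem C:\Logs -Filter *.log | Where-Object { $_.Length -gt 10MB } | Remove-Item
'''

# Indicators derived from the parameter block shown in the diary (names are mine).
INDICATORS = {
    # PSCredential built from a plaintext string: mailbox credentials hard-coded in the script.
    "plaintext_credential": re.compile(r"ConvertTo-SecureString\s+-AsPlainText\s+-Force", re.I),
    "pscredential_literal": re.compile(r"PSCredential\s+\$\w+\s*,", re.I),
    # Outbound mail to a public webmail submission port: the exfiltration channel.
    "webmail_smtp": re.compile(r"smtp\.gmail\.com", re.I),
    "submission_port": re.compile(r"\$SMTPPort\s*=\s*[\"']?587", re.I),
    # Strings specific to this script family.
    "keylogger_string": re.compile(r"keylogger", re.I),
    "timed_run": re.compile(r"\$TimeToRun\s*=\s*\d+", re.I),
}

def match_indicators(script_text):
    """Return the sorted names of every indicator present in the PowerShell text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(script_text))

def is_suspicious(script_text):
    """Flag when hard-coded credentials and an SMTP channel co-occur (credentials
    embedded for exfiltration), or when most family-specific indicators are present."""
    hits = set(match_indicators(script_text))
    creds_plus_exfil = "plaintext_credential" in hits and "webmail_smtp" in hits
    return creds_plus_exfil or len(hits) >= 4

if __name__ == "__main__":
    for label, text in (("keylogger", SAMPLE_KEYLOGGER), ("benign", SAMPLE_BENIGN)):
        print(label, is_suspicious(text), match_indicators(text))
```

The webmail and port patterns only cover what the diary shows; extend INDICATORS with other providers or ports seen in your own telemetry.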

[1] https://gist.github.com/dasgoll/7ca1c059dd3b3fbc7277
[2] https://www.virustotal.com/#/file/52a2e804026792d99eaf9538fbc0b020c7f323b3d90f196bbebf83840e3322e6/detection

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
