A Greek security researcher discovered a strain of malware which is a combination of AutoIT software and a commercial Keylogger named Limitless Keylogger.
A few days ago security a database containing 5 million alleged Google login and password has been leaked online on a Russian cyber security internet forum. Google immediately started its investigation and discovered that huge archive of Gmail credentials didn’t come from the security data breaches, rather the accounts’ data had been stolen by phishing attacks and other illegal practices, including social engineering attacks and malware based attacks.
Recently it has been discovered a malware which infected hundreds of thousands of computers worldwide with the purpose to syphon users’ data. The malware based attack allowed bad actors to steal social and banking site credentials.
A Greek security researcher discovered a new strain of malware spread via spam email infecting rapidly a huge number of machines. The expert detected the malware while it was attacking his corporate honeypot and conducted technical analyses posting its results on a blog post. The malware appears as a combination of software AutoIT (Automate day-to-day tasks on computers) and a commercial Keylogger named “Limitless Keylogger”. The researchers highlighted the use of Limitless Keylogger to intercept every keystrokes users press and send them back to the attackers via email, meanwhile AutoIT was adopted in order to evade detection by Antivirus programs.
The use of Keylogger confirms the intention of attackers into users’ credentials for most popular web services, including Email accounts, Social Media accounts and Online Bank accounts.
The researcher explained that malware is sent as mail attachment with a customized icon.
“The mail attachment, contained this file. An executable with a custom icon. After a fast static analysis, it is recognised to be a WinRAR SFX executable with some dummy comments.” states the researcher.
The malicious file archive includes the following files:
AutoIT script ‘update.exe’ of 331MB
Python script to “deobfuscate” AutoIT script
oziryzkvvcpm.AWX – Settings for AutoIT script
sgym.VQA – Another Encrypted malware/Payload Binary
The researcher discovered that originally the AutoIT Script size is 331MB, but once “deobfuscate” it appears as a tiny malicious code with only 55 kb in size.
The threat actor dedicated great attention to evasion technique, he implemented several functionalities to keep hidden malware and its activities.
The Greek researcher has analyzed the network traffic produced by the malware, in particular, he sniffed SMTP data, discovering that information collected from the keylogger was sent to a specific email, “email@example.com”.
The researcher speculated that a group of Indonesian hackers is behind the spam campaign and the cyber criminals are targeting popular companies from different industries.
“Possibly some Indonesian hackers might have used the malicious software available on the Russian hacking forum sites” “and the targets are well known companies from retail industry, oil, airlines etc” said the researcher.
The researcher closes the post with an interesting observation … it seems that cyber criminals forgot their keylogger logs in public!
“If we de-base64 the traffic send by the Limitless Logger via mail, and search the pattern in google, you can find some interesting things.. “
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.