iSpy, a new sophisticated commercial keylogger in the criminal underground

Pierluigi Paganini September 22, 2016

The new variant of the popular iSpy keylogger (version 3.x) was available in the criminal underground with sophisticated features.

Security researchers at Zscaler warn of a new sophisticated commercial keylogger dubbed iSpy. The malware is a perfect surveillance tool, it was developed to capture victim’s keystroke and screenshots, access webcam, steal user data and license keys to popular applications.

“Zscaler ThreatLabZ recently came across a signed keylogger campaign in our cloud sandbox. In this blog, we will provide an analysis of this malicious commercial keylogger, known as iSpy. Written in .Net 2.0, iSpy is configured for keylogging, stealing passwords and screenshots, and monitoring webcams and clipboards. It is being sold on underground forums via multiple subscription packages” states the alert issued by Zscaler.

iSpy has a modular structure, buyer can choose the features it has to include, it implements also multiple features that are designed to make it hard to detect.

The keylogger sends stolen data to C&C server via FTP, SMTP, or HTTP protocols, it gains persistence on the infected host by creating an entry in “SOFTWARE\Microsoft\Windows\CurrentVersion\Run” key under HKLM or HKCU.

The attack chain starts with spam email that has malicious JavaScript or Document as an attachment. When victims open the document iSpy is downloaded to the infected machine.

“iSpy is delivered via spam email that has malicious JavaScript or Document as an attachment, which then downloads the keylogger payload.” continues the analysis. “The main iSpy payload is usually compressed using a custom packer. So far, we have seen packers written in Visual Basic 6.0, AutoIt, and .Net. We have also seen a campaign of signed .NET crypter where iSpy was served. This crypter uses different digital certificates (mostly invalid certificates) and drops different malware samples”

The iSpy keylogger implements advanced keylogger functionalities to spy on its victims avoid detection, some of the packers analyzed by Zscaler are digitally signed with invalid certificates.

The malware researchers highlighted the presence of a license stealing feature implemented by iSpy that could be used by crooks to monetize their efforts by reselling the license keys of popular applications (i.e. Microsoft Office, Adobe Photoshop) in the cyber criminal underground.

” It also contains code to steal the license keys of application software, such as Adobe Photoshop, Microsoft Office, and others. It also collects saved passwords from web browsers, email clients (such as Outlook), FTP clients (like FileZilla and CoreFTP), and games like Minecraft.” states the analysis published by Zscaler.

ISpy is currently available for sale in several crime forums, sellers are offering multiple subscription packages including scalable technical features.

A Bronze Package which offers a one-month access to the malware, instant activation, free support and free updates goes for $25. iSpy is also offered with a “small business” package that goes for $35 and includes six-month access to the malware and six months of free support and updates.

The most popular option is the Diamond Package that costs $45 for one-year access, support, and upgrades.

ispy-packages

The version of iSpy analyzed by Zscaler has a web panel that allows attackers to monitor all the activities on the infected system.

ispy-web-panel-demo

I suggest you give a look at the report that also includes Indicators of Compromise.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  iSpy keylogger, spyware)



you might also like

leave a comment