A few days ago security a database containing 5 million alleged Google login and password has been leaked online on a Russian cyber security internet forum. Google immediately started its investigation and discovered that huge archive of Gmail credentials didn’t come from the security data breaches, rather the accounts’ data had been stolen by phishing attacks and other illegal practices, including social engineering attacks and malware based attacks.
Recently it has been discovered a malware which infected hundreds of thousands of computers worldwide with the purpose to syphon users’ data. The malware based attack allowed bad actors to steal social and banking site credentials.
A Greek security researcher discovered a new strain of malware spread via spam email infecting rapidly a huge number of machines. The expert detected the malware while it was attacking his corporate honeypot and conducted technical analyses posting its results on a blog post. The malware appears as a combination of software AutoIT (Automate day-to-day tasks on computers) and a commercial Keylogger named “Limitless Keylogger”. The researchers highlighted the use of Limitless Keylogger to intercept every keystrokes users press and send them back to the attackers via email, meanwhile AutoIT was adopted in order to evade detection by Antivirus programs.
The use of Keylogger confirms the intention of attackers into users’ credentials for most popular web services, including Email accounts, Social Media accounts and Online Bank accounts.
The researcher explained that malware is sent as mail attachment with a customized icon.
“The mail attachment, contained this file. An executable with a custom icon. After a fast static analysis, it is recognised to be a WinRAR SFX executable with some dummy comments.” states the researcher.
The researcher discovered that originally the AutoIT Script size is 331MB, but once “deobfuscate” it appears as a tiny malicious code with only 55 kb in size.
The threat actor dedicated great attention to evasion technique, he implemented several functionalities to keep hidden malware and its activities.
The Greek researcher has analyzed the network traffic produced by the malware, in particular, he sniffed SMTP data, discovering that information collected from the keylogger was sent to a specific email, “email@example.com”.
The researcher speculated that a group of Indonesian hackers is behind the spam campaign and the cyber criminals are targeting popular companies from different industries.
The researcher closes the post with an interesting observation … it seems that cyber criminals forgot their keylogger logs in public!
“If we de-base64 the traffic send by the Limitless Logger via mail, and search the pattern in google, you can find some interesting things.. “
(Security Affairs – AutoIT malware, cybercrime)