Security researchers at Zscaler warn of a new sophisticated commercial keylogger dubbed iSpy. The malware is a perfect surveillance tool, it was developed to capture victim’s keystroke and screenshots, access webcam, steal user data and license keys to popular applications.
“Zscaler ThreatLabZ recently came across a signed keylogger campaign in our cloud sandbox. In this blog, we will provide an analysis of this malicious commercial keylogger, known as iSpy. Written in .Net 2.0, iSpy is configured for keylogging, stealing passwords and screenshots, and monitoring webcams and clipboards. It is being sold on underground forums via multiple subscription packages” states the alert issued by Zscaler.
iSpy has a modular structure, buyer can choose the features it has to include, it implements also multiple features that are designed to make it hard to detect.
The keylogger sends stolen data to C&C server via FTP, SMTP, or HTTP protocols, it gains persistence on the infected host by creating an entry in “SOFTWARE\Microsoft\Windows\CurrentVersion\Run” key under HKLM or HKCU.
The iSpy keylogger implements advanced keylogger functionalities to spy on its victims avoid detection, some of the packers analyzed by Zscaler are digitally signed with invalid certificates.
The malware researchers highlighted the presence of a license stealing feature implemented by iSpy that could be used by crooks to monetize their efforts by reselling the license keys of popular applications (i.e. Microsoft Office, Adobe Photoshop) in the cyber criminal underground.
” It also contains code to steal the license keys of application software, such as Adobe Photoshop, Microsoft Office, and others. It also collects saved passwords from web browsers, email clients (such as Outlook), FTP clients (like FileZilla and CoreFTP), and games like Minecraft.” states the analysis published by Zscaler.
ISpy is currently available for sale in several crime forums, sellers are offering multiple subscription packages including scalable technical features.
A Bronze Package which offers a one-month access to the malware, instant activation, free support and free updates goes for $25. iSpy is also offered with a “small business” package that goes for $35 and includes six-month access to the malware and six months of free support and updates.
The most popular option is the Diamond Package that costs $45 for one-year access, support, and upgrades.
The version of iSpy analyzed by Zscaler has a web panel that allows attackers to monitor all the activities on the infected system.
I suggest you give a look at the report that also includes Indicators of Compromise.
(Security Affairs – iSpy keylogger, spyware)