Zscaler discovers new keylogger

Cloud security company Zscaler has written a blog to alert of a new keylogger that steals passwords and monitors private webcams.

Discovered by Zscaler's ThreatLabZ team, they had came across the signed keylogger campaign in their cloud sandbox application.

Delivered via spam, the keylogger named iSpy, infects the email with a malicious JavaScript or document as an attachment, which then downloads the keylogger payload.

The company notes that the iSpy payload is usually compressed using a custom packer. So far, the company observed packers written in Visual Basic 6.0, AutoIt, and .Net.

Depending on the configuration, it can send stolen data via three different methods: HTTP, SMTP, or FTP. FTP and SMTP credentials, directly encoded in the file, are encrypted using a custom encryption method.

Function decrypt, in the class StringCipher, is used for the decryption of credentials as well as other strings. MUTEX value from the configuration is used as the key for decryption. For the HTTP method, iSpy uses the PHP_KEY authentication to upload data to C&C server.

Zscaler warns that in spite of the increased use of specialised tools, the keylogger remains a common, and quite potentially damaging tool for any business.