Credential stealer masquerades as security product

Security researchers have found malware that steals credentials while pretending to be anti-virus software from Kaspersky.

According to a blog post by researchers at Cybereason, the malware, dubbed Fauxpersky, spreads via infected USB drives. The keylogger was written in AutoIT or AutoHotKey, which are scripting languages used to create automated tasks in Windows.

The malware drops four files on a user's system: Explorers.exe, Spoolsvc.exe, Svhost.exe, and Taskhosts.exe. When these are executed, the malware compiles a list of drives on the machine and starts replicating itself to them, which enables it to spread to any other connected external drives.

If the keylogger is propagating to an external drive, it renames the drive to match its naming scheme.

“For example, if a machine executed the keylogger while it had an 8GB USB drive called "Pendrive" mounted, the name would be altered after the files completed replicating to match the naming scheme. The USB drive's new name would be "Pendrive 8GB (Secured by Kaspersky Internet Security 2017)",” said researchers.

The malware also creates an autorun.inf file that points to a batch script with the following content: start /d ".\System Volume Information\Kaspersky Internet Security 2017" taskhosts.exe.
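The indicators above (the four file names, the volume-label suffix, the staging folder under "System Volume Information" and the one-line batch launcher) are enough for a simple triage check of a suspect USB drive. The script below is an added example and is not from Cybereason or from the article; the indicators are taken from the text, while the function names, the constructed sample drive and the batch file name "run.bat" (the article does not name the batch script) are this example's own assumptions. It runs on a directory standing in for the drive root and reports which indicators it finds.

```python
"""Scan a removable-drive root for the Fauxpersky indicators quoted in the article.

Indicators (file names, volume-label suffix, staging path, batch command) come
from the article; the function names, the sample drive layout and the batch
file name "run.bat" are this example's own assumptions.
"""
import re
import tempfile
from pathlib import Path

DROPPED_FILES = {"explorers.exe", "spoolsvc.exe", "svhost.exe", "taskhosts.exe"}
LABEL_SUFFIX = "(Secured by Kaspersky Internet Security 2017)"
STAGING_DIR = Path("System Volume Information") / "Kaspersky Internet Security 2017"
# The one-line launcher the article quotes; case-insensitive, tolerant of extra spaces.
LAUNCHER_RE = re.compile(
    r'start\s+/d\s+"\.\\System Volume Information\\Kaspersky Internet Security 2017"'
    r"\s+taskhosts\.exe",
    re.IGNORECASE,
)


def autorun_targets(root):
    """Return key -> value pairs from autorun.inf (an INI-style file), or {} if absent."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return {}
    targets = {}
    for line in inf.read_text(errors="replace").splitlines():
        line = line.strip()
        if not line or line.startswith((";", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        targets[key.strip().lower()] = value.strip()
    return targets


def check_drive(root, volume_label=""):
    """Return a list of human-readable findings; an empty list means no indicator matched.

    volume_label is supplied by the caller (Python cannot read it portably; on
    Windows it comes from e.g. Get-Volume or wmic logicaldisk).
    """
    root = Path(root)
    findings = []

    if volume_label.strip().endswith(LABEL_SUFFIX):
        findings.append(f"volume label carries the fake product suffix: {volume_label!r}")

    staging = root / STAGING_DIR
    if staging.is_dir():
        findings.append(f"staging directory present: {STAGING_DIR}")

    # The dropper copies its four executables; look in the root and the staging directory.
    candidates = [p for d in (root, staging) if d.is_dir() for p in d.iterdir() if p.is_file()]
    dropped = sorted({p.name.lower() for p in candidates} & DROPPED_FILES)
    if dropped:
        findings.append("dropped files present: " + ", ".join(dropped))

    # autorun.inf on removable media is itself a red flag; follow what it launches.
    for key, value in autorun_targets(root).items():
        if key not in ("open", "shellexecute") and not key.startswith("shell"):
            continue
        findings.append(f"autorun.inf {key}= launches {value!r}")
        target = (root / value.split()[0].strip('"')) if value else None
        if target is not None and target.is_file() and target.suffix.lower() in (".bat", ".cmd"):
            if LAUNCHER_RE.search(target.read_text(errors="replace")):
                findings.append(f"{target.name} runs taskhosts.exe from the fake Kaspersky folder")
    return findings


def build_sample_drive(base):
    """Construct a fake drive root mimicking the article's description.

    Constructed test data with placeholder bytes, not real malware.
    """
    root = Path(base)
    staging = root / STAGING_DIR
    staging.mkdir(parents=True, exist_ok=True)
    for name in ("Explorers.exe", "Spoolsvc.exe", "Svhost.exe", "Taskhosts.exe"):
        (staging / name).write_bytes(b"MZ placeholder")
    # "run.bat" is an assumed name; the article does not give the batch file's name.
    (root / "run.bat").write_text(
        'start /d ".\\System Volume Information\\Kaspersky Internet Security 2017" taskhosts.exe\n'
    )
    (root / "autorun.inf").write_text("[autorun]\nopen=run.bat\nicon=run.bat\n")
    return root


def run_demo():
    """Scan a constructed infected drive and an empty one; return both finding lists."""
    infected = check_drive(build_sample_drive(tempfile.mkdtemp()),
                           "Pendrive 8GB (Secured by Kaspersky Internet Security 2017)")
    clean = check_drive(tempfile.mkdtemp(), "Pendrive 8GB")
    return infected, clean


if __name__ == "__main__":
    infected, clean = run_demo()
    print("\n".join(infected) or "no findings")
    assert clean == []
```

Against a real drive, pass the mount point (for example `E:\`) and the volume label to `check_drive`; on Windows the "System Volume Information" folder is access-restricted, so the staging-directory and dropped-file checks need an elevated shell to see inside it. The script only reports indicators and never executes anything it finds.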

The researchers said the malware is by no means advanced or even very stealthy.

“Its authors didn't put any effort into changing even the most trivial things, such as the AHK icon that's attached to the file. However, this malware is highly efficient at infecting USB drives and collecting data from the keylogger, exfiltrating it through Google Forms and depositing it in the attacker's inbox,” said researchers. They added that the number of infected machines is currently unknown.

The researchers have since contacted Google to report the malicious form. Google has acted to take the form down.

A spokeswoman for Kaspersky told SC Media UK that malware creators regularly disguise their programs as popular legitimate software, including antivirus programs, in order to lure users into installing malicious files. “Our data and services are safe and unaffected, and all our customers are protected from this malware,” she said.

Nicholas Griffin, Senior Cyber Security Specialist at Performanta, told SC Media UK that legacy endpoint solutions often struggle to detect malware written in uncommon scripting languages, such as AHK. 

“These types of scripting languages can be abused by various kinds of malware, such as ransomware, cryptocurrency miners, or even more advanced nation-state malware. The key to success for an attacker is in the delivery of the malware,” he said.

“For example, if an organisation uses Kaspersky and a user receives an email pretending to contain a required update to Kaspersky, then they are far more likely to be fooled into installing it. Defending against fake security software is no different to defending against any other kinds of user-targeted malware. Invest in next-generation endpoint security, such as an endpoint detection and response solution, and ensure you have strong defences at the email and web gateway level.”

Andy Norton, director of threat intelligence at Lastline, told SC Media UK that Autohotkey is a legitimate application used to automate an infinite number of tasks.

“In this case, the task that has been scripted using AHK is to spread via USB drives and collect key logging information. It is only the behaviour of this scripted task that makes it malicious. Usurping legitimate applications to perform unauthorised activity is one of the key reasons to ensure a state-of-the-art defence-in-depth security posture includes a layer of behavioural intelligence,” he said.