Few days back, a list of 5 million combinations of Gmail addresses and passwords were leaked online. The search engine giant, Google said that Gmail credentials didn’t come from the security breaches of its system, rather the credentials had been stolen by phishing campaigns and unauthorized access to user accounts.
Just now, we come across another similar incident where cyber criminals are using a malware which has already compromised thousands of Windows users worldwide in an effort to steal their Social Media account, Online account and Banking account Credentials.
A Greek Security Researcher recently discovered a malware sample via a spam campaign (caught in a corporate honeypot), targeting large number of computers users rapidly. He investigated and posted a detailed technical analyses of the malware on his blog.
After reverse engineer the malware sample file, he found that the cybercriminals are using a combination of software AutoIT (Automate day-to-day tasks on computers) and a "commercial" Keylogger named "Limitless Keylogger" to make it FUD i.e. Fully Undetectable from static analysis.
Keylogger is a critical type of software program for cyber criminals, which records every input typed into the keyboard and easily detects passwords for users’ Email accounts, Social Media accounts and Online Bank accounts.
This malicious application captures every keystrokes users press and send them to a specified email address linked to the cyber criminal. More interestingly, the malware uses AutoIT in order to evade detection by Antivirus programs.
The malware distributed in the spam campaign comes as a WinRAR SFX executable file with a custom icon which drops 4 malicious files onto the victim’s computers with hidden and system attributes.
The Malware archive includes:
- AutoIT script ‘update.exe’ of 331MB
- Python script to “deobfuscate” AutoIT script
- oziryzkvvcpm.AWX - Settings for AutoIT script
- sgym.VQA – Another Encrypted malware/Payload Binary
Initially the obfuscated AutoIT Script is of size 331MB, because it contains lots of garbage content, but after deobfuscate process it becomes only 55kbyte in size with clean malicious code.
Researcher found lot of functions and various functionalities in the malware code those allow the malicious software to protect itself from detection.
On Further reserve engineering, he found that the malware sends the collected keystroke data to the cybercriminal via SMTP email server. So he sniffed the whole conversation of malware SMTP traffic and discovered that the keylogger was sending all keystrokes of the user, screenshots, recovery data (saved passwords from several applications/browsers) to an email ID - “firstname.lastname@example.org”.
He also extracted the hardcoded SMTP email ID username and passwords of the respective Yandex mail address from the malware source code.
Researcher told SecNews, “The detection was accomplished in the past few days and found that the malware was being Greek is targeting users (minimum numerical cases).”
“Possibly some Indonesian hackers might have used the malicious software available on the Russian hacking forum sites” they said. "and the targets are well known companies from retail industry,oil,airlines etc"
At last, the researcher also disclosed some online FTP servers using Google hacks, where the data has been uploaded by the different variants of the Limitless Logger by various hacking groups.