
Keyloggers have always been present in attackers’ toolkits. They give attackers the power to record every keystroke from a victim’s machine and steal sensitive information.

Zscaler ThreatLabZ recently came across a signed keylogger campaign in our cloud sandbox. In this blog, we will provide an analysis of this malicious commercial keylogger, known as iSpy. Built on .Net 2.0, iSpy is configured for keylogging, stealing passwords and screenshots, and monitoring webcams and clipboards. It is being sold on underground forums via multiple subscription packages, as shown in Figure 1.

Figure 1: iSpy keylogger subscription packages

iSpy is delivered via spam email that carries a malicious JavaScript file or document as an attachment, which then downloads the keylogger payload. The main iSpy payload is usually compressed using a custom packer. So far, we have seen packers written in Visual Basic 6.0, AutoIt, and .Net. This crypter uses different digital certificates (mostly invalid certificates) and drops different malware samples, as shown in Table 1 below.

Figure 2: Certificate used by

Table 1: Different malware samples dropped by

The malware sample we analyzed was packed with a VB6 (native) custom packer. The packer uses an XOR-based method to decrypt the payload and contains obfuscated zombie code between instructions to slow down analysis.

The second layer of packing contains multiple anti-VM and anti-analysis tricks, some of which include:

- Checks for a sandbox and debugger using GetTickCount and Sleep.
- Loops until cursor movement is detected.

Figure 3 shows the installation and functionality overview of iSpy.

Figure 3: Installation workflow and functionality overview of iSpy
