Wednesday, December 18, 2024

New VIPKeyLogger Delivered via Weaponized Office Documents Steals Login Credentials


The VIPKeyLogger infostealer, which shares similarities with the Snake Keylogger, is actively circulating through phishing campaigns.

Delivered as attachments disguised as archives or Microsoft 365 files, it uses malicious Microsoft Office documents to fetch its payload from command-and-control (C2) infrastructure.

It targets sensitive data, including login credentials, financial information, system information, and personally identifiable information, posing a significant threat to compromised systems.

Original email

Analysis reveals that the malicious document, which initially appears to be a file related to CVE-2017-11882, is an RTF file. Dissecting the file uncovers encoded content within the objdata section.

Extracting and analyzing this data reveals further object references, which ultimately resolve to a URL serving as the download source for a malicious executable, indicating that the RTF document acts as a delivery mechanism for the malware.

Dumped content

Removing blank lines and whitespace from an object within the “InfoStealers-wild-image-8” artifact allowed recovery of a URL, “http[:]//87[.]120.84.39/txt/xXdqUOrM1vD3An[.]exe,” which was used to download a malicious .NET compiled file.
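The extraction steps described above (locate the objdata section, strip the blank lines and whitespace, hex-decode the blob, and look for object references and a download URL) can be scripted. The following is an added example written for this article, not code from Forcepoint or from the malware analysis; it runs on a constructed toy RTF that mimics the layout of a weaponized document, with a placeholder URL on a TEST-NET address and an "Equation.3" class name (the Equation Editor component targeted by CVE-2017-11882) standing in for the real sample's contents.

```python
"""Pull hex-encoded \\objdata blobs out of an RTF and hunt for download URLs.

Added example for this article. The sample document below is constructed for
illustration and is NOT the VIPKeyLogger RTF; the URL is a TEST-NET placeholder.
"""
from __future__ import annotations

import re

# \objdata is followed by hex digits that writers (and malware authors) break
# across lines with CR/LF and spaces; the group grabs hex and whitespace and
# naturally stops at the closing brace of the RTF group.
OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9A-Fa-f\s]+)")
# URLs inside the decoded OLE data are plain ASCII runs up to a NUL or space.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def build_sample_rtf() -> bytes:
    """Constructed toy RTF (not the real sample): one embedded object whose
    \\objdata is hex-encoded OLE data carrying an Equation.3 class name and a
    download URL, split across lines with blank lines interleaved."""
    ole = (
        b"\x01\x05\x00\x00\x02\x00\x00\x00"      # OLE1-style header bytes (illustrative only)
        + b"\x0b\x00\x00\x00Equation.3\x00"       # length-prefixed class name
        + b"\x00" * 16
        + b"http://203.0.113.10/txt/payload.exe\x00"  # placeholder download URL
        + b"\x41" * 32                            # filler
    )
    hexdata = ole.hex()
    lines = [hexdata[i:i + 32] for i in range(0, len(hexdata), 32)]
    body = b"\r\n\r\n".join(line.encode() for line in lines)
    return (
        b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
        b"{\\*\\objdata " + body + b"}}\\par }"
    )


def decode_objdata(hex_blob: bytes) -> bytes:
    """Strip every whitespace character and hex-decode. An odd nibble count
    (truncated or padded blob) drops the dangling nibble instead of raising."""
    cleaned = re.sub(rb"\s+", b"", hex_blob)
    if len(cleaned) % 2:
        cleaned = cleaned[:-1]
    return bytes.fromhex(cleaned.decode("ascii"))


def analyze_rtf(rtf: bytes) -> list[dict]:
    """Return one record per \\objdata object: decoded size, URLs found in the
    decoded bytes, and whether it names the Equation Editor (CVE-2017-11882)."""
    results = []
    for match in OBJDATA_RE.finditer(rtf):
        blob = decode_objdata(match.group(1))
        results.append({
            "size": len(blob),
            "urls": [u.decode("ascii", "replace") for u in URL_RE.findall(blob)],
            "equation_editor": b"Equation" in blob,
        })
    return results


if __name__ == "__main__":
    for i, rec in enumerate(analyze_rtf(build_sample_rtf())):
        print(f"object {i}: {rec['size']} bytes, equation_editor={rec['equation_editor']}")
        for url in rec["urls"]:
            print("  download URL:", url)
```

This handles the plain hex-encoded case the article describes; real samples frequently add junk control words inside the hex run or nest object references that need a second pass, which is why rtfobj from oletools is the usual production tool. The Equation check is a coarse string match and should be treated as a hint, not a verdict.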

Further inspection with dnSpy found that this file, regardless of its actual filename, loads dynamically under the name “skkV[.]exe,” which indicates obfuscation techniques employed by the malware.

dnSpy view of the file

The malware, disguised as a seemingly harmless image file (“vmGP”), uses steganography to hide malicious code within the image data.

Upon execution, code in the MainForm() class extracts and decodes the hidden payload, then proceeds to collect sensitive information from the infected system, including system details, clipboard content, screenshots, browsing history, and cookies.

The gathered data is then exfiltrated to a Telegram bot and to randomly generated DuckDNS subdomains.

Dumped strings of PE file in memory

The keylogger, delivered via phishing emails with malicious attachments, relies on user interaction to infiltrate a system. Upon execution, it establishes persistence by dropping files in system folders.

The malware then exfiltrates sensitive data, including keystrokes, clipboard content, screenshots, browsing history, cookies, and email credentials, to a command-and-control (C2) server hosted on dynamic DuckDNS domains and via Telegram, enabling attackers to remotely monitor and control the compromised system.
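The exfiltration pattern described in the two paragraphs above (uploads to a Telegram bot plus contact with throwaway DuckDNS hosts) is something a SOC can hunt for in web-proxy logs. The following detection is an added example written for this article, not Forcepoint's or any vendor's detection logic; it runs over a few constructed proxy log lines in a simplified "timestamp source method url status" format, and the bot ID and token in them are made up. It records only the numeric bot ID, never the token, so the output can be pasted into a ticket without leaking the attacker's credential.

```python
"""Flag endpoints that post to the Telegram Bot API and also reach DuckDNS.

Added example for this article. Log format and all hosts, IDs and tokens below
are constructed; adapt LINE_RE to your proxy's actual format.
"""
from __future__ import annotations

import re

# Telegram Bot API URLs look like https://api.telegram.org/bot<id>:<token>/<method>
TELEGRAM_BOT_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
# Any DuckDNS subdomain, regardless of the randomly generated label.
DUCKDNS_RE = re.compile(r"\b[a-z0-9-]+\.duckdns\.org\b", re.I)
# Simplified proxy line: "<ts> <src-ip> <METHOD> <url> <status>" (constructed format)
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")
# Bot API methods that move data out of the host (upload-style calls).
UPLOAD_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}

# Constructed sample log: 10.0.0.15 shows the article's pattern, 10.0.0.22 is benign.
SAMPLE_LOG = """\
2024-12-18T10:01:02Z 10.0.0.15 POST https://api.telegram.org/bot123456789:AAExampleTokenNotReal/sendDocument 200
2024-12-18T10:01:05Z 10.0.0.15 GET http://qx7k3m.duckdns.org/ 200
2024-12-18T10:02:10Z 10.0.0.22 GET https://www.example.com/ 200
2024-12-18T10:03:44Z 10.0.0.15 POST https://api.telegram.org/bot123456789:AAExampleTokenNotReal/sendMessage 200
this line is malformed and is skipped
"""


def parse_line(line: str) -> dict | None:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text: str) -> dict[str, dict]:
    """Aggregate per source host: Telegram bot IDs seen, Bot API methods called,
    and DuckDNS hostnames contacted. The bot token is deliberately not stored."""
    hosts: dict[str, dict] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than abort the whole run
        h = hosts.setdefault(rec["src"], {"telegram_bots": set(), "telegram_methods": set(), "duckdns": set()})
        tm = TELEGRAM_BOT_RE.search(rec["url"])
        if tm:
            h["telegram_bots"].add(tm.group(1))      # numeric bot ID only
            h["telegram_methods"].add(tm.group(3))
        dm = DUCKDNS_RE.search(rec["url"])
        if dm:
            h["duckdns"].add(dm.group(0).lower())
    return hosts


def suspicious_hosts(hosts: dict[str, dict]) -> list[str]:
    """Hosts that both upload via a Telegram bot and talk to DuckDNS, which is
    the combination the article attributes to VIPKeyLogger."""
    flagged = []
    for src, h in hosts.items():
        if (h["telegram_methods"] & UPLOAD_METHODS) and h["duckdns"]:
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    hosts = triage(SAMPLE_LOG)
    for src in suspicious_hosts(hosts):
        h = hosts[src]
        print(f"{src}: telegram bot ids={sorted(h['telegram_bots'])} "
              f"methods={sorted(h['telegram_methods'])} duckdns={sorted(h['duckdns'])}")
```

Either signal alone is noisy: developers do call the Bot API from workstations and DuckDNS has legitimate hobbyist users. The conjunction on a single host, especially with sendDocument (file upload) rather than a read-only getUpdates, is what justifies pulling the endpoint for forensics.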

Forcepoint protects customers against this threat by blocking malicious attachments at the lure stage; suspicious URLs that attempt to download further payloads are also blocked at the redirect stage.

It identifies and blocks dropper files by adding them to its malicious database, and the platform mitigates command-and-control communication by blocking the associated credentials, hindering the attacker's ability to maintain persistent control over compromised systems.
