SPY KEYLOGGER RECORDS SKYPE CHATS, STEALS PASSWORDS STORED IN THE BROWSER AND TAKES PICTURES THROUGH THE DEVICE WEBCAM.
A keylogger dubbed iSpy is being watched closely by researchers, primarily because it is in high demand on the Dark Web. Reportedly, the keylogger is being sold for as little as $25 to $35.
The reason this keylogger is in such demand is that it is quite powerful software: it captures keystrokes, steals passwords stored in web browsers and records of Skype conversations, takes pictures via the webcam, and harvests the license keys of software such as Microsoft Office and Adobe Photoshop.
iSpy comprises a loader responsible for delivering an encrypted, compressed payload built with .NET, AutoIT and Visual Basic 6.0. The payload has six components, each with a distinct feature: clipboard monitoring, RuneScape (MMO game) PIN logging, keylogging, webcam logging, screen capturing and, of course, accessing and stealing passwords.
According to Zscaler ThreatLabZ analyst Atinderpal Singh, the company came across a new and improved version of this keylogger in the past 24 hours. This new version has some other added features, including erasing the Skype chat recorder. The keylogger uses various techniques to deceive users: for example, it removes the “Zone.Identifier” flag kept in the file's Alternate Data Stream (ADS) on the host computer, which deactivates the security warning that pops up whenever the malware file is run.
Additionally, the keylogger can disable antivirus software. It does this by creating a sub-key named after the antivirus program under the registry key ‘Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\’.
It then sets “rundll32.exe” as the “Debugger” value in that key, so Windows launches rundll32.exe in place of the antivirus executable whenever that program is started. The data iSpy collects locally is sent to its command and control servers over FTP, HTTP and/or SMTP. Before transferring the data, the malware applies its own custom encryption.
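One way a responder can hunt for this Image File Execution Options (IFEO) trick offline, as an added example that is not from the article or from Zscaler's report: the script parses a `reg export` of the IFEO key taken from a suspect host and flags every sub-key that carries a "Debugger" value, treating rundll32.exe as the high-confidence indicator the article describes. The sample export and its sub-key names are constructed placeholders.

```python
import re

# Constructed sample of `reg export` output for the IFEO key from a suspect
# host. Sub-key names are placeholders, not real product names.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example_av.exe]
"Debugger"="rundll32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\legacy_app.exe]
"DisableExceptionChainValidation"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devtool.exe]
"Debugger"="\"C:\\Program Files\\Debugger\\dbg.exe\" -p"
'''

IFEO_PATH = "\\Image File Execution Options\\"
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def parse_reg_export(text):
    """Return {subkey_name: {value_name: raw_data}} for IFEO sub-keys only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            idx = key.find(IFEO_PATH)
            # Only keys *below* the IFEO key name a program; the parent is skipped.
            current = key[idx + len(IFEO_PATH):] if idx != -1 else None
            if current:
                keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current:
            keys[current][m.group("name")] = m.group("data")
    return keys

def unquote_reg_string(data):
    """Strip surrounding quotes and .reg backslash escaping from a REG_SZ value."""
    if data.startswith('"') and data.endswith('"'):
        data = data[1:-1]
    return re.sub(r"\\(.)", r"\1", data)

def find_ifeo_hijacks(text):
    """List (program, debugger, severity) for every sub-key with a Debugger value."""
    findings = []
    for exe, values in parse_reg_export(text).items():
        if "Debugger" in values:
            debugger = unquote_reg_string(values["Debugger"])
            severity = "high" if "rundll32" in debugger.lower() else "review"
            findings.append((exe, debugger, severity))
    return findings

if __name__ == "__main__":
    for exe, debugger, severity in find_ifeo_hijacks(SAMPLE_REG_EXPORT):
        print(f"[{severity}] {exe} -> Debugger = {debugger}")
```

Any Debugger entry under IFEO deserves review, since legitimate uses are rare outside developer machines; a Debugger pointing at rundll32.exe or another system utility for a security product's executable is the pattern described above.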
“The current sample… uses FTP for sending the stolen data to the attacker. The FTP account – ftp://ftp[.]bhika[.]comxa[.]com – was active at the time of analysis and the FTP credentials are embedded in the file itself,” stated Singh.