
Security researchers at Zscaler have come across a new variant of a commercial keylogger called iSpy. This new variant not only captures victims' keystrokes; it can also take screenshots, access their webcam, and steal user data and license keys for popular applications. We call it a commercial keylogger because it is sold under a subscription purchase model, as you can see from the image below.

[Image: iSpy subscription packages]

According to the researchers:

Zscaler ThreatLabZ recently came across a signed keylogger campaign in our cloud sandbox. In this blog, we will provide an analysis of this malicious commercial keylogger, known as iSpy. Written in .Net 2.0, iSpy is configured for keylogging, stealing passwords and screenshots, and monitoring webcams and clipboards. It is being sold on underground forums via multiple subscription packages.

How It Works

So far the keylogger has been spreading through spam emails that carry malicious JavaScript or an infected attachment. When the victim opens it, the iSpy software is downloaded and installed. It creates a startup registry key to ensure that it runs each time the computer starts; the entry is usually found under SOFTWARE\Microsoft\Windows\CurrentVersion\Run in HKLM or HKCU.
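A Run-key autostart entry is one of the easiest persistence mechanisms to audit. The following script is an added example, not code from Zscaler or from the article: it enumerates the HKLM and HKCU Run keys named above (on Windows, via the standard `winreg` module) and flags entries whose executable lives in a user-writable directory such as Temp, Roaming or Public, where legitimate software rarely registers itself. The sample entries and the directory patterns are constructed assumptions for illustration; on a non-Windows host the script audits the sample entries instead of the live registry.

```python
"""Audit Windows Run keys for autostart entries that look like commodity-malware persistence."""
import re
import sys
from typing import List, Tuple

# Directories where droppers commonly place their payload but where legitimate
# software rarely registers an autostart entry (assumed heuristics, not from the article).
SUSPICIOUS_DIR_PATTERNS = [
    r"\\appdata\\(local|roaming)\\temp\\",
    r"\\appdata\\roaming\\[^\\]+\.exe$",   # bare .exe directly under Roaming
    r"\\users\\public\\",
    r"\\programdata\\[^\\]+\.exe$",
    r"\\downloads\\",
]

# Constructed sample Run entries: (hive, value name, command line).
SAMPLE_ENTRIES: List[Tuple[str, str, str]] = [
    ("HKCU", "OneDrive", '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    ("HKLM", "SecurityHealth", "C:\\Windows\\system32\\SecurityHealthSystray.exe"),
    ("HKCU", "WindowsUpdate", '"C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"'),
    ("HKCU", "Updater", "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"),
]


def extract_path(command: str) -> str:
    """Return the executable path from a Run value, e.g. '"C:\\x\\y.exe" /arg' -> 'C:\\x\\y.exe'.

    Unquoted paths containing spaces are truncated at the first space; that is a
    known limitation of this simple splitter.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]


def is_suspicious(command: str) -> bool:
    """True when the executable path matches one of the user-writable directory patterns."""
    path = extract_path(command).lower()
    return any(re.search(pattern, path) for pattern in SUSPICIOUS_DIR_PATTERNS)


def audit_entries(entries: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the subset of (hive, name, command) entries that warrant a closer look."""
    return [(hive, name, cmd) for hive, name, cmd in entries if is_suspicious(cmd)]


def collect_run_entries() -> List[Tuple[str, str, str]]:
    """Read both Run keys from the live registry (Windows only)."""
    import winreg  # standard library, present only on Windows

    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    subkey = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    entries = []
    for label, hive in hives.items():
        try:
            with winreg.OpenKey(hive, subkey) as key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values under this key
                        break
                    entries.append((label, name, str(value)))
                    index += 1
        except OSError:  # key missing or not readable
            continue
    return entries


if __name__ == "__main__":
    entries = collect_run_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for hive, name, cmd in audit_entries(entries):
        print(f"[{hive}] {name}: {cmd}")
```

Flagged entries are leads, not verdicts: confirm by checking the file's signature and hash, and compare the entry against a known-good baseline of the host's autostart list.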

Once the iSpy keylogger is running, it sends the captured data to a C&C server over FTP, SMTP, or HTTP.
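Because the exfiltration channels named above are plain FTP and SMTP alongside HTTP, a workstation that opens FTP or mail-submission connections directly to the Internet, rather than through the organisation's mail relay, stands out in egress firewall logs. The script below is an added example, not part of the Zscaler write-up: it parses constructed firewall log lines, keeps only connections from a workstation subnet to FTP or SMTP ports, and excludes the known mail relay. The subnet, relay address and log format are assumptions chosen for the example.

```python
"""Flag workstation-to-Internet FTP/SMTP egress in firewall logs (constructed sample data)."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed environment: user workstations live here and must send mail via the relay.
WORKSTATIONS = ipaddress.ip_network("10.0.5.0/24")
MAIL_RELAYS = {ipaddress.ip_address("10.0.1.25")}

# Ports an exfiltration channel over FTP or SMTP would use.
EXFIL_PORTS = {21: "ftp", 25: "smtp", 465: "smtps", 587: "submission"}

# Assumed key=value firewall log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)

# Constructed sample log: one host talks to the relay (fine), then to an external FTP
# server twice; one host uses HTTPS; the relay itself sends mail; one host sends SMTP directly.
SAMPLE_LOG = """\
2016-10-18T10:22:31Z src=10.0.5.23 dst=10.0.1.25 dport=587 proto=tcp action=allow
2016-10-18T10:22:40Z src=10.0.5.23 dst=203.0.113.40 dport=21 proto=tcp action=allow
2016-10-18T10:23:02Z src=10.0.5.23 dst=203.0.113.40 dport=21 proto=tcp action=allow
2016-10-18T10:25:11Z src=10.0.5.41 dst=198.51.100.7 dport=443 proto=tcp action=allow
2016-10-18T10:26:00Z src=10.0.1.25 dst=198.51.100.9 dport=25 proto=tcp action=allow
2016-10-18T10:27:45Z src=10.0.5.77 dst=198.51.100.12 dport=25 proto=tcp action=allow
"""


def find_suspicious_egress(log_text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map each offending workstation to its (timestamp, destination, service) hits."""
    hits: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # malformed or unrelated line
        src = ipaddress.ip_address(match["src"])
        dst = ipaddress.ip_address(match["dst"])
        dport = int(match["dport"])
        if src not in WORKSTATIONS:
            continue  # servers and relays are expected to speak SMTP/FTP
        if dport not in EXFIL_PORTS:
            continue
        if dst in MAIL_RELAYS:
            continue  # sanctioned path for outbound mail
        hits[str(src)].append((match["ts"], str(dst), EXFIL_PORTS[dport]))
    return dict(hits)


if __name__ == "__main__":
    for host, events in find_suspicious_egress(SAMPLE_LOG).items():
        print(f"{host}: {len(events)} direct FTP/SMTP connection(s)")
        for ts, dst, service in events:
            print(f"  {ts} -> {dst} ({service})")
```

HTTP exfiltration does not show up in this check, since workstations legitimately browse; for that channel, proxy logs with POST sizes and destination reputation are the better source, and the same host-grouping approach applies.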

It also contains code to steal the license keys of application software such as Adobe Photoshop and Microsoft Office, and it collects saved passwords from web browsers, email clients (such as Outlook), FTP clients (like FileZilla and CoreFTP), and games like Minecraft.

Source: Zscaler