Delaware, USA – March 30, 2018 – Sometimes even unsophisticated, non-stealthy malware can be quite effective. Researchers from Cybereason discovered a simple keylogger disguised as Kaspersky Internet Security 2017, so they named it Fauxpersky. To build the keylogger, the attackers abused AutoHotKey, a popular application for compiling small programs that automate repetitive tasks in Windows. The method of initial infection is still unknown, but after a system is compromised, Fauxpersky spreads via USB devices. Once launched, the malware enumerates the existing drives and copies itself to each of them. If it is copied to a removable drive, the malware renames it. Fauxpersky saves the keylogged data to a Log.txt file and then transfers it to the attackers. The exfiltration method is unusual: the attackers collect the data from infected systems through Google Forms without raising suspicion from security solutions that analyze traffic, as encrypted connections to docs.google.com do not look suspicious.
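The three behaviours described above (a Log.txt keylog file, a self-copy to another drive, and HTTPS egress to docs.google.com) can be correlated per process in a SIEM. The following is an added detection example, not code from Cybereason or from the Windows Security Monitor use case; the event field names are assumptions modelled on Sysmon, and the sample events are constructed:

```python
"""Correlate constructed Sysmon-style events for Fauxpersky-like behaviour.

Each indicator on its own is common (many tools write a Log.txt, many
browsers reach docs.google.com); two or more from the same process is
what makes the combination worth an alert.
"""
import ntpath
from collections import defaultdict

# Constructed sample telemetry (not real logs). Field names are assumptions
# modelled on Sysmon process-create, file-create and network-connect events.
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 4120, "type": "process_create",
     "image": r"C:\Users\a\Kaspersky Internet Security 2017.exe"},
    {"host": "ws01", "pid": 4120, "type": "file_create", "target": r"C:\Users\a\Log.txt"},
    {"host": "ws01", "pid": 4120, "type": "file_create",
     "target": r"E:\Kaspersky Internet Security 2017.exe"},
    {"host": "ws01", "pid": 4120, "type": "network_connect", "dest_host": "docs.google.com"},
    # Benign: a build tool that also writes a Log.txt and nothing else.
    {"host": "ws02", "pid": 900, "type": "process_create", "image": r"C:\Tools\build.exe"},
    {"host": "ws02", "pid": 900, "type": "file_create", "target": r"C:\Tools\Log.txt"},
    # Benign: a browser visiting Google Docs.
    {"host": "ws03", "pid": 77, "type": "process_create", "image": r"C:\Users\b\chrome.exe"},
    {"host": "ws03", "pid": 77, "type": "network_connect", "dest_host": "docs.google.com"},
]

def _name(path):
    # ntpath parses Windows paths correctly even when run on Linux.
    return ntpath.basename(path).lower()

def _drive(path):
    return ntpath.splitdrive(path)[0].upper()

def detect_fauxpersky_like(events, threshold=2):
    """Return one alert per (host, pid) that shows >= threshold indicators."""
    images = {(e["host"], e["pid"]): e["image"]
              for e in events if e["type"] == "process_create"}
    indicators = defaultdict(set)
    for e in events:
        key = (e["host"], e["pid"])
        if e["type"] == "file_create":
            if _name(e["target"]) == "log.txt":
                indicators[key].add("keylog_file")
            img = images.get(key)
            # The process wrote a file with its own name onto a different drive.
            if img and _name(e["target"]) == _name(img) and _drive(e["target"]) != _drive(img):
                indicators[key].add("self_copy_other_drive")
        elif e["type"] == "network_connect" and e["dest_host"].lower() == "docs.google.com":
            indicators[key].add("google_forms_egress")
    return [{"host": h, "pid": p, "image": images.get((h, p)), "indicators": sorted(v)}
            for (h, p), v in sorted(indicators.items()) if len(v) >= threshold]
```

Running `detect_fauxpersky_like(SAMPLE_EVENTS)` flags only the ws01 process; the build tool and the browser each show a single indicator and stay silent.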
Leveraging social engineering can turn even simple malware into a dangerous tool of compromise. To get a transparent view of security events on Windows-based systems, you can use your SIEM with the Windows Security Monitor use case, which visualizes security events and alerts the administrator to detected deviations and suspicious activity.