Researchers are monitoring sales and infection rates of a new keylogger, iSpy, being sold on the dark web for $25 to $45 depending on subscription length.
Along with capturing keystrokes, iSpy grabs passwords stored in web browsers, records Skype chats, takes webcam screenshots and steals the license keys of software such as Adobe Photoshop and Microsoft Office.
According to Zscaler ThreatLabZ, the malware is delivered via malicious JavaScript or document attachments in spam campaigns. What makes iSpy unusual among keyloggers, says ThreatLabZ, is that versions of it are digitally signed, albeit with expired certificates, in an attempt to appear legitimate when security software first scans the file.
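A signature on a sample is only a trust signal if it verifies and the certificate was valid when the signature was made; an expired certificate with no countersignature timestamp proves nothing about when the file was signed. The following PowerShell triage check is an added example and not code from the Zscaler analysis; the sample path is an assumption.

```powershell
# Added example (not from the Zscaler analysis): decide whether a sample's Authenticode
# signature is worth anything, catching the expired-certificate case described above.
function Test-SampleSignature {
    param([Parameter(Mandatory)][string]$Path)   # assumed: path to the file under analysis

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $now  = Get-Date

    $result = [pscustomobject]@{
        File          = $Path
        Status        = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        StatusMessage = $sig.StatusMessage
        Signer        = if ($cert) { $cert.Subject } else { $null }
        Issuer        = if ($cert) { $cert.Issuer }  else { $null }
        NotBefore     = if ($cert) { $cert.NotBefore } else { $null }
        NotAfter      = if ($cert) { $cert.NotAfter }  else { $null }
        Expired       = if ($cert) { $cert.NotAfter -lt $now } else { $null }
        # A countersignature timestamp lets an expired certificate still vouch for the signing time
        Timestamped   = [bool]$sig.TimeStamperCertificate
    }

    # Triage verdict: anything other than a verifying, in-date-or-timestamped signature is
    # treated as unsigned so that a "signed" file gets no benefit of the doubt.
    $verdict = if ($sig.Status -ne 'Valid') {
        "Signature does not verify ($($sig.Status)); treat as unsigned."
    } elseif ($result.Expired -and -not $result.Timestamped) {
        "Signing certificate expired $($cert.NotAfter) and signature is not timestamped; treat as unsigned."
    } else {
        "Signature verifies; still confirm the signer identity matches the expected vendor."
    }
    $result | Add-Member -NotePropertyName Verdict -NotePropertyValue $verdict -PassThru
}

# Usage (assumed path):
Test-SampleSignature -Path 'C:\samples\ispy_sample.exe' | Format-List
```

The explicit `NotAfter` comparison is deliberate: the verdict should not depend on how a particular Windows build maps an expired chain onto the `Status` enumeration, and the same logic can be run against a directory of samples by piping paths into the function.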
iSpy consists of a loader that delivers an encrypted payload compressed with packers written in .NET, Visual Basic 6.0 and AutoIt. The payload contains six components: clipboard monitoring, webcam logging, keylogging, RuneScape PIN logging (RuneScape is an MMO game), screen capturing and password stealing.
Zscaler ThreatLabZ says that in the past 24 hours it has come across an updated version of iSpy with several new features, such as a “Skype chat recorder.”
iSpy also employs a number of evasion techniques. One is deleting the “‘Zone.Identifier’ flag from Alternate Data Stream (ADS) to disable the security warning message that is displayed every time the malware file is executed,” wrote Atinderpal Singh in the Zscaler ThreatLabZ analysis of the malware posted online this week. The Zone.Identifier stream is the Mark-of-the-Web that Windows attaches to files downloaded from the Internet; removing it suppresses the “Open File - Security Warning” prompt and other download-origin checks.
In addition to muting that warning, iSpy includes a feature designed to disable antivirus programs. According to ThreatLabZ, it does this by creating a “sub-key of the program name under registry key, ‘Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\’ and then setting “rundll32.exe” as the value of “Debugger” under that key.” The Debugger value is honoured by the Windows loader: whenever the named program is started, Windows launches the listed “debugger” with the program’s path as an argument instead of the program itself, so the antivirus executable never actually runs.
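Both of the host artefacts described above (an IFEO Debugger value pointing at rundll32.exe, and recently written executables with their Zone.Identifier stream stripped) can be hunted for from PowerShell. The script below is an added example, not code from the Zscaler analysis; the directories searched and the seven-day window are assumptions.

```powershell
# Added example (not from the Zscaler analysis): hunt for iSpy-style IFEO hijacks and
# Mark-of-the-Web removal on a Windows host. Run from an elevated PowerShell session.

# 1. IFEO "Debugger" hijacks. Legitimate debuggers (e.g. vsjitdebugger.exe) register here
#    too, so each hit should be reviewed before anything is removed.
function Get-IfeoDebuggerHijack {
    $bases = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    foreach ($base in $bases) {
        if (-not (Test-Path -Path $base)) { continue }
        foreach ($key in Get-ChildItem -Path $base) {
            $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                [pscustomobject]@{
                    Program  = $key.PSChildName
                    Debugger = $dbg
                    Key      = $key.PSPath
                    # rundll32.exe as a "debugger" is the exact pattern from the iSpy report
                    Suspect  = $dbg -match '(?i)rundll32'
                }
            }
        }
    }
}

# 2. Recently written executables in user-writable locations that carry no Zone.Identifier
#    stream. Files dropped by malware never had one, and files downloaded by a browser should
#    have one, so the absence is a lead rather than a verdict (assumed paths and window).
function Get-RecentFileWithoutMotw {
    param([int]$Days = 7)
    $dirs = @("$env:USERPROFILE\Downloads", $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA)
    Get-ChildItem -Path $dirs -Include *.exe, *.scr, *.js, *.vbs -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        ForEach-Object {
            $motw = Get-Item -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            if (-not $motw) {
                [pscustomobject]@{ File = $_.FullName; Written = $_.LastWriteTime }
            }
        }
}

Get-IfeoDebuggerHijack    | Format-Table -AutoSize
Get-RecentFileWithoutMotw | Format-Table -AutoSize

# Remediation for a confirmed hijack (uncomment after review):
# Get-IfeoDebuggerHijack | Where-Object Suspect | ForEach-Object {
#     Remove-ItemProperty -Path $_.Key -Name Debugger
# }
```

The IFEO check is the higher-signal one: outside of developer machines there is rarely a reason for any Debugger value to exist, let alone one naming rundll32.exe, whereas the Mark-of-the-Web check will also surface files copied in by tools that do not propagate the stream.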
Data collected by iSpy is exfiltrated to command-and-control servers over SMTP, HTTP or FTP, after being encrypted with the malware's own custom scheme. “The current sample… uses FTP for sending the stolen data to attacker. The FTP account – ftp://ftp[.]bhika[.]comxa[.]com –was active at the time of analysis and the FTP credentials are embedded in the file itself,” Singh wrote.
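Two of the three exfiltration channels named above, raw FTP and raw SMTP, are ones an ordinary workstation almost never needs to originate, so they can be blocked outright at the endpoint firewall while HTTP is left to proxy and firewall logging. The rules below are an added example, not configuration from the Zscaler analysis; the rule names and log settings are assumptions.

```powershell
# Added example (not from the Zscaler analysis): close the FTP and SMTP exfiltration channels
# at the Windows Firewall and turn on logging of blocked connections. Run elevated.

$rules = @(
    @{ DisplayName = 'Block outbound FTP (keylogger exfil channel)';  RemotePort = 21 },
    @{ DisplayName = 'Block outbound SMTP (keylogger exfil channel)'; RemotePort = 25 }
)
foreach ($r in $rules) {
    # Idempotent: only create the rule if it does not already exist
    if (-not (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.DisplayName -Direction Outbound -Protocol TCP `
            -RemotePort $r.RemotePort -Action Block -Profile Any -Enabled True | Out-Null
    }
}

# HTTP cannot simply be blocked, so log dropped connections for all profiles and review
# that log (together with proxy logs) for POSTs from unexpected processes.
Set-NetFirewallProfile -All -LogBlocked True `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767

Get-NetFirewallRule -DisplayName 'Block outbound *' |
    Select-Object DisplayName, Direction, Action, Enabled | Format-Table -AutoSize
```

Mail clients normally submit over TLS on 587 or 465, or over HTTPS, not raw port 25, so the SMTP rule rarely breaks anything. Note that in Windows Firewall block rules take precedence over allow rules, so a host that genuinely needs port 25 to an internal relay must be handled by scoping the block rule with `-RemoteAddress`, not by adding an allow rule on top of it.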
The keylogging component itself is limited to sending timestamped logs of keys pressed to the attacker.
According to Zscaler, iSpy is being sold on the dark web in three subscription tiers: one month for $25, six months for $35 and one year for $45.
“Overall, we are seeing a rise in malicious activity involving commercial keyloggers, which makes it very easy for a naive user with malicious intent to conduct successful attacks,” said Deepen Desai, director of security research at Zscaler.