'Fauxpersky' malware steals and sends passwords to an attacker's inbox

A newly-discovered keylogger malware has been found infecting computers in the wild. Though the malware is far from advanced, it's efficient at stealing passwords.

Researchers at Cybereason, a Boston, Mass.-based security firm, call the malware "Fauxpersky," as it impersonates the Russian antivirus software Kaspersky. The keylogger is built off a popular app, AutoHotKey, which lets users write small scripts for automating tasks, and compile the script into an executable file. In this case, the app was abused to build a keylogger, which spreads through USB drives and infects Windows PCs -- and replicates on the computer's listed drives.

"This malware is by no means advanced or even very stealthy," said researchers Amit Serper and Chris Black, in a detailed blog post, published Wednesday.

"However, this malware is highly efficient at infecting USB drives and exfiltrating data from the keylogger through Google directly to the attacker's mailbox," the researchers said.

That's where the malware's functionality gets interesting: Once the malware's core files are all running, everything typed on the computer is recorded into a text file with the window's name -- giving the malware author a better idea of the context to the keylogged text.

The contents of that text file is exfiltrated from the computer through a Google Form. The file is then deleted from the disk. Each form response goes directly to the malware author's email inbox.

Serper and Black reported the malicious form to Google, which took it down within an hour.

When contacted, Google -- which may have insight into who built the form -- did not comment. (If that changes, we'll update.)

The write-up described how the malware author "didn't put any effort" into making the malware look authentic, like changing the executable's icon from the AutoHotKey default, and built an unconvincing Kaspersky-style splash screen. When Fauxpersky spreads, it also sticks and maintains persistence, so that it runs when Windows is booted up. The malware simply creates a shortcut to itself in the Start menu's "startup" directory.

Cybereason didn't say how many machines were infected, but given that the malware spreads through an antiquated method of sharing USB drives, it's likely not to be widespread.

ZDNET INVESTIGATIONS

Researchers say a breathalyzer has flaws, casting doubt on countless convictions

Lawsuits threaten infosec research — just when we need it most

NSA's Ragtime program targets Americans, leaked files show

Leaked TSA documents reveal New York airport's wave of security lapses

US government pushed tech firms to hand over source code

Millions of Verizon customer records exposed in security lapse

Meet the shadowy tech brokers that deliver your data to the NSA

Inside the global terror watchlist that secretly shadows millions

198 million Americans hit by 'largest ever' voter records leak

Britain has passed the 'most extreme surveillance law ever passed in a democracy'

Microsoft says 'no known ransomware' runs on Windows 10 S — so we tried to hack it

Leaked document reveals UK plans for wider internet surveillance

• Researchers say a breathalyzer has flaws, casting doubt on countless convictions
• Lawsuits threaten infosec research — just when we need it most
• NSA's Ragtime program targets Americans, leaked files show
• Leaked TSA documents reveal New York airport's wave of security lapses
• US government pushed tech firms to hand over source code
• Millions of Verizon customer records exposed in security lapse
• Meet the shadowy tech brokers that deliver your data to the NSA
• Inside the global terror watchlist that secretly shadows millions
• 198 million Americans hit by 'largest ever' voter records leak
• Britain has passed the 'most extreme surveillance law ever passed in a democracy'
• Microsoft says 'no known ransomware' runs on Windows 10 S — so we tried to hack it
• Leaked document reveals UK plans for wider internet surveillance