Cybereason finds new malware, Fauxpersky, that disguises itself as Kaspersky anti-virus software
Cybersecurity company Cybereason wrote on Wednesday that it has discovered a new keylogger. Although technically the malware is far from advanced, it has proven highly effective at stealing passwords. Cybereason named it “Fauxpersky” because it disguises itself as the well-known Russian anti-virus product Kaspersky.
According to a Cybereason researcher, Fauxpersky is built with the popular application AutoHotKey (AHK). AHK lets users write small scripts that automate keyboard and mouse actions on Windows, build simple graphical user interfaces (GUIs), and compile those scripts into stand-alone executable files.
Fauxpersky’s developers used it to build a keylogger. The keylogger spreads via USB drives to infect Windows computers, and it copies itself onto any removable drive (such as a USB flash drive) that is later connected to an infected machine.
Specifically, after its first execution Fauxpersky scans every removable drive attached to the computer, renames each one, and copies its files onto it so that the drive carries the infection onward.
For example, when an 8GB USB drive named “Pendrive” is connected to an infected computer, Fauxpersky renames it “Pendrive 8GB (Secured by Kaspersky Internet Security 2017)”, a label chosen to read like a reassuring notice from a security product.
The researchers found a total of six files in a directory named “Kaspersky Internet Security 2017”. Four are executables, each named to look like a legitimate Windows system process with a single letter added or removed: Explorers.exe, Spoolsvc.exe, Svhost.exe, and Taskhosts.exe (mimicking explorer.exe, spoolsv.exe, svchost.exe, and taskhost.exe).
The other two are an image file named “Logo.png” (used to fake a Kaspersky Anti-Virus splash screen) and a text file named “Readme.txt”.
The four executables are Fauxpersky’s core components, each with its own role: Explorers.exe handles propagation to USB drives; Svhost.exe records keystrokes and writes them to a file (Log.txt); Taskhosts.exe establishes persistence; and Spoolsvc.exe performs the final data upload.
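The host-side indicators described above (the renamed drive label, the four lookalike process names, and the six-file bundle in a “Kaspersky Internet Security 2017” directory) are easy to hunt for. The following is an added example, not code from Cybereason’s report: it flags executables whose names are one edit away from a legitimate Windows process name, recognises the dropped bundle by directory name and contents, and checks a volume label for the appended “Secured by Kaspersky Internet Security 2017” suffix. The sample file listing and the AppData path in it are constructed for the demo; the article does not say where the directory is dropped.

```python
"""Host-side hunt for the Fauxpersky indicators described in the article.

Added example, not code from Cybereason's report. The sample listing at the
bottom is constructed; the AppData path is a guess, since the article only
names the directory.
"""
import ntpath
import os
import re

# Legitimate Windows process names the four Fauxpersky binaries imitate,
# plus a few other core processes worth protecting from lookalikes.
LEGIT_PROCESSES = {
    "explorer.exe", "spoolsv.exe", "svchost.exe", "taskhost.exe",
    "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe",
}

# The six files the article says make up the dropped bundle (compared case-insensitively).
FAUXPERSKY_BUNDLE = {
    "explorers.exe", "spoolsvc.exe", "svhost.exe", "taskhosts.exe",
    "logo.png", "readme.txt",
}
BUNDLE_DIR = "kaspersky internet security 2017"

# Suffix appended to removable-drive labels, e.g.
# "Pendrive 8GB (Secured by Kaspersky Internet Security 2017)"
LABEL_PATTERN = re.compile(r"\(Secured by Kaspersky Internet Security 2017\)\s*$", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a single-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalikes(names, legit=LEGIT_PROCESSES, max_dist=1):
    """Return (file_name, imitated_process) pairs for names within max_dist
    edits of a legitimate process name that are not exactly that name."""
    hits = []
    for name in names:
        low = name.lower()
        if low in legit:
            continue
        for real in sorted(legit):
            if edit_distance(low, real) <= max_dist:
                hits.append((name, real))
                break
    return hits


def is_fauxpersky_bundle(dirname: str, names) -> bool:
    """True when the directory name and contents match the article's description
    of the dropped files; extra files such as Log.txt are allowed."""
    return (ntpath.basename(dirname).lower() == BUNDLE_DIR
            and FAUXPERSKY_BUNDLE <= {n.lower() for n in names})


def is_fauxpersky_label(volume_label: str) -> bool:
    """True for a removable-drive label renamed the way the article describes."""
    return bool(LABEL_PATTERN.search(volume_label))


def scan_tree(root: str):
    """Walk a real directory tree; return (bundle_dirs, lookalike_hits)."""
    bundles, hits = [], []
    for dirpath, _dirs, files in os.walk(root):
        if is_fauxpersky_bundle(dirpath, files):
            bundles.append(dirpath)
        hits.extend((os.path.join(dirpath, n), real) for n, real in lookalikes(files))
    return bundles, hits


# Constructed sample listing (not real data): the dropped bundle with a Log.txt
# of captured keystrokes beside it, and a clean System32 for contrast.
SAMPLE_LISTING = {
    r"C:\Users\victim\AppData\Roaming\Kaspersky Internet Security 2017": [
        "Explorers.exe", "Spoolsvc.exe", "Svhost.exe", "Taskhosts.exe",
        "Logo.png", "Readme.txt", "Log.txt",
    ],
    r"C:\Windows\System32": ["svchost.exe", "explorer.exe", "spoolsv.exe"],
}

if __name__ == "__main__":
    for d, files in SAMPLE_LISTING.items():
        print(d, "| bundle:", is_fauxpersky_bundle(d, files), "| lookalikes:", lookalikes(files))
    print(is_fauxpersky_label("Pendrive 8GB (Secured by Kaspersky Internet Security 2017)"))
```

The edit-distance check is the part worth keeping beyond this one family: a legitimate process name with one letter added or dropped is a common disguise, and comparing against an allowlist of core process names catches it regardless of which letter the author chose. Expect some benign hits from unrelated software, so review rather than auto-quarantine.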
Everything recorded in Log.txt is eventually submitted via Google Forms to the attacker’s inbox. This is simple but effective: the attacker needs no command-and-control (C&C) server of their own. In addition, because a Google Forms submission is an HTTPS POST to Google’s own servers, the exfiltrated data is encrypted in transit and blends in with ordinary Google traffic, so Fauxpersky’s uploads do not stand out to most network monitoring solutions.
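Because the upload is TLS to docs.google.com, a network sensor sees little more than a connection to Google; what gives the exfiltration away is which process opened it. The following is an added example, not code from Cybereason’s report: it takes endpoint network-connection events in the shape Sysmon Event ID 3 or an EDR produces (process image, destination host, destination port) and flags connections to docs.google.com from any process that is not a browser. The JSON event lines, timestamps and file paths are constructed for the demo.

```python
"""Endpoint hunt for Google Forms exfiltration by a non-browser process.

Added example, not code from Cybereason's report. Google Forms submissions are
HTTPS POSTs to docs.google.com, so the host alone is not suspicious; the
process that opens the connection is. Sample events below are constructed.
"""
import json
import ntpath
from collections import Counter

# Processes that are expected to talk to docs.google.com on an ordinary workstation.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe"}
# Host that receives Google Forms submissions.
FORMS_HOSTS = {"docs.google.com"}


def parse_events(text: str):
    """Parse one JSON object per non-empty line (Sysmon/EDR export style)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def suspicious_forms_uploads(events, browsers=BROWSERS):
    """Return events in which a non-browser process connects to a Google Forms host."""
    hits = []
    for ev in events:
        image = ntpath.basename(ev.get("Image", "")).lower()
        host = ev.get("DestinationHostname", "").lower()
        if host in FORMS_HOSTS and ev.get("DestinationPort") == 443 and image not in browsers:
            hits.append(ev)
    return hits


def uploads_per_process(hits):
    """Count flagged connections per process name; a keylogger uploads repeatedly."""
    return Counter(ntpath.basename(ev["Image"]).lower() for ev in hits)


# Constructed sample telemetry (not real data). The Spoolsvc.exe path is a guess;
# the article names only the "Kaspersky Internet Security 2017" directory.
SAMPLE_EVENTS = r"""
{"UtcTime":"2018-01-01 09:00:01","Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","DestinationHostname":"docs.google.com","DestinationPort":443}
{"UtcTime":"2018-01-01 09:05:12","Image":"C:\\Users\\victim\\AppData\\Roaming\\Kaspersky Internet Security 2017\\Spoolsvc.exe","DestinationHostname":"docs.google.com","DestinationPort":443}
{"UtcTime":"2018-01-01 09:07:40","Image":"C:\\Windows\\System32\\svchost.exe","DestinationHostname":"ctldl.windowsupdate.com","DestinationPort":80}
{"UtcTime":"2018-01-01 09:35:12","Image":"C:\\Users\\victim\\AppData\\Roaming\\Kaspersky Internet Security 2017\\Spoolsvc.exe","DestinationHostname":"docs.google.com","DestinationPort":443}
{"UtcTime":"2018-01-01 09:41:03","Image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","DestinationHostname":"docs.google.com","DestinationPort":443}
"""

if __name__ == "__main__":
    flagged = suspicious_forms_uploads(parse_events(SAMPLE_EVENTS))
    for ev in flagged:
        print(ev["UtcTime"], ev["Image"], "->", ev["DestinationHostname"])
    print(uploads_per_process(flagged))
```

A web proxy without TLS interception still sees the destination host (from the CONNECT request or the TLS SNI) but not the form ID or the POST body, and it cannot tell which process sent the request; that is why this check belongs in endpoint telemetry. The same query will also surface legitimate non-browser clients of docs.google.com, such as a Google Drive sync client, which should be added to the allowlist rather than have the rule disabled.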
Cybereason’s article does not say how many computers have been infected, but since Fauxpersky spreads only by the old-fashioned route of shared USB drives, it is unlikely to be widespread.