Crypter autoit
Keyloggers have always been present in attackers’ toolkits. They give attackers the power to record every keystroke from a victim’s machine and steal sensitive information. Zscaler ThreatLabZ recently came across a signed keylogger campaign in our cloud sandbox. In this blog, we will provide an analysis of this malicious commercial keylogger, known as iSpy. Built on .Net 2.0, iSpy is configured for keylogging, stealing passwords and screenshots, and monitoring webcams and clipboards. It is being sold on underground forums via multiple subscription packages, as shown in Figure 1.

Figure 1: iSpy keylogger subscription packages

iSpy is delivered via spam email that carries malicious JavaScript or a document as an attachment, which then downloads the keylogger payload. The main iSpy payload is usually compressed using a custom packer. So far, we have seen packers written in Visual Basic 6.0, AutoIt, and. This crypter uses different digital certificates (mostly invalid certificates) and drops different malware samples, as shown in Table 1 below.

Figure 2: Certificate used by the crypter

Table 1: Different malware samples dropped by the crypter

![crypter autoit crypter autoit](https://i.postimg.cc/DZpckmZV/Screenshot-3.png)

The malware sample we analyzed was packed with a VB6 (native) custom packer. The packer uses an XOR-based method to decrypt the payload and contains obfuscated zombie code between instructions to slow down analysis.

CRYPTER AUTOIT CODE

Figure 3 shows the installation and functionality overview of iSpy.

Figure 3: Installation workflow and functionality overview of iSpy

The second layer of packing contains multiple anti-VM and anti-analysis tricks, some of which include:

- Checks for a sandbox and debugger using GetTickCount and Sleep.
- Loops until cursor movement is detected.
- Checks whether the screen resolution is 800 x 600 or more.

Finally, it decrypts the payload file and injects the decrypted file into another instance of the same process using the process hollowing technique, as seen below:

Figure 4: Spawns process in Suspended mode for injection

The decrypted file is a loader that contains a DLL and the final .NET payload.

![crypter autoit crypter autoit](https://raw-data.gitlab.io/post/autoit_fud/6.png)

The loader first loads the DLL file, which in turn loads the final iSpy payload (a .NET binary) using the LoadDotNetPE export function. The malware checks its configuration settings to select the folder for dropping the executable. Based on the configuration, it drops itself into one of several locations. After copying itself into the chosen location, it deletes the “Zone.Identifier” flag from the Alternate Data Stream (ADS) to suppress the security warning that is otherwise displayed every time the malware file is executed. It creates an entry under the “SOFTWARE\Microsoft\Windows\CurrentVersion\Run” key in HKLM or HKCU, based on configuration settings, to execute the malware on system startup. iSpy has many customizable features (Figure 6), including the functionality to record keystrokes, recover passwords, and retrieve serial keys from various software, then send the stolen data over SMTP, HTTP, or FTP.

![crypter autoit crypter autoit](https://raw-data.gitlab.io/post/autoit_fud/7.png)
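The two persistence tricks described above (a Run-key entry under HKLM or HKCU, and removal of the Zone.Identifier stream from the dropped file) can be audited together from a defender's side. The following PowerShell check is an added example and not code from the original post or from the malware: the helper names Get-AutostartTarget and Get-RunKeyAudit are mine, and the command-line parsing is a simple heuristic.

```powershell
# Added example, not part of the original post: audit Run-key autostart entries
# under HKLM and HKCU and report whether each target file still carries the
# Zone.Identifier alternate data stream (mark-of-the-web).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-AutostartTarget {
    # Hypothetical helper: recover the executable path from a Run-key command
    # string, handling a quoted path or else taking the first whitespace token.
    param([string]$Command)
    $c = $Command.Trim()
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

function Get-RunKeyAudit {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Skip the provider metadata properties (PSPath, PSDrive, ...).
        $names = $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            Select-Object -ExpandProperty Name
        foreach ($name in $names) {
            $cmd    = [string]$props.$name
            $target = [Environment]::ExpandEnvironmentVariables((Get-AutostartTarget $cmd))
            $exists = ($target -ne '') -and (Test-Path -LiteralPath $target -PathType Leaf)
            $motw   = $false
            if ($exists) {
                # Get-Item -Stream enumerates alternate data streams; a downloaded
                # file whose Zone.Identifier was never removed returns it here.
                $motw = [bool](Get-Item -LiteralPath $target -Stream 'Zone.Identifier' `
                                        -ErrorAction SilentlyContinue)
            }
            [PSCustomObject]@{
                Key = $key; Name = $name; Target = $target
                Exists = $exists; HasZoneIdentifier = $motw
            }
        }
    }
}

Get-RunKeyAudit | Format-Table -AutoSize
```

A missing Zone.Identifier stream is not by itself proof of compromise, since many legitimate installers strip it; the report is a triage starting point, with entries pointing into user-writable folders deserving the first look.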