A recent campaign distributing a keylogging tool called VIP Keylogger poses significant risk to organizations and individuals alike. It combines in-memory execution, steganography and process hollowing, techniques that file-scanning security products struggle to detect.
In-Memory Execution
Unlike typical malware, the VIP Keylogger payload runs entirely in memory and is never written to disk as a file of its own, which defeats tools that only scan files. The campaign was identified through samples submitted to VirusTotal: recipients were tricked into opening an email attachment disguised as a purchase order. The attachment, a RAR archive, contained a malicious executable that, once run, decoded VIP Keylogger and executed it directly in memory. Note that the dropper itself does touch disk when the archive is extracted; it is the final payload that stays memory-only.
Global Reach and Consistent Payload
The campaign's reach is extensive, with instances targeting victims worldwide. From sample to sample the attackers vary the packaging and make small changes to the execution flow, but the core payload is unchanged. This indicates a sophisticated operation that can scale quickly while pursuing a single goal: credential theft at scale.
K7 Security Labs uncovered the campaign while analysing VirusTotal submissions. The evidence suggests the payload is either in early development or sold as a configurable Malware-as-a-Service offering: features such as AntiVM and ProcessKiller were present but inactive in the analysed sample, implying customers receive only the functionality they pay for.
Data Harvesting Techniques
Once running, VIP Keylogger harvests sensitive data from the infected system. It targets a long list of Chromium-based browsers, including Chrome, Brave and Edge, as well as Firefox-based browsers, stealing cookies, saved logins, credit card numbers and browsing history. Email clients such as Outlook and Thunderbird are also targeted, with stored POP3, IMAP, SMTP and HTTP account passwords extracted. Discord account tokens and FileZilla saved server details are collected as well.
The stolen data can be exfiltrated over FTP, SMTP, Telegram, HTTP POST or Discord, depending on the build. The sample analysed used SMTP, sending the data to an attacker-controlled mail server on port 587. Because 587 is the standard mail-submission port, this traffic blends in with legitimate outgoing mail unless the originating process is taken into account.
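Detection logic a defender could run over endpoint network telemetry, as an added example that is not code from the K7 Security Labs report. It flags outbound SMTP/FTP connections from processes that are not mail or FTP clients, and connections to the Telegram and Discord API hosts from processes that are not browsers. The event records are constructed in the shape of Sysmon Event ID 3 (network connection) events; the process names in them and the allow-lists are assumptions to be tuned per environment.

```python
"""Hunt for infostealer exfiltration in endpoint network telemetry.

Added example, not code from the K7 Security Labs report: VIP Keylogger can
exfiltrate over FTP, SMTP, Telegram, HTTP POST or Discord, and the analysed
sample used SMTP on port 587. The records below are constructed in the shape
of Sysmon Event ID 3 (network connection) events; process names and the
allow-lists are assumptions to be tuned per environment.
"""
import json
import ntpath

# Mail submission/transfer and FTP control ports an infostealer may use.
EXFIL_PORTS = {25: "smtp", 465: "smtps", 587: "smtp-submission", 21: "ftp"}

# Processes expected to speak SMTP/FTP (assumed allow-list).
MAIL_OR_FTP_CLIENTS = {"outlook.exe", "thunderbird.exe", "filezilla.exe"}

# API hosts behind the Telegram and Discord exfil channels, and the browsers
# that may legitimately reach them (assumed allow-list).
CHAT_API_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Constructed sample telemetry, one JSON record per line (paths are invented).
SAMPLE_EVENTS = r"""
{"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","DestinationPort":587,"DestinationHostname":"smtp.office365.com","Initiated":true}
{"Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe","DestinationPort":587,"DestinationHostname":"mail.example.net","Initiated":true}
{"Image":"C:\\Users\\bob\\AppData\\Local\\Temp\\PO_4471.exe","DestinationPort":443,"DestinationHostname":"api.telegram.org","Initiated":true}
{"Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","DestinationPort":443,"DestinationHostname":"discord.com","Initiated":true}
{"Image":"C:\\Windows\\System32\\svchost.exe","DestinationPort":587,"DestinationHostname":"10.0.0.5","Initiated":false}
"""


def classify(event):
    """Return a reason string if the connection looks like stealer exfil, else None."""
    if not event.get("Initiated", True):
        return None  # inbound connection, not an exfil candidate
    image = ntpath.basename(event["Image"]).lower()
    port = event.get("DestinationPort")
    host = event.get("DestinationHostname", "").lower()
    if port in EXFIL_PORTS and image not in MAIL_OR_FTP_CLIENTS:
        return f"{EXFIL_PORTS[port]} (port {port}) from non-mail process {image}"
    if host in CHAT_API_HOSTS and image not in BROWSERS:
        return f"{host} contacted by non-browser process {image}"
    return None


def find_suspicious(jsonl):
    """Run classify() over newline-delimited JSON events; return [(image, reason)]."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reason = classify(event)
        if reason:
            hits.append((ntpath.basename(event["Image"]), reason))
    return hits


if __name__ == "__main__":
    for image, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"{image}: {reason}")
```

Outlook talking to port 587 and Chrome reaching discord.com are left alone; a .NET host binary sending mail on 587 and a Temp-directory executable calling the Telegram API are flagged. Tune the allow-lists to the mail clients actually deployed, and pair this with process-ancestry data where available, since a hollowed process carries a legitimate image name.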
Advanced Evasion Techniques
VIP Keylogger has been seen with two loader variants, each built to evade detection. The first is a .NET PE executable that uses steganography to hide DLLs within its resources: one DLL, Turboboost.dll, extracts another, Vertical bars.dll, which in turn carries the final payload concealed in a PNG image. That payload is launched through process hollowing: a legitimate process is started in a suspended state, its original image is unmapped and replaced with the malicious code, and the process is then resumed so the payload runs under the legitimate binary's name.
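A first-pass triage check for a PNG resource carrying a hidden executable, as an added example that is not code from the K7 report or from the malware. It parses the PNG chunk structure and looks for a PE header in the two places such payloads usually sit: appended after the IEND chunk, or inside the decompressed IDAT pixel data. The page does not document the exact encoding VIP Keylogger uses, so this is a generic check; the sample PNG and the stand-in PE header are constructed in code.

```python
"""Triage a PNG resource for a hidden Windows executable.

Added example, not code from the K7 Security Labs report or from the malware:
it checks two common ways a PE is smuggled inside an image, bytes appended
after the IEND chunk and a PE carried inside the (decompressed) pixel data.
The page does not document the exact encoding VIP Keylogger's PNG uses, so
this is a generic first-pass check, and the sample PNG is built in code.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def parse_png(data):
    """Return (chunks, end): chunks is [(type, payload)], end is the offset
    just past the IEND chunk. Raises on a malformed file."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    chunks, pos = [], len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        payload = data[pos + 8:pos + 8 + length]
        if len(payload) != length:
            raise ValueError("truncated chunk")
        chunks.append((ctype, payload))
        pos += 12 + length  # length + type + payload + CRC
        if ctype == b"IEND":
            return chunks, pos
    raise ValueError("no IEND chunk")


def looks_like_pe(buf, off):
    """True if buf[off:] starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if buf[off:off + 2] != b"MZ" or len(buf) < off + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    return buf[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00"


def scan_for_pe(buf):
    """Offsets of every MZ header in buf that is backed by a PE signature."""
    hits, i = [], buf.find(b"MZ")
    while i != -1:
        if looks_like_pe(buf, i):
            hits.append(i)
        i = buf.find(b"MZ", i + 1)
    return hits


def find_hidden_pe(png):
    """Report PE headers after IEND and inside the decompressed IDAT stream."""
    chunks, end = parse_png(png)
    trailer = png[end:]
    idat = b"".join(p for t, p in chunks if t == b"IDAT")
    try:
        pixels = zlib.decompress(idat)
    except zlib.error:
        pixels = b""  # corrupt image data is itself worth a second look
    return {
        "trailer_bytes": len(trailer),
        "trailer_pe": scan_for_pe(trailer),
        "idat_pe": scan_for_pe(pixels),
    }


# --- constructed sample data -------------------------------------------------

def fake_pe():
    """A 0x80-byte stand-in with just enough header structure to pass looks_like_pe."""
    buf = bytearray(0x80)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)  # e_lfanew -> PE signature
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png(pixels, trailer=b""):
    """8-bit greyscale PNG, one row holding `pixels`, plus optional appended bytes."""
    ihdr = struct.pack(">IIBBBBB", len(pixels), 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00" + pixels)  # filter byte 0 (None), then the row
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailer


CLEAN_PNG = build_png(b"\x10" * 64)
APPENDED_PNG = build_png(b"\x10" * 64, trailer=fake_pe())
EMBEDDED_PNG = build_png(fake_pe())

if __name__ == "__main__":
    for name, png in [("clean", CLEAN_PNG), ("appended", APPENDED_PNG), ("embedded", EMBEDDED_PNG)]:
        print(name, find_hidden_pe(png))
```

Checking the `PE\0\0` signature behind each `MZ` avoids the false positives that a bare two-byte search produces in real pixel data. Loaders that XOR or otherwise transform the payload before hiding it will defeat this check, which is why section and resource entropy is the usual companion test.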
The second variant is a conventional PE file carrying AES-encrypted bytes in its .data section. After decrypting them, the loader disables AMSI (the Antimalware Scan Interface, which lets security products scan scripts and .NET assemblies as they are loaded) and ETW (Event Tracing for Windows, the source of much runtime telemetry), so VIP Keylogger executes without being scanned or logged by tools that depend on those interfaces.
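A cheap static triage for the second variant, as an added example that is not tooling from the K7 report: walk the PE section table and compute the Shannon entropy of each section's raw bytes. AES ciphertext is close to 8 bits per byte, whereas code and ordinary initialised data sit well below that, so a .data section near 8 is a strong hint that a payload blob is stored there. The PE built at the bottom is constructed for the example; its headers are valid enough to walk but it is not a runnable program.

```python
"""Flag PE sections whose raw bytes look encrypted or packed.

Added example, not tooling from the K7 Security Labs report: the second VIP
Keylogger loader keeps an AES-encrypted blob in its .data section. Ciphertext
and compressed data have Shannon entropy close to 8 bits per byte, while code
and ordinary initialised data sit well below that, so per-section entropy is a
cheap first triage step. The PE built at the bottom is constructed for this
example: its headers are valid enough to walk, but it is not a runnable program.
"""
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(buf):
    """Bits of entropy per byte: 0.0 for an empty buffer, 8.0 for uniform bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def pe_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return [(section_name, raw_bytes)]."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(n_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, data[raw_ptr:raw_ptr + raw_size]))
    return sections


def suspicious_sections(data, threshold=7.2):
    """Sections whose entropy exceeds threshold, as [(name, entropy)]."""
    out = []
    for name, raw in pe_sections(data):
        h = shannon_entropy(raw)
        if h > threshold:
            out.append((name, round(h, 2)))
    return out


# --- constructed sample PE ---------------------------------------------------

def _pseudo_random_bytes(n, seed=b"vip-keylogger-example"):
    """Deterministic high-entropy filler (SHA-256 chain) standing in for AES ciphertext."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe(sections, align=0x200):
    """Minimal PE32 image: DOS stub, PE signature, COFF header, zeroed optional
    header, section table, then each section's raw data on a file alignment."""
    e_lfanew, opt_size = 0x40, 224
    header_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (header_len + align - 1) // align * align
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table, body, ptr = bytearray(), bytearray(), raw_ptr
    for name, raw in sections:
        padded = raw + bytes(-len(raw) % align)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"),
                             len(raw), 0x1000, len(padded), ptr, 0, 0, 0, 0, 0x40000040)
        body += padded
        ptr += len(padded)
    image = dos + b"PE\x00\x00" + coff + bytes(opt_size) + table
    image += bytes(raw_ptr - len(image))
    return bytes(image + body)


# A few x86 prologue/epilogue bytes repeated: roughly what code looks like, entropy-wise.
TEXT = (b"\x55\x8b\xec\x83\xec\x10\x8b\x45\x08\x5d\xc3\x90" * 100)[:1024]
# Stands in for the AES-encrypted payload blob.
DATA = _pseudo_random_bytes(4096)
SAMPLE_PE = build_sample_pe([(".text", TEXT), (".data", DATA)])

if __name__ == "__main__":
    for name, raw in pe_sections(SAMPLE_PE):
        print(f"{name:8s} {len(raw):6d} bytes  entropy={shannon_entropy(raw):.2f}")
    print("suspicious:", suspicious_sections(SAMPLE_PE))
```

The 7.2 threshold is a working heuristic, not a hard rule: legitimately compressed resources and signed-code overlays also score high, so treat a hit as a reason to look at what references that section (an AES key schedule, a decrypt-then-execute pattern) rather than as a verdict on its own.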
To mitigate these threats, organizations should treat email attachments from unknown senders with suspicion, especially compressed archives such as RAR or ZIP, and consider blocking or quarantining such attachments at the mail gateway. Endpoint solutions that can detect in-memory threats and process hollowing are recommended, as is monitoring for outbound SMTP, Telegram or Discord traffic from processes that have no business generating it. Keeping browsers and applications updated remains good hygiene, but the infection chain described here relies on the recipient running the attachment rather than on a software vulnerability, so patching alone does not stop it.
