A recent report by FIGURE has revealed the emergence of a new keylogger that operates through a PowerShell script, a task automation and configuration management framework from Microsoft.
A keylogger is a type of malware that captures every keystroke on an infected system. By recording keyboard inputs, keyloggers can collect sensitive information, such as login credentialscredit card numbers and personal communications, and are often used to steal financial data or spy on individuals and organizations.
The keylogger analyzed in CYFIRMA's research uses Microsoft's PowerShell script to stealthily capture keystrokes. PowerShell's native integration with Windows, combined with its powerful scripting capabilities, makes it an attractive target for attackers looking to execute commands without direct user interaction.
PowerShell based keylogger
Researchers note that this PowerShell keylogger features several advanced features that improve its stealth and effectiveness in capturing sensitive information.
This includes its command and script interpreter, which allows the keylogger to execute commands via PowerShell without requiring user interaction, significantly complicating detection efforts.
The keylogger also performs system discovery, collecting critical information such as user profile directories, volume details, and cryptographic settings.
In addition, the keylogger establishes a Command and Control (C2) communication through a cloud server and an Onion server on the Tor network. This dual-channel communication not only keeps the attackers anonymous, but also complicates efforts to trace their origin. It also incorporates a screenshot feature, which allows attackers to obtain visual data from the infected system in addition to logging keystrokes.
To avoid detection, the keylogger employs the execution of encoded commands, transmitting commands using Base64 encoding. This technique hides the commands from traditional security measures.
It also makes persistent connection attempts via SOCKS. proxyensuring that even if initial connection attempts fail, the keylogger will continue to attempt to establish communication. While the current version of the keylogger lacks a fully developed persistence mechanism, the incomplete code indicates that future updates may improve its ability to persist on infected systems.
Given the advanced nature of this PowerShell-based keylogger, CYFIRMA notes that organizations should implement robust cybersecurity measures to defend against such threats, including:
- Improve security policies: Organizations should enforce strict security policies to restrict the execution of unauthorized PowerShell scripts. This may involve disabling or limiting the use of PowerShell when not required and actively monitoring any unauthorized execution attempts.
- Invest in advanced threat detection: Implement advanced threat detection systems that leverage machine learning and behavioral analysis. These systems can more effectively detect and respond to sophisticated threats, such as keyloggers.
- Educate employees: Hold regular meetings Training sessions Educate employees about the dangers of phishing and other social engineering techniques, which are frequently used to deploy keyloggers.
- Conduct regular system audits: Schedule frequent system audits and integrity checks to detect any unauthorized modifications, including the presence of keyloggers. These audits help ensure compliance with established security policies.
- Deploy endpoint protection:Use endpoint protection solutions designed to detect and block keylogger activities. These solutions should be able to identify threats that operate through non-interactive PowerShell processes to strengthen overall security.
