A recent report by CYFIRMA has revealed the emergence of a new keylogger operating via a PowerShell script, a task automation and configuration management framework from Microsoft.
A keylogger is a type of malicious software that captures every keystroke on an infected system. By recording keyboard inputs, keyloggers can gather sensitive information such as login credentials, credit card numbers, and personal communications, and are often used to steal financial data or spy on individuals and organizations.
The keylogger analyzed in CYFIRMA’s research uses Microsoft’s PowerShell script to capture keystrokes stealthily. PowerShell’s native integration with Windows, combined with its powerful scripting capabilities, makes it an attractive target for attackers seeking to execute commands without direct user interaction.
PowerShell based keylogger
The researchers note this PowerShell keylogger showcases several advanced features that enhance its stealth and effectiveness in capturing sensitive information.
This includes its command and scripting interpreter, which enables the keylogger to execute commands through PowerShell without requiring user interaction, significantly complicating detection efforts.
The keylogger also performs system discovery, gathering critical information such as user profile directories, volume details, and cryptographic settings.
Furthermore, the keylogger establishes Command-and-Control (C2) communication through both a cloud server and an Onion server on the Tor network. This dual-channel communication not only maintains anonymity for the attackers but also complicates tracing efforts back to their source. It also incorporates a screen capture feature, allowing attackers to obtain visual data from the infected system in addition to logging keystrokes.
To evade detection, the keylogger employs encoded command execution, transmitting commands using Base64 encoding. This technique obscures the commands from traditional security measures.
It also makes persistent connection attempts via a SOCKS proxy, ensuring that even if initial connection attempts fail, the keylogger will continue trying to establish communication. While the current version of the keylogger lacks a fully developed persistence mechanism, the incomplete code indicates that future updates may enhance its ability to maintain a foothold on infected systems.
Given the advanced nature of this PowerShell-based keylogger, CYFIRMA notes organizations should implement robust cybersecurity measures to defend against such threats, including:
- Enhance security policies: Organizations should enforce stringent security policies to restrict the execution of unauthorized PowerShell scripts. This may involve disabling or limiting PowerShell usage where it is unnecessary and actively monitoring for any unauthorized execution attempts.
- Invest in advanced threat detection: Implement advanced threat detection systems that leverage machine learning and behavioral analytics. These systems can more effectively detect and respond to sophisticated threats, such as keyloggers.
- Educate employees: Conduct regular training sessions to raise awareness among employees about the dangers of phishing and other social engineering techniques, which are frequently used to deploy keyloggers.
- Conduct regular system audits: Schedule frequent system audits and integrity checks to detect any unauthorized modifications, including the presence of keyloggers. These audits help ensure compliance with established security policies.
- Deploy endpoint protection: Utilize endpoint protection solutions designed to detect and block keylogger activities. These solutions should be capable of identifying threats that operate using non-interactive PowerShell processes to bolster overall security.
