VIPKeyLogger, similar to the Snake Keylogger, spreads through phishing campaigns via attachments disguised as archive or Microsoft 365 files. It uses malicious Office documents to connect to C2 servers and targets sensitive data like login credentials, financial details, and personal information, posing a major threat to affected systems.
The analysis shows that the malicious document, disguised as a file related to CVE-2017-11882, is an RTF file. Examining it reveals encoded content in the objdata section.
Further analysis uncovers object references pointing to a URL, which serves as the source for downloading a malicious executable, confirming the RTF file as a malware delivery mechanism.
By removing blank lines and whitespaces from an object in the ‘InfoStealers-wild-image-8’ artifact, a URL was recovered: ‘http[:]//87[.]120.84.39/txt/xXdqUOrM1vD3An[.]exe,’ used to download a malicious .NET file. Further analysis with DnSpy revealed that the file, regardless of its name, loads as ‘skkV[.]exe,’ suggesting the use of obfuscation techniques by the malware.
This malware, disguised as a harmless image file (‘vmGP’), uses steganography to hide malicious code within the image.
When run, the code in the MainForm() class decodes the hidden payload and collects sensitive information from the infected system, such as system details, clipboard data, screenshots, browsing history, and cookies. The gathered information is then sent to a Telegram bot and forwarded to randomly generated DuckDNS servers.
A keylogger, spread through phishing emails with malicious attachments, infiltrates a system when executed. It drops files for persistence and steals sensitive data like keystrokes, clipboard content, screenshots, browsing history, cookies, and email credentials, which are sent to a C2 server via Telegram.
Forcepoint protects against this by blocking malicious attachments, suspicious URLs, and dropper files, while preventing C2 communication to disrupt the attacker’s control.
IOCsRTF hash
RTF hash
Leave A Comment