Keylogging is a fairly common feature of many malware families, as recording the keys pressed on a keyboard can reveal a lot of interesting information such as usernames, passwords, etc. Back from SANSFIRE, I looked at my backlog of hunting results and found an interesting piece of Python malware. This one implements a keylogger and a screenshot grabber, but also... a "mouse logger"! By mouse logger, I mean that it can capture the activity generated by the user's mouse.
The attacker uses the classic Python module "pynput"[1]. A listener is then defined to capture mouse events.
The listener appends messages to a log (including key presses) that is exfiltrated at regular intervals. The technique used by the attacker is interesting: instead of using a classic compromised mailbox or Gmail account, mailtrap.io[2] is used.
The weakness of this setup, from the attacker's point of view, is that outbound port 2525 may not be allowed through the victim's firewall.
Another interesting behavior: once the script has started the listener, it deletes itself. This is possible because the Python interpreter reads the entire file and parses it to look for syntax errors. The parsed script is then compiled into bytecode (a low-level set of instructions specific to Python). The bytecode is executed by the Python Virtual Machine (PVM) and the original file is no longer needed.
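The three behaviours described above (a pynput listener, SMTP exfiltration on port 2525, and self-deletion of the script) are easy to triage statically. The following is an added example, not code from the diary or from the malware sample: it parses a Python file with the `ast` module, without executing it, and reports which of the three traits are present. The `SAMPLE` string and its host name are constructed placeholders.

```python
import ast
from dataclasses import dataclass


@dataclass
class Findings:
    """Which of the three behaviours from the diary a script exhibits."""
    pynput_import: bool = False   # pynput mouse/keyboard listener support
    smtp_port_2525: bool = False  # SMTP client pointed at port 2525
    self_delete: bool = False     # os.remove/unlink of the script's own __file__

    def score(self) -> int:
        return int(self.pynput_import) + int(self.smtp_port_2525) + int(self.self_delete)


def _callee_name(fn: ast.expr):
    # smtplib.SMTP(...) -> "SMTP"; SMTP(...) -> "SMTP"; anything else -> None
    if isinstance(fn, ast.Attribute):
        return fn.attr
    if isinstance(fn, ast.Name):
        return fn.id
    return None


def triage(source: str) -> Findings:
    """Statically inspect Python source for the three traits; never executes it."""
    f = Findings()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            if any(a.name.split(".")[0] == "pynput" for a in node.names):
                f.pynput_import = True
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] == "pynput":
                f.pynput_import = True
        elif isinstance(node, ast.Call):
            name = _callee_name(node.func)
            args = list(node.args) + [k.value for k in node.keywords]
            if name in ("SMTP", "SMTP_SSL") and any(
                    isinstance(a, ast.Constant) and a.value == 2525 for a in args):
                f.smtp_port_2525 = True
            # Catches os.remove(__file__), os.unlink(os.path.abspath(__file__)) and
            # Path(__file__).unlink() by looking for __file__ anywhere in the call.
            if name in ("remove", "unlink") and any(
                    isinstance(n, ast.Name) and n.id == "__file__" for n in ast.walk(node)):
                f.self_delete = True
    return f


# Constructed sample mimicking the diary's description (placeholder host, not a real one).
SAMPLE = """
import os, smtplib
from pynput import mouse
server = smtplib.SMTP("smtp.placeholder.invalid", 2525)
os.remove(__file__)
"""
```

Run `triage(SAMPLE)` to get all three flags set; a benign script such as `import os` scores 0.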