A recent report from CYFIRMA has revealed the emergence of a new keylogger that operates through a PowerShell script, a Microsoft framework for task automation and configuration management.
A keylogger is a type of malicious software that records every keystroke typed on an infected system. By capturing keyboard input, keyloggers can collect sensitive information such as login detailscredit card numbers and personal communications. They are often used to steal financial information or to spy on individuals and organizations.
The keylogger analyzed in CYFIRMA’s research uses Microsoft’s PowerShell script to covertly capture keystrokes. PowerShell’s native integration with Windows, combined with its powerful scripting capabilities, makes it an attractive target for attackers looking to execute commands without direct user interaction.
PowerShell-based keylogger
The researchers note that this PowerShell keylogger has several advanced features that enhance its stealth and effectiveness in capturing sensitive information.
This includes the command and script interpreter, which allows the keylogger to execute commands via PowerShell without user intervention. This makes detection significantly more complicated.
The keylogger also performs system detection and collects important information such as user profile folders, volume data, and cryptographic settings.
In addition, the keylogger establishes Command-and-Control (C2) communication via both a cloud server and an Onion server on the Tor network. This dual-channel communication not only ensures that the attackers remain anonymous, but also makes it difficult to trace attempts to their source. It also includes a screen recording feature, which allows attackers to obtain visual data from the infected system in addition to logging keystrokes.
To evade detection, the keylogger uses encoded command execution, where commands are sent using Base64 encoding. This technique hides the commands from traditional security measures.
It also makes persistent connection attempts via a SOCKS proxyensuring that even if initial connection attempts fail, the keylogger will continue to attempt to establish communication. While the current version of the keylogger lacks a fully developed persistence mechanism, its incomplete code suggests that future updates may improve its ability to maintain a foothold on infected systems.
Given the advanced nature of this PowerShell-based keylogger, CYFIRMA notes that organizations should implement robust cybersecurity measures to defend against such threats, including:
- Enhance security policies: Organizations should enforce strict security policies to restrict the execution of unauthorized PowerShell scripts. This may include disabling or restricting PowerShell usage where it is not needed and actively monitoring for unauthorized execution attempts.
- Invest in advanced threat detection: Implement advanced threat detection systems that use machine learning and behavioral analytics. These systems can more effectively detect and respond to advanced threats, such as keyloggers.
- Training employees: perform regularly training sessions to make employees aware of the dangers of phishing and other social engineering techniques, which are often used to place keyloggers.
- Perform regular system audits: Schedule frequent system audits and integrity checks to detect unauthorized changes, including the presence of keyloggers. These audits help ensure compliance with established security policies.
- Apply endpoint security: Use endpoint protection solutions designed to detect and block keylogger activity. These solutions should be able to identify threats that operate using non-interactive PowerShell processes to strengthen overall security.
