Ftp Keylogger 2 2 November 2012

[Figure: Keylogger's installation routine]

It also drops the following files on the infected system:

- %Temp%\Sysinfo.txt – the dropped malware executable path
- %Appdata%\pid.txt – the malware process ID
- %Appdata%\pidloc.txt – the malware process executable location

I then observed network activity from the keylogger process: it tries to obtain the infected system's external IP address from checkip.dyndns.com. This legitimate website is commonly used by malware to determine the IP address of the infected system.

[Figure: Email sent by the keylogger to the attacker's email address, containing the system information]

The information may include:

- CPU Name (computer name)
- Local Date and Time
- Installed Language
- OS Installed
- Platform
- OS Version
- Memory installed
- .NET Framework Installed
- System Privileges
- Default Browser
- Installed Firewall
- Internal IP Address
- External IP Address
- Recovered Email settings and passwords
- Recovered Browser and FTP passwords

As previously mentioned, the keylogger was compiled with Microsoft .NET, so the next thing I did was to decompile the executable. I used an open-source .NET decompiler called to accomplish this task.

[Figure: Emails are rerouted to the attacker's own email address]

CONCLUSION

Perhaps the attacker knows that the HawkEye keylogger can be easily cracked; to protect their own email credentials, they hijacked a compromised email account as the initial receiver, which then forwards the emails to the attacker's own address. We have reported the compromised email accounts to their rightful owners so that they can change their passwords and remove the attacker's email address from their forwarding settings.
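A small triage helper for the artifacts described in the installation section above (the pid.txt/pidloc.txt drops and the checkip.dyndns.com lookup), added here as an example and not code from the original post. The process snapshot, the proxy log line format and all sample values are constructed assumptions.

```python
import os
import re
from dataclasses import dataclass

# Artifact names from the analysis above; %Temp%/%AppData% are resolved only when check_disk() runs on a live Windows host.
TEMP_ARTIFACTS = ("Sysinfo.txt",)
APPDATA_ARTIFACTS = ("pid.txt", "pidloc.txt")
IP_CHECK_HOST = "checkip.dyndns.com"

@dataclass
class Finding:
    kind: str    # "live", "stale", "mismatch" or "malformed"
    detail: str

def correlate_pid_artifacts(pid_txt, pidloc_txt, process_table):
    """pid.txt holds the malware PID and pidloc.txt its executable path.
    Cross-check both against a {pid: image_path} snapshot of running
    processes to tell a live infection from a leftover artifact."""
    try:
        pid = int(pid_txt.strip())
    except ValueError:
        return Finding("malformed", f"pid.txt is not an integer: {pid_txt!r}")
    image = pidloc_txt.strip()
    running = process_table.get(pid)
    if running is None:
        return Finding("stale", f"pid {pid} not running; check whether {image} still exists")
    if os.path.normcase(running) == os.path.normcase(image):
        return Finding("live", f"pid {pid} runs from the path in pidloc.txt: {image}")
    return Finding("mismatch", f"pid {pid} runs {running}, but pidloc.txt says {image}")

def ip_check_lookups(proxy_log_lines):
    """Return (client, timestamp) for each request to the external-IP service the
    keylogger contacts. The 'timestamp client host' line format is constructed."""
    pat = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)")
    hits = []
    for line in proxy_log_lines:
        m = pat.match(line)
        if m and m.group(3).lower() == IP_CHECK_HOST:
            hits.append((m.group(2), m.group(1)))
    return hits

def check_disk():
    """On a live Windows host, list which of the dropped files are present."""
    base = [(os.environ.get("TEMP", ""), TEMP_ARTIFACTS), (os.environ.get("APPDATA", ""), APPDATA_ARTIFACTS)]
    return [os.path.join(d, n) for d, names in base for n in names if os.path.isfile(os.path.join(d, n))]

if __name__ == "__main__":    # constructed sample data, not from a real infection
    procs = {4120: r"C:\Users\victim\AppData\Roaming\winupdate.exe"}
    print(correlate_pid_artifacts("4120\r\n", procs[4120], procs), ip_check_lookups(["2012-11-02T09:14:03 10.0.0.25 checkip.dyndns.com"]))
```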

Since this was written, we have received similar spam messages with RTF attachments, this time containing the CVE-2012-0158 exploit. The payload is the same keylogger, but the attackers used different email credentials. The two vulnerabilities used in these attacks are old but still widely used in email attacks. As usual, it is advisable to update your systems with the latest patches to protect yourself from these old exploits used by cybercriminals. Trustwave Secure Email Gateway's AMAX (Advanced Malware and Exploit Detection) was able to detect these attached RTF exploits at the email gateway.

This entry was posted on 14.10.2019.