January 28, 2021 • Insikt Group®
Recorded Future analyzed current data from the Recorded Future® Platform, information security reporting, and other open source intelligence (OSINT) sources to identify keyloggers and stealers that facilitate threat actor campaigns. This report expands upon findings addressed in the report “Automation and Commoditization in the Underground Economy,” following reports on database breaches, checkers and brute forcers, loaders and crypters, credit card sniffers, banking web injects, exploit kits, forums, marketplaces and shops, and bulletproof hosting services, and will be of most interest to network defenders, security researchers, and executives charged with security risk management and mitigation.
Keyloggers and stealers allow threat actors to gather sensitive information from victim systems, including credentials, personally identifiable information (PII), login data, network access, and cookies. As malware continues to develop, threat actors are packaging the keylogging capability into their malware functionalities, with stealers including this capability as well as other enhanced features that make them more attractive to threat actors. The success of stealers in recent years is highlighted by the continued creation and popularity of independent dark web shops that advertise captured victim data.
- Dark web threat actors are using low-tier dark web sources to advertise and sell customized keylogger variants. While the utility of keylogging has become more commonly incorporated within malware variants and is no longer purely standalone, the lower barriers to entry and widely available cracked versions and source code still make keyloggers attractive and relevant.
- Customized stealer variants have multiple capabilities, including the ability to capture screens, keyboard strokes, network accesses, and cookies. The ability to capture cookies is in demand by threat actors, as such details permit them to masquerade as their victim. We found that most customized variants are advertised on English- and Russian-language high-tier forums.
- Similar to keylogger variants, well-known stealer variants are advertised on low-tier forums. However, new customized variants are more likely to be advertised on high-tier forums, as these forums cater to more technically savvy threat actors who want more advanced products created and updated by technically proficient developers.
Keyloggers have been used as an attack vector since the 1970s and remain a persistent part of a threat actor’s toolkit (as observed during the COVID-19 pandemic), because the availability of cracked versions and the publication of source code have lowered the barriers to entry and spurred developers to create customized variants. However, as database breaches and login credentials with passwords have become widely marketed by threat actors, keylogging as a standalone attack vector for harvesting credentials has become less relevant. Developers of stealer malware are now incorporating keylogging into their malware’s capture capabilities alongside network access, cookies, and login details. This integration of multiple functions into stealer malware variants is aimed at achieving economies of scale, and also reflects threat actors responding to requests for customized functions that bypass improvements in network security.
Keyloggers: Variants and Threat Actors
A keylogger is monitoring software that records keyboard strokes, using pattern recognition and other techniques to capture and organize what is typed. The keystrokes are then sent to a threat actor’s server or stored in a local file that the threat actor retrieves or receives, and then reviews for personally identifiable information (PII) typed by a victim, particularly account login details for financial, email, and other private accounts. Keyloggers were first used by Soviet Union intelligence agencies in the 1970s to monitor IBM electric typewriters used at embassies in Moscow, with captured keystrokes sent to Soviet intelligence agents via radio signals. As communication technologies have advanced, so too have the capabilities of keyloggers. Some of these enhancements include recording mobile phone messages and calls, grabbing GPS locations, taking screenshots, capturing microphone and camera input and output, and evading security detection measures.
The fundamental utility of keyloggers — capturing keystrokes and screens — is now a capability many malware developers implement within their own malware variants. In 2020 alone, Insikt Group identified the following malware campaigns incorporating keylogging capabilities into their attack chain: CRAT, Vizom Banking Trojan, LodaRAT, EventBot, EvilQuest Ransomware, and Anubis Trojan. As much as malware developers are using keylogging within their malware’s capabilities, standalone keyloggers (at least 57 variants identified by Recorded Future) are still being used, shared (in some cases via clearnet websites), and sought after by threat actors. We observed noticeable increases in activities for two keyloggers, Agent Tesla and Hawkeye, during the beginning of, and continuing through, the COVID-19 pandemic. As lockdown and work-from-home orders were implemented, threat actors used Agent Tesla and Hawkeye in COVID-19-themed phishing campaigns.
Insikt Group analysts validated shared Agent Tesla indicators found in publicly accessible open directories revealing new infrastructure being used by Agent Tesla, including IP addresses and URLs. An updated Agent Tesla variant, reported in December 2020, can also target stored credentials on less-popular web browsers and use Tor to bypass content and network security filters. The threat actor group “Vendetta” used Agent Tesla as well as Hawkeye and other malware in COVID-19-themed phishing attacks masquerading as instructions from Taiwan’s Center for Disease Control and Prevention.
We examined dark web sources and Recorded Future data from January to December 2020 and identified threat actors showing interest in other keyloggers in addition to Agent Tesla and Hawkeye:
- Keyloggers are mostly advertised on low-tier, more widely accessible forums. Threat actors are posting cracked variants, public versions, or including a keylogger within an advertised malicious tool package. The most popular dark web sources for advertising keyloggers in 2020 were Cracked Forum, Hack Forums, Nulled Forum, and Best Hack Forum.
- The most advertised and discussed keylogger variants in 2020 were Agent Tesla, Atom Logger, Project Neptune 2.0, Rapzo Logger 1.5, Silent Keylogger 1.6, Digital Keylogger 3.3, and Hawkeye.
- Threat actors are advertising customized variants that contain multi-functional capabilities that are updated regularly (based on customer feedback), with one keylogger developer maintaining and updating the same forum advertisement thread since 2011.
Stealers: Variants and Threat Actors
Stealers are used to exfiltrate sensitive information from victims, and also offer a method for installing secondary payloads onto victim systems. These pieces of malware are often preconfigured to steal a wide variety of login credentials from popular online services, email clients, and file management software, along with other valuable assets such as cryptocurrency wallets and browser cookies. These types of malware essentially act like remote access trojans (RATs) in that attackers can remotely interact and, in some cases, control a compromised computer or cellular device.
These capabilities of remote interaction and control of a victim’s device have driven demand for threat actors to offer such access as a service. Some threat actors have successfully monetized this by providing interested buyers access to compromised credentials via easy-to-use shops that list victim data that is obfuscated but still sufficient (particularly IP addresses, geolocations, operating systems, and account types) for a buyer to select a specific target. Two widely used shops offering these services and capabilities are Genesis Store and Russian Market. Both shops use stealer malware variants to harvest victim credentials: Genesis Store previously used AZORult before migrating to another, unknown stealer variant in February 2020, while Russian Market lists, for each advertised victim credential, which of four stealer malware variants was used: AZORult, Raccoon Stealer, Vidar, or Taurus.
Similar to keyloggers, cracked versions, source code releases, and development resources have allowed threat actors to create their own customized stealer variants. We examined Recorded Future data from January to December 2020 for stealer malware trends across dark web sources and identified the following trends:
- Threat actors used both low- and high-tier forums to advertise and discuss stealer variants, with more customized variants being advertised on the forums Exploit and XSS. Other popular dark web sources used by threat actors to advertise and purchase stealers include Cracked Forum, Hack Forums, Best Hack Forum, and WWH-Club.
- The five most widely advertised and discussed stealer variants across the above dark web sources were WARZONE RAT, Raccoon Stealer, RedLine Stealer, ToxicEye, and AZORult.
Outlook and Mitigation Strategies
Even as keylogging variants become obsolete due to enhancements in technologies and security postures, threat actors are still using their proven utilities to improve malware variants that incorporate keylogging into their attack chain. As keylogging is becoming more common in malware attack chains, threat actors are likely to incorporate these features and others into enhanced stealer variants to defeat security measures. Furthermore, technologies that have become more popular as large parts of the workforce have shifted to working from home are likely to be targeted by threat actors seeking to capture keystrokes and other user login data.
Mitigation strategies against keyloggers and stealer malware include the following:
- Run up-to-date antivirus software or other endpoint protection tools to monitor and scan for the presence of malware, including keyloggers. If found, remove and delete.
- Install software and browser updates, as updates include vulnerability patches and replace outdated plug-ins and add-ons, which prevents threat actors from exploiting these vulnerabilities to infiltrate your device.
- Use keystroke encryption software to conceal keystrokes and prevent threat actors from capturing them.
- Invest in a solution that offers patch posture reporting. This type of solution can provide insight into the vulnerabilities that have received remediation measures as well as the machines that have received those patches.
- Configure intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defense mechanisms in place to alert on any malicious activity.
- Monitor for suspicious changes to the file system and to the Registry (on Windows) that are associated with the interception of keystrokes.