Simple Powershell Keyloggers are Back
Powershell is a very nice language in Windows environments. With only a few lines of code, we can implement nice features… for the good or the bad!
While hunting, I found a bunch of malicious Powershell scripts that implement a basic (but efficient) keylogger. The base script is always the same but contains connection details modified by script kiddies. The current script is based on an old one from 2015[1]. This time, it has been modified to add the following features:
- You can specify for how long the script will capture keystrokes
- At the end of the defined time period, the file with the recorded keystrokes is exfiltrated via email to the attacker.
Here are the parameters at the beginning of the script:
# Editar solo esta secci??n! $TimeToRun = 2 $From = “xxxxxx@gmail.com" $Pass = “xxxxxxxx" $To = “xxxxxx@gmail.com $Subject = "Keylogger Results" $body = "Keylogger Results" $SMTPServer = "smtp.gmail.com" $SMTPPort = "587" $credentials = new-object Management.Automation.PSCredential $From, ($Pass | ConvertTo-SecureString -AsPlainText -Force) ############################
The script is very basic, not obfuscated and detected by only one AV on VT[2]! I don't think that such scripts are a major threat, they are mostly used by script kiddies (I already collected some credentials!) but it remains a nice way to spy on people.
[1] https://gist.github.com/dasgoll/7ca1c059dd3b3fbc7277
[2] https://www.virustotal.com/#/file/52a2e804026792d99eaf9538fbc0b020c7f323b3d90f196bbebf83840e3322e6/detection
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
Comments