
Fauxpersky Keylogger Malware Stealing Passwords from Windows PCs


Cybercriminals are quite innovative, to be honest; they are always coming up with unique ways of exploiting Windows-based systems. According to the findings of Boston-based cyber-security firm Cybereason, one of their newly identified techniques involves using keylogger malware that exploits AutoIT or AutoHotKey (AHK).





Fauxpersky Malware Spreads via malicious USB drives

The malware, dubbed Fauxpersky by Cybereason researchers, is not as sophisticated as some of the recently discovered malware, but it can efficiently steal passwords from Windows systems. It is spread via infected USB drives.


Cybereason researchers Amit Serper and Chris Black wrote in the company’s official blog post published on Wednesday: “This malware is by no means advanced or even very stealthy. However, this malware is highly efficient at infecting USB drives and exfiltrating data from the keylogger through Google directly to the attacker’s mailbox.”


AutoIT and AHK are quite basic tools used to write small programs for performing a variety of GUI and keyboard automation functions on Windows systems. For instance, AHK uses its own scripting language to let users write code to interact with Windows and perform tasks like reading text or sending keystrokes to other applications. It also lets users create a compiled .exe file.


Fauxpersky is capable of impersonating Kaspersky, the well-known Russian antivirus software, whereas the keylogger is created by abusing the AHK app. The infection is distributed to the system via USB drives and manages to compromise PCs that run Windows by replicating files stored on the device’s listed drives.

Four droppers

Moreover, researchers also identified four droppers in the computer’s environment and each one had a dedicated name, which was quite similar to the names of Windows OS files. The names are as follows:

· Explorers.exe

· Spoolsvc.exe

· Svhost.exe

· Taskhosts.exe



The method used by the AHK keylogger is quite straightforward; it spreads through a self-propagation technique. After being executed initially, the keylogger starts gathering information about all the listed drives on the computer and begins the replication process.


When the core files of the malware start running on the system, whatever the user types on the computer gets stored into a text file bearing the respective window’s name. This way, the attacker gets a better idea of the background context of the text that has been keylogged.


This text file’s contents are then exfiltrated from the device via a Google Form. The file then gets deleted from the system while the text file is transferred to the attacker via email. Google was notified of this form by Serper and Black, after which it was taken down in an hour. However, Google did not release any statement explaining who created the form.


From the way the malware has been designed, it is evident that the developers did not pay attention to key aspects that would make it look authentic, such as changing the executable’s icon from AHK’s default icon, and they created a rather unconvincing splash screen, which is an exact replica of Kaspersky’s screen.


However, once the malware is spread onto the system, it remains persistent and gets booted up again after the Windows system is restarted. It also creates a shortcut for itself in the startup directory of the Start menu.

Limited damage and how to get rid of Fauxpersky Malware

Currently, it is not clear how many computers have been infected but considering that the malware is distributed through sharing of USB drives, it can be assumed that it hasn’t been spread extensively as yet.

If you feel that your computer is also infected, simply access %appdata%\Roaming\ and delete the files related to Kaspersky Internet Security 2017\ directory and the directory itself from the startup directory located in the start menu.





Funny name. Fauxpersky seems a bit like Kaspersky; it's to make Kaspersky look bad in some way.


The write-up described how the malware author "didn't put any effort" into making the malware look authentic, like changing the executable's icon from the AutoHotKey default, and built an unconvincing Kaspersky-style splash screen. When Fauxpersky spreads, it also sticks and maintains persistence, so that it runs when Windows is booted up. The malware simply creates a shortcut to itself in the Start menu's "startup" directory.


The four files were in a directory called Kaspersky Internet Security 2017. In addition to the executable files, there were two that weren’t executables. One was a file called Logo.png with this image:

[Image: Logo.png, showing “Kaspersky Internet Security 2017”]

The other one was a “Readme.txt” file with these instructions:

If you are unable to launch files/folders correctly, please disable your antivirus program.

Source: https://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

The Logo.png file is the splash screen displayed when the infected machine logs into Windows to trick the user into thinking Kaspersky is installed and running.

The instructions in the Readme.txt file were followed by a long, alphabetized list of security products that “are incompatible with Kaspersky Internet Security 2017.” Ironically, the list includes Kaspersky Internet Security.

A close inspection reveals that the files are 64-bit Windows PE files. Using IDA Pro to examine the files shows that they are all almost identical. The similarities can be seen by inspecting the mutex creation routines.

[Image: one of the xrefs to CreateMutexW() from explorers.exe]

[Image: xref to CreateMutexW() from svhost.exe]

As we can see, the mutex that is created is called “AHK Keybd”. A Google search reveals that this is the standard AHK compiled exe and the actual AHK-language code resides in the RCDATA resource within the resource section of each PE.

To extract the AHK code inside the exe file, Amit wrote a small tool called ahk-dumper that simply iterates over the RCDATA resource inside the PE and prints the content to stdout.

Now that we have a clear way to extract the code from each PE file, we can clearly map which PE file does what:

File name / function:

  • USB drive propagation
  • Keylogging, writing keylogged data to a file (Log.txt)
  • Data exfiltration

Analyzing key parts of the AHK code

Svhost.exe - keylogging:

[Image: keylogging analysis (Svhost.exe code)]

The code in that file is fairly simple. Svhost.exe monitors the focused (currently active) window that a person is in by using the AHK function WinGetActiveTitle() and then calls the AHK Input() function, which monitors any user input (in the form of keystrokes) to the window. Each keystroke is then appended to a file called “Log.txt” that will be created and saved inside “%APPDATA%\Kaspersky Internet Security 2017”.

The keylogged data will look like this:

[Image: keylogged data]

Taskhost.exe: Persistence

This part of the code handles persistence. The first step would be to change the CWD of the malware to %APPDATA% and create a directory called “Kaspersky Internet Security 2017” that’s hard coded.

[Image: Taskhost.exe code]

That file also has another routine (CheckLCore) that checks if the files were already created in %APPDATA%:

[Image: Taskhost.exe code]

In case the files were not copied, the malware will copy the files to that location using the FileCopy() function that will be followed by setting the file attributes using the FileSetAttrib() function. As you can see, the first parameter that is passed to this function is “+RSH”, which means Readonly, System and Hidden.

Spoolsvc.exe: Data exfiltration, watchdog and some more persistence

Spoolsvc has several routines inside of it.

Changing the values of registry keys to enable/disable the display of Hidden and SuperHidden files:

[Image: screenshot of the registry-editing code]

As we can see in this screenshot of the code, the malware will edit two keys inside the HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced registry path. The keys that are being changed are:

  • Hidden - value is being changed to “2”, which makes the system not display hidden files.
  • SuperHidden - value is being changed to “0”, which makes the system hide system files (which correlates to the “system” attribute that the files received when they were created by the malware).

After the registry value is modified, the malware will check if explorers.exe is already running. If it’s not running, it will be executed. This is a watchdog that was meant to guarantee persistent execution of the malware.

[Image: watchdog example]

CheckLProcess() will be responsible for checking if all the components of the malware are already running. If they’re not, they will be executed by calling the Run() AHK function and using the Loop/Parse call.

In order to achieve persistence the malware creates shortcuts to itself in the start menu startup directory:

[Image: shortcut creation code]


Another very important part of this file (perhaps the most crucial) is the exfiltration of the keylogged data from the Log.txt file to a Google form.

The following diagram illustrates the attack flow:

[Image: attack flow diagram]

Exfiltrating data to a Google form is a very simple and clever way to overcome a lot of the “logistics” involved in data exfiltration. Using this technique means there’s no need to maintain an anonymized command and control server; plus, data transmissions to docs.google.com are encrypted and don’t look suspicious in various traffic monitoring solutions.

[Image: the Google form used for data exfiltration]


The data is submitted to this form by the following codeblock inside the file. The file will be read into a buffer and deleted from the disk. The buffer will then be sent to the Google form.

[Image: Google form buffer code]


This malware is by no means advanced or even very stealthy. Its authors didn’t put any effort into changing even the most trivial things, such as the AHK icon that’s attached to the file. However, this malware is highly efficient at infecting USB drives and collecting data from the keylogger, exfiltrating it through Google Forms and depositing it in the attacker’s inbox. The number of infected machines is unknown, but we’ll update this post if more information becomes available.


We contacted Google and reported the malicious form. Google’s security team took down the form in less than one hour after we reached out to them. If you are infected with the malware, navigate to %appdata%\Roaming\ and remove the Kaspersky Internet Security 2017\ directory; related files should also be removed from the startup directory inside the start menu.

Known Hashes








Edited by knowledge
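The ahk-dumper approach quoted above (walk the RCDATA resources of a compiled AHK executable and print what they hold) can be reproduced with nothing but the standard library. The Python below is an added example written for this thread, not Cybereason's tool; it parses the PE headers and the three-level resource directory directly and assumes the script is stored as an RT_RCDATA resource, which is where the AutoHotkey compiler places it. Run it as `python dump_rcdata.py sample.exe` against a suspect file.

```python
import struct
import sys

RT_RCDATA = 10  # resource type id for raw data (compiled AHK scripts live here)


def _rva_to_off(sections, rva):
    # Map a relative virtual address to a file offset via the section table.
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} not backed by any section")


def extract_rcdata(pe):
    """Walk the resource tree (type -> name -> language) and return
    [(name_or_id, data_bytes)] for every RT_RCDATA leaf."""
    u = lambda fmt, off: struct.unpack_from(fmt, pe, off)
    e_lfanew = u("<I", 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsec, opt_size, opt = u("<H", coff + 2)[0], u("<H", coff + 16)[0], coff + 20
    dd = opt + (0x70 if u("<H", opt)[0] == 0x20B else 0x60)  # data dirs: PE32+ vs PE32
    sections = [u("<IIII", opt + opt_size + i * 40 + 8) for i in range(nsec)]
    base = _rva_to_off(sections, u("<I", dd + 2 * 8)[0])  # directory[2] = resource table

    def entries(off):  # (id_or_name_ref, offset) pairs of one IMAGE_RESOURCE_DIRECTORY
        n_named, n_id = u("<HH", off + 12)
        return [u("<II", off + 16 + i * 8) for i in range(n_named + n_id)]

    def ident(v):  # high bit set => offset to a UTF-16 IMAGE_RESOURCE_DIR_STRING_U
        if not v & 0x80000000:
            return v
        p = base + (v & 0x7FFFFFFF)
        return pe[p + 2:p + 2 + 2 * u("<H", p)[0]].decode("utf-16-le")

    found = []
    for type_id, off1 in entries(base):
        if type_id != RT_RCDATA:
            continue
        for name, off2 in entries(base + (off1 & 0x7FFFFFFF)):
            for _lang, off3 in entries(base + (off2 & 0x7FFFFFFF)):
                data_rva, size = u("<II", base + (off3 & 0x7FFFFFFF))
                d = _rva_to_off(sections, data_rva)
                found.append((ident(name), pe[d:d + size]))
    return found


if __name__ == "__main__":  # usage: python dump_rcdata.py <file.exe>
    for name, data in extract_rcdata(open(sys.argv[1], "rb").read()):
        print(f"=== RCDATA {name!r} ({len(data)} bytes) ===")
        print(data.decode("utf-8", "replace"))
```

The name of each entry is printed alongside its contents, so a script-carrying resource stands out immediately from ordinary RCDATA blobs.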