Keystroke logging software is one of the oldest forms of malware but remains a highly successful tool that is frequently used in cyber-attacks.
Keyloggers are monitoring software that record the keystrokes made by a user and upload the logged data to predefined websites, databases, or FTP servers. Some of the most powerful keyloggers are advanced cloud-based systems with cutting-edge features designed for sophisticated data capture. For example, keyloggers can access stored passwords, take screenshots or act as monitoring tools, and record sound and live surroundings through a webcam and microphone. This cloud-based control and monitoring software allows attackers to review the logs of captured data without physical access to the device.
Below are steps considered best practice to help defend your organization against the use of unwanted keyloggers:
1. Install a password manager with a strong password policy
Enable two-factor authentication across all accounts and devices and require passwords to be updated regularly. A password manager helps employees keep track of complex passwords, but it won't stop a keylogger from capturing the virtual keystrokes that the autofill feature sends. Instead, consider a password manager that supports Two-Channel Auto-Type Obfuscation (TCATO). TCATO splits the password into two parts, copies them to the clipboard, then merges them in the password field. Even this approach isn't 100 percent secure, but it will slow an attacker down.
2. Install an anti-keylogger software solution
Keylogging software, like any software, leaves behind a digital footprint. Anti-keylogger applications run in the background and continually scan for signs that a computer or device is infected. Some anti-keyloggers will block or even remove keyloggers.
3. Disable USB ports on computers
Preventing an alternate operating system from being booted from a USB stick reduces the chance that an attacker can bypass authentication and access controls on the computer and reach assets inside the company firewall.
4. Monitor CPU usage and data access
Confirm that data-auditing logs properly record who accessed sensitive information and the file path used. Watch for suspicious patterns of CPU usage and background processes on machines. A keylogger typically needs root access to the machine, so an unexpected process running with root privileges can also be a telltale sign of a keylogger infection.
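The two checks in step 4 (who touched sensitive files, and which processes look out of place) can be scripted against exported records. The following is an added example written for this article, not code from the original page: it runs over constructed sample data in a simplified format (a one-line-per-event audit log and a `ps -eo pid,user,pcpu,args`-style snapshot); the access policy, the "suspect" directories and the CPU threshold are assumptions to be tuned per environment.

```python
"""Added example (not from the original article): host-side review of
data-access audit records and of the process table, over constructed data."""

# Constructed audit log (not real data): ISO timestamp, user, action, path
AUDIT_LOG = """\
2024-03-04T09:12:03 alice read /srv/finance/payroll.xlsx
2024-03-04T09:15:44 bob read /srv/hr/reviews.docx
2024-03-04T02:41:10 svc-backup read /srv/finance/payroll.xlsx
2024-03-04T02:41:11 svc-backup read /srv/finance/budget.xlsx
2024-03-04T02:41:12 svc-backup read /srv/hr/reviews.docx
2024-03-04T10:02:30 carol write /srv/finance/budget.xlsx
"""

# Assumed policy: which accounts may touch each sensitive directory
ALLOWED = {"/srv/finance": {"alice", "carol"}, "/srv/hr": {"bob"}}
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time (assumption)


def audit_findings(log_text):
    """Return (user, path, reason) for accesses that violate the policy."""
    findings = []
    for line in log_text.splitlines():
        ts, user, action, path = line.split()
        hour = int(ts[11:13])
        for prefix, users in ALLOWED.items():
            if not path.startswith(prefix):
                continue
            if user not in users:
                findings.append((user, path, "user not on access list"))
            elif hour not in BUSINESS_HOURS:
                findings.append((user, path, "access outside business hours"))
    return findings


# Constructed process snapshot in `ps -eo pid,user,pcpu,args` layout
PROCESS_SNAPSHOT = """\
  PID USER     %CPU COMMAND
    1 root      0.0 /sbin/init
  412 root      0.1 /usr/sbin/sshd -D
  977 alice     2.3 /usr/bin/firefox
 1310 root     37.8 /tmp/.cache/svchelper -q
 1422 root      0.0 /usr/lib/systemd/systemd-journald
"""

# Locations from which a root-level daemon should normally never run (assumption)
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/")
CPU_THRESHOLD = 25.0  # percent; tune to the host's normal baseline


def process_findings(snapshot):
    """Return (pid, executable, [reasons]) for processes worth a closer look."""
    findings = []
    for line in snapshot.splitlines()[1:]:  # skip the header row
        pid, user, cpu, cmd = line.split(None, 3)
        exe = cmd.split()[0]
        reasons = []
        if user == "root" and exe.startswith(SUSPECT_DIRS):
            reasons.append("root process running from a temp/home directory")
        if float(cpu) >= CPU_THRESHOLD:
            reasons.append("sustained high CPU")
        if reasons:
            findings.append((int(pid), exe, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_findings(AUDIT_LOG):
        print("AUDIT  ", *f)
    for f in process_findings(PROCESS_SNAPSHOT):
        print("PROCESS", *f)
```

Both functions return plain tuples so the output can be fed into a ticketing or SIEM pipeline; in practice the allow-list would come from the access-control system rather than a constant, and the process check would be run on a schedule and compared against the previous snapshot.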
5. Keep antivirus and anti-rootkit protection up to date
A rootkit is a software program, typically used with malicious intent, that conceals its presence and uses root-level access to reach sensitive and restricted data. Because keyloggers can embed themselves in a computer's operating system, they are known as rootkit malware. Many rootkits load before the target operating system boots, so they can be difficult to detect. Rootkits can alter system configuration settings and can open backdoor TCP ports in firewall settings.
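One check that anti-rootkit tools perform on Linux is to compare the processes the system admits to (the `/proc` directory listing that `ps` and `top` read) with the processes the kernel will actually deliver a signal to. A rootkit that filters `/proc` usually cannot also make the kernel deny that a PID exists, so a PID that answers `kill(pid, 0)` but is absent from `/proc` deserves investigation. The script below is an added example written for this article, not code from the original page or from any anti-rootkit product; it assumes a Linux host with `/proc` mounted. It also handles the two classic false positives of this technique: thread IDs, which `kill` accepts but which only appear under `/proc/<pid>/task`, and processes that start or exit between the two passes.

```python
"""Added example (not from the original article): hidden-process check by
comparing the /proc listing with PIDs discovered via signal-0 probing."""
import os

DEFAULT_PID_LIMIT = 32768  # used only if /proc/sys/kernel/pid_max is unreadable


def listed_ids():
    """PIDs and thread IDs visible through /proc (what ps/top would show).

    Thread IDs are included because kill() succeeds for a TID as well as a
    PID, and a multithreaded process would otherwise look like many hidden
    processes.
    """
    ids = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{name}/task"))
        except OSError:
            pass  # process exited between the two listdir calls
    return ids


def probed_ids(limit=None):
    """IDs the kernel says exist, found by sending signal 0 to each candidate."""
    if limit is None:
        try:
            with open("/proc/sys/kernel/pid_max") as fh:
                limit = int(fh.read())
        except OSError:
            limit = DEFAULT_PID_LIMIT
    alive = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)  # signal 0: existence check, nothing is delivered
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists but belongs to another user: still alive
        alive.add(pid)
    return alive


def hidden_ids(listed, probed):
    """IDs the kernel knows about that do not appear in the listing."""
    return sorted(set(probed) - set(listed))


def hidden_process_report(limit=None):
    """Return IDs hidden from /proc, or None if /proc is not available.

    The listing is taken before and after the probe so that a process which
    merely started or exited during the scan is not reported.
    """
    if not os.path.isdir("/proc"):
        return None
    before = listed_ids()
    probed = probed_ids(limit)
    after = listed_ids()
    return hidden_ids(before | after, probed)


if __name__ == "__main__":
    report = hidden_process_report()
    if report is None:
        print("no /proc on this system; check not applicable")
    elif report:
        print("IDs present in the kernel but hidden from /proc:", report)
    else:
        print("no hidden processes found")
```

An empty result does not prove the absence of a rootkit; a kernel-level rootkit can hook the signal path as well, which is why the page's step also recommends keeping dedicated anti-rootkit tooling current and, where possible, examining the disk from a clean boot medium.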
6. Closely review network logs
Examine network logs from packet analyzers or firewalls to identify rootkits communicating with a remote command-and-control server.
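A rootkit or keylogger that uploads captured data usually does so on a timer, and that regularity stands out in firewall logs even when the destination and port look ordinary. The following is an added example written for this article, not code from the original page: it groups constructed outbound connection records by source, destination and port, measures how evenly spaced the connections are, and flags the pairs whose timing jitter is low. The log format is a simplified `key=value` layout standing in for a real firewall export, and the thresholds are assumptions.

```python
"""Added example (not from the original article): beacon detection over
constructed firewall connection records."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log lines (not real traffic); addresses are from the
# documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
FIREWALL_LOG = """\
2024-03-04T09:00:00 action=allow src=10.0.5.23 dst=203.0.113.50 dport=443 bytes=812
2024-03-04T09:00:13 action=allow src=10.0.5.23 dst=198.51.100.7 dport=443 bytes=50211
2024-03-04T09:05:01 action=allow src=10.0.5.23 dst=203.0.113.50 dport=443 bytes=790
2024-03-04T09:06:40 action=allow src=10.0.5.23 dst=198.51.100.9 dport=443 bytes=12033
2024-03-04T09:10:00 action=allow src=10.0.5.23 dst=203.0.113.50 dport=443 bytes=815
2024-03-04T09:14:59 action=allow src=10.0.5.23 dst=203.0.113.50 dport=443 bytes=803
2024-03-04T09:20:02 action=allow src=10.0.5.23 dst=203.0.113.50 dport=443 bytes=808
2024-03-04T09:21:17 action=allow src=10.0.5.41 dst=198.51.100.7 dport=443 bytes=70144
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Yield (timestamp, src, dst, dport, bytes) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate unrelated or truncated lines
        yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
               int(m["dport"]), int(m["bytes"]))


def find_beacons(text, min_connections=4, max_jitter=0.2):
    """Flag (src, dst, dport) flows with many, evenly spaced connections.

    jitter = stdev(interval) / mean(interval); a human browsing a site
    produces irregular gaps (high jitter), a timer-driven callback does not.
    """
    flows = defaultdict(list)
    for ts, src, dst, dport, _ in parse_log(text):
        flows[(src, dst, dport)].append(ts)

    findings = []
    for (src, dst, dport), stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean == 0:
            continue  # burst of simultaneous connections, not a timer
        jitter = statistics.stdev(intervals) / mean
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "count": len(stamps), "mean_interval": mean,
                             "jitter": jitter})
    return findings


if __name__ == "__main__":
    for f in find_beacons(FIREWALL_LOG):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} every ~{f['mean_interval']:.0f}s "
              f"({f['count']} connections, jitter {f['jitter']:.3f})")
```

On the sample data the single flagged flow is the five connections to 203.0.113.50 spaced roughly 300 seconds apart; the large, irregular transfers to the 198.51.100.0/24 hosts are not reported. Real deployments should widen the window to hours or days, since many implants use long sleep intervals, and cross-check flagged destinations against threat intelligence before acting.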
Learn more about how attackers can gain on-site network access from security consultant Brian Halbach.
Q: When inside a facility, if you can't find a spare computer to use as a means of gaining network access, what is your next move?
Brian: If we can't find a spare computer around to be able to access the network, a backup plan that we have is actually we'll have different types of USB drives, and sometimes they will be a real USB with like a Word document on it that if somebody enables macros it will bypass their antivirus or their EDR solution and it'll phone home back to us. We usually do this in a couple of different ways. We'll either try to leave it in kind of a common area so it kind of looks like, 'oh, common area, this must have fallen out of someone's pocket,' or we'll try to leave it by entry and exit doors. We're finding that to be successful just because that's kind of when someone may be looking for their car keys, and you know, reaching for your car keys and a USB drive falls out. We'll give these documents interesting, juicy names, something that if a common employee picks it up, it's going to be something that they want to open, such as 'salary information for employees for the years 2020-2021,' like that, they're going to want to open that, or 'new COVID guidelines/layoff information,' they are going to open it. So even if it says like you enable macros, if we make it seem good enough, you'll be surprised what some employees will do to see that information.
Another attack style that we have involves little USB drives that are mini-computers, so it has a microchip instead of a storage chip. So we leave those around in hopes that somebody will plug it into their computer when it's unlocked, and what that does is it actually launches some code directly into their computer, it acts as their keyboard, and virtually types on their keyboard, and what it does is it goes out to our cloud servers - our attacker cloud servers - and pulls down our malicious software. We'll try to install and run it, and usually, we can configure it to get past most antivirus and get past some, not all, EDR solutions. So that way, they plug it in, and to them, it just looks like, oh, that was weird, there was a hiccup on my computer, and they don't realize that it downloaded something in the background.
Q: Other than around an office building, are there other areas you consider when placing USBs?
Brian: Yeah, another good place to place USB drives besides employee computers or doors is also in parking lots. We can place them around in parking lots in hopes that again people will see and think, oh, this must belong to somebody who works here; let me plug it in and see if I can return it to them. And so that will often work as an attack vector to get somebody to plug in a USB drive.
Q: How easy is it to craft a malicious payload and place it on a USB?
Brian: Yeah, so for crafting a malicious payload, which is malicious software that will do what we as the attackers or good guy hackers want it to do, it's an art and a science, and it's one of those things that takes a little bit of an understanding of what the operating system is really doing. It takes a good understanding of how systems talk to each other, what they are doing, and then just looking at that and saying, alright, how can I craft something that can look similar, but do the malicious things that I also want to do and do it in a way that isn't going to raise any alarms or bypass the alarm bells that your typical anti-virus or EDR solution would have. So it's a little bit of an art and science. And it's a fun, interesting cat and mouse game where it seems like every month, a new tactic comes out, and then the companies catch up. Then the companies may be ahead for a little bit, and then there will be a new technique again, and the bad guys will have an advantage again, and it's this constant back and forth. So it's one of those things where you always need some antivirus, you need some endpoint protection on your systems, but it's not the catchall of all security. You need to go a little bit beyond that to make sure that you are secure.
Q: What is a shell and why do you need one to deliver a malicious payload?
Brian: So a shell is kind of hacker speak for a terminal or a command prompt - that little black box that you can sometimes see the IT guys bring up where they type in their commands. It's what gives us a keyboard control of the computer and a way to instruct the computer to do what we want it to do behind the scenes that you won't be able to see. So if we have a shell, that's our term of remote control, so we always want to get a shell on a computer because that means that we can now remotely control that computer and tell it to do our commands. So the user can still do what they're trying to do, but they can still run our commands in the background.
Q: Is detonating a malicious payload a big deal? What does it achieve?
Brian: Detonating a malicious payload, which is a term for essentially, you know, plugging in that USB drive or downloading that email attachment and then clicking 'run' or 'enable content.' What that does is that it allows the attacker's code to run. So there are multiple steps in an attack chain for us actually to be successful, and that is a very important one, because if somebody plugs in the USB and doesn't open the document or they don't actually enable the macros, or if they download an email but they don't download the attachment... yeah, they open the email and read it, but the malicious code can never move on to the next step of actually running. So it's very important that we can actually get the payloads to detonate, that we can get somebody to double click and run our code, because that allows us to move along the kill chain and hopefully move from detonating the payload to running the payload to downloading additional code to being able to call back to our attacker cloud servers and just moving along. So it's that first step that we need to accomplish somehow, so the rest of the steps can fall over like dominoes.