Criminals Using Customized Keyloggers Malware to Steal and Exfiltrate Data
Scmagazine.com reported on 11th July, 2014 quoting researchers of security firm Cyphort as "attackers have been using all types of customized and modified keylogger malware to infect systems and steal data like credentials as a part of massive campaign which dates back to 2009."
Google, Facebook,Yahoo, Skype and Dropbox are among the targets in the campaign known as NightHunter which was so named due to its silent methods of exfiltration of data but threats has been seen targeting oil industry, energy firms hospitals, educational institutions, charities and other organizations.
The security firm is not sure about what attackers are doing with the stolen data but believes that they could use it and attack targets for espionage, extortion and bank fraud.
The cybercriminals distribute the malware through phishing emails which look to be related to payments, purchase orders, jobs and inquiries. Securityweek.com reported on 11th July, 2014 quoting Cyphort as "The malicious notifications are normally sent to the sales, finance and human resources departments of insurance firms, educational institutes, trading companies, charities, broadcasters and others."
The phishing emails contain an archive file which hides a keylogger in most cases and when it is installed on a system, keylogger enable attackers to steal data from FTP applications, Web browsers, instant messaging apps, games, password managers, Bitcoin programs and email clients. Cyphort elaborated that there are additional threats which include features like extension spoofing, screenshot capturing, obfuscation, website blocking, fake error messages, self-removal, file downloaders, Web browser data removal and application disabling.
Cyphort has found more than 1,800 infected systems across the world including U.K., U.S., India, Saudi Arabia and Malaysia.
DarkReading reported on 11th July, 2014 quoting Fengmin Gong, Co-Founder of Cyphort, as saying "The attack is ongoing and we will also continue to monitor it. The attackers are very aggressive in collecting and exfiltrating data. Considering the systematic nature of the actors of the campaign, we are guessing that they are still in a "exploration stage" attacking high-level executives with credentials but currently it is not possible to speculate certainly about their endgame."
» SPAMfighter News - 7/22/2014