Researchers have identified new information-stealing malware called VIPKeyLogger, which exhibits similarities to the subscription-based Snake Keylogger.
Phishing campaigns that deliver malicious attachments disguised as archive or Microsoft 365 files are being used to spread the VIPKeyLogger malware.
When a user opens the malicious attachment, it starts the infection chain. First, it drops or downloads a payload into a temporary or startup folder so that it persists on the compromised system.
Then, when the archive or Microsoft 365 file is opened, it retrieves an additional malicious file and stores it in the user's AppData\Roaming directory.
The malware then executes the downloaded file, which proceeds to steal sensitive information from the infected system, including login credentials, financial data, system details, and personally identifiable information (PII).
According to Forcepoint, the malware deletes itself immediately after completing its malicious functions in order to avoid detection.
It also writes the stolen content back into the archive or Microsoft 365 file that was originally opened, so that the file appears to have been modified by the user; this conceals the malware's presence and hinders its discovery.
The malicious attachments delivered by these phishing emails are the vehicle for the keylogger.
Once activated, it silently records keystrokes, captures clipboard data, takes screenshots, and steals browsing history, cookies, and email configurations. The harvested data is exfiltrated via Telegram to C2 servers hosted on dynamic DuckDNS domains.
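The exfiltration path described above (Telegram as the transport, DuckDNS dynamic domains for the C2 hosts) is what a defender can look for in proxy and resolver telemetry. The script below is an added example, not code from the Forcepoint write-up: it runs over a few constructed proxy/DNS log lines and flags Telegram Bot API upload calls (`api.telegram.org/bot<token>/sendDocument` and similar, which is the documented Bot API URL shape) coming from processes that have no business using a bot, plus any lookup of or connection to a `*.duckdns.org` host. The log format, hostnames, process names and bot token are all constructed for the example; the allowlist of browser processes is an assumption you would tune to your environment.

```python
"""Flag proxy/DNS log lines consistent with keylogger exfiltration over the
Telegram Bot API or to DuckDNS-hosted C2 infrastructure.

Added example, not code from the Forcepoint write-up. Log format (constructed):
  "<timestamp> <host> <process> <METHOD> <url>"   for proxy lines
  "<timestamp> <host> <process> DNS <qname>"      for resolver lines
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Bot API calls look like https://api.telegram.org/bot<token>/<method>.
# Real tokens are "<bot id>:<secret>"; the secret length is kept lenient here.
TELEGRAM_BOT_RE = re.compile(r"^/bot(\d+:[A-Za-z0-9_-]{20,})/(\w+)$")
# Methods a stealer uses to push files or text out; getUpdates etc. are left alone.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}
DUCKDNS_SUFFIX = ".duckdns.org"
# Assumption: a browser hitting the Bot API may be a developer testing a bot;
# an Office host, a service name or a dropped binary doing so is not.
BENIGN_TELEGRAM_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe"}


@dataclass
class Finding:
    line_no: int
    host: str
    process: str
    ioc: str      # bot token or DuckDNS hostname, ready for a block rule
    reason: str


def analyze(lines):
    """Return one Finding per log line matching an exfiltration indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 5:
            continue
        _ts, host, proc, kind, target = parts[:5]
        if kind == "DNS":
            if target.lower().endswith(DUCKDNS_SUFFIX):
                findings.append(Finding(n, host, proc, target,
                                        f"DNS lookup of DuckDNS host {target}"))
            continue
        u = urlsplit(target)
        if u.hostname == "api.telegram.org":
            m = TELEGRAM_BOT_RE.match(u.path)
            if m and m.group(2) in EXFIL_METHODS \
                    and proc.lower() not in BENIGN_TELEGRAM_CLIENTS:
                token, method = m.group(1), m.group(2)
                findings.append(Finding(n, host, proc, token,
                                        f"{method} via Telegram bot {token.split(':')[0]} from {proc}"))
        elif u.hostname and u.hostname.lower().endswith(DUCKDNS_SUFFIX):
            findings.append(Finding(n, host, proc, u.hostname,
                                    f"HTTP {kind} to DuckDNS host {u.hostname}"))
    return findings


# Constructed sample: stage-2 fetch from a DuckDNS host by the Office process,
# the matching DNS lookup, an upload by a dropped binary named like a system
# process, and a benign-looking browser call that must NOT be flagged.
SAMPLE_LOG = """\
2024-12-10T09:14:02Z WS-0417 chrome.exe GET https://www.example.com/
2024-12-10T09:14:10Z WS-0417 WINWORD.EXE GET http://update-srv.duckdns.org/stage2.bin
2024-12-10T09:14:11Z WS-0417 - DNS update-srv.duckdns.org
2024-12-10T09:15:30Z WS-0417 svchost.exe POST https://api.telegram.org/bot123456789:AAHfiqksKZ8WmR2zSjiQ7_v4TNbLY0uW1ZQ/sendDocument
2024-12-10T09:16:00Z WS-0417 chrome.exe GET https://api.telegram.org/bot123456789:AAHfiqksKZ8WmR2zSjiQ7_v4TNbLY0uW1ZQ/getUpdates
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no} {f.host} {f.process}: {f.reason}  [ioc={f.ioc}]")
```

Two caveats when deploying this for real: the Telegram path is only visible if your proxy does TLS inspection; otherwise you see just the SNI or DNS name `api.telegram.org`, and the process-based allowlist becomes the only discriminator. The DuckDNS match is deliberately broad because dynamic DNS is cheap for attackers and rare for legitimate enterprise traffic, so treat it as a triage signal rather than an automatic block.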
Multi-layered protection against this threat lets organizations proactively block the malicious attachments that lure users into clicking, prevent access to the harmful URLs, and identify and block the dropper files.