A new keylogging malware has been observed. Known as Fauxpersky, it disguises itself as Kaspersky’s Internet Security anti-virus product.
Fauxpersky was developed using AutoHotKey (AHK), a simple scripting language for Windows, and is delivered via infected USB drives. Once installed, it downloads four files with names similar to those of Windows components: Explorers.exe, Svhost.exe, Taskhosts.exe and Spoolsvc.exe. Using an AHK function, it monitors keystrokes, logging them to a file named Log.txt before uploading it to a Google Form.
Propagation is achieved by copying itself to any connected external drives, whose volume labels are then appended with ‘Secured by Kaspersky Internet Security 2017’.
“This malware is by no means advanced or even very stealthy,” said researchers Amit Serper and Chris Black, in a detailed blog post, published Wednesday.
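The look-alike file names and the volume-label text described above can be checked for in an endpoint inventory. The following Python is an added example, not code from the researchers' post; the list of genuine Windows names, the sample paths and the drive labels are constructed assumptions.

```python
import ntpath  # parses Windows-style paths on any OS

# Genuine Windows binaries the dropped files imitate (editor's assumption).
LEGIT = ("explorer.exe", "svchost.exe", "taskhost.exe", "taskhostw.exe", "spoolsv.exe")
# Text the article says is appended to the volume label of infected drives.
LABEL_MARKER = "secured by kaspersky internet security 2017"

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(path):
    """Return the genuine name a file is one edit away from, else None."""
    name = ntpath.basename(path).lower()
    if name in LEGIT:
        return None
    for real in LEGIT:
        if edit_distance(name, real) == 1:
            return real
    return None

def scan(process_paths, volume_labels):
    """Collect (kind, subject, detail) findings from an inventory snapshot."""
    findings = []
    for path in process_paths:
        real = lookalike(path)
        if real:
            findings.append(("lookalike-binary", path, real))
    for drive, label in volume_labels.items():
        if LABEL_MARKER in label.lower():
            findings.append(("marked-volume", drive, label))
    return findings

# Constructed sample inventory (paths and labels are illustrative only).
SAMPLE_PROCESSES = [r"C:\Windows\explorer.exe",
                    r"C:\Users\demo\AppData\Roaming\example\Svhost.exe",
                    r"C:\Users\demo\AppData\Roaming\example\Taskhosts.exe",
                    r"C:\Program Files\Browser\browser.exe"]
SAMPLE_VOLUMES = {"E:": "BACKUP Secured by Kaspersky Internet Security 2017",
                  "F:": "PHOTOS"}

if __name__ == "__main__":
    for finding in scan(SAMPLE_PROCESSES, SAMPLE_VOLUMES):
        print(finding)
```

A hit is a lead for triage rather than a verdict, since other software may ship binaries whose names sit one character away from a Windows component.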