New cloud-based keylogger gaining momentum among criminals

Malware comes with lots of built-in functionality.

New cloud-based keylogger gaining momentum among criminals

A new cloud-based keylogger malware family is slowly but surely gaining momentum among criminals on underground web marketplaces.

The malware, dubbed "NexusLogger", appears to have first arrived on the keylogging scene at the beginning of 2017. The timing of its debut means NexusLogger's authors likely created their software over the New Year period. No wonder we haven't heard much of the keylogger until now.

Researchers at Palo Alto Networks corroborate that observation:

"The total number of attacks witnessed using NexusLogger is quite low when compared with other commodity malware families. Again, this is likely due to slow adoption by criminals. The keylogging market is quite saturated with numerous malware families, and it can be difficult for new players to enter the market."

Nexus 1

Timeline of NexusLogger attacks viewed within AutoFocus, Palo Alto Networks' threat intelligence service.

As of this writing, only 134 instances of the malware have been spotted in just 400 attacks.

But those numbers could very well change in the near future.

You see, because NexusLogger is cloud-based, non-skilled criminals can use the keylogger's friendly web portal to configure the malware however they want. They can specify how long they want to use it, with one year's license costing just $199 in Bitcoin or via PayPal. Buyers can even use the NexusLogger's email and Skype addresses for customer support if they have any questions.

Nexuslogger's login page

So what can NexusLogger do?

Upon successful installation (and a possible User Account Control - UAC - bypass), the keylogger of course logs keystrokes and clipboard system. It also collects system data, downloads stored passwords, takes screenshots, and even harvests credentials for Minecraft and other games. It then uploads all this information to the attacker via FTP.

According to Palo Alto Networks, it would appear 275 individual attackers have registered with NexusLogger so far. To protect against these bad actors, defenders should block nexuslogger[.]com, a domain to which all samples of the keylogger connect over HTTPS.

Seeing as how most of the NexusLogger infections occur via phishing attacks, organizations should conduct phishing simulations with their employees. They should also hold other security awareness training exercises, like looking for strange USB devices attached to the back of workstations.

Doing this can, without a doubt, help protect their corporate and their customers' information.

Tags: , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

Subscribe to the free GCHQ newsletter

, , , ,

One Response

  1. Crumble

    March 22, 2017 at 11:02 am #

    Is simulated phishing attacks against your employees really going to help much? These things are really hard to spot, even for a trained individual. Surely we should be focusing efforts on stopping these emails in getting to the users in the first place, such as DMARC?

Leave a Reply