PowerShell Keylogger

Sept. 4, 2024, 9:45 a.m.

Description

A newly identified keylogger implemented as a PowerShell script has been analyzed, revealing its capabilities to capture keystrokes, gather system information, and exfiltrate data. The malware uses a cloud server in Finland as a proxy and an Onion server for C2 communication, ensuring anonymity. It implements various functions, including screen capture, encoded command execution, and persistent connection attempts. The keylogger's code suggests a French-speaking developer. While sophisticated in its approach, the persistence mechanism remains incomplete, indicating potential future enhancements. The analysis highlights the need for robust security measures against such stealthy threats.

Date

Published: Sept. 4, 2024, 9:05 a.m.

Created: Sept. 4, 2024, 9:05 a.m.

Modified: Sept. 4, 2024, 9:45 a.m.

Indicators

181fe99c16fa6cc87a3161bc08a9e2dbd17531c7d713b09d8567c1b3debe121f

37.143.129.165

opioem3zmp3bgx3qjqkh6vimkdoerrwh3uhawklm5ndv5e7k3t4edbqd.onion

Attack Patterns

T1059.001 (Command and Scripting Interpreter: PowerShell)

T1571 (Non-Standard Port)

T1082 (System Information Discovery)

T1083 (File and Directory Discovery)

T1059 (Command and Scripting Interpreter)

Additional Information

Finland