Thursday, 23 July 2015

Dangerous USB keylogger malware discovered

Python/Liberpy.A is a keylogger reporting all keyboard events (keys the user presses), as well as mouse movements, to a server controlled by the attackers.

In mid-April 2015, ESET’s labs received a report on an executable program named “Liberty2-0.exe”, detected by us as Python/Liberpy.A. Liberpy was an HTTP-based botnet that stole users’ information, spread via USB devices, and compromised more than 2000 systems in only a few months. The various Liberty campaigns began by sending potential victims fake e-mails containing attachments appearing to be package-tracking “software”. Infected users began to join the botnet and became new propagation nodes by infecting USB devices connected to their computers. 98% of detections of these threats were in Venezuela, and though some infections even made their way to Europe, Liberpy was mainly an operation aimed at stealing information from users in Latin America.

Attackers do not rely only on their fake email campaigns; Liberpy continues to infect systems through techniques similar to those used by other malware families such as Win32/Dorkbot, JS/Bondat and VBS/Agent.NDH, among others. This propagation mechanism (hiding all files on a USB device and replacing them with shortcuts) has been common at least since 2011, and remains one of the main propagation vectors of malware via USB devices.
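A defender can check a removable drive for the hidden-files-replaced-by-shortcuts pattern described above. The following is an added example, not code from ESET or from the original post; it assumes each shortcut carries the name of the file it replaces, and the function names, threshold and sample listings are constructed for illustration.

```python
import os
import stat

def shortcut_swaps(entries):
    """entries: list of (name, is_hidden) for one directory.
    Returns (hidden_name, shortcut_name) pairs where a visible .lnk
    carries the name of a hidden entry (with or without its extension)."""
    links = {n[:-4].lower(): n for n, hidden in entries
             if not hidden and n.lower().endswith(".lnk")}
    pairs = []
    for name, hidden in entries:
        if not hidden:
            continue
        low = name.lower()
        for key in (low, low.rsplit(".", 1)[0]):
            if key and key in links:
                pairs.append((name, links[key]))
                break
    return sorted(pairs)

def drive_is_suspicious(entries, threshold=0.5):
    """True when at least `threshold` of the non-shortcut entries are
    hidden and shadowed by a shortcut. The threshold is an assumed value."""
    originals = [n for n, _ in entries if not n.lower().endswith(".lnk")]
    if not originals:
        return False
    return len(shortcut_swaps(entries)) / len(originals) >= threshold

def list_directory(path):
    """Build the (name, is_hidden) list from a real directory. The hidden
    attribute only exists on Windows; elsewhere nothing is reported hidden."""
    listing = []
    with os.scandir(path) as it:
        for entry in it:
            attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
            listing.append((entry.name, bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)))
    return listing

# Constructed sample listings (not taken from a real infected drive).
SWAPPED = [("Invoices", True), ("Invoices.lnk", False),
           ("report.docx", True), ("report.docx.lnk", False),
           ("photo.jpg", True), ("photo.lnk", False),
           ("notes.txt", False)]
CLEAN = [("System Volume Information", True), ("setup.lnk", False),
         ("notes.txt", False)]

if __name__ == "__main__":
    for label, listing in (("swapped", SWAPPED), ("clean", CLEAN)):
        print(label, drive_is_suspicious(listing), shortcut_swaps(listing))
```

On a Windows host, `drive_is_suspicious(list_directory("E:\\"))` applies the same check to the root of a mounted drive; the drive letter here is a placeholder.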

Read the full Liberpy story on ESET’s blog.