The VIPKeyLogger infostealer, which bears a strong resemblance to the Snake Keylogger, is actively being circulated through phishing campaigns. It arrives as e-mail attachments disguised as archives or Microsoft 365 files, uses malicious Microsoft Office documents as its initial stage, and relies on command-and-control (C2) infrastructure to deliver and operate its payload. It targets sensitive data such as login credentials, financial information, system details, and personally identifiable information, and is a significant threat to any system it compromises.
In recent analyses, the malicious document, which initially appears to be related to CVE-2017-11882, turned out to be an RTF file. Inspecting the file's objdata section revealed encoded content containing object references that resolve to a URL. That URL is the download source for a malicious executable, so the RTF document serves purely as a delivery mechanism that gets the malware onto the system.
Further investigation showed that stripping the blank lines and whitespace from one specific object in the artifact exposed the URL. It was used to download a malicious .NET compiled file. Opening that file in dnSpy revealed that it dynamically loads a module under the name "skkV.exe", which suggests the malware uses obfuscation techniques to evade detection.
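The triage step described above, whitespace removal and decoding of the objdata blob, is easy to automate. The following is an added example written for this page, not code from Forcepoint or from the malware analysis; the RTF it parses is constructed inline, the object header bytes are hypothetical, and the download URL is a placeholder on the reserved `.invalid` domain. It also reports the object's `\objclass`, since an Equation Editor class is the usual marker of a CVE-2017-11882 lure.

```python
"""Added example: extract and decode \\objdata blobs from an RTF lure."""
import binascii
import re

# --- Constructed sample (not a real VIPKeyLogger artifact) -------------------
# Hypothetical OLE-style header bytes followed by a placeholder download URL.
_PAYLOAD = (
    b"\x01\x05\x00\x00\x02\x00\x00\x00"
    + b"http://example.invalid/update/skkV.exe"
    + b"\x00\x00"
)
_HEX = binascii.hexlify(_PAYLOAD).decode("ascii")
# Break the hex into short runs separated by blank lines and spaces, mimicking
# the whitespace padding that hides the string from naive `strings`/grep runs.
_SCATTERED = "\r\n\r\n ".join(_HEX[i:i + 7] for i in range(0, len(_HEX), 7))
SAMPLE_RTF = (
    "{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\n"
    "{\\object\\objemb\\objw100\\objh100{\\*\\objclass Equation.3}\n"
    "{\\*\\objdata " + _SCATTERED + "}}\n"
    "\\par }"
)

# \objdata is followed by a hex dump that may be interleaved with whitespace.
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")
OBJCLASS_RE = re.compile(r"\\objclass\s+([^}\\]+)")
# Printable ASCII run starting with a URL scheme; stops at NUL or other bytes.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def decode_objdata(rtf_text):
    """Return the decoded bytes of every \\objdata blob, whitespace removed."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf_text):
        cleaned = re.sub(r"\s+", "", match.group(1))
        if len(cleaned) % 2:            # tolerate a stray trailing nibble
            cleaned = cleaned[:-1]
        blobs.append(binascii.unhexlify(cleaned))
    return blobs


def find_urls(rtf_text):
    """Return every URL found inside the decoded objdata blobs."""
    urls = []
    for blob in decode_objdata(rtf_text):
        for match in URL_RE.finditer(blob):
            urls.append(match.group(0).decode("ascii"))
    return urls


def triage(rtf_text):
    """Summarise the indicators an analyst wants at first glance."""
    classes = [c.strip() for c in OBJCLASS_RE.findall(rtf_text)]
    return {
        "objects": len(decode_objdata(rtf_text)),
        "objclasses": classes,
        # Equation Editor objects are the classic CVE-2017-11882 vehicle.
        "equation_editor": any("equation" in c.lower() for c in classes),
        "urls": find_urls(rtf_text),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_RTF))
```

Run against a real sample, `triage(open(path, encoding="latin-1").read())` gives the object count, the declared object class, and any download URL without having to hand-edit the hex; anything that decodes but yields no URL still deserves a look in a dedicated tool such as rtfobj.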
Moreover, the next stage is disguised as an innocuous image file ("vmGP") and uses steganography to hide malicious code inside the image data. On execution, code in the MainForm() class extracts and decodes the hidden payload, which then collects sensitive information from the infected system: system details, clipboard content, screenshots, browsing history, and cookies. This data is sent to a Telegram bot and then on to randomly generated DuckDNS servers.
The keylogger is distributed through phishing e-mails with malicious attachments and relies on the recipient opening the attachment. Once executed, it establishes persistence by dropping files into system folders and then exfiltrates sensitive data such as keystrokes, clipboard content, screenshots, browsing history, cookies, and e-mail credentials. The data is transmitted via Telegram to a command-and-control (C2) server hosted on dynamic DuckDNS, which lets the attackers monitor and control compromised systems remotely.
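The two exfiltration channels named above, the Telegram Bot API and dynamic DuckDNS hostnames, are both visible in outbound web-proxy logs. The following detection logic is an added example written for this page, not Forcepoint's detection content; the log lines are constructed, and the bot token and DuckDNS subdomain in them are placeholders rather than real indicators. It flags each channel on its own and then correlates them per client, since a host that talks to both in close succession matches the pattern described in the write-up far more specifically than either hit alone.

```python
"""Added example: flag Telegram-bot and DuckDNS exfiltration in proxy logs."""
import re
from urllib.parse import urlsplit

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
# The bot token and the DuckDNS name are placeholders, not real IoCs.
SAMPLE_LOG = """\
2024-01-15T09:12:01Z 10.0.0.5 GET https://www.example.com/news 200
2024-01-15T09:12:07Z 10.0.0.5 POST https://api.telegram.org/bot123456789:PLACEHOLDER_TOKEN/sendDocument 200
2024-01-15T09:12:09Z 10.0.0.7 GET https://api.telegram.org/ 200
2024-01-15T09:12:30Z 10.0.0.5 POST https://a1b2c3d4.duckdns.org/gate.php 200
2024-01-15T09:13:02Z 10.0.0.9 GET https://cdn.example.org/lib.js 200
"""

# Bot API upload methods: /bot<id>:<token>/sendDocument etc.
BOT_PATH_RE = re.compile(r"^/bot(\d+):([^/]+)/(sendMessage|sendDocument|sendPhoto)$")
DUCKDNS_SUFFIX = ".duckdns.org"
TELEGRAM_REASON = "telegram-bot-api-upload"
DUCKDNS_REASON = "duckdns-dynamic-c2"


def parse_line(line):
    """Split one constructed log line into a record with host and path."""
    ts, src, method, url, status = line.split()
    parts = urlsplit(url)
    return {"ts": ts, "src": src, "method": method,
            "host": parts.hostname or "", "path": parts.path, "status": status}


def classify(rec):
    """Return a reason string if the record matches an exfil pattern, else None."""
    if rec["host"] == "api.telegram.org":
        match = BOT_PATH_RE.match(rec["path"])
        if match:
            # Mask the bot token so it never ends up in an alert or ticket.
            rec["path"] = f"/bot{match.group(1)}:<redacted>/{match.group(3)}"
            return TELEGRAM_REASON
    if rec["host"].endswith(DUCKDNS_SUFFIX):
        return DUCKDNS_REASON
    return None


def scan(log_text):
    """Return the records that hit either channel, each tagged with a reason."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reason = classify(rec)
        if reason:
            rec["reason"] = reason
            hits.append(rec)
    return hits


def correlate(hits):
    """Clients that used both channels: the strongest signal in this data."""
    by_src = {}
    for hit in hits:
        by_src.setdefault(hit["src"], set()).add(hit["reason"])
    wanted = {TELEGRAM_REASON, DUCKDNS_REASON}
    return sorted(src for src, reasons in by_src.items() if wanted <= reasons)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(hit["ts"], hit["src"], hit["reason"], hit["host"] + hit["path"])
    print("clients on both channels:", correlate(SAMPLE_LOG and found))
```

A plain GET to the Telegram API root (the 10.0.0.7 line) is deliberately not flagged: only the bot upload methods are characteristic of this stealer, and keying on them keeps the rule from firing on ordinary messenger traffic. The token redaction in `classify` matters because a leaked bot token in an alert would itself be sensitive.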
Forcepoint protects customers against this threat by blocking the malicious attachments at the lure stage and the suspicious URLs during the redirect phase. By identifying and blocking the dropper files and cutting off command-and-control communication, Forcepoint's platform limits the attacker's ability to keep persistent control over compromised systems.
In conclusion, the VIPKeyLogger infostealer is a significant threat, harvesting sensitive information through deceptive phishing campaigns. Individuals and organizations alike need to stay vigilant against such threats and maintain robust security measures to safeguard their systems and data.