For all those starting work on Monday and starting to trawl through emails and/or planning the week ahead, here’s something to brighten your day. There is a new malware delivered via phishing emails, but the attackers committed a few errors when crafting their cyber attack.
As this article on PhishMe reports, the malware is called Dynasty Keylogger, or Predator Dynasty. Dynasty Keylogger is a keystroke logging malware, but it also can send back passwords from applications such as web browsers. The malware also takes screenshots and sends them back to the command and control server. Dynasty Keylogger is written in .NET and uses port 587 to communicate with its command server.
The malware is spread via a phishing email. The email looks like it is from HSBC bank; the attachment to the email contains the Dynasty Keylogger malware. When the attachment is opened, the malware sends back an email to the attackers letting them know the malware has been installed.
However, the malware has some interesting features. The email that is sent back to the attacker has a hard-coded login name (including the server name) and a hard coded password. The researchers at PhishMe were able to easily extract the attacker’s login credentials.
The researchers were able to watch the attackers; in particular, they were able to use a WireShark capture to monitor the attackers taking a screenshot of the victim machine. Amusingly, the screenshot the attackers took was a screenshot showing the researcher monitoring the attacker’s activities on the victim machine. (The malware was installed on a virtual machine.) The PhishMe article includes a screenshot of what the attackers would have seen.
This malware lacks the sophistication of, for instance, the Sandworm malware. However, it should still be treated as serious; again it is spread via a phishing campaign. In this case, the email impersonates a HSBC email. Whilst phishing is a low tech form of attack, it is frequently effective.