AutoHotkey is a free, open-source custom scripting language for Microsoft Windows that was developed by Chris Mallett and Steve Gray in 2003. It’s aimed at allowing users to write scripts for custom keyboard shortcuts (hotkeys) that automate various tasks on any Windows application. Due to the ease with which users can manipulate Windows programs with AutoHotkey, it has widely been used by hackers to write malware. The most recent malware created with AutoHotkey is a credential stealer named “Fauxpersky”.
So, what exactly is Fauxpersky and how does it affect Windows systems?
Characteristics of Fauxpersky
Fauxpersky was discovered by Amit Serper and Chris Black, two security researchers from Cybereason, a cybersecurity company. In a detailed post released on March 28, 2018, the two researchers revealed that they found a credential-stealing malware written with AutoHotkey. They named the malware “Fauxpersky” because it disguises itself as the Kaspersky Antivirus program.
A credential-stealing keylogger, Fauxpersky spreads to USB flash drives through these four dropped executable files:
These files were in a directory named Kaspersky Internet Security 2017, along with two non-executable files: 1) a PNG image file of the “Kaspersky Internet Security 2017” label and logo, and 2) a “Read Me” text file.
According to the researchers, each file is responsible for one function necessary for the infection. Here’s how the entire process works.
- Explorers.exe (Propagation)
Once executed, the keylogger uses this file to self-propagate and infect USB drives. It gathers the drives listed on a Windows computer and replicates itself onto them. Fauxpersky collects the removable drives, renames them to match the keylogger’s naming scheme, then copies these files to all the external drives connected to the computer.
In this file, there is a function called CheckRPath that checks the connected drives for the previous renamed files and creates them if they are not already on that drive.
With AutoHotkey’s “FileSetAttrib()” function, the renamed files are then set with the attributes SH (System, Hidden).
- Svhost.exe (Keylogging)
This is the specific file that contains Fauxpersky’s keylogging function. Svhost.exe uses AutoHotkey’s “WinGetActiveTitle()” to monitor the active window on a computer, then uses the input() function to record the keystrokes on that window.
These keystrokes are saved to a file named “Log.txt” and then saved inside the “%APPDATA%\Kaspersky Internet Security 2017” directory, which is created in the next process.
- Taskhost.exe (Persistence)
Through this file, Fauxpersky changes its working directory to %APPDATA%, then creates the “Kaspersky Internet Security 2017” folder. This directory is hardcoded.
CheckLCore, a routine in Taskhost.exe, checks to see if the computer’s files were indeed created and copied by the previous function. If not, Taskhost.exe copies them by using AutoHotkey’s “FileCopy()” function and then sets file attributes with the “FileSetAttrib()” function.
- Spools.svc (Data swiping)
In this file are a series of routines responsible for changing the values of registry keys to either enable the display of “Hidden” and “SuperHidden” files. Once this is done, Fauxpersky checks to make sure that Explorers.exe is running. If not, then the malware will execute it to guarantee its persistence.
A function called “CheckLProcess” checks all the malware’s components to verify if they are running. If not, they will be executed through the “Run()” function and Loop/Parse call.
The last and most crucial aspect of the process is the stealing of the keylogged data saved by Svhost.exe on the Log.txt file, which Fauxpersky sends to a Google form.
Amit Serper and Chris Black state that the malware is simple yet efficient with its goals, namely:
- The infection of USB drives connected to a Windows computer.
- Collecting data with a keylogger.
- Sending it to a Google form accessible to the hacker responsible for the attack.
The two researchers also contacted Google about the form and their security team took it down in less than one hour.
In case you are infected with Fauxpersky, all you need to do is go to %appdata%\Roaming\ and delete the “Kaspersky Internet Security 2017” directory.
Safeguard your data by taking a more proactive approach to cybersecurity. When it comes to protecting yourself against keyloggers and other types of malware, prevention is always better than a cure.