Digitalization has improved our standard of living considerably, making things easier, faster and more reliable. But maintaining all records on computers and processing them over the internet is like a coin with two dissimilar sides. Alongside countless benefits there are a few notable drawbacks, especially hackers and their tools, known as malware. The newest addition to this large malware family is Fauxpersky. Its name rhymes with the famous Russian antivirus ‘Kaspersky’, but that is where their paths diverge. Fauxpersky disguises itself as Kaspersky and is designed to steal user information and send it to hackers over the internet. It spreads through USB drives, infects the user’s computer, captures all keystrokes like a keylogger and finally sends them to the attacker’s mailbox through Google Forms. The logic behind this malware’s name is simple: anything made in imitation is known as faux, hence an imitation of Kaspersky would be Faux-Kaspersky, or Fauxpersky.
To understand the execution process of this malware, let’s first check out its various components:
Google defines a keylogger as a computer program that records every keystroke made by a computer user, especially to gain fraudulent access to passwords and other confidential information. However, when initially designed, keyloggers served parents who wanted to monitor their children’s online activity and organizations where employers wanted to determine whether employees were working on the tasks assigned to them.
AutoHotkey is a free, open-source custom scripting language for Microsoft Windows, initially aimed at providing easy keyboard shortcuts or hotkeys, fast macro-creation and software automation that allows users of most levels of computer skill to automate repetitive tasks in any Windows application (from Wikipedia, the free encyclopaedia).
Google Forms is one of the apps in Google’s online office suite. It is used to create a survey or questionnaire, which is then sent to the desired group of people; their responses are recorded in a single spreadsheet for analysis.
Kaspersky is a well-known Russian antivirus brand which has developed antivirus, internet security, password management, endpoint security, and other cybersecurity products and services.
As it is sometimes said, “Too many good things can make a big bad thing”.
Fauxpersky was developed using AutoHotKey (AHK) tools, which can read text entered by the user in Windows and send keystrokes to other applications. The method used by the AHK keylogger is quite straightforward; it spreads through a self-replication technique. Once executed on the system, it starts storing all the information typed by the user into a text file bearing the respective window’s name. It operates under the mask of Kaspersky Internet Security and sends all the information recorded from the keystrokes to a hacker through Google Forms. The data extraction method is uncommon: attackers collect the data from infected systems using Google Forms without raising suspicion in the security solutions analysing traffic, as encrypted connections to docs.google.com do not look suspicious. Once the list of keystrokes has been sent, it is deleted from the hard drive to prevent detection. However, once the system is infected, the malware starts up again after the computer is restarted. It also creates a shortcut for itself in the startup directory of the Start menu.
Fauxpersky: Modus Operandi
The process of initial infection has not been determined yet, but after the malware compromises a system, it scans all the removable drives attached to the computer and replicates itself onto them. It creates a folder in %APPDATA% named “Kaspersky Internet Security 2017” containing six files, four of which are executables named to resemble Windows system files: Explorers.exe, Spoolsvc.exe, Svhost.exe, and Taskhosts.exe. The other two files are a picture file with the Kaspersky antivirus logo and a text file named ‘readme.txt’. The four executable files carry out different functions:
- Explorers.exe – spreads from host machines to connected external drives through file duplication.
- Spoolsvc.exe – alters the registry values of the system, which in turn prevents the user from viewing hidden and system files.
- Svhost.exe – uses AHK functions to monitor the currently active window and log any keystrokes entered into that window.
- Taskhosts.exe – is used for the final data upload.
All the data recorded in the text file is sent to the attacker’s mailbox through Google Forms and then deleted from the system. In addition, the data transmitted via Google Forms is already encrypted, which makes Fauxpersky’s data uploads appear unsuspicious to various traffic monitoring solutions.
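Because the upload is encrypted and goes to a legitimate Google host, the useful signal is which process opened the connection rather than what was sent. The following is an added example, not code from the original article or from Cybereason: it reads constructed per-connection events (process image, destination host and port, the kind of fields endpoint network telemetry records) and reports non-browser processes that reached docs.google.com. The browser allowlist, the severity labels and the sample events are assumptions.

```python
import csv
import io
from collections import Counter
from pathlib import PureWindowsPath

FORMS_HOST = "docs.google.com"  # upload destination named in the article
# Assumed allowlist of browser binaries; adjust to the local fleet.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

# Constructed sample events (not real telemetry): one row per outbound
# connection, with the process image that opened it.
SAMPLE_EVENTS = r"""time,image,dest_host,dest_port
2018-03-28T09:00:01Z,C:\Program Files\Google\Chrome\Application\chrome.exe,docs.google.com,443
2018-03-28T09:05:12Z,C:\Users\alice\AppData\Roaming\Kaspersky Internet Security 2017\Taskhosts.exe,docs.google.com,443
2018-03-28T09:35:40Z,C:\Users\alice\AppData\Roaming\Kaspersky Internet Security 2017\Taskhosts.exe,DOCS.GOOGLE.COM,443
2018-03-28T09:40:00Z,C:\Program Files\Backup\sync.exe,docs.google.com,443
2018-03-28T09:41:00Z,C:\Windows\System32\svchost.exe,update.example.com,443
"""


def non_browser_forms_clients(log_text):
    """Map each non-browser image that reached FORMS_HOST to (count, severity)."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        # Hostnames are case-insensitive and may carry a trailing dot.
        if row["dest_host"].lower().rstrip(".") != FORMS_HOST:
            continue
        if PureWindowsPath(row["image"]).name.lower() in BROWSERS:
            continue
        counts[row["image"]] += 1
    result = {}
    for image, n in counts.items():
        # The article places the malware's folder under %APPDATA% (the
        # roaming profile), so binaries running from there rank higher.
        roaming = "\\appdata\\roaming\\" in image.lower()
        result[image] = (n, "high" if roaming else "review")
    return result


if __name__ == "__main__":
    for image, (n, severity) in non_browser_forms_clients(SAMPLE_EVENTS).items():
        print(f"{severity:6} {n:3} {image}")
```
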
Cybersecurity company ‘Cybereason’ is credited with discovering this malware and although it does not indicate how many computers have been infected, but given that Fauxpersky’s intelligence is spread through the old-fashioned method of sharing USB drives. Once Google was notified, it immediately responded by taking down the form from its servers within an hour.
If you feel that your computer is also infected, simply access the ‘AppData’ folder, enter the ‘Roaming’ folder and delete the files related to Kaspersky Internet Security 2017, along with the directory itself, and the related files from the startup directory located in the Start menu. It is also advisable to change the passwords of your services to avoid unauthorized use of the accounts.
Even with the latest antimalware money can buy, it would be wrong to think that the personal information stored on our computers is safe, because malware is frequently being created by social engineering activists all over the world. Antimalware developers can keep updating their malware definitions, but it is not always 100% possible to detect the anomalous software created by brilliant minds who have gone astray. The best way to prevent an infiltration is to visit trusted websites only and exercise extreme caution while using external drives.
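The file-system artifacts listed under the modus operandi, and the manual check described in the paragraph above, can be scripted for triage before anything is deleted. This is an added example, not code from the original article: it looks under one user's %APPDATA% for the folder and executable names given in the text, and for Startup entries whose raw bytes reference that folder. The Startup path is the standard per-user Windows location, and the byte search over shortcut files is an assumption, since the article does not name the shortcut.

```python
import os
from pathlib import Path

# Indicators taken from the article text.
IOC_DIR = "Kaspersky Internet Security 2017"
IOC_EXES = {"explorers.exe", "spoolsvc.exe", "svhost.exe", "taskhosts.exe"}
# Per-user Startup folder relative to %APPDATA% (standard Windows layout).
STARTUP_REL = Path("Microsoft", "Windows", "Start Menu", "Programs", "Startup")
MAX_LNK_BYTES = 1 << 20  # shortcuts are small; skip anything larger


def references_ioc_dir(path):
    """True if a startup entry's raw bytes mention the IoC folder name.

    .lnk files store target paths as ANSI and/or UTF-16LE strings, so a
    byte search finds the reference without a full shortcut parser.
    """
    if path.stat().st_size > MAX_LNK_BYTES:
        return False
    data = path.read_bytes().lower()  # lowercases ASCII letters only
    needle = IOC_DIR.lower()
    return needle.encode("ascii") in data or needle.encode("utf-16-le") in data


def scan_appdata(appdata):
    """Return sorted (kind, name) findings for one user's %APPDATA% tree."""
    appdata = Path(appdata)
    findings = []
    ioc_dir = appdata / IOC_DIR
    if ioc_dir.is_dir():
        findings.append(("ioc_directory", IOC_DIR))
        for entry in ioc_dir.iterdir():
            if entry.is_file() and entry.name.lower() in IOC_EXES:
                findings.append(("ioc_executable", entry.name))
    startup = appdata / STARTUP_REL
    if startup.is_dir():
        for entry in startup.iterdir():
            if entry.is_file() and references_ioc_dir(entry):
                findings.append(("startup_reference", entry.name))
    return sorted(findings)


if __name__ == "__main__":
    root = os.environ.get("APPDATA")  # set on Windows; absent elsewhere
    if root:
        for kind, name in scan_appdata(root):
            print(f"{kind}: {name}")
```

The script only reports; it can also be pointed at the `AppData\Roaming` directory of a mounted disk image by calling `scan_appdata` with that path.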