PowerShell is a very nice language in Windows environments. With only a few lines of code, we can implement nice features… for good or bad! While hunting, I found a bunch of malicious PowerShell scripts that implement a basic (but efficient) keylogger. The base script is always the same but contains connection details modified by script kiddies. The current script is based on an old one from 2015[1]. This time, it has been modified to add the following features:
Here are the parameters at the beginning of the script:

    # Edit only this section!
    $TimeToRun = 2
    $From = "xxxxxx@gmail.com"
    $Pass = "xxxxxxxx"
    $To = "xxxxxx@gmail.com"
    $Subject = "Keylogger Results"
    $body = "Keylogger Results"
    $SMTPServer = "smtp.gmail.com"
    $SMTPPort = "587"
    $credentials = new-object Management.Automation.PSCredential $From, ($Pass | ConvertTo-SecureString -AsPlainText -Force)
    ############################

The script is very basic, not obfuscated and detected by only one AV on VT[2]! I don't think that such scripts are a major threat; they are mostly used by script kiddies (I already collected some credentials!), but it remains a nice way to spy on people.

[1] https://gist.github.com/dasgoll/7ca1c059dd3b3fbc7277

Xavier Mertens (@xme)
ISC Handler, Feb 21st 2019
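A static triage check for the parameter block shown above, as an added example that is not part of the original diary or of the script itself: it flags a literal password piped into ConvertTo-SecureString -AsPlainText -Force next to a hard-coded SMTP server, and pulls out the server, port and mailboxes for blocking or reporting. The sample input is constructed (example.com addresses, placeholder password), and the function and finding names are hypothetical.

```python
import re

# PowerShell accepts typographic quotes as string delimiters, so normalise
# them first; a straight-quote-only pattern would miss such lines.
QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u201e": '"',
                        "\u2018": "'", "\u2019": "'", "\u201a": "'", "\u201b": "'"})
# $Name = "literal" (closing quote optional, to tolerate a truncated line)
ASSIGN = re.compile(r"""^\s*\$(\w+)\s*=\s*["']([^"'\r\n]*)["']?\s*$""", re.M)
# $Var | ConvertTo-SecureString ... -AsPlainText ... -Force
PLAINTEXT = re.compile(r"\$(\w+)\s*\|\s*ConvertTo-SecureString\b[^\r\n]*"
                       r"-AsPlainText\b[^\r\n]*-Force\b", re.I)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample modelled on the parameter block (placeholder values,
# mixed curly/straight quotes and one missing closing quote).
SAMPLE = '''# Edit only this section!
$TimeToRun = 2
$From = \u201csender@example.com"
$Pass = \u201cnot-a-real-password"
$To = \u201cdrop@example.com
$SMTPServer = "smtp.gmail.com"
$SMTPPort = "587"
$credentials = new-object Management.Automation.PSCredential $From, ($Pass | ConvertTo-SecureString -AsPlainText -Force)
'''


def triage(script):
    """Return findings and mail settings; the password itself is never returned."""
    text = script.translate(QUOTES)
    variables = {name.lower(): value for name, value in ASSIGN.findall(text)}
    findings = []
    secret = PLAINTEXT.search(text)
    # Only flag when the piped variable was assigned a literal in this script.
    if secret and secret.group(1).lower() in variables:
        findings.append("hardcoded-password")
    server = next((v for n, v in variables.items() if "smtp" in n and "." in v), None)
    port = next((v for n, v in variables.items() if "port" in n and v.isdigit()), None)
    if server and re.search(r"\bPSCredential\b", text, re.I):
        findings.append("smtp-exfil-config")
    mailboxes = sorted({v for v in variables.values() if EMAIL.fullmatch(v)})
    return {"findings": findings, "smtp_server": server,
            "smtp_port": port, "mailboxes": mailboxes}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A script that prompts with Get-Credential instead of embedding the password produces no findings, so the check separates the pattern in the diary from ordinary mail-sending automation.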