Powershell is a very nice language in Windows environments. With only a few lines of code, we can implement nice features… for the good or the bad!

While hunting, I found a bunch of malicious Powershell scripts that implement a basic (but efficient) keylogger. The base script is always the same but contains connection details modified by script kiddies. The current script is based on an old one from 2015[1]. This time, it has been modified to add the following features:

• You can specify for how long the script will capture keystrokes
• At the end of the defined time period, the file with the recorded keystrokes is exfiltrated via email to the attacker.

Here are the parameters at the beginning of the script:

# Editar solo esta secci??n!
$TimeToRun = 2
$From = “xxxxxx@gmail.com"
$Pass = “xxxxxxxx"
$To = “xxxxxx@gmail.com
$Subject = "Keylogger Results"
$body = "Keylogger Results"
$SMTPServer = "smtp.gmail.com"
$SMTPPort = "587"
$credentials = new-object Management.Automation.PSCredential $From, ($Pass | ConvertTo-SecureString -AsPlainText -Force)
############################

The script is very basic, not obfuscated and detected by only one AV on VT[2]! I don't think that such scripts are a major threat, they are mostly used by script kiddies (I already collected some credentials!) but it remains a nice way to spy on people.

[1] https://gist.github.com/dasgoll/7ca1c059dd3b3fbc7277
[2] https://www.virustotal.com/#/file/52a2e804026792d99eaf9538fbc0b020c7f323b3d90f196bbebf83840e3322e6/detection

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key