iSpy Keylogger

Share on FacebookTweet about this on TwitterShare on LinkedInShare on RedditShare on Google+Share on TumblrPin on PinterestDigg this

Keyloggers have always been present in attackers’ toolkits. They give attackers the power to record every keystroke from a victim’s machine and steal sensitive information. Zscaler ThreatLabZ recently came across a signed keylogger campaign in our cloud sandbox. In this blog, we will provide an analysis of this malicious commercial keylogger, known as iSpy. Written in .Net 2.0, iSpy is configured for keylogging, stealing passwords and screenshots, and monitoring webcams and clipboards. It is being sold on underground forums via multiple subscription packages as shown in Figure 1.

iSpy subscription packages

Figure 1: iSpy keylogger subscription packages

iSpy keylogger infection
iSpy is delivered via spam email that has malicious JavaScript or Document as an attachment, which then downloads the keylogger payload. The main iSpy payload is usually compressed using a custom packer. So far, we have seen packers written in Visual Basic 6.0, AutoIt, and .Net. We have also seen a campaign of signed .NET crypter where iSpy was served. This crypter uses different digital certificates (mostly invalid certificates) and drops different malware samples, as shown in Table 1 below

Certificate used by .Net Crypter

Figure 2: Certificate used by .Net Crypter

Table 1: Different malware samples dropped by .NET crypter
MD5 Email used in certificate Malware
b99491b53faabb559adf42d6156d9dad iSpy
2b8e2d23c88b11bbcf59928d5d440bdb Phorpiex
73dcbece89a474bccfb76f022e5e81a4 Skypoot
c1838d9542e6860cd44d706883b49a73 Skypoot
2aac4e7b7a1ab407039e12b53a4af942 Phorpiex
398680cbdd017f7b99e9add1477939a8 Phorpiex
2368102c5e12b0c881bc09256546d255 Skypoot
92a342a6ce4b0accfb20c61fd657104b Phorpiex
1ffadc9cde4d4a1d794362c9179a0ec9 Phorpiex
c17cddb6f63d9797583167a30c5711c1 Phorpiex
de7db381733f3c5a479865120f58a8c1 Phorpiex
58334fb57165350ccb06c1949459a65c Skypoot
5e6114b726b1b8a52331890054157969 Skypoot
12f4de75e2e299e6d444a58fff78d83d Phorpiex
92eaac8b2266fb2514e66a8e2cf98f13 Kasidet
a9867d69c3d7d716339dd10ac4b29216 Phorpiex
edaf8ce53d4919c52e422c7ce7242738 Phorpiex
2b478db2af56153a2cee33f71213cc2f Hawkeye
214280b4e09fe4c4cc46aebef533e07e Phorpiex
ba8c47e679eba575c4e8605da97f4e77 Phorpiex
d151378aeae384e85ab10f5bb19ef254 Phorpiex
881e968ddf34c38943a56651a3870174 Subti
0e565eb881a25180993539f34e88ec3d Bladabindi

The malware sample we analyzed was packed with a VB6 (native) custom packer. The packer uses the XOR-based method to decrypt the payload and contains obfuscated zombie code between instructions to slow down analysis. Figure 3 shows the installation and functionality overview of iSpy.

Installation workflow and functionality overview of iSpy

Figure 3: Installation workflow and functionality overview of iSpy

The second layer of packing contains multiple anti-VM and anti-analysis tricks, some of which include:

  • Checks PEB flags for debugger presence
  • Checks for sandbox and debugger using GetTickCount and Sleep
  • Loops until cursor movement is detected
  • Checks if screen resolution is 800 x 600 or more

Finally, it decrypts the payload file and injects the decrypted file into another instance of the same process using process hollowing technique as seen below:

Spawns process in Suspended mode for injection

Figure 4: Spawns process in Suspended mode for injection

The decrypted file is a loader file that contains a DLL and .NET binary in its resource section. It first loads the DLL file that further loads the final iSpy payload (.NET binary) using LoadDotNetPE export function.

The malware checks configuration settings to select the folder for dropping the executable. Based on the configuration, it drops itself into one of the following locations:

  • %USERPROFILE%\Documents
  • %TEMP%

Installation function

Figure 5: Installation function

After copying itself into any of the above mentioned locations, it deletes “Zone.Identifier” flag from Alternate Data Stream (ADS) to disable the security warning message that is displayed every time the malware file is executed.

It creates an entry in “SOFTWARE\Microsoft\Windows\CurrentVersion\Run” key under HKLM or HKCU, based on configuration settings, to execute the malware on system startup.

iSpy has many customizable features (Figure 6) including the functionality to record keystrokes, recover passwords, and retrieve serial keys from various software, then sending the stolen data over SMTP, HTTP, or FTP. It also has a web panel that helps the attacker to monitor the activity of iSpy infections.

iSpy configuration class

Figure 6: iSpy configuration class

As mentioned earlier, depending on the configuration, it can send stolen data via three different methods: HTTP, SMTP, or FTP. FTP and SMTP credentials, directly encoded in the file, are encrypted using a custom encryption method. Function decrypt, in the class StringCipher, is used for the decryption of credentials as well as other strings. MUTEX value from the configuration is used as the key for decryption. For the HTTP method, iSpy uses the PHP_KEY authentication to upload data to C&C server.

Data stealing
The current sample, discussed in this blog, uses FTP for sending the stolen data to attacker. The FTP account – ftp://ftp[.]bhika[.]comxa[.]com –was active at the time of analysis and the ftp credentials are embedded in the file itself. The website resolves to IP address “” which belongs to, which is owned by 000webhost Network, a provider of free hosting. We have notified of the offending account.

After successful installation, iSpy collects computer information such as username, Windows version, and installed program details (AV, firewall, browser, etc.), and sends this information along with install notification (Figure 7) to a C&C server.

Installation notification contents

Figure 7: Installation notification contents

Keylogging code is the main component of this malware. It logs timestamped key presses and sends them to the attacker. It also contains code to steal the license keys of application software, such as Adobe Photoshop, Microsoft Office, and others. It also collects saved passwords from web browsers, email clients (such as Outlook), FTP clients (like FileZilla and CoreFTP), and games like Minecraft.

iSpy has the functionality to disable antivirus programs by creating a sub-key of the program name under registry key, “Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\” and then setting “rundll32.exe” as the value of “Debugger” under that key. It also disables access to that newly created registry key by setting all RegistryRights to deny so it cannot be easily removed. After this change in registry, Windows will load “rundll32.exe” when the targeted process is started. As a result, the given AV process will not start. Below is the list of AV processes that iSpy targets:
“rstrui.exe”, “AvastSvc.exe”, “avconfig.exe”, “AvastUI.exe”, “avscan.exe”, “instup.exe”, “mbam.exe”, “mbamgui.exe”, “mbampt.exe”, “mbamscheduler.exe”, “mbamservice.exe”, “hijackthis.exe”, “spybotsd.exe”, “ccuac.exe”, “avcenter.exe”, “avguard.exe”, “avgnt.exe”, “avgui.exe”, “avgcsrvx.exe”, “avgidsagent.exe”, “avgrsx.exe”, “avgwdsvc.exe”, “egui.exe”, “zlclient.exe”, “bdagent.exe”, “keyscrambler.exe”, “avp.exe”, “wireshark.exe”, “ComboFix.exe”, “MSASCui.exe”, “MpCmdRun.exe”, “msseces.exe”, “MsMpEng.exe”

WebCam Snapshot & Screen grabber
If the webcam logger is configured, it will capture snapshots using the victim’s webcam. It saves the snapshot in %TEMP% folder with the prefix “snapshot” with the .PNG extension. It can then uploads the snapshot to “” (a legitimate image hosting website). It logs the URL path of uploaded snapshot and uploads the log’s data on a C&C server using the configured method.

Similarly, iSpy takes screen shots using .NET API CopyFromScreen and saves them to a file with the name “img.png” under the %TEMP% folder. Saved images are uploaded to the website mentioned above and a log of URL paths of uploaded files is sent to attacker.

Other features of iSpy:

  • Website blocking (based on host file modification)
  • File downloading
  • Bot killer
  • Fake message (it displays this message every time malware starts execution)
  • Disabler (Taskmgr, Regedit, CMD)
  • Runescape PinLogger(RuneScape is a fantasy MMORPG developed and published by Jagex, A Bank PIN is a security feature provided in game that players can use to protect their, virtual in game, banks.)
  • Run Bind file (file to run along with malware)

Web panel interface
The current version of iSpy has a web panel where the attacker can monitor the infected system.

iSpy web panel

Figure 8: iSpy web panel

Commercial keyloggers are general-purpose data stealing tools used by criminals to collect as much data as possible about a victim. There are many commercially available keyloggers in the underground market and, unfortunately, using them is fairly easy, requiring little technical knowledge. In spite of the increased use of specialized tools, the keylogger remains a common, and quite potentially damaging, tool.


Share on FacebookTweet about this on TwitterShare on LinkedInShare on RedditShare on Google+Share on TumblrPin on PinterestDigg this