VIPKeyLogger Infostealer in the Wild

A new infostealer called VIPKeyLogger has been observed with increased activity. It shares similarities with Snake Keylogger and is distributed through phishing campaigns. The malware arrives as an archive or Microsoft 365 file attachment, which downloads and executes a .NET compiled file. VIPKeyLogger uses steganography to hide obfuscated code inside a bitmap image. It exfiltrates various data types, including PC names, country names, clipboard data, screenshots, cookies, and browser history. The stolen information is sent via Telegram to C2 servers hosted on dynamic DNS (DuckDNS) domains. The attack chain involves multiple stages, from the initial email lure through payload execution to data exfiltration.

Author: AlienVault

Related Tags:
- Snake Keylogger
- VIPKeyLogger
- CVE-2017-11882
- T1102.002
- T1056.001
- T1059.001
- T1074
- T1071.001
- T1573

Associated Indicators:

File hashes (SHA-1):
- 2830F9D5F41BBECD2AE105ED0B9A8D49327C8594
- A7FB35D35EB23FE3B4358E3C843F5982A161534E

File hash (MD5):
- 71B37AAC269BADFE278550C567B76DB4

C2 URLs:
- http://aborters.duckdns.org:8081
- http://anotherarmy.dns.army:8081
- http://varders.kozow.com:8081