Phoenix Keylogger

A keylogger is a tool that can record and report on a computer user's activity as they interact with a computer. The name is a short version of keystroke logger, and one of the main ways keyloggers keep track of you is by recording what you type as you type it. But as you'll see, there are different kinds of keyloggers, and some record a broader range of inputs.

Someone watching everything you do may sound creepy, and keyloggers are often installed by malicious hackers for nefarious purposes. But there are legitimate, or at least legal, uses for keyloggers as well, as parents can use them to keep track of kids online and employers can similarly monitor their workers.

The term "keylogger" covers a wide variety of tools, some of which produce the same results in wildly different ways. We'll drill down into the different types and talk a little bit about how they work.

Perhaps the most common type of keylogger software is the user-mode keylogger, sometimes called an API-level keylogger. These programs don't have administrative privileges but still manage to intercept information passing through the application programming interfaces (APIs) that allow different applications to receive keyboard input. On Microsoft Windows, such keyloggers poll the GetAsyncKeyState or GetKeyState API functions and use a DLL to record the harvested data.

Kernel-level keyloggers are more difficult to create and install, but once they're in place, they get their hooks into the operating system itself and are more difficult to detect and eradicate as a result. At the other end of the spectrum, there are screen scrapers, which don't log keystrokes but rather use the computer's screenshot capabilities to record onscreen text, and browser-level keyloggers, which can only detect text entered into a browser form (but considering how much of our online life takes place within a web browser, that's still pretty dangerous).

One particularly esoteric version of keylogger, which has been tested in the lab, is an acoustic keylogger that can determine with uncanny accuracy what you're typing just based on the noise your fingers make on the keys. Considerably simpler is the idea of third-party recording, which essentially consists of a camera surreptitiously pointed at your screen and keyboard.

All of these different kinds of keyloggers have to save that data somewhere; with hard drives much larger than they once were, it generally isn't hard to find a place to stash it. Keylogging software will occasionally send the information it's harvested over the internet back to whoever's controlling it, sometimes disguising the data to keep its activities hidden. Hardware keyloggers may be able to do this too, although sometimes their controllers must come physically collect them.

Before we move on, we should discuss one other kind of distinction we can make among different kinds of keyloggers. This one isn't about how they work on a technical basis; instead, it's about their legality. Any of the above types of keyloggers could be installed by a malicious attacker who's looking to steal your personal information or passwords.

However, when the owner of a device installs a keylogger on their own system, things get murkier. Many commercial keyloggers are marketed to parents who wish to monitor their children's online activities, and this is generally considered legal if the parents own the computers being monitored. Keyloggers are often found on computers in school or work settings as well, and in most jurisdictions in the United States they are considered legal if used for legal purposes. In other words, your boss can use data gathered from a keylogger installed on your work laptop as evidence to fire you if they discover you're engaging in some unsanctioned activity. But it would still be illegal for them to, say, harvest your banking passwords if you happen to log in to your financial institution at work.

But the most common type of illicit keylogger is the software variety, and that can best be described as keylogger malware. In fact, keyloggers, because they can harvest such lucrative data, are one of the most common malware payloads delivered by worms, viruses, and Trojans.

Thus, the way a keylogger gets onto your system is the same way any other type of malware gets onto your system, and that means that if you exercise good cybersecurity hygiene, you should be able to keep keylogger software at bay. To do that, you should:

How can you know if there's a keylogger on your system? For a hardware keylogger, of course, you should check for the hardware. If there's a thumb drive or something that looks unfamiliar plugged into your computer, investigate it. If you work on a corporate desktop, check the back panel once in a while to see if something new and strange has popped up.

With software keyloggers, there are some signs that you might be able to pick up on yourself. Keyloggers can sometimes degrade web performance, spawn unusual error messages, and interfere with loading web pages. These are all features of malware generally; sometimes you can just tell that something is "off" with your computer. Keylogger-specific signs could include lags in your mouse movement or keystrokes, where what you type doesn't appear on screen as quickly as it should. On a smartphone, you might notice that screenshots are degraded. (Yes, keyloggers can be installed on smartphones, just like any other kind of malware.)

Network security systems also have a role to play in detecting keyloggers. Remember, that data has to get back to the keylogger's controller somehow, and generally it's sent out over the internet. While many keyloggers go to great lengths to disguise their data as ordinary internet traffic, good network security tools can sniff it out.

Still, you should always be prepared for the possibility that a keylogger is lurking somewhere on your system. One good defensive mechanism against potential snooping is to use a password manager, which fills passwords into browser windows securely in ways most keyloggers can't detect.

The bad news is that you're probably not going to be able to remove a keylogger on your own. You might find some websites that recommend hunting through your operating system's task manager or list of installed programs and deleting anything that looks unfamiliar or suspicious; while that's not a terrible idea, a keylogger of any degree of sophistication will not be visible in those contexts.

The good news is that endpoint security suites almost all delete malware in addition to detecting it. If you search through reviews and ratings of anti-keylogger software, like the ones from AntiVirus Guide or Best Antivirus Pro, what you find are lists of the heavy hitter antivirus and endpoint protection vendors, like McAfee, Kaspersky, Norton, Bitdefender, and so on. If you find an endpoint protection suite you like, it will almost certainly do the job when it comes to cleaning your computer of keylogger software.

The earliest known keylogger actually predates the computer age. In the 1970s, Soviet intelligence developed a device that could be hidden in an IBM electric typewriter and send information about keystrokes via radio bursts; these were deployed in the typewriters at U.S. diplomatic facilities in Moscow and Leningrad.

The first computer keylogger was developed by then-graduate student Perry Kivolowitz in 1983 as a proof of concept. One particularly noteworthy example of a keylogger "in the wild" was distributed with a Grand Theft Auto V mod in 2015. In 2017 hundreds of models of Hewlett Packard laptops were found to have shipped from the factory with a keylogger installed, though HP insisted that this was a tool meant to diagnose keyboard performance that should've been deleted before shipment rather than an attack.

At the end of July 2019, the Cybereason platform detected a malware sample that was classified by some antivirus vendors as Agent Tesla. Upon further review, however, it became clear that this was not Agent Tesla. We were able to determine this malware was a completely new and previously undocumented malware known as the Phoenix keylogger.

In searching underground communities, we learned that Phoenix first emerged at the end of July in 2019. This keylogger follows the malware as a service (MaaS) model and is sold for $14.99-$25.00 per month by a community member with the handle Illusion.

Illusion joined the underground community at the end of July 2019 and immediately began marketing the keylogger. This behavior is somewhat unusual, as the underground community typically enforces a strict vetting process for members.

Shortly after its launch, the Phoenix keylogger caught the attention of the underground community, with numerous members expressing interest in testing the product. The underground community views Phoenix quite favorably because of its stealing capabilities, stability, easy user interface, and customer support.

By default, Illusion supplies the Phoenix keylogger to their buyers as a stub. The buyer must use their own methods to deliver the stub to the target machine. The majority of Phoenix infections we observe originate from phishing attempts that leverage a weaponized rich text file (RTF) or Microsoft Office document. These deliveries do not use the more popular malicious macro technique, but instead use known exploits. Most commonly, they exploit the Equation Editor vulnerability (CVE-2017-11882).
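Because the delivery documents described above abuse Equation Editor rather than macros, a useful triage check is to look for an embedded Equation Editor object in an RTF file. The following scanner is an added example, not code from the page or from Cybereason; it flags the `\objclass Equation.3` declaration, the `\objupdate` control word, and the Equation Editor 3.0 CLSID inside hex-encoded `\objdata`, and the two sample documents in it are constructed.

```python
"""Heuristic scanner for RTF files carrying an embedded Equation Editor object.
Added example, not code from the page or from Cybereason: it flags the OLE class
name and CLSID of Equation Editor 3.0, the component abused by CVE-2017-11882.
"""
import re
import sys

# CLSID {0002CE02-0000-0000-C000-000000000046} of Equation Editor 3.0, serialised
# as it appears inside an OLE stream (Data1-Data3 little-endian, Data4 as-is).
EQUATION_CLSID = bytes.fromhex("02CE020000000000C000000000000046")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)", re.IGNORECASE)


def decode_objdata(rtf: bytes) -> list:
    """Return the binary payload of every \\objdata run, whitespace ignored."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", match.group(1))
        if len(hexstr) % 2:            # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def scan_rtf(rtf: bytes) -> list:
    """Return the indicators found; an empty list means nothing was flagged."""
    hits = []
    if re.search(rb"\\objclass\s*Equation\.3", rtf, re.IGNORECASE):
        hits.append("objclass Equation.3")
    if re.search(rb"\\objupdate", rtf, re.IGNORECASE):
        hits.append("objupdate (object refreshes on open without user action)")
    if any(EQUATION_CLSID in blob for blob in decode_objdata(rtf)):
        hits.append("Equation Editor CLSID in objdata")
    return hits


# Constructed samples (not real malware): a plain memo, and a document whose
# embedded object names Equation.3 and carries the CLSID in its OLE payload.
BENIGN = rb"{\rtf1\ansi Hello from a harmless memo.\par}"
SUSPICIOUS = (
    rb"{\rtf1\ansi{\object\objemb\objupdate{\*\objclass Equation.3}"
    rb"{\*\objdata 01050000020000000b0000004571756174696f6e2e3300"
    + EQUATION_CLSID.hex().encode("ascii") + rb"}}}"
)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan_rtf(fh.read()) or "clean")
```

Legitimate documents that contain old Equation Editor equations also trigger the first and third indicators, so treat a hit as a reason to detonate or inspect the file, not as proof of exploitation.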

During our investigation, we discovered the Phoenix keylogger is actually an evolution of an earlier project, Alpha keylogger. We believe the Alpha keylogger was authored by the same team behind the Phoenix keylogger.

In order to investigate deeper, we used YARA rules and other methods to retrieve additional samples of Phoenix. One of the samples we retrieved was almost identical to Phoenix, with some parts copy-pasted with the same naming conventions, parameter names, and more. However, the name of the malware as it appeared in logs and in code was consistently Alpha keylogger.