New cloud-based keylogger gaining momentum among criminals

Malware comes with lots of built-in functionality.

David Bisson

A new cloud-based keylogger malware family is slowly but surely gaining momentum among criminals on underground web marketplaces.

The malware, dubbed “NexusLogger”, appears to have first arrived on the keylogging scene at the beginning of 2017. The timing of its debut means NexusLogger’s authors likely created their software over the New Year period. No wonder we haven’t heard much of the keylogger until now.

Researchers at Palo Alto Networks corroborate that observation:

“The total number of attacks witnessed using NexusLogger is quite low when compared with other commodity malware families. Again, this is likely due to slow adoption by criminals. The keylogging market is quite saturated with numerous malware families, and it can be difficult for new players to enter the market.”

[Figure: Timeline of NexusLogger attacks viewed within AutoFocus, Palo Alto Networks’ threat intelligence service.]

As of this writing, only 134 instances of the malware have been spotted in just 400 attacks.

But those numbers could very well change in the near future.

You see, because NexusLogger is cloud-based, non-skilled criminals can use the keylogger’s friendly web portal to configure the malware however they want. They can specify how long they want to use it, with a one-year license costing just $199, payable in Bitcoin or via PayPal. Buyers can even use NexusLogger’s email and Skype addresses for customer support if they have any questions.

[Image: NexusLogger’s login page]

So what can NexusLogger do?

Upon successful installation (and a possible User Account Control – UAC – bypass), the keylogger of course logs keystrokes and clipboard contents. It also collects system data, downloads stored passwords, takes screenshots, and even harvests credentials for Minecraft and other games. It then uploads all this information to the attacker via FTP.

According to Palo Alto Networks, it would appear 275 individual attackers have registered with NexusLogger so far. To protect against these bad actors, defenders should block nexuslogger[.]com, a domain to which all samples of the keylogger connect over HTTPS.
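Because every sample phones home to that one domain, a proxy or DNS log sweep is a cheap first detection. The example below is added here and is not from the article or from Palo Alto Networks; it assumes a simple space-separated log format (timestamp, client, hostname, status) and matches the domain on label boundaries so that look-alike names are not flagged.

```python
import re
from typing import Iterable, List

# Indicator from the article, written there defanged as nexuslogger[.]com.
BLOCKED_DOMAINS = {"nexuslogger.com"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as nexuslogger[.]com back into a hostname."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


def matches_blocked(hostname: str, blocked=BLOCKED_DOMAINS) -> bool:
    """True when hostname is a blocked domain or one of its subdomains.

    Matching is done on label boundaries, so mynexuslogger.com and
    nexuslogger.com.example.net are NOT matched; a plain substring test would
    flag both and miss the real distinction between a domain and a look-alike.
    """
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


# Hypothetical log format assumed for this example: "<ts> <client> <hostname> <status>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def scan_log(lines: Iterable[str]) -> List[dict]:
    """Return one record per log line whose hostname hits the blocklist."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        ts, client, host, status = m.groups()
        if matches_blocked(host):
            hits.append({"ts": ts, "client": client, "host": host, "status": status})
    return hits


# Constructed sample lines for demonstration, not real telemetry.
SAMPLE_LOG = """\
2017-03-01T09:12:03Z 10.0.0.15 update.example.com 200
2017-03-01T09:12:07Z 10.0.0.22 nexuslogger.com 200
2017-03-01T09:12:09Z 10.0.0.22 www.nexuslogger.com 200
2017-03-01T09:13:11Z 10.0.0.31 nexuslogger.com.example.net 200
2017-03-01T09:13:40Z 10.0.0.40 mynexuslogger.com 404
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} client {hit['client']} contacted {hit['host']}")
```

Only the two lines from 10.0.0.22 are reported; the two look-alike hostnames are left alone.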

Seeing as how most of the NexusLogger infections occur via phishing attacks, organizations should conduct phishing simulations with their employees. They should also hold other security awareness training exercises, like looking for strange USB devices attached to the back of workstations.

Doing this can, without a doubt, help protect their corporate and their customers’ information.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “New cloud-based keylogger gaining momentum among criminals”

  1. Crumble

    Are simulated phishing attacks against your employees really going to help much? These things are really hard to spot, even for a trained individual. Surely we should be focusing efforts on stopping these emails from getting to the users in the first place, such as DMARC?