Tuesday, January 31, 2017

Early Warning of a Russian Keylogger Campaign


On 24 January 2017, Wapack Labs began collecting keylogger data associated with a threat actor's email address. All of the collected data associated with the threat actor indicated that the keylogging campaign had not yet become operational. Metadata contained within the keylogger output indicated that the threat actor is located in Western Russia. A screenshot of the threat actor installing a cracked copy of a popular keylogger program indicates it was obtained from a Russian underground forum. The actor makes white-supremacist references, but it is unknown whether these references are indicative of the threat actor's motivations or are intended to mislead or insult malware researchers.

Wapack Labs has reported extensively on Russian threat actors in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

TLP: AMBER
ACTOR TYPE: (II)
SERIAL: TR-021-2017
COUNTRIES: XZ
REPORT DATE: 20170127