The Soviet Union, Plex, and the son of a mob boss don’t seem like they would be associated, but they have one thing in common: keyloggers.
A keylogger is software or hardware specifically engineered to monitor and record the keystrokes of a device. The primary intent of keylogger use is to gather sensitive information, such as usernames and passwords, and exfiltrate this information for criminal or judicial use.
There has also been a rise in using legitimate keylogging for parents monitoring their children’s devices.
History of keyloggers
Keylogging has not been contained to just computers; the earliest form of a keylogger dates back to the 1970s during the Cold War. IBM Selectric typewriters were the most common typewriter across the workforce as the transition to an electric typehead rapidly increased type speed. With the introduction of new technology comes the opportunity for the exploitation of new technology.
The Soviet Union developed a device, later known as the Selectric bug, to track the location of the printer head ball by measuring minor magnetic disturbances. The data captured by the device would then emit short bursts of radio waves to a nearby listening post. This bug was so sophisticated for the time that it was almost impossible to detect. The Selectric bug was found within 16 IBM Selectric typewriters used within the US embassy in Moscow during the GUNMAN project in the 1980’s.
With the increase in accessibility of personal computers during the ’90s and ’00s, keyloggers became more sophisticated. They no longer needed to rely on hardware-based exploitation; they could be deployed as software and relay information to the attacker over the internet. This opened the market for criminals to target home users and businesses for fraud.
In the early 00s, the FBI exploited the system of Nicodemo Scarfo Jr, the son of a prominent mob boss in Philadelphia. The agents installed the keylogging software onto his computer, recording the PGP passphrase and allowing the FBI to decrypt digital files. The use of a keylogger by authorities broke open the case they had been building against the mob, resulting in the deconstruction of a large illegal gambling and loan shark operation.
More recently and one of the most significant breaches of sensitive information via the use of a keylogger was that of LastPass. In 2022, a senior engineer at LastPass was the victim of a keylogger attack that resulted in the exfiltration of the secure access keys to the entire company’s encrypted password vault AWS backups. This engineer was one of only four employees with this level of access, demonstrating sophisticated attacks that carry dire consequences. The attacker accessed the engineer’s home network by exploiting his outdated Plex server, a home multimedia system. Once the attacker had infiltrated their network, they could implant the keylogger malware onto the engineer’s devices.
Types of Keyloggers
We can see several iterations of physical and digital keyloggers from the examples in the history of keyloggers.
Hardware-based
- USB M-F and extension cables
- Module PCB
- Keyboard embedded
- Keyboard to Ethernet
Software-based
Software-Based keyloggers, or malware, do not rely on physical access to a device or proximity extraction. Legitimate keylogger software can be installed on corporate employee or parental monitoring devices. Illegitimate keylogger software is usually implanted via malware that has been executed through phishing or unintentional execution of suspicious files. In some cases, keyloggers can be challenging to detect, further enforcing a diverse prevention strategy.
How Does It Work?
The method of how the keylogger can monitor and extract information successfully will vary based on the two types above.
Hardware-based keyloggers directly intercept data through the physical layer, exploiting data as it passes through an input device to the computer. This data is usually stored as plaintext keystrokes within the memory of the small device pending the exfiltration from the attacker.
The latest version of a software-based keylogger seen is the Snake Keylogger, first detected in late 2020. Snake keylogger is usually spread through Microsoft Office document macros or weaponized PDF documents, and it will upload stolen data via SMTP, FTP, or Telegram. This is the most common method of infection for software-based keyloggers.
The payload for the infected document aims to inject an encrypted DLL file into the system. This helps the file avoid detection from most antivirus systems and allows the executable to be decrypted for content delivery. To further avoid detection, the Malware will obfuscate its code with randomly generated strings. For continued execution, the payload implements a kernel driver to inject code into startup and child processes. These processes exploit the API callback function to monitor low-level keyboard input events. This type of keylogger is considered a kernel mode keylogger, the more sophisticated software-based version. This type of exploit will allow for keylogging, clipboard data extraction, and screenshotting.
Phishing or spear phishing are the main entry points for keyloggers in the modern workplace. Having the right tools available to protect your organization proactively and consistent user education phishing campaigns are critical. We at Hornetsecurity work hard perpetually to give our customers confidence in their Spam & Malware Protection, Email Encryption, and Email Archiving strategies.
Keylogger Prevention and Remediation
How do you know if you have a keylogger, and what can you do to remove it?
The best method for detecting and removing a keylogger, or any malware for that matter, is to employ a modern antimalware solution with full Endpoint Detection and Response (EDR) capabilities—and use scheduled scanning of your system along with keeping the system up to date.
However, this solution is more reactive than proactive. The proactive method to any virus prevention is user education, modern email Spam & Malware Protection, and Web protection. Aim for at least maturity level one of the Australian Essential 8 model as a rule of thumb for corporate environments. A holistic approach like this will keep your environment keylogger free.
Prevention and detection of hardware-based keyloggers are more complex. Finding these in the wild can be challenging and often significantly more time-consuming. The best method to combat hardware-based keylogging is to intercept data exfiltration via firewall packet inspection or a Web proxy solution. Both are key to proactive prevention and detection of any malware in your environment.
Microsoft and other operating system manufacturers understand the level of identity exploitation and the increase in sensitive authentication leaks by third parties. Microsoft has implemented Windows Hello for businesses and also supports FIDO2 hardware keys to combat the monitoring of keystrokes or passwords. Both solutions allow the use of biometrics in conjunction with multifactor authentication. This significantly reduces the attack surface and the utility for the attacker of a keylogger.
Uses of Keyloggers
Parental monitoring
Corporate monitoring
Although this has become rare in the modern workplace, there is still a need for corporate keylogging. This can be found in organizations with security clearance requirements or when dealing with sensitive information. More commonly, businesses will implement less intrusive monitoring via Web proxy solutions and Information protection services.
To adequately protect your cyber environment, consider the use of Hornetsecurity Advanced Threat Protection, which has a keylogger detector function, as well as a Security Awareness Service to train your employees in deterring cyber threats and securing your critical data.
To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.
FAQ
Can a keylogger be detected?
Yes. Most keyloggers can be detected with adequate antivirus and antimalware tools. Hornetsecurity has one specifically designed to prevent the attachment of suspicious files on corporate emails.
How do hackers install keyloggers?
Targeted hacking is rare in most cases; however, spear phishing or whaling within a corporate environment is more common. This is where a malicious actor has specifically targeted an individual (spear phishing) or a C-Level executive (whaling). The payload will usually be a well-disguised document or link for the victim to execute code. In other physical-based attacks, a hacker may gain direct access to a device and plant a hardware-based keylogger. This can be very rare, but there have been cases where this has occurred.
Is a keylogger a virus?
Yes. A keylogger is considered a virus or malware. As such, keyloggers fall into the category of prevention rather than reaction. Using a quality antivirus solution, in conjunction with user education, is the best proactive method.
What does a keylogger do?
Keyloggers monitor and record keyboard inputs to extract sensitive information like passwords or credit card information.
How do you know if someone is keylogging you?
You may notice that your computer uses an unusual amount of resources, and your mouse movement/keyboard keystrokes may be delayed. If you suspect you may have a keylogger, run a virus scan.
