Nmedia - Fotolia

How does the iSpy keylogger steal passwords and software license keys?

A recent version of the iSpy keylogger has the ability to steal passwords and record Skype chats. Expert Nick Lewis explains how it works and how to protect your systems.

A new version of the iSpy keylogger has the ability to steal passwords saved in browsers and the license keys for software, as well as to record Skype chats. How does this keylogger work, and what are the best defense options?

The iSpy keylogger is a malicious commercial keylogger with functionality for recording keystrokes, taking screenshots and monitoring webcams and clipboards, among other types of spying activity.

The iSpy keylogger is one of many other commercial keyloggers or questionable remote administration tools with similar functionality. One of the key aspects of a software keylogger is that it most often runs with complete access to a system, and it can access any data on the system.

Zscaler reported that the iSpy keylogger malware gets onto an endpoint when end users open a malicious attachment in a spam or phishing email, from which the main iSpy malware is downloaded onto the system. The iSpy malware takes several steps to make it more difficult to analyze, like using XOR-based encryption to encrypt the file, checking for debuggers or sandboxes, and disabling antivirus software. It uses one of the oldest methods for persistence: adding a new key to the Windows registry to start the malware when a user logs in.

The iSpy keylogger has functionality for sending captured data via HTTP, Simple Mail Transfer Protocol or FTP. It even has a web panel used for managing the infected endpoints. It is not reported to use any zero days or vulnerabilities, and could be stopped using basic endpoint security protections, like antimalware tools and not running systems as an administrator. Security teams should also scan their Windows registry keys to look for any suspicious changes or additions.

Next Steps

Find out if the Detekt tool is effective at identifying remote administration spyware

Learn how to prevent Keydnap malware from stealing your Mac passwords

Read how Overseer Android spyware works on infected apps

This was last published in February 2017

Dig Deeper on Threats and vulnerabilities