Cybersecurity researchers have identified a new campaign distributing the sophisticated VIP Keylogger malware through an evolved attack methodology that leverages AutoIt-based injection techniques.
Unlike previous iterations that relied on steganography, this campaign employs process hollowing and memory-based execution to evade traditional antivirus solutions while targeting web browser credentials and sensitive user data.
AutoIt-Based Delivery Mechanism
The attack begins with carefully crafted spear-phishing emails containing ZIP file attachments disguised as legitimate payment receipts, specifically named “payment receipt_USD 86,780.00.pdf.pdf.z.”
Within this archive lies a malicious executable masquerading as “payment receipt_USD 86,780.00 pdf.exe,” exploiting users’ trust in document formats to initiate the infection chain.

Once executed, the malware deploys an embedded AutoIt script that drops two encrypted files, leucoryx and avenes, into the system’s temporary directory.
Threat actors strategically chose the AutoIt framework due to its obfuscation capabilities and ability to compile scripts into executables that bypass conventional security measures. The leucoryx file contains the decryption key, while avenes houses the encrypted payload.
The AutoIt script implements a custom XOR decryption function labeled KHIXTKVLO, which processes the encrypted content in memory.
Using DllCall functions, the script allocates executable memory space and copies the decrypted payload directly into the assigned region, enabling fileless execution that avoids disk-based detection methods.
Process Hollowing and Persistence Mechanisms
The campaign’s most sophisticated element involves process hollowing targeting RegSvcs.exe, a legitimate Windows process.
The malware creates RegSvcs.exe in a suspended state using CreateProcess, then unmaps the original code and injects the VIP Keylogger payload into the process memory space before resuming execution.
This technique allows the malware to operate under the guise of a trusted system process.
For persistence, the malware deploys a Visual Basic Script (VBS) file in the Windows Startup folder, ensuring the payload located in the “AppData\Local\Dunlop” directory executes automatically during each system boot.
The persistence mechanism targets a file named definitiveness.exe, enabling continuous background operation.
The final VIP Keylogger payload demonstrates advanced data exfiltration capabilities, capturing keystrokes, extracting credentials from popular web browsers including Chrome, Microsoft Edge, and Mozilla Firefox, and monitoring clipboard activity.
The stolen data is transmitted through both SMTP protocols and command-and-control (C2) server communications.
This campaign represents a significant evolution in VIP Keylogger distribution methods, showcasing threat actors' adaptation to modern security environments through memory-based execution and legitimate process abuse.
Organizations should implement comprehensive email security solutions and endpoint detection capabilities that monitor for process hollowing activities and suspicious AutoIt script execution.
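As an added illustration of the endpoint monitoring recommended above (this is example code written for this article, not part of the original report or any vendor tooling), the script below runs two heuristics over constructed Sysmon-style events: a bare RegSvcs.exe launch whose parent lives in a user-writable directory (a process-hollowing candidate), and a script file dropped into the Startup folder (the VBS persistence described above). The field names follow Sysmon's process-creation and file-creation events; the sample events and the thresholds are assumptions, not telemetry from the campaign.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (not real telemetry). EventID 1 = process
# creation, EventID 11 = file creation. Paths and user name are invented.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\payment receipt_USD 86,780.00 pdf.exe"},
    {"EventID": 11,
     "Image": r"C:\Users\alice\AppData\Local\Temp\payment receipt_USD 86,780.00 pdf.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.vbs"},
    {"EventID": 1,  # benign: installer calling RegSvcs.exe with arguments
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r"RegSvcs.exe /u C:\Program Files\Vendor\Service.dll",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
]

# Directories an unprivileged user can write to (heuristic, assumption).
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|AppData)\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".wsf")


def is_suspicious_regsvcs(ev):
    """RegSvcs.exe started with no arguments by a parent in a user-writable path.
    A hollowed host is typically created from its bare image path; a real
    RegSvcs invocation carries an assembly argument."""
    if ev.get("EventID") != 1:
        return False
    if PureWindowsPath(ev["Image"]).name.lower() != "regsvcs.exe":
        return False
    argless = ev["CommandLine"].strip().strip('"').lower() == ev["Image"].lower()
    return argless and bool(USER_WRITABLE.search(ev["ParentImage"]))


def is_startup_script_drop(ev):
    """A script file written into the per-user Startup folder."""
    if ev.get("EventID") != 11:
        return False
    target = ev["TargetFilename"]
    return bool(STARTUP_DIR.search(target)) and target.lower().endswith(SCRIPT_EXT)


def scan(events):
    """Return (event index, rule name) for every event a heuristic matches."""
    alerts = []
    for i, ev in enumerate(events):
        if is_suspicious_regsvcs(ev):
            alerts.append((i, "regsvcs_hollowing_candidate"))
        if is_startup_script_drop(ev):
            alerts.append((i, "startup_script_persistence"))
    return alerts
```

In a real deployment the parent-image rule should be tuned per environment; the point is to correlate an argument-less RegSvcs.exe launch with an untrusted parent rather than alert on RegSvcs.exe alone.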
IOCs:
| MD5 | Filename |
|---|---|
| F0AD3189FE9076DDD632D304E6BEE9E8 | payment receipt_USD 86,780.00 pdf.exe |
| 0B0AE173FABFCE0C5FBA521D71895726 | VIP Keylogger |

| Domain/IP | Description |
|---|---|
| hxxp[:]//51.38.247.67:8081 | C2 server |