Author: James Barnett
TLP: WHITE
On 11 and 15 October, Infoblox observed two related malicious spam (malspam) campaigns that used 7-Zip archive files to deliver the 404 Keylogger malware.
404 Keylogger is an information stealer (infostealer) that can steal a victim’s credentials and log their keyboard input. It was initially released on a Russian hacking forum in August 2019 [1]. It is notable for its relatively unusual methods of data exfiltration, including via email messages, Pastebin file uploads, and encrypted Telegram messages.
All malspam emails in the two campaigns we observed came from the same SMTP server, but each campaign had different themes for the subject lines and attachments. The 11 October campaign used the subject line RE: BANK TRANSFER SLIP and had an attachment named swift transfer copy 639082020.7z. The 15 October campaign used the subject line Re: T21 Orders – Quotation – MLM -309-Ref-284 and included an attachment named T21 Orders – Quotation 309-Ref-284.7z.
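As an added example (not part of the Infoblox report), the following Python triages raw messages from a mail gateway against the indicators above: it flags 7-Zip attachments, matches the two reported subject lines, and groups results by the relay named in the first Received header, since both campaigns came from a single SMTP server. The sample messages, relay hostnames and addresses are constructed for the demonstration.

```python
from __future__ import annotations
import email
import re
from email import policy
from email.message import EmailMessage

# Subject lines reported for the two campaigns (taken from the write-up above).
CAMPAIGN_SUBJECTS = {
    "re: bank transfer slip": "11 October",
    "re: t21 orders – quotation – mlm -309-ref-284": "15 October",
}
ARCHIVE_SUFFIXES = (".7z",)            # delivery vehicle used in both campaigns
RECEIVED_FROM = re.compile(r"from\s+(\S+)", re.IGNORECASE)

def sending_server(msg: EmailMessage) -> str:
    """Host in the first Received header: the relay that handed the mail to our gateway."""
    for hdr in msg.get_all("Received") or []:
        m = RECEIVED_FROM.match(str(hdr).strip())
        if m:
            return m.group(1).lower()
    return "unknown"

def archive_attachments(msg: EmailMessage) -> list[str]:
    """Filenames of attachments that are 7-Zip archives."""
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    return [n for n in names if n.lower().endswith(ARCHIVE_SUFFIXES)]

def triage(raw: bytes) -> dict:
    """Classify one raw RFC 5322 message: known campaign, 7z worth review, or clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    archives = archive_attachments(msg)
    campaign = CAMPAIGN_SUBJECTS.get(subject)
    verdict = "known-campaign" if campaign and archives else "review" if archives else "clean"
    return {"server": sending_server(msg), "archives": archives,
            "campaign": campaign, "verdict": verdict}

def by_server(results: list[dict]) -> dict[str, list[str]]:
    """Group verdicts by sending relay to expose one server feeding several lures."""
    groups: dict[str, list[str]] = {}
    for r in results:
        groups.setdefault(r["server"], []).append(r["verdict"])
    return groups

def build_sample(subject: str, filename: str, mimetype: str, relay: str) -> bytes:
    """Constructed test message (not a real capture); attachment body is dummy bytes."""
    msg = EmailMessage()
    msg["Received"] = f"from {relay} ([203.0.113.5]) by mx.example.invalid"
    msg["From"], msg["Subject"] = "accounts@example.invalid", subject
    msg.set_content("Please see attached.")
    maintype, subtype = mimetype.split("/")
    msg.add_attachment(b"\x00" * 32, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()

SAMPLES = [  # constructed: one reported lure, one unrelated 7z, one benign PDF
    build_sample("RE: BANK TRANSFER SLIP", "swift transfer copy 639082020.7z",
                 "application/x-7z-compressed", "mail.sender.invalid"),
    build_sample("Quote request", "quote.7z", "application/x-7z-compressed", "mail.sender.invalid"),
    build_sample("Newsletter", "news.pdf", "application/pdf", "lists.other.invalid"),
]
```

Run `by_server([triage(s) for s in SAMPLES])` to see both 7z messages attributed to the same relay, which is the kind of clustering that links the two campaigns.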
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.
Endnotes
1. https://www.lastline.com/labsblog/infostealers-weaponizing-covid-19/