NexusLogger - A New Cloud-Based Keylogger
This content has been archived
This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.
Summary
Affected platforms
The following platforms are known to be affected:
Threat details
NexusLogger claims to be a parental monitoring software solution; however, the software is VM-aware and contains anti-debugging features, suggesting it is something more malicious.
The malware itself is not very sophisticated. The tools are built in the Nexus web panel, which is also used for Command and Control (C2) communications, making it easy to block the malicious traffic.
Most of the payloads were delivered by spam email, but in certain instances they have been delivered via malicious redirects.
Email subject lines:
- Needed Products List
- Re: DCE STATMENT as at 27 FEB 2017 – NS ALYANCE
- Re: TOP URGENT Editing remittance form (2/26/2017)
- Re: Revise Shipping Sample FW17 At00129 PI
- [CAGE CODE: 3BM51]
- Revise Shipping Sample FW17 At00129 PI
- TOP URGENT Editing remittance form (2/26/2017)
- Returned Msg: NEW ORDER
- RECONFIRM YOUR BANK DETAILS FOR PAYMENT
- NEW ORDER
Attachment names:
- Needed Products4453487doc?gpj.exe
- DCE STATMENT.doc
- Scan 09892.doc
- PO938272.doc
- PO – BK0214017.exe
- scan_2371_001.doc
- Shipping details.exe
- NEW ORDER_BK150217.exe
- 20170256477867667557.exe
- Purchase Order No. LP 68321.doc
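Added example (editor's code, not part of the NHS Digital alert): a small Python triage check that flags inbound mail matching the subject lines and attachment names listed above, and that also looks for the document-lure and hidden-extension pattern seen in "Needed Products4453487doc?gpj.exe". The lure extension list and the right-to-left-override check are the editor's assumptions, not something the alert states.

```python
import re
import unicodedata
# Indicators copied from the alert above (exact subject lines and attachment names).
KNOWN_SUBJECTS = {
    "Needed Products List",
    "Re: DCE STATMENT as at 27 FEB 2017 – NS ALYANCE",
    "Re: TOP URGENT Editing remittance form (2/26/2017)",
    "Re: Revise Shipping Sample FW17 At00129 PI",
    "[CAGE CODE: 3BM51]",
    "Returned Msg: NEW ORDER",
    "RECONFIRM YOUR BANK DETAILS FOR PAYMENT",
    "NEW ORDER",
}
KNOWN_ATTACHMENTS = {
    "Needed Products4453487doc?gpj.exe", "DCE STATMENT.doc", "Scan 09892.doc",
    "PO938272.doc", "PO – BK0214017.exe", "scan_2371_001.doc", "Shipping details.exe",
    "NEW ORDER_BK150217.exe", "20170256477867667557.exe", "Purchase Order No. LP 68321.doc",
}

def _norm(text):
    # Collapse whitespace, strip Re:/FW: prefixes and case-fold ("RE:  new order" matches "NEW ORDER").
    text = re.sub(r"\s+", " ", text).strip()
    text = re.sub(r"^(?:(?:re|fw|fwd)\s*:\s*)+", "", text, flags=re.I)
    return text.casefold()

_SUBJECTS = {_norm(s) for s in KNOWN_SUBJECTS}
_ATTACHMENTS = {_norm(a) for a in KNOWN_ATTACHMENTS}

def attachment_reasons(name):
    reasons = []
    if _norm(name) in _ATTACHMENTS:
        reasons.append("known NexusLogger attachment name")
    if name.lower().endswith(".exe"):
        reasons.append("executable attachment")
        # Document/image extension in front of the real .exe suffix, as in "...doc?gpj.exe" (lure list is the editor's).
        if re.search(r"(doc|pdf|jpg|gpj)[^.]*\.exe$", name, re.I):
            reasons.append("document lure before executable extension")
    # Editor's assumption: the '?' in that listed name stands for a dropped control character such as U+202E.
    if any(unicodedata.bidirectional(ch) == "RLO" for ch in name):
        reasons.append("right-to-left override in filename")
    return reasons

def classify_message(subject, attachment_names):
    reasons = []
    if _norm(subject) in _SUBJECTS:
        reasons.append("known NexusLogger subject line")
    for name in attachment_names:
        reasons.extend(f"{name}: {r}" for r in attachment_reasons(name))
    return {"suspicious": bool(reasons), "reasons": reasons}
```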
Remediation steps
Last edited: 17 February 2020 11:36 am