
The attacks rely on social engineering to trick users into opening what appears to be a purchase order. However, the attachment is actually a RAR archive containing a disguised executable.
Once launched, the malware loads the final payload directly in memory, helping it avoid leaving obvious traces on disk.
Researchers found multiple versions of the campaign, with different packaging methods and minor changes to the execution flow.
Despite those differences, the goal remains the same: deliver VIP Keylogger quietly and collect sensitive data from browsers, email clients, chat tools, and file transfer applications.
Stealthy Delivery and In-Memory Execution
In one case, the first-stage malware was a .NET executable that carried two DLLs, hidden in its resource section via steganography.
One DLL extracted the next, which then pulled the final payload from a hidden PNG image. After decoding the payload, the malware used Windows APIs to perform process hollowing.
This technique starts a legitimate process in suspended mode, removes its memory image, and replaces it with the malicious code before resuming execution.
In another case, the malware used a more direct approach. The executable stored an AES-encrypted payload in its .data section.
After decrypting it in memory, it patched AMSI and ETW, two Windows security monitoring components, and then loaded VIP Keylogger through the CLR. This allowed the malware to run while bypassing important defensive checks.
The campaign appears to be linked to a malware-as-a-service (MaaS) model. Researchers noted that some features in the final payload were disabled or set to null, suggesting the malware may be customized depending on the buyer’s needs.
Broad Credential Theft Capabilities
According to K7 Computing research, VIP Keylogger is designed to steal a wide range of information.
It can extract saved logins, cookies, credit card data, autofill details, download history, and visited URLs from many Chromium-based browsers, including Chrome, Brave, Opera, Edge, and Vivaldi.
It can also target Firefox-based browsers by using the PK11SDR_Decrypt API from nss3.dll to recover usernames and passwords.
| Indicator (Hash) | Type | Detection Name |
|---|---|---|
| D1DF5D64C430B79F7E0E382521E96A14 | MD5 | Trojan ( 700000211 ) |
| E7C42F2D0FF38F1B9F51DC5D745418F5 | MD5 | Trojan ( 006d73c21 ) |
| EA72845A790DA66A7870DA4DA8924EB3 | MD5 | Trojan ( 005d5f371 ) |
| 694C313B660123F393332C2F0F7072B5 | MD5 | Spyware ( 004bf6371 ) |
Stolen data can be exfiltrated in several ways, including FTP, SMTP, Telegram, Discord, and HTTP POST. In the analyzed sample, researchers found that the malware was sending logs via the email infrastructure over SMTP port 587.
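As an added example (not code from the article or from the K7 report), a small detection heuristic over constructed Sysmon-style network-connection events: it flags processes that open SMTP submission (TCP 587) or contact Telegram/Discord API hosts without being a known mail client, chat client or browser, which matches the exfiltration channels described above. The allowlists, process names, host names and log lines are all assumptions made for the example.

```python
import json
from typing import Iterable

# Allowlists are assumptions for this example, not from the report.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
CHAT_CLIENTS = {"telegram.exe", "discord.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
CHAT_API_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}

# Constructed Sysmon-like Event ID 3 records (raw strings keep the JSON escapes).
SAMPLE_EVENTS = [
    r'{"Image": "C:\\Program Files\\Outlook\\outlook.exe", "DestinationPort": 587, "DestinationHostname": "smtp.example.com"}',
    r'{"Image": "C:\\Users\\u\\AppData\\Local\\Temp\\PurchaseOrder.exe", "DestinationPort": 587, "DestinationHostname": "mail.example.net"}',
    r'{"Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", "DestinationPort": 443, "DestinationHostname": "api.telegram.org"}',
    r'{"Image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "DestinationPort": 443, "DestinationHostname": "discord.com"}',
]


def suspicious_exfil(events: Iterable[str]) -> list[dict]:
    """Return one finding per connection that uses a known exfiltration channel
    (SMTP submission or a chat API host) from a process not expected to use it."""
    findings = []
    for line in events:
        ev = json.loads(line)
        # Keep only the executable name, lower-cased, for allowlist matching.
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        port = int(ev["DestinationPort"])
        host = ev.get("DestinationHostname", "").lower()
        if port == 587 and image not in MAIL_CLIENTS:
            findings.append({"image": image, "host": host,
                             "reason": "smtp-submission-from-non-mail-client"})
        elif host in CHAT_API_HOSTS and image not in CHAT_CLIENTS | BROWSERS:
            findings.append({"image": image, "host": host,
                             "reason": "chat-api-from-unexpected-process"})
    return findings


if __name__ == "__main__":
    for f in suspicious_exfil(SAMPLE_EVENTS):
        print(f)
```

The rule is a triage heuristic, not proof of compromise: unattended scripts and backup jobs also send mail over 587, so the finding should be joined with the process's origin (for example, an executable launched from an archive extraction directory) before escalation.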
The campaign highlights how attackers are combining phishing, steganography, and fileless techniques to build scalable credential theft operations that are harder to detect and investigate.
The post VIP Keylogger Malware Campaign Hides In Images To Steal Credentials At Scale appeared first on Cyber Security News.
