What is Spyware?

Spyware is a type of malicious software that is designed to infiltrate endpoints without the user’s notice. Once on the system, such malware can engage in different illegal activities, including collecting sensitive data, monitoring user actions, and transmitting the gathered information to an unauthorized party.

Spyware can be targeted against both individual users and organizations, including businesses, educational institutions, and those affiliated with governments. It is commonly employed as part of sophisticated cyberattacks carried out by advanced persistent threats (APTs), which are typically state-sponsored hacking groups or highly skilled cybercriminals. The primary purpose of using spyware in these attacks is to conduct espionage, gather intelligence, or steal valuable information for political, economic, or military gain.

There are many families of malware that belong to the spyware category. These are usually customizable and can be configured to affect specific systems, applications, or networks. Such programs are also equipped with the capabilities to evade detection and establish persistence on the device to ensure the malware’s presence over an extended period of time.

One example of a spyware is PlugX. This malicious software has been in active use by Chinese APTs since 2008. Over the years, different versions of the malware have been distributed in dozens of campaigns against organizations in Asia.

What is a Spyware attack?

A spyware attack occurs when a cybercriminal or a group of threat actors attempt to deliver a malicious program to a target device. Such activities may involve the use of various tactics, including:

• Embedding payloads into legitimate software to trick users into unknowingly installing it alongside the desired program.
• Exploiting operating system vulnerabilities that have not yet been patched.
• Taking advantage of zero-day vulnerabilities in applications, such as web browsers, Office Suite programs, and email clients.
• Utilizing malicious macros in documents to kickstart the infection chain as soon as the user opens the file.

In case of a successful attack, the spyware may persist on the infected device for years without the victim’s knowledge.

How does Spyware work?

When viewed from the perspective of the MITRE ATT&CK matrix, several key stages in spyware’s execution process can be observed:

• Initial Access: The attack begins with one of the common vectors, such as a phishing email or a drive-by download.
• Execution: Once on the system, spyware is executed via a script, a command, or through the user's direct launch of the payload.
• Persistence: To ensure it remains on the device, spyware may add itself to the startup folder, modify registry keys, or abuse system services.
• Privilege Escalation: To freely conduct more malicious activities on the endpoint, spyware employs system utilities, allowing it to gain more privileges.
• Defense Evasion: Code obfuscation, payload encryption, and hijacking of legitimate processes are common tactics used by spyware to hide its operations.
• Credential Access: Stealing of browser data and application access tokens are common activities performed by spyware to extract the victim’s login info.
• Discovery: Spyware can perform reconnaissance activities to gather information about the target environment, such as network configurations and installed software.
• Collection: The threats usually focus on collecting sensitive data from the infected device, such as emails, chat messages, documents, or browsing history.
• Command and Control (C2): Attackers can control spyware by sending it instructions, updating its functionality, and even using it to deliver additional malicious payloads.
• Exfiltration: Finally, spyware collects all the data of interest from the device and transfers it to C2, in most cases, by first compressing and encrypting it.

What does Spyware do to an endpoint device?

As noted, the main focus of spyware lies in locating and exfiltrating sensitive information from the machine. This is usually accompanied by granting attackers remote access to the device, letting them have a certain degree of control over it. For instance, Xeno RAT enables attackers to utilize the Hidden Virtual Network Computing (HVNC) module that gives them real-time access to the system.

Apart from browser data, such as history and bookmarks, many families of spyware can identify and exfiltrate files. They also frequently have the ability to record keystrokes of the user that makes it possible to capture more confidential information.

Some spyware programs may be configured to take screenshots, record the machine’s screen, and even listen to the microphone. One example here is Loda RAT, which on top of these activities lets attackers communicate with the victim using a special chat window.

What are examples of Spyware families?

Here are some of the most widespread spyware families:

• Formbook: An infostealer trojan available as malware-as-a-service, popular among attackers due to its ease of use. It offers advanced stealing and evasion functions, including the ability to steal user input, search and interact with files, and take screenshots. Written in C and x86 assembly language, FormBook can inject into processes and employ API monitoring and user-mode hooking for evasion.
• Darkgate: A versatile malware with multiple malicious capabilities. It is particularly known for serving as a loader, but it can also steal data and remotely control the victim's computer. It can even exploit the infected computer’s resources for cryptocurrency mining.
• Konni: A spyware which has been in operation since 2014. It is linked to North Korea, constituting an example of a malicious program used by state actors as part of espionage efforts. Explore an analysis session of the Konni malware in ANY.RUN sandbox.

Execution process of a spyware sample

We can safely study the execution process of Formbook by uploading its sample to the ANY.RUN sandbox.

We can observe how after the launch, Formbook initiates a connection to the command-and-control server.

Subsequently, a malicious executable file, disguised as a .png in this particular analysis, is dropped or overwritten and executed. FormBook then proceeds to steal personal data and modify the autorun value in the registry.

Formbook process graph shown in ANY.RUN

Additionally, the virus loads a DLL from Mozilla Firefox, creates files in the user directory, and launches CMD.EXE to establish persistence and prepare for process injection. Ultimately, the injected Firefox.exe is executed to log keystrokes, steal clipboard data, and extract authentication information from browser HTTP sessions.

Check out this video to see how a typical Formbook infection unfolds and learn how you can analyze spyware in the ANY.RUN sandbox.

How does Spyware spread?

Phishing emails remain a top method for delivering spyware to victims' devices. These typically involve the use of social engineering tactics designed to make the target believe in the legitimacy of the emails. For this purpose, attackers may mimic the visual style and language of entities like established companies and government agencies.

The infection chain begins with malicious attachments in the form of executables, PDFs, documents, and archives containing the payload. Alternatively, attackers may include malicious links that, when clicked, can eventually lead to the installation of spyware on the victim's device.

Another widespread spyware infection method is via special malware called loaders, DarkGate is a loader that is frequently observed to deliver Remocs.

How to prevent Spyware attack

Spyware infections are among the most serious, as they can be difficult to spot. As a result, the malicious program can continue operating on the compromised system for a long time, regularly exfiltrating private information and tracking victims' activities. Preventing spyware attacks requires a comprehensive security approach that includes sandbox analysis.

ANY.RUN is a cloud-based sandbox designed for effective investigations into suspicious files and links. It can detect spyware and other types of malware in under 40 seconds. The sandbox users also get to access: -Interactive Windows and Linux VMs

• Detailed threat reports with indicators of compromise (IOCs)
• Complete overview of malicious network & registry activities, as well as processes

Create your ANY.RUN account – it’s free!