Operation Liberpy, an HTTP-based botnet for keylogging, has been stealing users’ information since at least last August, managing to compromise more than 2,000 systems in only a few months.
According to ESET, the campaign began with fake e-mails whose attachments posed as package-tracking "software." Once installed, the malware reports every keyboard event, along with mouse movements, to a server controlled by the attackers. Each infected machine joined the botnet and became a new propagation node, infecting any USB device connected to it.
According to ESET Live Grid telemetry, 98% of detections of these threats were in Venezuela, and the wording and language of the comments inside the malware's code indicate that it is aimed primarily at users there. Classifying the IP addresses that connected to the ESET sinkhole identified a total of 2,047 bots, of which 1,953 were in Venezuela.
“The preliminary threat analysis strongly suggested that it had been developed in the region, triggering two fundamental questions: Is there a 1.0 version? What is the scope of this attack?” said Diego Perez, ESET researcher, in a blog post.
Based on the name of the threat, ESET decided to look for indicators related to Liberpy, and found in its records another executable with virtually the same name, “Liberty1-0.exe.”
“The first variant appeared in mid-August 2014, providing important clues about the origins of this campaign, which were later confirmed by statistics and detections,” Perez said.
Today, Liberpy also continues to infect systems through a technique shared with other malware families, including Win32/Dorkbot, JS/Bondat and VBS/Agent.NDH: it hides every file on a USB drive and replaces each one with a shortcut, so that a user who double-clicks what looks like their own document or folder launches the malware instead. This propagation mechanism has been common in the region since at least 2011, and remains one of the main propagation vectors of malware.
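The hide-the-files-and-leave-shortcuts trick can be triaged by reading what the shortcuts actually run. The Python script below is an added example written for this page; it is not ESET's code and not taken from any Liberpy sample. It parses the StringData section of a Windows .lnk file according to the MS-SHLLINK layout (header, optional item-ID list and LinkInfo, then the count-prefixed relative path, arguments and icon strings) and flags shortcuts that launch a command or script interpreter or a hidden executable and then reopen the file they replaced. The command line in the constructed sample is the generic form this family of USB worms uses, not Liberpy's actual command line, which the article does not give; the drive contents, file names and the `~trash` directory are assumptions.

```python
"""Triage .lnk shortcuts on a removable drive for the 'hide the files, leave shortcuts'
worm pattern.  Added example; not ESET's code and not from a Liberpy sample.  The
sample shortcut command line is constructed in the generic style of this worm
family, since the article does not give Liberpy's real one."""
import os
import struct
import tempfile

# Shell Link (.lnk) constants from the MS-SHLLINK specification.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_FIELDS = (  # StringData sections, in the order the format stores them
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"))
INTERPRETERS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
PAYLOAD_EXT = (".exe", ".vbs", ".js", ".bat", ".scr", ".pif", ".com")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (relative path, arguments, ...) of a .lnk file."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76                                  # fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:       # skip the item-ID list (2-byte size prefix)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                 # skip LinkInfo (its 4-byte size includes itself)
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # character count, no terminator
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated {name} field")
        off += count * width
        # Non-Unicode links use the system ANSI code page; latin-1 keeps every byte readable.
        fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
    return fields


def triage_shortcut(lnk_name: str, data: bytes) -> list:
    """Reasons a shortcut looks like a worm-planted decoy; an empty list means nothing flagged."""
    f = parse_lnk(data)
    cmdline = f"{f.get('relative_path', '')} {f.get('arguments', '')}".lower()
    tokens = cmdline.replace("&", " ").replace('"', " ").split()
    decoy = lnk_name[:-4].lower() if lnk_name.lower().endswith(".lnk") else lnk_name.lower()
    reasons = []
    if any(t.endswith(INTERPRETERS) for t in tokens):
        reasons.append("target is a command or script interpreter, not a document")
    payloads = [t for t in tokens if t.endswith(PAYLOAD_EXT) and not t.endswith(INTERPRETERS)]
    if payloads:
        reasons.append(f"command line runs an executable: {', '.join(payloads)}")
    if reasons and decoy and decoy in cmdline:   # worm decoys reopen the file they replaced
        reasons.append("command line reopens the original file the shortcut replaced")
    return reasons


def scan_removable_drive(root: str) -> dict:
    """Map each flagged .lnk directly under root to the reasons it was flagged."""
    findings = {}
    for entry in os.scandir(root):
        if entry.is_file() and entry.name.lower().endswith(".lnk"):
            with open(entry.path, "rb") as fh:
                data = fh.read()
            try:
                reasons = triage_shortcut(entry.name, data)
            except ValueError as exc:
                reasons = [f"unparseable shortcut: {exc}"]
            if reasons:
                findings[entry.name] = reasons
    return findings


def build_lnk(relative_path: str, arguments: str, icon_location: str = "") -> bytes:
    """Constructed sample: serialise a minimal Unicode .lnk (header + StringData only)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE | (HAS_ICON_LOCATION if icon_location else 0)
    # HeaderSize, CLSID, LinkFlags, FileAttributes, three FILETIMEs, FileSize, IconIndex,
    # ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b""
    for flag, text in ((HAS_RELATIVE_PATH, relative_path), (HAS_ARGUMENTS, arguments),
                       (HAS_ICON_LOCATION, icon_location)):
        if flags & flag:
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as usb:   # stands in for the mounted USB drive (assumption)
        # Constructed worm-style decoy: runs a hidden payload, then opens the real document.
        with open(os.path.join(usb, "report.docx.lnk"), "wb") as fh:
            fh.write(build_lnk(r"..\..\Windows\System32\cmd.exe",
                               r"/c start .\~trash\svc.exe & start report.docx"))
        # Constructed benign shortcut that simply points at a text file.
        with open(os.path.join(usb, "notes.lnk"), "wb") as fh:
            fh.write(build_lnk(r".\notes.txt", ""))
        for name, reasons in scan_removable_drive(usb).items():
            print(name, "->", "; ".join(reasons))
```

Run it against the root of a mounted USB drive by replacing the temporary directory with the mount point; the parser only reads StringData, so shortcuts that carry their target solely in the item-ID list will show no path and should be inspected by hand rather than treated as clean.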