A sophisticated credential-stealing campaign leveraging a stealthy tool known as VIP Keylogger has emerged as a significant threat to organizations worldwide. This advanced malware operates entirely in memory, bypassing traditional file-based detection methods. Security researchers first identified the campaign through suspicious email activity, which directed recipients to open deceptive attachments disguised as purchase orders. These attachments, made to look like legitimate files, harbored a malicious executable capable of deploying VIP Keylogger directly into system memory without leaving any trace on the hard drive.
The scale and adaptability of this campaign are particularly concerning. Multiple instances have been observed targeting victims across various countries, with attackers making only minor modifications to the delivery mechanism and execution flow. This indicates a well-organized operation focused on mass credential theft, capable of rapid expansion while maintaining its core objective. The consistent payload across different campaigns suggests a unified development or a highly configurable Malware-as-a-Service (MaaS) offering.
How VIP Keylogger Executes Without Leaving a Trace
According to analysis by K7 Security Labs, the VIP Keylogger campaign utilizes advanced techniques to achieve stealthy execution. One method involves a .NET executable that employs steganography to conceal two Dynamic Link Libraries (DLLs) within its resource section. The first DLL, “Turboboost.dll,” is responsible for extracting the second DLL, “Vertical bars.dll.” This second DLL contains the actual VIP Keylogger payload, hidden within a PNG image using steganography. The malware then retrieves this payload from the image and deploys it via process hollowing. This technique involves launching a legitimate host process in a suspended state, replacing its memory with the malicious code from VIP Keylogger, and then resuming execution, making it difficult for security tools to distinguish from normal processes.
A second execution path for VIP Keylogger involves a standard Portable Executable (PE) file that stores AES-encrypted data within its .data section. Upon decryption in memory, the malware proceeds to disable crucial security mechanisms like AMSI (Antimalware Scan Interface), a Windows feature designed to detect and block malicious scripts, and ETW (Event Tracing for Windows), a logging system that security products often rely on for threat detection. By disabling these defenses, VIP Keylogger can load cleanly through the Common Language Runtime. Both execution paths share the singular goal of running the payload without writing to disk, thus minimizing the digital footprint and evading detection.
Once active, VIP Keylogger systematically harvests sensitive information from compromised systems. It targets a wide range of Chromium-based browsers, including Chrome, Brave, and Edge, as well as Firefox-based browsers like Firefox, Thunderbird, and Waterfox. The collected data includes cookies, login credentials, credit card details, and browsing histories. In addition to browsers, popular email clients such as Outlook, Foxmail, Thunderbird, and Postbox are also affected, with POP3, IMAP, SMTP, and HTTP passwords being exfiltrated. Furthermore, platforms like Discord, FileZilla, and Pidgin are targeted for account tokens and server details. The stolen data is then exfiltrated through one of five channels: FTP, SMTP, Telegram, HTTP POST, or Discord. The analyzed sample utilized SMTP to relay information through a dedicated server on port 587.
The modular nature of VIP Keylogger is highlighted by the fact that certain capabilities, such as AntiVM, ProcessKiller, and DownloaderFile, were found disabled or nulled out in the analyzed sample. This suggests that clients of this Malware-as-a-Service offering can choose and pay for specific features, making the tool accessible to threat actors with varying levels of technical expertise. This configurable approach allows for tailored attacks and further complicates threat identification.
Organizations are advised to implement robust security measures to counter this evolving threat. Critical among these is user awareness training to avoid opening email attachments from unknown or suspicious senders, particularly compressed files like RAR or ZIP archives. Security teams should deploy endpoint detection and response (EDR) solutions capable of identifying in-memory threats and process hollowing behaviors. Maintaining up-to-date browsers and applications is also essential to minimize the attack surface that VIP Keylogger exploits.