
KL&STeal-Creator Kit

By GoldSparrow in Keyloggers

The KL&STeal-Creator Kit is a software package developed by a Black Hat hacker who goes under the alias 'ZIMA.' Malware researchers announced the discovery of the KL&STeal-Creator Kit, and its unusual functionality, on January 11th, 2018. The KL&STeal-Creator Kit is promoted on Dark Web forums and on Web services hosted on the Tor Network. Its creator invites interested parties to use the kit to build personalized keyloggers and Trojan-Droppers. The advertised advantages of the KL&STeal-Creator Kit over competing kits include support for silent installation, uploading logs over secure FTP connections, and a wide range of customizations.

Analysis of the KL&STeal-Creator Kit revealed that the custom KL&STeal keyloggers send the captured keyboard input to the threat actors through a file posing as a Microsoft component, Windows Driver Foundation. The file, 'Windows Driver Foundation(WDF).exe', can be seen in the Task Manager and is responsible for uploading the logs to the 'Command and Control' servers. The KL&STeal-Creator Kit lets cybercrooks record the input on online banking portals, IM clients (Skype, Pidgin, QQ Messenger), email clients (Thunderbird, Outlook) and e-payment systems. The KL&STeal keylogger may also register itself as a service that looks like a legitimate Microsoft service, so that it runs at every Windows boot. A keylogger of this kind is hard to detect even for advanced PC users, which is why you should keep track of your finances online, as well as of the messages sent over IM apps. The KL&STeal-Creator Kit allows cybercrooks with limited programming skills to deploy advanced information-gathering tools and to capitalize on the misappropriated user logins.
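The two artifacts named above, a process visible in Task Manager and a service that starts at boot, are something a responder can check for on a live host. The script below is an added example written for this page; it is not code from the original article, from the researchers, or from the KL&STeal kit. Its assumptions are its own: that genuine Microsoft components live under %SystemRoot%\System32 or SysWOW64 and carry a valid Authenticode signature from Microsoft Corporation, and that any process or service whose name contains "Windows Driver Foundation" but fails either test deserves a closer look.

```powershell
# Added triage check, written for this page; not code from the article, the
# researchers, or the KL&STeal kit. Assumptions (this script's own):
#   - genuine Microsoft components live under %SystemRoot%\System32 or SysWOW64
#     and carry a valid Authenticode signature from Microsoft Corporation;
#   - a process or service named after "Windows Driver Foundation" that fails
#     either test is worth a closer look.
# Run from an elevated PowerShell session so every process image path is readable.

$NamePattern = 'Windows Driver Foundation'
$SystemDirs  = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Test-MicrosoftSigned {
    # $true only for an existing file whose Authenticode signature is valid
    # and whose signer subject names Microsoft Corporation.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    return ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
}

function Test-InSystemDir {
    param([string]$Path)
    if (-not $Path) { return $false }
    foreach ($dir in $SystemDirs) { if ($Path -like "$dir\*") { return $true } }
    return $false
}

function Get-ServiceExecutable {
    # Win32_Service.PathName may be quoted and may carry arguments; keep the .exe only.
    param([string]$PathName)
    if ($PathName -match '^"?([^"]+?\.exe)') { return $Matches[1] }
    return $PathName
}

function Find-WdfImpostor {
    $hits = @()

    # 1. Running processes (what Task Manager shows), with the image path behind each.
    $procs = @(Get-Process | Where-Object { $_.ProcessName -like "*$NamePattern*" })
    foreach ($p in $procs) {
        $img = $p.Path   # $null for protected processes we cannot open
        $hits += [pscustomobject]@{
            Kind       = 'Process'
            Name       = $p.ProcessName
            Id         = $p.Id
            Path       = $img
            Suspicious = -not (Test-MicrosoftSigned $img) -or -not (Test-InSystemDir $img)
        }
    }

    # 2. Installed services, since the keylogger may register one to start at boot.
    $svcs = @(Get-CimInstance Win32_Service | Where-Object {
        $_.DisplayName -like "*$NamePattern*" -or
        $_.Name        -like "*$NamePattern*" -or
        $_.PathName    -like "*$NamePattern*"
    })
    foreach ($s in $svcs) {
        $exe = Get-ServiceExecutable $s.PathName
        $hits += [pscustomobject]@{
            Kind       = "Service ($($s.StartMode) start)"
            Name       = $s.Name
            Id         = $s.ProcessId
            Path       = $exe
            Suspicious = -not (Test-MicrosoftSigned $exe) -or -not (Test-InSystemDir $exe)
        }
    }
    return $hits
}

Find-WdfImpostor | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A file dropped as 'Windows Driver Foundation(WDF).exe' shows up here with the ProcessName 'Windows Driver Foundation(WDF)' and is marked Suspicious because it carries no Microsoft signature; an auto-start service pointing at the same image is reported on a second row. A hit is a lead, not a verdict: confirm by hashing the image and checking its location, and keep in mind that the name filter will miss a build of the keylogger that was renamed to something else.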

What you may find particularly interesting is that the author of the KL&STeal-Creator Kit embedded an obfuscated function in the keylogger builder, which allowed 'ZIMA' to receive a copy of the login credentials of everyone using the KL&STeal-Creator Kit, along with the data collected by the custom keyloggers. Judging by the audience at which the KL&STeal-Creator Kit was directed, the hacker called 'ZIMA' might face bans from Dark Web forums and other unpleasant consequences. Either way, PC users need to run a reputable anti-malware suite that can detect and eliminate threats like the KL&STeal keyloggers. AV engines are known to flag files, Registry keys, and services associated with the KL&STeal-Creator Kit using the following names:

  • Artemis!A7DC6E4D676F
  • Gen:Variant.Ursu.45030
  • RDN/Generic PWS.y
  • Spyware ( 005138541 )
  • TROJ_GEN.R002H09A818
  • Trojan-Spy.Builder.Zima
  • Trojan[Dropper]/Win32.Sysn
  • Win32.Trojan-Spy.Kealog.B
  • malicious.1b8fb7
