EHDevel: key logging malware

Olivia Storey

EHDevel: the malware that logs keystrokes, tracks location and steals personal data in order to spy on and gather intelligence on Indian and Pakistani entities.

A sophisticated malware framework, named EHDevel, was discovered earlier this year. Over the past few years it has been aimed at various institutions in India and Pakistan in order to gather intelligence. The framework is thought to have been used by nation-state hackers, who started by compromising individuals, the small and vulnerable targets, as a route to larger goals and wider intelligence gathering.

EHDevel is a plug-and-play malware framework that allows attackers to log keystrokes, detect a user's location, steal personal data, upload and download files, execute processes, and take screenshots.

The malware also mixes programming languages, switching from one to another, and shows signs of active development, with ongoing code changes and bugs. There was also an apparent 'backdoor', which showed that the malware was constantly being modified to give it "additional capabilities".

This particular framework has been used in different shapes and forms, as there have been a few previous attacks with similar objectives. Last year a suspicious document called News.doc was discovered which displayed very similar files and capabilities and was used in attacks against various institutions; there are also similarities with the Operation Hangover APT malware from 2013.

As this modular malware framework design is increasingly being adopted by cyber criminals, Anton Cherepanov, ESET Senior Malware Researcher, discusses attacks like this and why blackhats choose this approach.

“Most of today’s sophisticated malware families use modular architecture, as this allows their creators and operators to easily adjust their functionality and add new features.

“ESET research has documented many similar cases, with BlackEnergy being one of the most prominent.

“It used a core component and modules that allowed the attackers to take control of the targeted machines, spy on their activity or damage them.

“Particularly thanks to the modularity, the functionality of the malware was not always the same.

“In some cases, such as the attack on the Ukrainian media or energy sector at the end of 2015, a destructive component was present, while in other cases, where information extraction seemed to be the primary goal, spyware capabilities dominated.

“Another reason why modularity is used by blackhats is that it further complicates whitehat research, making only a part of the full functionality and adaptability of the malware visible to the security researchers.”
