Threat Watch

BusyGasper Spyware

Researchers have discovered a new spyware dubbed BusyGasper, which is believed to have existed since at least May 2016. BusyGasper remained undetected because it targeted fewer than 10 Russian victims. Some researchers believe that the infection vector for this small set of devices might be manual installation requiring physical access to the targeted device.

The spyware can issue roughly 100 commands. Its capabilities include keylogging, exfiltrating data from messaging apps, bypassing the Doze battery saver, and spying on device sensors. BusyGasper utilizes the IRC (Internet Relay Chat) protocol to communicate with its C&C FTP server. According to researchers, “Additionally, it can receive C2 instructions by logging into the attacker’s email inbox and searching for commands, as well as malicious payloads in the form of email attachments.” Further investigation revealed multiple TXT files on the attacker’s FTP server displaying victim identifiers, along with an ASUS firmware component. The attacker’s email account contained personal data of the victims, such as IM messages.

The initial module mainly enables C&C communication and downloads other components. The second module, which is the main module, logs the command execution history and introduces almost all of the spying and C&C capabilities. Researchers also discovered a separate keylogger component and a hidden menu that is used for controlling implant features.

ANALYST NOTES