The KeyBoy malware steals credentials stored in Internet Explorer and Mozilla Firefox and installs a keylogger component that can capture credentials entered into Google Chrome. The backdoor program also allows the attackers to collect detailed information about the compromised computers, browse their directories, download files from them, and upload files to them, the Rapid7 researchers said.
In addition, the malware can be used to open a Windows command shell on the infected computers that can be used remotely to execute Windows commands, they said.
The backdoor samples collected by the Rapid7 researchers were compiled on April 1, suggesting that the attacks are reasonably recent. The domain names used for the command-and-control servers contacted by the malware were registered during April and May.
These attackers are definitely targeting users in several different countries, Guarnieri said Monday via email. Rapid7 found evidence that users in Taiwan, members of minority populations in China and possibly Western diplomats have also been targeted as part of this campaign, he said.
"The campaign is not particularly sophisticated, the exploits are well known and the malware is fairly simple," Guarnieri said. "However, as we have seen in recent years, sophistication is not necessary for attackers to be successful and meet their ends. In fact, the large majority of targeted attacks from and within the Asian region are generally very basic in complexity."
That said, the antivirus detection rates for the exploits and the backdoor malware are surprisingly low at the moment, he said. "For some reason this group didn't receive particular attention (at least not publicly) so we expect detection to improve in the next days."