Viotto Keylogger: Freemium Keylogger for the Skids

The PhishMe Research team recently received a campaign escalated by one of our analysts. We’ll explore the campaign delivery, malicious attachments, and analysis of the malicious attachments, and we’ll provide a simple method for extracting the credentials being used for this keylogger family’s data exfiltration.


The PhishMe Triage platform allows SOC analysts to identify, analyze, and respond to email threats that have targeted their organization. For this particular campaign, the suspicious email had an ARJ archive attachment, which contained a Windows PE32 executable.

Although Windows does not natively open archive files with the ARJ extension, a number of third-party applications, such as 7zip, can extract these rarely used archives. The archive contains a single PE32 executable named “DOCUMENT-71956256377.pdf.exe”, which is a packed Viotto Keylogger sample, intentionally named with a double extension to entice victims to click and execute the malware.


Malicious attachment contains executable.

Since this malware was written in VB6, we can decompile the unpacked, malicious binaries to verify our classification. By viewing the VB6 forms, we can see that the hidden Form1 contains the name of Viotto Keylogger:


Decompiled VB6 forms.

Now that we have seen an example of how this malware propagates in the wild, let’s examine the family itself. When an analyst has access to a malware’s builder (an application that enables the easy customization of malware samples), we can save precious reverse engineering time by analyzing its capabilities and features to better understand how this malware behaves.


Most of the indicators that comprise a Viotto Keylogger infection can be set at build time when the actor creates the stub (the malware sample that infects a victim’s computer). In the public version 3.0.2 of the builder, the malicious actor can specify where the keylogger’s logs will be stored, the installation method for persistence, and the delivery method of the logs via SMTP and/or FTP. In the paid, private version of the builder, the actor is able to control even more settings, such as encrypting the Keylogger logs with RC4 with a hardcoded key and enabling a Screen Capture feature that periodically sends screenshots of the victim’s desktop back to the actor. Another feature included in both versions that is not highlighted in the builder’s options is the ability to capture all text copied to the victim’s clipboard.


VKL Builder’s main screen.

The storage location option for the keylogger log files can be set by the malicious actor at build time. They also have the ability to specify a custom log filename and to set hidden file attributes. The log files can be saved in the following locations on the infected machine’s disk:

  • Root (C:\)
  • Windows (C:\Windows)
  • System32 (C:\Windows\System32)
  • Program Files (C:\Program Files)
  • Application Path (copied where originally executed)
  • Temp (C:\Users\{username}\AppData\Local\Temp)
  • AppData (C:\Users\{username}\AppData\Roaming)

Options where keylogger logs will be stored.


As described above, depending on the settings enabled at build time of the stub, the actor can make the infection persist through reboots of the infected machine. The actor can also choose to save a copy of the executable, with the same file system location options as for log file storage. This copy can then be launched during Windows startup events so that it persists across restarts. Although multiple instances of the stub can be launched by selecting any combination of startup entries, the stub ensures it is the only instance running by checking a mutex (a program lock object used to prevent multiple instances of the same malware from running). The default mutex is “ViottoLogger”; however, this setting can also be changed in the builder. The following startup registry keys are viable options:

  • Current User\Run (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
  • Local Machine\Run (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run)
  • Winlogon\Shell (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell)
  • Winlogon\Userinit (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit)
  • Explorer\Run (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run)

Windows startup persistence options.
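For defenders, the persistence and drop-location options above translate directly into an autorun audit. The following is an added example, not PhishMe's code: it assumes autorun entries have already been exported as (key, value name, data) tuples, and the sample entries, user name and `svhost.exe` file name are constructed.

```python
import re
from pathlib import PureWindowsPath

# Run-style keys offered by the builder (from the list above), lower-cased.
RUN_KEYS = {
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\policies\explorer\run",
}
# Shell and Userinit have well-known defaults; anything appended is suspect.
WINLOGON_KEY = r"hklm\software\microsoft\windows nt\currentversion\winlogon"
WINLOGON_DEFAULTS = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe", "userinit.exe"},
}
# Builder drop locations. System32 is left out on purpose: legitimate
# autoruns live there, so the directory alone carries no signal.
DROP_DIRS = [re.compile(p, re.I) for p in (
    r"^c:\\$", r"^c:\\windows$", r"^c:\\program files$",
    r"^c:\\users\\[^\\]+\\appdata\\local\\temp$",
    r"^c:\\users\\[^\\]+\\appdata\\roaming$",
)]
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpg|txt)\.(exe|scr|com|pif)$", re.I)

def image_path(data):
    """Pull the executable path out of an autorun command line."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|scr|com|pif))(?:\s|,|$)", data, re.I)
    if m:
        return m.group(1)
    return data.split()[0] if data else ""

def path_reasons(path):
    """Return the reasons a Run-key image path looks like a dropped stub."""
    p = PureWindowsPath(path)
    reasons = []
    if DOUBLE_EXT.search(p.name):
        reasons.append("double extension")
    if any(rx.match(str(p.parent)) for rx in DROP_DIRS):
        reasons.append("image directly in builder drop dir")
    return reasons

def audit(entries):
    """entries: iterable of (key, value_name, data). Returns (name, reason)."""
    findings = []
    for key, name, data in entries:
        k, n = key.lower(), name.lower()
        if k in RUN_KEYS:
            findings += [(name, why) for why in path_reasons(image_path(data))]
        elif k == WINLOGON_KEY and n in WINLOGON_DEFAULTS:
            for part in (x.strip() for x in data.split(",")):
                if part and part.lower() not in WINLOGON_DEFAULTS[n]:
                    findings.append((name, "extra Winlogon entry: " + part))
    return findings

# Constructed sample export; only the attachment file name comes from the page.
SAMPLE = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"C:\Users\alice\AppData\Roaming\DOCUMENT-71956256377.pdf.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell",
     "explorer.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
     r"C:\Windows\system32\userinit.exe,C:\Windows\svhost.exe"),
]

if __name__ == "__main__":
    for name, why in audit(SAMPLE):
        print(f"{name}: {why}")
```

Because the builder lets the actor change file names and the mutex, these path heuristics are a triage aid and should be paired with a signature or hash check on anything they surface.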

Keylogger Data Exfil

Viotto Keylogger is capable of sending the recorded keystrokes, clipboard contents, and screenshots to the perpetrator in an email (via SMTP) or to a file server (via FTP). The email option can be delivered to open relays that do not require authentication or to accounts that require authentication over SMTP using Transport Layer Security (TLS). By utilizing TLS, the account credentials and email contents will be encrypted in transit. Most of the VB6 code in this keylogger was copied from sources freely available on the internet, as indicated in the builder’s About screen:


Extracting Exfil Credentials

Skids wishing to use this malware creator be forewarned: your email and FTP credentials can be easily obtained! Although most of these samples in the wild will be packed, a quick and easy way to extract the malware actor’s credentials being used for victim data exfiltration is by analyzing the application’s process memory. Analysts are not only able to extract this information on the same machine utilizing a program such as Process Hacker, but personally, I prefer keeping my memory analysis tools outside of the infected machine by analyzing full VM RAM dumps with either the Rekall or Volatility memory analysis frameworks. We can also extract the malware sample’s configuration, including any SMTP/FTP exfil credentials, statically. The malware sample’s configuration is stored in plaintext in the Resources section of the stub:


The decompiled FindResource section loads the stub configuration.

The PhishMe Research team also wrote a Python script to extract the Viotto Keylogger configuration from an unpacked sample:



The recent sighting of the freely-available Viotto Keylogger in the wild reminds us that cybercrime has a low barrier to entry and that tools built years ago continue to be used to exploit unsuspecting users. PhishMe Simulator trains and encourages users to recognize and report the type of email messages that are delivering this threat. The next step is to act on those reports, and PhishMe Triage enables your team to sift through all reports and quickly and efficiently act on the ones that pose a threat to your organization.


Related SHA256 Hashes




Download the Viotto Keylogger yara rule or the configuration extractor.


PhishMe Announces Phishing Program Excellence Award Winners

Palo Alto Networks, AVANGRID, and others honored at Submerge 2016 for their innovative work in phishing prevention.

Leesburg, VA – October 14, 2016 – PhishMe, a global provider of phishing defense and intelligence solutions for the enterprise, has announced the winners of the PhishMe Excellence Awards at Submerge 2016, its inaugural phishing and defense summit and user conference. PhishMe chose the winners for their innovative, successful programs designed to combat phishing attacks and protect their enterprise from the risks of malware infiltration and fraud loss.

An anonymous panel of judges comprised of PhishMe product experts, industry leaders and security professionals reviewed the applications and designated the following companies winners across a number of different categories.

  • AVANGRID, Inc., a diversified energy and utility company, received the Phishing Defense Program of the Year award for consistently demonstrating the most effective all-around, top-performing phishing defense program with superior performance in detection, alerting, reporting, training, participation and results.
  • Palo Alto Networks, the next-generation security company, received the Most Innovative Phishing Defense Program Award, which recognized the company’s ability to think outside the box to leverage fresh approaches to achieve optimal training effectiveness and boost company-wide cyber education participation.
  • Additionally, PhishMe recognized industry leaders for achievements in the field of incident response, honoring the team that demonstrated superior overall process of responding to phishing threats in the Incident Response Team of the Year category, and the PhishMe Community Trailblazer of the Year, an award created to recognize the PhishMe user who has gone above and beyond in their phishing defense efforts.

Co-founders Rohyt Belani, PhishMe CEO, and Aaron Higbee, PhishMe CTO, presented the awards to the winners on-stage at the PhishMe Submerge Conference in Orlando, Florida. More than 100 phishing defense professionals attended this inaugural conference, which provided them with opportunities to learn from industry experts while networking with peers and other PhishMe users from all over the world.

After the award ceremony, Belani commented, “I would like to extend my huge congratulations to our winners and to all those who applied for the PhishMe Excellence Awards this year. The quality of the submissions was outstanding and a credit to the entire industry. I’m highly encouraged to see the commitment companies and individuals exhibit in protecting their businesses against increasingly sophisticated phishing attacks. PhishMe is very proud to be part of such a remarkable and growing community and we look forward to seeing everyone next year at Submerge 2017.”

For more information about the PhishMe Submerge Conference and the PhishMe Excellence Awards, please follow this link.




About PhishMe

PhishMe is the leading provider of human-focused phishing defense solutions for organizations concerned about their susceptibility to today’s top attack vector — spear phishing. PhishMe’s intelligence-driven platform turns employees into an active line of defense by enabling them to identify, report, and mitigate spear phishing, malware, and drive-by threats. Our open approach ensures that PhishMe integrates easily into the security technology stack, demonstrating measurable results to help inform an organization’s security decision making process. PhishMe’s customers include the defense industrial base, energy, financial services, healthcare, and manufacturing industries, as well as other Global 1000 entities that understand changing user security behavior will improve security, aid incident response, and reduce the risk of compromise.

Media Contacts:


Wes Anderson

Cohn & Wolfe US for PhishMe

Phone: 323.602.1080



Francesco Tius

AxiCom UK for PhishMe

Phone: +44 (0)20 8392 4061


Behavioral Conditioning, Not Awareness, Is the Answer to Phishing


You don’t stop phishing attacks by raising user awareness. A recent study conducted by a German university confirms what we at PhishMe have known all along: Focusing on awareness isn’t the point. The real solution is behavioral conditioning.

The study, conducted by Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, used 1,700 students to simulate spear phishing attacks. An August 31 Ars Technica article published preliminary results of the study showing at least 50% of students clicked simulated phishes, even though they understood the risks.

With its headline, “So Much for Counter-phishing Training: Half of People Click Anything Sent to Them,” the article appears to suggest training is pointless. But we see it differently. While the article confirms what our own research has revealed – that awareness isn’t the problem – the proper conclusion to draw isn’t that training is futile. PhishMe tends to agree with this sentiment and encourages organizations to focus on conditioning their employees to identify and report security risks.

We focus our training on conditioning human behavior, and the results speak for themselves. Our customers spend 22 seconds reviewing phishing education, and yet their susceptibility to phishing decreases significantly. Why? It’s the experience we put them through that changes behavior. Even when they are aware of the risks, as studies show, they are susceptible to opening email from unknown users and clicking suspicious links. But conditioned through the real-world examples we provide in our simulations, users are much less likely to click.

Enterprise Relevance

The FAU study focused on students, who were sent emails and Facebook messages with links purporting to be for photos from a New Year’s Eve party held a week before the study. “Links sent resolved to a webpage with the message ‘access denied,’ but the site logged the clicks by each student.”

It’s dangerous to apply the results of research conducted on a student population to enterprise workers. We have several problems with the approach as described. For starters, it wasn’t created by people in the trenches who understand real-world threats, but by academics in a computer science department. We already know the bait used by the study’s authors works on students, as well as consumers, but is far less effective with enterprise users. Yet, readers of the Ars Technica article are concluding the study’s results apply to enterprise environments.

We know that because we’ve started to get messages with their reactions. So we feel an obligation to point out the study didn’t use a realistic scenario, from an enterprise point of view. Real-world enterprise phishes are more likely to be emails pretending to be files from a scanner, a document with a job evaluation, or a message that someone has signed for a package addressed to the user.

There’s also a difference of perspective between students and enterprise users. Students, whose primary experience with computing revolves around mobile devices such as tablets and smartphones, don’t worry about cyber risks. Clicking a link from a smartphone isn’t going to compromise the device because such devices are nearly impervious to attacks. But click the link from a computer, and the story is quite different.

It also appears the FAU study focused only on clicking links, but phishing threats aren’t limited to one vector. Others include data entry, password credentials, clicking attachments, and email conversations that don’t involve links or attachments. Replicating some of these vectors in a real-world simulation is a bigger challenge than the method used by the study.

Focus on Reporting

A PhishMe-commissioned study found 94% of office workers know what phishing is and the risk it presents to organizations. The study also found that 94% of office workers know how to report suspicious emails in their organization. And that’s where the focus of training needs to be – reporting. When users are conditioned to report suspicious email, even if they do so after already clicking on it – maybe they had a lapse – the reporting is still valuable because it helps your security operations teams.

Learning to identify suspicious emails through conditioning is far more effective than general efforts to raise awareness. PhishMe Simulator provides customers with templates that include the exact content used by threat actors. By deriving content from our Phishing Intelligence platform we provide experiences that are relevant to enterprise users. This method allows customers to condition users to spot potential phishes, avoid interacting with them, and report them to their security teams.

While we appreciate the FAU’s study’s confirmation of what our own research has shown about awareness, we fear it may lead enterprises to make decisions based on the erroneous conclusion that training doesn’t matter. This perspective could lead to the compromise of a network with disastrous results. To avoid such an outcome, we at PhishMe stand ready to work with any academic institution or researcher that could benefit from our experience in the trenches to produce meaningful research about phishing.

Computing Security Awards Finalist

PhishMe Shortlisted as Finalist in Two Categories at Coveted 2016 Computing Security Awards

We are proud to confirm that PhishMe has been named as a finalist in two categories at the 2016 Computing Security Awards. PhishMe Simulator is shortlisted for ‘Anti Phishing Solution of the Year’ and ‘The Human Factor Award’ at a ceremony set to take place at London’s Cumberland Hotel on October 13th, 2016.

The Computing Security Awards champions the solutions and providers that help to keep organizations secure. Shortlisted for two distinct categories, PhishMe has been recognized not only for developing innovative human phishing defense and intelligence solutions, but also for its services to help organizations reduce phishing risk and susceptibility of human error-related data breaches.

With over 20 million employees trained in 160 countries, PhishMe Simulator has been proven to reduce the threat of employees falling victim to advanced cyber-attacks by up to 95%. The shortlisting at the Computing Security Awards is a credit to the hard work of the PhishMe research teams who use real phishing emails to create timely examples and content focused on today’s greatest threats such as Business Email Compromise (BEC) and Ransomware, transforming the entire workforce into an empowered line of defense against phishing.

Voting is open to the public so don’t forget to lend your support for us here and you can share on Twitter @PhishMe to help spread the word! The winners will be announced on 13 October at the Cumberland Hotel in Marble Arch, London.


PhishMe Announces New Excellence Awards Program for Customers

PhishMe is proud to announce our first-ever PhishMe Excellence Awards, taking place at our inaugural phishing defense summit and user conference, PhishMe Submerge, this September.

The PhishMe Excellence Awards showcase the outstanding achievements of security professionals to defend their companies against the damages of phishing. The companies and individuals recognized by the PhishMe Excellence awards are industry leaders, chosen for their innovative, successful programs to combat phishing attacks and protect their enterprise from the risks of malware infiltration and fraud loss.

Awards are distributed for performance excellence in three categories:

  • Phishing Defense Program of the Year: The most effective all-around, top performing, defensive phishing program across a comprehensive list of components including detection, alerting, reporting, employee training, employee participation, and results.
  • Incident Response Team of the Year: The top incident response team based on either of the following:
    • 1) Single Incident: scope of the incident, potential for damage, response strategy and cost/time saving value of the resolution; or
    • 2) Overall Process: the incident response team with the best ongoing process, system of detecting and deflecting the incident and minimizing the overall impact of phishing in the organization on an ongoing basis.
  • Most Innovative Phishing Defense Program: The most innovative phishing program implementation across an organization which could include contests, gamification, incentives, and other fresh approaches to improve training effectiveness and boost participation throughout the company.

All award submissions will be reviewed by an un-biased, anonymous panel of judges comprised of PhishMe product experts, industry leaders and security professionals.

Award entries open today, September 1st 2016. Deadline for submission is September 19th, 2016.

Don’t delay – download the official PhishMe Awards Form 2016 and submit your nomination.

Winners and finalists will be recognized on-stage at the PhishMe Submerge Conference Awards Opening Session on Thursday, September 29 in Orlando, Florida. You do not have to be present to win. Winners will be included in PhishMe Excellence Awards press releases, media announcement and featured on the PhishMe website. Each category winner is asked to select a charity of choice to receive a contribution in appreciation of their success.

To register for PhishMe Submerge, please visit

Macro Based Anti-Analysis

Over the past several months, PhishMe research has noticed an increase in anti-analysis techniques being included within Office macro and script files. This is the first post in a series where we look at the inclusion and effectiveness of these methods. Although the use of anti-analysis techniques is not new, they are generally observed within the packed payload in an effort to avoid detection by endpoint security solutions.

Most recently we came across a campaign of emails which included a malicious Microsoft Word document. The document contains a standard lure using an image instructing the user to enable active content as it was authored with a newer version of Microsoft Office.

figure 1

Once macros are enabled during analysis, we generally see activity: execution is triggered when the document is opened or an object is initialized, and the script begins extracting or downloading a malicious payload. With samples from this campaign, however, there was no activity when the macro was enabled.

Using oletools to quickly scan the document we see that the hook to trigger the macro code is using the Document_Close event instead of an event triggered using document open or object initialization. Running the sample in a sandbox further confirmed that dynamic analysis results were not available as the session timed out and the macro code was never executed.

figure 2

Visualizing the call-graph shows that the macro is composed of one main function and a de-obfuscation routine which allows us to quickly focus on the calls within the ijPql function. Analysis led us to find additional anti-analysis checks within the Macro before the payload was downloaded and executed.

figure 3

The macro first checks that the current username is not ‘USER’ and then checks that the RecentFiles count is > 3.

figure 4

The macro then makes an HTTP GET request to with the following custom headers:

  • Referer: ‘’
  • User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)

A successful request returns a JSON object which includes a traits structure containing information about the ISP, organization and ASN.

figure 5

The result is then checked to see whether any of the following strings exist within the JSON string.


If any of the checks fail, the macro will exit and not download the configured payload.


We see another example of attackers migrating anti-analysis techniques that are traditionally seen included within a packed payload, up the stack into the initial infection script. The use of a finalization event (on_close) to trigger execution, demonstrates that attackers understand the default capabilities of sandboxes and are implementing techniques to bypass automated analysis. Additionally, the inclusion of network source checks focusing on security and hosting infrastructure further indicates awareness of cloud based services being leveraged by researchers and security companies.

Although the checks are easily bypassed by researchers and analysts because they are implemented in a scripting language, they have been observed to be effective in circumventing dynamic analysis in common sandbox deployments.
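The two findings above (a close-only trigger and environment checks before any payload activity) can be turned into a static triage rule over extracted macro source. This is an added example, not PhishMe's tooling: it assumes the VBA text has already been dumped with a tool such as oletools, and the sample macro, its `Stage1` procedure and the `.invalid` URL are constructed.

```python
import re

# Word/Excel procedure names that run automatically on open versus on close.
OPEN_HOOKS = {"autoopen", "auto_open", "document_open", "workbook_open", "autoexec"}
CLOSE_HOOKS = {"autoclose", "auto_close", "document_close", "workbook_beforeclose"}

# Object-model members cannot be hidden by string obfuscation, so they stay
# visible even when URLs and other literals are decoded at run time.
ENV_CHECKS = [
    ("user name lookup",
     re.compile(r'\bApplication\.UserName\b|\bEnviron\$?\s*\(\s*"USERNAME"', re.I)),
    ("RecentFiles.Count", re.compile(r"\bRecentFiles\.Count\b", re.I)),
    ("outbound HTTP", re.compile(r"\bsetRequestHeader\b|XMLHTTP|WinHttpRequest", re.I)),
]
SUB_DEF = re.compile(r"^\s*(?:Private\s+|Public\s+)?Sub\s+(\w+)", re.I | re.M)

def strip_comments(src):
    """Drop VBA ' comments (outside string literals) to avoid false hits."""
    out = []
    for line in src.splitlines():
        in_str = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_str = not in_str
            elif ch == "'" and not in_str:
                line = line[:i]
                break
        out.append(line)
    return "\n".join(out)

def triage(vba_source):
    code = strip_comments(vba_source)
    subs = SUB_DEF.findall(code)
    opens = [s for s in subs if s.lower() in OPEN_HOOKS]
    closes = [s for s in subs if s.lower() in CLOSE_HOOKS]
    return {
        "open_hooks": opens,
        "close_hooks": closes,
        # Runs only when the document is closed: a sandbox that opens the
        # file and waits for a timeout never executes the macro.
        "deferred_only": bool(closes) and not opens,
        "env_checks": [label for label, rx in ENV_CHECKS if rx.search(code)],
    }

# Constructed macro skeleton mirroring the checks described above; no payload.
SAMPLE_VBA = """\
Private Sub Document_Close()
    ' execution is deferred until the document is closed
    Call Stage1
End Sub
Sub Stage1()
    If Application.UserName = "USER" Then Exit Sub
    If RecentFiles.Count <= 3 Then Exit Sub
    Dim h As Object
    Set h = CreateObject("MSXML2.XMLHTTP")
    h.Open "GET", "https://geo.example.invalid/", False
    h.send
End Sub
"""

if __name__ == "__main__":
    print(triage(SAMPLE_VBA))
```

A result with `deferred_only` set and any `env_checks` present is a cue to re-run the sample in a sandbox profile that closes the document and has a populated recent-files list.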

Document Samples  

  • 683154fa03f494bd368042b3546f7b04
  • 3bb6807d88a7ee359d7d813e01700001
  • 4c59ccbc0c524069e46ad8d92e65a14c

PhishMe Triage™ Advances Malware Investigation with Lastline Analyst

Phishing Incident Response – Through Automated Malware Analysis

Conditioning employees to detect and report suspicious email is a strategy security leaders have adopted through PhishMe’s innovative solutions. CISOs have realized that while technology continues to get better at preventing malware, the attackers continue to elevate their game and never rest, and neglecting people as defenders would be a mistake.

Reality-checking Mr.Robot Ransomware


USA Network’s television show, Mr.Robot, kicked off Season 2 with a BANG! The program features the exploits of a hacker named Elliot Alderson (Rami Malek) who uses the alias “Mr.Robot” to work with a team of hackers who call themselves F-Society and have as their mission the destruction of a major corporation that they call “Evil Corp,” whose logo calls back to the Big Corporate Corruption of Enron. In this episode, the attack is against the “Bank of E.”