A Python MP3 Player with Builtin Keylogger Capability, (Thu, Feb 8th)

I don’t know if there is a trend, but I recently found some malicious Python scripts (targeting Windows hosts) that include a GUI. They don’t try to hide from the victim; on the contrary, they try to make the victim feel confident. One example was the game[1] combined with an infostealer.

Yesterday, I found another one that mimics an MP3 player:

This is very easy to do in Python: create a Tk GUI and use pygame[2] to handle the MP3 files:


This simple MP3 player has a gift for you: it includes a keylogger based on another popular library, pynput[3]. All recorded keystrokes are sent over a plain TCP connection established with the C2. There is no encryption, nothing; just the raw keycodes are sent.
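Because the exfiltration is plaintext, a defender who captures the C2 traffic can both spot it and assess what was leaked. The following is an added example of my own, not code from the diary or from the malicious script: it scores a TCP payload by how many of its tokens look like pynput key representations and rebuilds the typed text for impact assessment. It assumes the keylogger forwards str(key) per event (e.g. "Key.space" or "'a'"), whitespace separated, which the diary does not state; the sample payloads are constructed.

```python
import re

# Assumption (not stated in the diary): each pynput event is sent as str(key),
# i.e. "Key.space" / "Key.enter" for special keys, "'a'" for printable
# characters and "<123>" for unnamed virtual keys, separated by whitespace.
PYNPUT_TOKEN = re.compile(r"^(Key\.[a-z_0-9]+|'.'|<\d+>)$")


def keylog_score(payload: bytes) -> float:
    """Fraction of whitespace-separated tokens that look like pynput key strings."""
    tokens = payload.decode("utf-8", errors="replace").split()
    if not tokens:
        return 0.0
    hits = sum(1 for t in tokens if PYNPUT_TOKEN.match(t))
    return hits / len(tokens)


def looks_like_keylog(payload: bytes, threshold: float = 0.8, min_tokens: int = 8) -> bool:
    """Flag a payload when most of its tokens are pynput key strings.
    min_tokens avoids alerting on a single very short packet."""
    tokens = payload.decode("utf-8", errors="replace").split()
    return len(tokens) >= min_tokens and keylog_score(payload) >= threshold


def reconstruct(payload: bytes) -> str:
    """Turn the captured stream back into readable text so the responder can
    see which credentials were exposed. Modifier keys carry no character."""
    out = []
    for t in payload.decode("utf-8", errors="replace").split():
        if len(t) == 3 and t[0] == t[2] == "'":
            out.append(t[1])
        elif t == "Key.space":
            out.append(" ")
        elif t == "Key.enter":
            out.append("\n")
        elif t == "Key.backspace" and out:
            out.pop()
    return "".join(out)


# Constructed sample payloads for testing, not captures from the real sample.
KEYLOG_SAMPLE = b"Key.shift 'P' 'a' 's' 's' Key.backspace 's' 'w' '0' 'r' 'd' Key.enter"
BENIGN_SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/8.0\r\n\r\n"

if __name__ == "__main__":
    for name, data in (("keylog", KEYLOG_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, round(keylog_score(data), 2), looks_like_keylog(data))
    print(repr(reconstruct(KEYLOG_SAMPLE)))
```

Feeding the same heuristic into a pcap parser (per TCP stream rather than per packet) gives a cheap network signature for this family, since nothing in the traffic is obfuscated.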

This is a perfect opportunity to show you how powerful keyloggers are. Even if you use robust passwords, everything is exfiltrated to the attacker’s computer. I made a quick video to demonstrate how it works[4]. I just modified the C2 details to match my lab, so let’s play some music:

The Python script (SHA256:4f6388fa03aaff486886ca09bc1047b109c92451618d90b4aaef2e89ce14a0af) has a very low VT detection score (2/61)[5].

[1] https://isc.sans.edu/diary/Shall+We+Play+a+Game/30510
[2] https://pypi.org/project/pygame/
[3] https://pypi.org/project/pynput/
[4] https://youtu.be/4fViSafrjnY
[5] https://www.virustotal.com/gui/file/4f6388fa03aaff486886ca09bc1047b109c92451618d90b4aaef2e89ce14a0af/details

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.