This Trend Micro research paper reveals the operations behind the Predator Pain and Limitless keyloggers, both of which are easily obtainable from underground forums. These remote access tools (RATs) offer similar functions: standard keylogging behavior combined with several data-exfiltration methods. Our researchers studied these keyloggers for only a few months, but found a number of noteworthy features.
General attack scenario
The common attack scenario for cybercriminals using these toolkits is to send business-themed messages to publicly listed email addresses, a method closely related to what is known as a Business Email Compromise (BEC) scheme. The emails carry a keylogger that sends information back to the cybercriminal via email, FTP, or a PHP Web panel: system information, keystrokes, browser-cached account credentials, and screenshots.
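The three exfiltration channels named above (SMTP, FTP, and HTTP POST to a PHP panel) are all unusual traffic for an ordinary workstation, which makes them a practical detection hook. The script below is an added example, not code from the paper or from Trend Micro: it scans constructed firewall/proxy log lines in a hypothetical format, ignores hosts that legitimately speak SMTP/FTP (a mail relay in an assumed allowlist) and internal destinations, and flags workstation-originated connections on SMTP/FTP ports or POSTs to `.php` endpoints. The address plan, log format, and sample lines are all assumptions made for the example.

```python
"""
Flag the exfiltration channels used by Predator Pain / Limitless style
keyloggers (SMTP, FTP, HTTP POST to a PHP web panel) when they originate
from ordinary workstations. Log format and sample lines are hypothetical.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical address plan: workstations live in 10.20.0.0/16; hosts that
# legitimately talk SMTP/FTP outbound (e.g. the mail relay) are allowlisted.
WORKSTATION_NET = ipaddress.ip_network("10.20.0.0/16")
SERVER_ALLOWLIST = {"10.20.0.25"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Destination ports used by the keyloggers' email and FTP exfil modes.
SMTP_PORTS = {25, 465, 587}
FTP_PORTS = {21}

# Constructed sample log lines (not taken from the paper).
# Format: <timestamp> <src_ip> <dst_ip> <dst_port> <proto> [<method> <url>]
SAMPLE_LOG = """\
2014-11-03T09:12:01Z 10.20.3.14 203.0.113.10 587 tcp
2014-11-03T09:12:05Z 10.20.0.25 203.0.113.10 25 tcp
2014-11-03T09:13:40Z 10.20.3.14 198.51.100.7 21 tcp
2014-11-03T09:14:02Z 10.20.5.9 192.0.2.44 80 http POST http://192.0.2.44/panel/gate.php
2014-11-03T09:14:30Z 10.20.5.9 192.0.2.44 80 http GET http://192.0.2.44/index.html
2014-11-03T09:15:00Z 10.20.7.2 10.20.0.25 25 tcp
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)(?: (\S+) (\S+))?$")


def is_internal(ip):
    """True for RFC 1918 space; used instead of ip.is_private because Python
    also treats the TEST-NET documentation ranges as private."""
    return any(ip in net for net in INTERNAL_NETS)


def classify(line):
    """Return (src, channel, dst) for a suspicious line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, src, dst, port, proto, method, url = m.groups()
    src_ip, dst_ip, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)

    # Only workstations are interesting; servers on the allowlist and
    # traffic to internal destinations (e.g. the corporate relay) are fine.
    if src_ip not in WORKSTATION_NET or src in SERVER_ALLOWLIST:
        return None
    if is_internal(dst_ip):
        return None

    if port in SMTP_PORTS:
        return (src, "smtp-exfil", dst)
    if port in FTP_PORTS:
        return (src, "ftp-exfil", dst)
    if proto == "http" and method == "POST" and url:
        if urlsplit(url).path.lower().endswith(".php"):
            return (src, "php-panel-exfil", dst)
    return None


def scan(log_text):
    """Classify every line; returns the list of findings in log order."""
    findings = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for src, channel, dst in scan(SAMPLE_LOG):
        print(f"{src} -> {dst}: {channel}")
```

The workstation-versus-server distinction is what keeps this useful: a mail relay speaking SMTP to the Internet is normal, while a desktop doing so is the hallmark of the keyloggers' email exfil mode. In a real deployment the allowlist and subnets come from the asset inventory, and the `.php` POST rule is a coarse first pass that should be tuned against the organization's own web traffic.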
Predator Pain and Limitless can steal a large amount of information and exfiltrate it back to the cybercriminals. Both are off-the-shelf tools, easily obtainable for US$40 or less in underground forums or on websites run by their creators.
Predator Pain has been around since 2008 and is regularly updated. Its notable features include retrieving the affected user's last Minecraft log-in file and stealing Bitcoin wallets. Limitless samples continue to be used for data exfiltration.
Based on our research and investigation, the Predator Pain and Limitless operators mostly target corporate users in specific regions, usually spreading the malware through spam campaigns.
Investigations of several Predator Pain and Limitless attacks were conducted to find out how the keyloggers were used and what the operators' end goal was. Findings revealed that most, but not all, of the operators were involved in the following:
The 419 or Nigerian scams through easy-to-deploy, high-volume attacks
Scammed corporate emails that convince recipients to deposit payment to specially crafted accounts
The attack targets were not ordinary home users, employees of Fortune 500 companies, or government institutions. The cybercriminals instead went after SMBs (small and medium-sized businesses), which led us to realize how vulnerable SMBs are to the threats featured in this paper. SMBs may not be involved in multimillion-dollar deals, but they do conduct transactions worth tens to hundreds of thousands of dollars. Worse, their employees may not even be aware of general IT security best practices. Based on this paper's findings, they are indeed attractive and vulnerable targets.