A Backdoor with Smart Screenshot Capability

From isc.sans.edu

Today, everything is “smart” or “intelligent”. We have smartphones, smart cars, smart doorbells, etc. Being “smart” means performing actions depending on the context, the environment, or user actions.

Backdoors and trojans have implemented screenshot capabilities for a long time. From an attacker’s point of view, it’s interesting to “see” what’s displayed on the victim’s computer. Taking a screenshot in Python, with the pyautogui module, is as easy as this:

import pyautogui
# Saves the capture to screenshot.png and also returns it as a PIL Image
screenshot = pyautogui.screenshot('screenshot.png')

You have two approaches to record screenshots:

  1. On-demand, when the C2 server issues a command like “TAKE_SCREENSHOT”
  2. At regular intervals (every x seconds)

In the first case, the attacker must interact with the malware and can miss interesting “screens”. In the second case, the technique generates a lot of overhead (CPU, storage, bandwidth, …).
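To make that trade-off concrete, here is an added example (editor’s code, not from the diary or from the backdoor it describes) that runs both approaches over a constructed timeline of what a victim’s screen shows each second. The capture function is abstracted away so the example runs offline: the short byte strings stand in for the image bytes pyautogui.screenshot() would return. The dedupe() helper, which drops frames identical to the previous one, is a generic way to cut the overhead of periodic capture; it is an assumption of this example, not a feature the diary attributes to the malware.

```python
import hashlib
from typing import Iterable, List, Sequence, Set, Tuple

Frame = Tuple[int, bytes]  # (timestamp in seconds, frame content)

# Constructed timeline (not real data): what is on screen at each second.
# A real implant would store pyautogui.screenshot() output here instead.
TIMELINE: List[Frame] = [
    (0, b"desktop"), (1, b"desktop"), (2, b"desktop"),
    (3, b"bank login page"), (4, b"bank login page"),
    (5, b"desktop"), (6, b"desktop"), (7, b"desktop"),
    (8, b"password manager"), (9, b"desktop"),
]
# Screens an attacker would consider worth capturing (assumed for the example).
INTERESTING: Set[bytes] = {b"bank login page", b"password manager"}


def frame_at(timeline: Sequence[Frame], t: int) -> bytes:
    """Return what is on screen at second t (last frame at or before t)."""
    content = timeline[0][1]
    for ts, c in timeline:
        if ts > t:
            break
        content = c
    return content


def on_demand(timeline: Sequence[Frame], command_times: Iterable[int]) -> List[Frame]:
    """Approach 1: capture only at the instants the C2 sends TAKE_SCREENSHOT."""
    return [(t, frame_at(timeline, t)) for t in command_times]


def periodic(timeline: Sequence[Frame], interval: int) -> List[Frame]:
    """Approach 2: capture every `interval` seconds regardless of content."""
    last = timeline[-1][0]
    return [(t, frame_at(timeline, t)) for t in range(0, last + 1, interval)]


def dedupe(captures: List[Frame]) -> List[Frame]:
    """Keep a frame only when its hash differs from the previously kept one,
    so an idle desktop does not cost storage and bandwidth on every tick.
    (Generic overhead mitigation assumed for this example.)"""
    kept: List[Frame] = []
    prev = None
    for t, content in captures:
        digest = hashlib.sha256(content).hexdigest()
        if digest != prev:
            kept.append((t, content))
            prev = digest
    return kept


def missed(captures: List[Frame], interesting: Set[bytes] = INTERESTING) -> Set[bytes]:
    """Interesting screens that never made it into the capture set."""
    return set(interesting) - {content for _, content in captures}


if __name__ == "__main__":
    # Attacker asks for screenshots at t=1 and t=6: both show the desktop.
    od = on_demand(TIMELINE, [1, 6])
    print("on-demand:", len(od), "frames, missed:", missed(od))
    # Every second: nothing missed, but 10 frames for 5 distinct screens.
    p1 = periodic(TIMELINE, 1)
    print("periodic(1):", len(p1), "frames, after dedupe:", len(dedupe(p1)))
    # Every 3 seconds: cheaper, but the short-lived password manager is lost.
    p3 = periodic(TIMELINE, 3)
    print("periodic(3):", len(p3), "frames, missed:", missed(p3))
```

Running it shows the two failure modes side by side: the on-demand captures at t=1 and t=6 both return an idle desktop and miss every interesting screen, a one-second interval catches everything at the cost of ten frames for five distinct screens (dedupe brings that back to five), and a coarser three-second interval halves the cost but loses the screen that was only visible for one second.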
