SonicWall Security Center
Share: Linkedin Share Facebook Like
Back to SonicALERT

Emissary Keylogger (May 20, 2010)


SonicWALL UTM Research team received reports of a new KeyLogger seen in the wild called Emissary Keylogger. This Keylogger builder has a free version and a paid version being sold in a hacker forum.

The Keylogger builder comprises of two files-- Emissary.exe and Stub.exe. Emissary.exe as shown below is the first released version of the keylogger builder. It requires a malicious user to input email address where the captured keylogs will be sent, the keylogger server name to build, a Fake Message that will popup when the server runs, and system options such as blocking AV sites, adding entry to startup and disabling administrative tasks such as the task manager and Registry editor.


The builder will generate the keylogger server server.exe from Stub.exe, which the malicious user will use to target a victim.


An updated Emissary Builder v3.0 is also available with added features and functionalities such as:

  • Supports Gmail, Hotmail and AOL email account
  • FTP Backup
  • Icon Changer
  • Screenshot capture
  • Execute Batch file
  • Opening Webpage
  • Start a Process
  • Change Desktop Wallpaper
  • Auto Startup Technique
    • Adds Startup Registry entry
    • Copy itself to Startup folder
  • Sends logs in HTML format
  • Can Spread via USB
  • Download and Execute trojans
  • Deletes Cookies
  • Logs Clipboard
  • Block Websites by modifying LocalHost File

    Default entries of this keylogger in Local Hosts file blocks the following security related websites:

  • Sends System Information such as:
    • Username
    • Machine Name
    • Installed logical drives
    • IP
    • Installed Softwares.

  • Disables the following Windows Features by adding registry entries such as:
    • Task Manager
      • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
        Value: DisableTaskMgr
        Data: dword:00000001
    • CMD
      • Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
        Value: DisableCMD
        Data: dword:00000001
    • Registry Editor
      • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
        Value: DisableRegistryTools
        Data: dword:00000001
    • Control Panel
      • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
        Value: NoControlPanel
        Data: dword:00000001
    • Folder Options
      • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
        Value: NoFolderOptions
        Data: dword:00000001
    • Run
      • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
        Value: NoRun
        Data: dword:00000001
    • Firewall
      • Key: HHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
        Value: EnableFirewall
        Data: dword:00000000
    • Safeboot
    • Deletes the following registry entry:
      • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
    • User Account Control (UAC)
      • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
        Value: EnableLUA
        Data: dword:00000000
    • Right Click on Desktop and Windows Explorer
      • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
        Value: NoViewContextMenu
        Data: dword:00000001

  • * Startup Folder is usually \Documents and Settings\Username\Start Menu\Programs\
    * LocalHost is {System Directory}\Drivers\etc\hosts

Shown below are the screenshots of Emissary Builder v3:




Infection Cycle

Malware authors use different infection vectors to target as many unsuspecting users as possible. They employ social engineering techniques to lure the users into downloading and installing their malware. In one such instance of social engineering tactics used for Emissary keylogger, we saw the malware author use popular video sharing site YouTube which further contained link to a site where the keylogger was being hosted.

1. The Malware author will upload a video on The Youtube video can pertain to anything that an unsuspecting user might be interested. It will lure the user to click the download link of the video which in fact is a link where the actual keylogger server can be downloaded. In this case, its the website.


2. With the use of the URL shortening tool, the user have no idea where the download link will be redirected. Once the user clicks the download link, it will be redirected to the website that hosts the keylogger server. The user will then download the file and executes it.


3. The keylogger will then start infecting the system and gathers information and sends it to the author's email. Shown below is an email account of the malware author showing the list of computer machine's infected.


SonicWALL Gateway AntiVirus provides protection against this Keylogger via GAV: EmissaryKeyLogger (Trojan) and GAV: EmissaryKeyLogger_2 (Trojan) signatures.

Back to top

Back to SonicALERT

Follow: Follow us on Facebook Follow us on Twitter Join the Conversation
© 2018 SonicWall | Privacy Policy | Conditions for use | Feedback | Live Demo | SonicALERT | Document Library | Report Issues
Version: 13.18 | S2MSW04