Watch Your Six! Minerva Prevented a Built-in Keylogger in HP Driver

Recently as COVID-19 spreads, more organizations are enforcing remote work-from-home, making employees home computers more vulnerable than ever to cyberattacks.

Minerva is the only vendor that eliminates this risk by providing a unique, install-free Endpoint Protection for unmanaged devices (such as home PCs) throughout the entire remote VPN session without compromising user’s privacy.

One of the cool features of the Minerva Remote User Protection is Keylogger Protection. In the COVID-19 reality, this is a necessity to safeguard valuable and sensitive information, such as ­credentials, and it is the perfect timing to enhance the protection of our customers.

A few days ago, one of our customers, a global financial institution, that recently deployed Minerva Remote User Protection informed us about the following event in which Minerva PREVENTED a keylogger:

Although the VirusTotal score is perfect, we are looking at an unpatched HP vulnerability that was published by the Swiss security firm Modzero AG back in the middle of 2017. According to the publication, some HP audio drivers were released with a built-in keylogging functionality – affecting more than 50 different models. It took a few turnarounds till HP released a driver without the keylogging functionality, but eventually, they did.

In an enterprise network, such vulnerability would have been eliminated or least mitigated and managed, but no one can manage the home computers or users. This specific finding is easily exploitable, as explained text file located in the “”world readable”” path, C:\Users\Public\MicTray.log and if the file is not there, they elaborate:

If the logfile does not exist or the setting is not yet available in Windows registry,
all keystrokes are passed to the OutputDebugString API, which enables any process
in the current user-context to capture keystrokes without exposing malicious behavior. Any framework and process with access to the MapViewOfFile API should be able to silently capture sensitive data by capturing the user’s keystrokes.

In addition, as published by Diablohorn, it’s easy to enable the keylogger and report all the keystrokes remotely.

In this sheer example, the attacker doesn’t even need to implement his own keylogging functionality, evading from casting suspicion on his activity and being detected. Diablohorn’s post sums it up:

• Execute the MicTray application on user login
• Run the MicTray application without it being visible as a tray icon
• Pack it all into a single executable

Minerva’s Remote User Protection is built to eliminate such threats (keylogger) and other cyber threats by providing unique, install-free Endpoint Protection. The solution integrates with any VPN as part of the security policy (Host Checker) defined by the organization. The protection is active throughout the entire remote VPN session. Once the session is over, Minerva Remote User Protection disappears, therefore it is not compromising user’s privacy.

Click here to learn more!

Want to know more about Minerva? Schedule a demo now!