If the logfile does not exist or the setting is not yet available in Windows registry, all keystrokes are passed to the OutputDebugString API, which enables any process in the current user-context to capture keystrokes without exposing malicious behavior. In addition to the handling of hotkey/function key strokes, all key-scancode information is written into a logfile in a world-readable path (C:\Users\Public\MicTray.log). Monitoring of keystrokes is added by implementing a low-level keyboard input hook function that is installed by calling SetwindowsHookEx(). The program monitors all keystrokes made by the user to capture and react to functions such as microphone mute/unmute keys/hotkeys. The infection method seems simple enough:Ĭonexant's MicTray64.exe is installed with the Conexant audio driver package and registered as a Microsoft Scheduled Task to run after each user login. It’s still there today with driver Version 1.0.0.46. Modzero says it found evidence of the problematic behavior going all the way back to December 2015. It's an impressive lineup, including many current models.
The Security Advisory goes on to list almost 30 HP machines known to use the bad drivers, including EliteBook, ProBook, ZBook, and Elite x2 models running both Windows 10 and Win7. Probably other hardware vendors, shipping Conexant hardware and drivers.Recent and previous (Q2/2017) HP Audiodriver Packages / Conexant High-Definition (HD) Audio Driver Version 10.0.931.89 REV: Q PASS: 5 ().According to modzero, the keylogger is part of the driver set for Conexant audio chips.
0 kommentar(er)
