Let’s say a malicious actor publishes a piece of software that calls a screenshot function (e.g.
Graphics.CopyFromScreen() or the
UIAutomation Framework in .NET) every so often, but doesn’t notify the user of that. I download and install that software.
Assuming that the software is signed with a valid publisher certificate, I have a few questions around that:
- Would that screengrabbing behaviour be detected by an(y) Antivirus solution?
- If yes, do legitimate screengrabbing programs need exceptions in an antivirus program to allow that behaviour?
- If no, will at least the exfiltration of the data be detected by the AntiVirus software? (I guess the exfiltration can happen in so many different ways that it’s a bit of an arms race to see that bytes are being sent that encapsulate/encode the screengrab and not some form of telemetry, for example)
I’ve been googling for a while but can’t seem to find anything on the topic.