Source code of an NSA keylogger named QWERTY is contained in documents from the Snowden archive published by Der Spiegel. It’s a piece of software designed to surreptitiously intercept all keyboard keys pressed by the victim and record them for later inspection. It is an ordinary, indeed rather dated, keylogger. Similar software can already be found in numerous applications, so it doesn’t seem to pose any acute danger — but the source code contained in it does reveal some interesting details. They suggest that this keylogger might be part of the large arsenal of modules that belong to the WARRIORPRIDE program, a kind of universal Esperanto software used by all the Five Eyes partner agencies that at times was even able to break into iPhones, among other capabilities. The documents published by SPIEGEL include sample code from the keylogger to foster further research and enable the creation of appropriate defenses.
Strings in one of the QWERTY binaries suggest that the Australian Defense Signals Directorate (DSD), now known as Australian Signals Directorate (ASD), might have had a part in the development:
Our analysis of the QWERTY malware published by Der Spiegel indicates it is a plugin designed to work as part of the Regin platform. The QWERTY keylogger doesn’t function as a stand-alone module; it relies on kernel hooking functions which are provided by the Regin module 50225. Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its source code, we conclude the QWERTY malware developers and the Regin developers are the same or working together.