07 Nov 2017

The MantisTek GK2 is a popular 104-key mechanical keyboard that costs around $49.99. It has all the bells and whistles that you would expect from a keyboard aimed at gamers. It even comes with a keylogger, free of charge. Our colleagues from Tom’s Hardware reported a rather disturbing story about this particular model.

Gaming keyboards offer so much customization nowadays that most come with some kind of configuration software, and the MantisTek GK2 is no different. However, multiple owners have reported that the keyboard’s software is actually a front for stealing your valuable information.

Apparently, the keyboard’s “Cloud Driver” is the culprit, sending user information to a pair of IP addresses linked to Alibaba servers. That doesn’t mean Alibaba is stealing your data: since the company also sells cloud services, it’s quite possible that someone is using Alibaba servers to pull off the heist. After analyzing the software’s online activity, users discovered that the data being sent also included key presses.

If you’re one of the unlucky owners, it’s recommended that you uninstall the software entirely. Make sure you block the CMS.exe executable and MantisTek Cloud Driver with your firewall as well.

The data being sent (in plaintext, no less) has been identified as a count of how many times keys have been pressed.

How To Stop The Keylogger

The first way to stop the keyboard from sending your key presses to the Alibaba server is to ensure the MantisTek Cloud Driver software isn’t running in the background.

The second method to stop the data collection is to block the CMS.exe executable in your firewall. You can do this by adding a new firewall rule for the MantisTek Cloud Driver in “Windows Defender Firewall with Advanced Security.”
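The two methods above can also be scripted. The following PowerShell is an added example, not taken from the original article or from MantisTek; it assumes the Cloud Driver runs as a process named CMS (per the CMS.exe name above), discovers the install path from that process because the article does not give it, and uses a constructed rule name.

```powershell
# Run from an elevated PowerShell prompt (Windows 8 / Server 2012 or later).
# Assumption: the Cloud Driver process is named "CMS" (CMS.exe in the article).
# The article does not give the install path, so it is read from the running
# process. If the driver is not running, set $ProgramPath by hand.
$ProgramPath = $null                                   # e.g. full path to CMS.exe
$RuleName    = 'Block MantisTek Cloud Driver (CMS.exe)' # constructed rule name

# 1. Find the running driver and, if needed, take the executable path from it.
$procs = Get-Process -Name 'CMS' -ErrorAction SilentlyContinue
if (-not $ProgramPath) {
    $ProgramPath = $procs | Where-Object Path |
        Select-Object -First 1 -ExpandProperty Path
}
if (-not $ProgramPath -or -not (Test-Path -LiteralPath $ProgramPath)) {
    throw 'CMS.exe not found: start the Cloud Driver once or set $ProgramPath.'
}

# 2. First method: make sure the driver is not running in the background.
if ($procs) { $procs | Stop-Process -Force }

# 3. Second method: block the executable in Windows Defender Firewall.
#    Outbound stops the upload; inbound is added for completeness.
foreach ($direction in 'Outbound', 'Inbound') {
    $name = "$RuleName - $direction"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction $direction `
            -Program $ProgramPath -Action Block -Profile Any | Out-Null
    }
}

# 4. Verify: list the rules and the program path each one is bound to.
Get-NetFirewallRule -DisplayName "$RuleName*" | ForEach-Object {
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Enabled   = $_.Enabled
        Direction = $_.Direction
        Action    = $_.Action
        Program   = ($_ | Get-NetFirewallApplicationFilter).Program
    }
} | Format-Table -AutoSize
```

A program rule matches only the exact path it was created with, so re-run the script if the software is reinstalled or updated to a different folder. Stopping the process does not prevent it from starting again at the next login, which is why the article also recommends uninstalling the software.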

If you want a one-click method, you can also download the free GlassWire network monitoring tool. GlassWire will show you all the apps making connections to the internet in the “Alerts” tab and let you block those connections in the “Firewall” tab. It can also be used for other types of connections, such as all the connections Windows 10 makes to Microsoft’s servers even when you have most or all data tracking disabled.

IT Security Professional – Security Researcher & Consultant for the Government, Enthusiast, Malware Analyst, Penetration Tester.
