In recent years, mobile Trojans have been actively replacing Trojans for personal computers, so the emergence of new malware for the good old "cars" and their active use by cybercriminals, although an unpleasant event, is still an event. Recently, the CERT Group-IB XNUMX/XNUMX Information Security Incident Response Center detected an unusual phishing email that was hiding a new malware for PCs that combines the functions of Keylogger and PasswordStealer. Analysts' attention was drawn to how the spyware got onto the user's machine - using a popular voice messenger. Ilya Pomerantsev, an expert in the analysis of malicious code CERT Group-IB, told how the malware works, why it is dangerous, and even found its creator - in distant Iraq.
So, let's go in order. Under the guise of an attachment, such a letter contained a picture, by clicking on which the user got to the site cdn.discordapp.com, and a malicious file was downloaded from there.
Using Discord, a free voice and text messenger, is pretty out of the box. Usually other messengers or social networks are used for these purposes.
During a more detailed analysis, a family of malware was identified. It turned out to be a newcomer to the malware market - 404 Keylogger.
The first announcement about the sale of a keylogger was posted on hackforums user under the nickname "404 Coder" on August 8.
The store's domain was registered quite recently - September 7, 2019.
According to the developers on the site 404projects[.]xyz, 404 is a tool created to help companies learn about the actions of their customers (with their permission) or for those who want to protect their binary from reverse engineering. Looking ahead, let's say that with the last task 404 definitely doesn't work.
We decided to resolve one of the files and check what "BEST SMART KEYLOGGER" is.
HPE ecosystem
Loader 1 (AtillaCrypter)
The original file is protected with EaxObfuscator and performs two-stage loading AtProtect from the resources section. During the analysis of other samples found on VirusTotal, it became clear that this stage was not envisaged by the developer himself, but was added by his client. Later it was found that this bootloader is AtillaCrypter.
Loader 2 (AtProtect)
In fact, this loader is an integral part of the malware and, according to the developer, should take on the functionality of countering analysis.
However, in practice, protection mechanisms are extremely primitive, and our systems successfully detect this malware.
The main module is loaded using Franchy ShellCode various versions. However, we do not rule out that other options could be used, for example, RunPE.
Configuration file
Fixing in the system
Fixing in the system is provided by the bootloader AtProtectif the corresponding flag is set.
- The file is copied along the path %AppData%GFqaakZpzwm.exe.
- A file is created %AppData%GFqaakWinDriv.url, launching Zpzwm.exe.
- In branch HKCUSoftwareMicrosoftWindowsCurrentVersionRun start key is generated WinDrive.url.
Interaction with C&C
AtProtect Loader
If the corresponding flag is present, malware can launch a hidden process iexplorer and follow the link provided to notify the server of a successful infection.
datastealer
Regardless of the method used, network communication begins with obtaining the external IP of the victim using the resource [http]://checkip[.]dyndns[.]org/.
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
The general structure of the message is the same. Title present
|ββ- 404 Keylogger β {Type} ββ-|Where {type} corresponds to the type of information being transmitted.
The following is information about the system:
_______ + VICTIM INFO + _______
IP: {External IP}
Owner Name: {Computer name}
OS Name: {OS name}
OS Version: {OS Version}
OS Platform: {Platform}
RAM Size: {RAM size}
______________________________
And finally, the transmitted data.
SMTP
The subject of the email looks like this: 404K | {message type} | Client Name: {username}.
Interestingly, to deliver letters to the client 404 Keylogger the developer's SMTP server is used.
This made it possible to identify some clients, as well as the mail of one of the developers.
FTP
When using this method, the collected information is saved to a file and immediately read from there.
The logic of this action is not entirely clear, but it creates an additional artifact for writing behavioral rules.
%HOMEDRIVE%%HOMEPATH%DocumentsA{Custom number}.txt
Pastebin
At the time of analysis, this method is used only for the transfer of stolen passwords. Moreover, it is used not as an alternative to the first two, but in parallel. The condition is the value of the constant equal to "Vavaa". Presumably this is the customer's name.
The interaction takes place over the https protocol via the API pastebin... Value api_paste_private equally PASTE_UNLISTED, which prevents such pages from being searched in pastebin.
Encryption algorithms
Retrieving a file from resources
The payload is stored in the loader resources AtProtect in the form of Bitmaps. Extraction is carried out in several stages:
- An array of bytes is extracted from the image. Each pixel is treated as a sequence of 3 bytes in BGR order. After extraction, the first 4 bytes of the array store the length of the message, the next - the message itself.
- The key is calculated. To do this, MD5 is calculated from the value "ZpzwmjMJyfTNiRalKVrcSkxCN" specified as the password. The resulting hash is written twice.
- Decryption is performed by AES algorithm in ECB mode.
Malicious functionality
Downloader
Implemented in the bootloader AtProtect.
- Appeal to [activelink-repalce] the status of the server about the readiness to give the file is requested. The server should return "ON".
- Link [downloadlink-replace] the payload is downloaded.
- With FranchyShellcode payload is injected into the process [inj-replace].
During domain analysis 404projects[.]xyz additional instances have been identified on VirusTotal 404 Keylogger, as well as several types of loaders.
Conventionally, they are divided into two types:
- Loading is carried out from the resource 404projects[.]xyz.
The data is Base64 encoded and AES encrypted. - This option consists of several stages and is most likely used in conjunction with the bootloader AtProtect.
- At the first stage, the data is loaded from pastebin and decoded using the function HexToByte.
- In the second stage, the download source is itself 404projects[.]xyz. At the same time, the decompression and decoding functions are similar to those found in DataStealer. Probably, it was originally planned to implement the loader functionality in the main module.
- At this point, the payload is already in the resource manifest in compressed form. Similar extraction functions were also found in the main module.
Loaders were found among the analyzed files njRat, SpyGate and other RATs.
Keylogger
Log sending period: 30 minutes.
All characters are supported. Special characters are escaped. There is a processing of the BackSpace and Delete keys. Register is taken into account.
clipboardlogger
Log sending period: 30 minutes.
Buffer polling period: 0,1 seconds.
Implemented link escaping.
ScreenLogger
Log sending period: 60 minutes.
Screenshots are saved in %HOMEDRIVE%%HOMEPATH%Documents404k404pic.png.
After sending the folder 404 k removed.
Password Stealer
| Browsers | Email clients | FTP Clients |
|---|---|---|
| Chrome | Outlook | fileZilla |
| Firefox | Thunderbird | |
| SeaMonkey | Foxmail | |
| Icedragon | ||
| PaleMoon | ||
| Cyberfox | ||
| Chrome | ||
| BraveBrowser | ||
| QQBrowser | ||
| IridiumBrowser | ||
| XvastBrowser | ||
| Chedot | ||
| 360Browser | ||
| ComodoDragon | ||
| 360Chrome | ||
| SuperBird | ||
| CentBrowser | ||
| GhostBrowser | ||
| IronBrowser | ||
| Chromium | ||
| Vivaldi | ||
| SlimjetBrowser | ||
| orbitum | ||
| CocCoc | ||
| Torch | ||
| UCBrowser | ||
| EpicBrowser | ||
| BliskBrowser | ||
| Opera |
Opposition to dynamic analysis
- Checking if a process is under analysis
Carried out by searching for processes taskmgr, ProcessHacker, processx64, procedure, procmon. If at least one is found, the malware exits.
- Checking if you are in a virtual environment
Carried out by searching for processes vmtoolsd, VGAuthService, vmacthlp, VBoxService, VBoxTray. If at least one is found, the malware exits.
- Fall asleep for 5 seconds
- Demonstration of various types of dialog boxes
Can be used to bypass some sandboxes.
- Bypass UAC
Performed by editing a registry key EnableLUA in group policy settings.
- Apply the Hidden attribute to the current file.
- Ability to delete the current file.
Inactive Features
During the analysis of the loader and the main module, functions were found that are responsible for additional functionality, but they are not used anywhere. This is probably due to the fact that the malware is still under development and the functionality will be expanded soon.
AtProtect Loader
A function was found that is responsible for loading and injecting into the process msiexec.exe arbitrary module.
datastealer
- Fixing in the system
- Decompression and decryption functions
It is likely that data encryption during network interaction will be implemented soon. - Ending Antivirus Processes
| zlclient | Dvp95_0 | Pavsched | avgserv9 |
| egui | Ecengine | pavw | avgserv9schedapp |
| bdagent | Esafe | PCCIOMON | avgemc |
| npfmsg | Espwatch | PCCMAIN | ashwebsv |
| olydbg | F-Agnt95 | pccwin98 | ashdisp |
| anubis | Findvir | Pcfwallicon | ashmaisv |
| wireshark | fprot | Persfw | ashserv |
| Avastui | F-Prot | POP3TRAP | aswUpdSv |
| _Avp32 | F-Prot95 | PVIEW95 | symwsc |
| vsmon | Fp Win | Rav7 | norton |
| mbam | frw | Rav7win | Norton Auto-Protect |
| keyscrambler | F-Stopw | Rescue | norton_av |
| _Avpcc | imapp | SafeWeb | nortonav |
| _Avpm | Iamserv | Scan32 | ccsetmgr |
| Ackwin32 | Ibmasn | Scan95 | ccevtmgr |
| Outpost | Ibmavsp | Scanpm | avadmin |
| Anti Trojan | Icload95 | Scrscan | avcenter |
| ANTIVIR | Icloadnt | Serv95 | avgnt |
| Apvxdwin | icmon | smc | avguard |
| ATRACK | Icsupp95 | SMCSERVICE | avnotify |
| autodown | Icsuppnt | Snort | avscan |
| Avconsol | face | Sphinx | guardgui |
| Ave32 | Iomon98 | Sweep95 | nod32krn |
| Avgctrl | Jedi | SYMPROXYSVC | nod32kui |
| Avkserv | lockdown2000 | Tbscan | clamscan |
| Avnt | Lookout | approx | clamTray |
| avp | Luall | Tds2-98 | clamWin |
| Avp32 | MCAFEE | Tds2-Nt | freshclam |
| Avpcc | Moolive | TermiNET | oladdin |
| Avpdos32 | mpftray | Know95 | sig tool |
| Avpm | N32scanw | Vettaray | w9xpopen |
| Avptc32 | NAVAPSVC | Vscan40 | Close |
| Avpupd | NAVAPW32 | Vsecomr | cmgrdian |
| Avsched32 | NAVLU32 | Vshwin32 | alogserv |
| AVSYNMGR | Navnt | Vsstat | mcshield |
| Avwin95 | NAVRUNR | webscanx | vshwin32 |
| Avwupd32 | Navw32 | WEBTRAP | avconsol |
| blackd | Navwnt | Wfindv32 | vsstat |
| Blackice | neowatch | ZoneAlarm | avsynmgr |
| cfiadmin | NISSERV | LOCKDOWN2000 | avcmd |
| Cfiaudit | Nisum | RESCUE32 | avconfig |
| Cfinet | n main | LUCOMSERVER | licmgr |
| Cfinet32 | normist | avgcc | sched |
| Claw95 | NORTON | avgcc | preupd |
| Claw95cf | Nupgrade | avgamsvr | MsMpEng |
| Cleaner | Nvc95 | avgupsvc | MSASCui |
| Cleaner3 | Outpost | avgw | Avira.Systray |
| Defwatch | admin | avgcc32 | |
| Dvp95 | Pavcl | avgserv |
- Self-destruction
- Loading data from the specified manifest resource
- Copying a file along the path %Temp%tmpG[Current date and time in milliseconds].tmp
Interestingly, an identical function is present in the AgentTesla malware. - Worm functionality
The malware receives a list of removable media. A copy of the malware is created in the root of the media file system with the name Sys.exe. Autostart is implemented using the file autorun.inf.
Attacker Profile
During the analysis of the command center, it was possible to establish the mail and nickname of the developer - Razer, aka Brwa, Brwa65, HiDDen PerSOn, 404 Coder. Further, an interesting video was found on YouTube, which demonstrates the work with the builder.
This made it possible to find the original developer channel.
It became clear that he had experience in writing cryptors. There are also links to pages on social networks, as well as the real name of the author. It turned out to be a resident of Iraq.
This is what a 404 Keylogger developer supposedly looks like. Photo from his personal Facebook profile.
CERT Group-IB has announced a new threat - 404 Keylogger - a XNUMX/XNUMX Cyber ββThreat Monitoring and Response Center (SOC) in Bahrain.
Source: habr.com