How I Cracked a Keylogger and Ended Up in Someone's Inbox. It all started from a spam campaign. Figure 1 shows a campaign we picked up recently from our spam traps with a suspicious document file attachment. Notice how poor the English is; this shall serve as a sign of warning to the email recipients.
With winter holidays. Christian Zibreg on November 13, 2012. Just don’t hold your fingers crossed for holiday deals because the 2012 Holiday Gift Guide is. Elite Keylogger perfectly logs all the visited URLs in all the browsers taking part. Resident Evil Operation Raccoon City Keygen For Mac on this page. FTP, LAN or USB device to send the log. Elite Keylogger 5.2.
Figure 1: Spam Sample. The attachment uses the . The file contains a specially crafted RTF stack overflow exploit. This was determined to be the CVE- 2. Microsoft Word RTF parser in handling the . This vulnerability had been patched more than half a decade ago. Figure 2. Obfuscated shellcode in a specially crafted RTF file.
As you can see in Figure 2, the exploit and the shellcode were obfuscated to avoid antivirus detection. After extracting, cleaning up and decoding the exploit, I figured out that the shellcode would download and execute a file from the domain volafile.
Shellcode HEX dump. THE PAYLOADFigure 4. The downloaded executable file.
The downloaded file is a Microsoft . NET Win. 32 executable. A quick hex dump preview of the file gave a very interesting clue that I am dealing with a Hawk. Eye keylogger build. Figure 5. Hawkeye Keylogger string in the malware body. And with a little bit of Google- Fu, the string pointed me to a website which develops this keylogger. In the website, they've listed all of its .
Hawk. Eye Keylogger Features. In my quick dynamic analysis, the keylogger drops a copy of itself to the Application Data (%appdata%) folder and uses the filename Windows. Update. exe. It sets an autorun registry to facilitate persistency in the Windows system even after reboot. Figure 7. Keylogger's Installation routine.
- Keylogger: Step by Step Configuration Tutorial. Step 2: Install Ardamax keylogger. Then in FTp host write ftp.drivehq.
- 3.26.2 (12 June 2017; 43. This FTP client is very quick. In January 2012 cNet.com gave FileZilla their.
- In November 2014, Trend Micro’s. About TrendLabs Security Intelligence Blog; Search. Section 1030(a)(5)(A) and 2.
It also drops the following files in the infected system: %Temp%\Sysinfo. Appdata%\pid. txt – the malware process ID%Appdata%\pidloc. I then observed network activity from the keylogger process that tries to obtain the infected system's external IP address from checkip. This legitimate website is commonly used by malware to determine the IP address of the infected system.
Figure 8. Get infected machine's IP address packet capture. After a short while, SMTP network activity was observed where the system information of the infected system was sent to the attacker's email address. Figure 9. Email sent by the keylogger to the attacker's email address that contains the system information.
The information may include: CPU Name (computer name)Local Date and Time. Installed Language.
OS Installed. Platform. OS Version. Memory installed.
Net Framework Installed. System Privileges.
Default Browser. Installed Firewall. Internal IP Address. External IP Address. Recovered Email settings and passwords. Recovered Browser and FTP passwords. As previously mentioned, the keylogger was compiled with Microsoft . NET. So the next thing I did is to decompile the executable.
I used an open- source . NET Decompiler called ILSpy to accomplish this task. Figure 1. 0. Hawkeye keylogger decompiled source code. I took a closer look in the decompiled source code and compared it to its list of .
I can confirm that its claim is 1. I found the following features in its code like: Keylogging. Figure 1. 1. Keylogging routine. A clipboard stealer/logger.
Figure 1. 2. Clipboard logging routine. A browser, FTP, and Mail Client password stealer. It also attempts to steal password manager credentials and Windows keys. Figure 1. 3. A worm- like USB infection routine that will allow the keylogger to spread to other Windows machine. Figure 1. 4. USB infection routine. It may also target the users of online gaming platform Steam.
It deletes the configuration data and login data files so that the user will be forced to login again. This is an opportunity for the keylogger to steal the user's Steam credentials. Figure 1. 5. Steam deletion routine. The stolen information including the desktop screenshot are sent to either to the attacker's email address or FTP server depending on how the keylogger was configured. Figure 1. 6. Email sending routine. The attacker may also configure the keylogger to upload the stolen information through a HTTP tunnel to a PHP host, but the code seems to be voided.
Figure 1. 7. The most interesting part I've found in the decompiled code however is a C# constructor named Form. This is where the keylogger configuration was stored. But to secure the attacker's email and FTP credentials, these data were encrypted using Rijndael algorithm and Base. Figure 1. 8. The keylogger configuration. As you may know, those encrypted data are not always secure, especially if the decryption routine is in the decompiled source code!
Figure 1. 9. The keylogger calls the Decrypt method The image below is the . The secret key happens to be a hardcoded string Hawk. Spy. Softwares. Figure 2. The decryption routine. As mentioned, the keylogger uses the Rijndael algorithm and the secret key is salted with the Unicode string . The keylogger uses Rijndael algorithm. Microsoft Visual Studio Shell Isolated Download Itunes more.
Out of curiosity, I copied the decryption part of the code, modified it accordingly and compiled it in MS Visual Studio, and of course the decryption was successful. The decrypted email and FTP credentials. They appear to be email accounts on compromised systems. The emails sent to this inbox are rerouted automatically to the attacker's Gmail account. Figure 2. 3. Emails are rerouted to the attacker's own email address. CONCLUSIONPerhaps the attacker knows that the Hawk.
Eye keylogger can be easily cracked, and to protect their own email credentials, they've hijacked a compromised email account as the initial receiver that eventually forward emails to the attacker's own email address. We have reported the compromised email accounts to their rightful owners, in order for them to change their passwords and remove the attacker's email address from their reroute message settings. Since this was written, we received similar spam messages with RTF attachments but this time containing the CVE- 2. The payload is the same keylogger but they have used different email credentials.
The two vulnerabilties used in these attacks are old, but still widely used in email attacks. Trustwave Secure Email Gateway's AMAX (Advanced Malware and Exploit Detection) was able to detect these attached RTF exploit in the email gateway.