Not so long ago, Kaspersky clients in the United States approached Kaspersky researchers with a request to investigate a new type of malicious software that they were able to recover from their organizations’ servers. The malware calls itself Grabit and is distinctive because of its versatile behavior. Every sample we found was different in size and activity from the others, but the internal name and other identifiers were disturbingly similar. The timestamp seems valid and close to the documented infection timeline. Our documentation points to a campaign that started somewhere in late February 2015 and ended in mid-March.

All of the dozens of samples we managed to collect were programmed for 32-bit Windows machines, over the Microsoft. As the development phase supposedly ended, malware started spreading from India, the United States and Israel to other countries around the globe. Files were compiled over the course of three days, between March 7th and 9th of 2015. The following chart illustrates how the group or individual created the samples, the size of each sample, the time of day when each was compiled and the time lapses between each compilation. The smallest sample (0.52Mb) and the largest (1.57Mb) were both created on the same day, which could indicate experiments made by the group to test features, packers and “dead code” implementations.

Along with these different sizes, activities and obfuscation, a serious encryption algorithm was also implemented in each one of them. Looking at the chart, it is interesting to see the modus operandi, as the threat actor consistently strives to achieve a variety of samples, different code sizes and supposedly more complicated obfuscation. The proprietary obfuscated strings, methods and classes made it rather challenging to analyze. ASLR is also enabled, which might point to an open source RAT or even a commercial framework that packed the malicious software in a well written structure.

During our research, dynamic analysis showed that the malicious software’s “call home” functionality communicates over obvious channels and does not go the extra mile to hide its activity. This type of work is known as a mitigation factor for threat actors to keep their code hidden from analysts’ eyes. In addition, the files themselves were not programmed to make any kind of registry maneuvers that would hide them from Windows Explorer. Taking that into an equation, it seems that the threat actors are sending a “weak knight in a heavy armor” to war. It means that whoever programmed the malware did not write all the code from scratch. A well trained knight would never go to war with a blazing shield and yet a stick for a sword.

Looking into the “call home” traffic, the Keylogger functionality prepares files that act as a container for keyboard interrupts, collecting hostnames, application names, usernames and passwords. The file names contain a very informative string: HawkEye_Keylogger_Execution_Confirmed_ 6 : 08 : 31 PM

HawkEye is a commercial tool that has been in development for a few years now; it appeared in 2014 as a website called HawkEyeProducts and made a very famous contribution to the hacker community. On the website, the product shows great versatility, as it contains many types of RATs, features and functionality, such as the traditional HawkEye Logger or other types of remote administration tools like Cyborg Logger, CyberGate, DarkComet, NanoCore and more.

As seen, the malware uses a number of RATs to control its victims or track their activity. It seems to support three types of delivery: FTP, SMTP and Web-Panel. One of the threat actor’s successful implementations contained the well-known DarkComet. This convenient “choose your RAT” functionality plays a very important role in the malware infection, routine and survival on the victim’s machine. The DarkComet samples are more complicated than the traditional HawkEye logger. One instance had a random key generator which sets an initialization vector from the first 4 bytes of the executable file and appends a random 5 byte key that unpacks another PE file, less than 20Kb in size. The PE file then contains another packer with an even more challenging obfuscation technique. The last sample we tested had still more complicated behavior. The code itself had the same obfuscation technique, though traffic was not transferred in clear text. Stolen data was packed and sent encrypted over random HTTP ports.
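The properties this analysis keys on (32-bit image, link timestamp, ASLR enabled, presence of a .NET CLR header) all sit in the PE headers and can be pulled out for bulk sample triage. The Python below is an added example, not Kaspersky's tooling; the header-only PE it builds is a constructed test input, not a Grabit sample.

```python
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in flag
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14         # CLR (.NET) runtime header directory


def triage_pe(data: bytes) -> dict:
    """Read bitness, link timestamp, ASLR flag and .NET presence from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _, timestamp, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    rva_off = opt + (108 if pe32plus else 92)         # NumberOfRvaAndSizes
    num_dirs = struct.unpack_from("<I", data, rva_off)[0]
    clr_rva = clr_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva, clr_size = struct.unpack_from(
            "<II", data, rva_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    return {
        "x86_32": machine == IMAGE_FILE_MACHINE_I386,
        "compile_time": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "aslr": bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dotnet": clr_rva != 0 and clr_size != 0,
    }


def build_minimal_pe(timestamp: int, aslr: bool, dotnet: bool) -> bytes:
    """Constructed header-only PE32 image (not a real sample) used to exercise triage_pe()."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 0, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                     # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if aslr else 0)
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * 14, 0x2008, 0x48)   # fake CLR header RVA/size
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # 1425722400 == 2015-03-07T10:00:00Z, inside the compile window described above
    print(triage_pe(build_minimal_pe(1425722400, aslr=True, dotnet=True)))
```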