A Different Take on Keystroke Logging

On March 29th a file was uploaded to VirusTotal containing a fake Microsoft Update Authenticode certificate. Soon thereafter, RSA Research investigated the sample based on certain artifacts that matched those present on Shell_Crew malware RSA Research previously reported on. This Windows DLL file was compiled on October 28th, 2014 at 06:35:47 GMT (Table 1).

File Details
File Name:   32.dll
File Size:   1466880 bytes
MD5:         3f3a3bfb28481ba023f1526f9de126d6
SHA1:         16262d0628a6556296baa46b20e6ff4c2958c3af
PE Time:     0x544F3943 [Tue Oct 28 06:35:47 2014 UTC]
PEID Sig:     Microsoft Visual C++ v6.0 DLL
PEID Sig:     Microsoft Visual C++ v7.0 DLLSections (5):
Name     Entropy      MD5
.text        5.97             f20d0ccf6df7c0175407868642f1f768
.rdata     4.94             da2c40e898d6bf6fcee18e42de311140
.data       7.47             f29698706c0b8d31cd0b85a2f52cd004
.rsrc        2.89            4308a3eae6d4bca5b3055a04896859f7
.reloc     4.34             b8dd2e49c9b741d390fd02eb1765e875

Table 1 Dropper Details

The file is surprisingly large as it appears to have OpenSSL 0.9.8y 5 Feb 2013 statically linked at compile time. When the file is executed with rundll32.exe and the DllRegisterServer named export, it entrenches on the target system. The malware (Table 2) extracts a DLL to C:\Windows\System32\winms2[xxxx].dat, where x is a random digit (e.g., winms22353.dat). To maintain persistence, the malware adds an entry to the Windows registry as a service. The malware also finds the timestamp of Kernel32.dll and timestomps its $SI Create attribute (Figure 1).

File Details
File Name: winms22353.dat
File Size: 641024 bytes
MD5:         58c8f068d6dcb88a8aec26ac3e2c95ad
SHA1:         8b49f973f079010a2bbc707b515819953cde0119
PE Time:   0x544F3940 [Tue Oct 28 06:35:44 2014 UTC]
PEID Sig:   Microsoft Visual C++ v6.0 DLL
PEID Sig:   Microsoft Visual C++ v7.0 DLLSections (5):
Name     Entropy        MD5

.text         6.54             ce08d9111915d0ca6892a93d05014123
.rdata      6.01             4e6322bc8a3dcf8f5e9338dddaddb985
.data        5.82            cb8454a51c87896f944f8a52c2a41800
.rsrc         2.89            50ffaa50a471d19ef267ec57c10d24c4
.reloc       6.48            e75602226b0ab2721285c8a64ac9c1d8

Table 2 Service DLL Details


Figure 1 Service DLL Timestomping

When executed, the malcode begins in DllMain with a call to Kernel32!CreateThread() to an offset in the portable executable (PE) that starts a decoding function (Figure 2).


Figure 2 Decoding Function

These two decoders carve out two small DLLs (Tables 3 and 4) from the .data section of the PE.


Table 3 Keylogger #1 Details


Table 4 Keylogger #2 Details

Both DLLs export a named export labeled “Func” and are nearly identical with the only real difference in functionality being the keylogger text output (Figure 3).


Figure 3 Keylogger BinDiff Results


Figure 4 Malware Communications over Named Pipe

The striking detail is in how the malware communicates with these two DLLs. Notice the named pipe calls in the assembly in Figure 4. The malware and the keylogger DLLs communicate via this named pipe. The malware does not load these DLLs in the service DLL address space. Instead, it injects the DLLs directly into explorer.exe after finding its Process ID, then creates a remote thread at the offset of the “Func” named export. This is detected in RSA NetWitness® Endpoint via several methods.

Floating code attributed to the two keyloggers injected into explorer.exe is suspicious as it uses the target application as a host and lives within its memory space. RSA NetWitness Endpoint alerts and shows the injected code (Figure 5).


Figure 5 Floating Code in explore.exe

Also suspicious is a service DLL with a .dat extension, with a forged Authenticode certificate. Service DLL’s always have the .dll extension and you will find legitimate DLL’s with expired or self-signed certificates but rarely with an invalid certificate signature (Figure 6).


Figure 6 Malicious Service

We observed the malware opening a handle to explorer.exe and creating a remote thread (Figure 7). RSA NetWitness Endpoint filters the API call OpenProcess() based on arguments passed to the function via the stack in the case of 32-bit code, or registers in the case of 64-bit code.


Figure 7 Malware Entrenchment and Code Injections

The named pipe appears in the svchost.exe process as a handle (Figure 8).


Figure 8 Named Pipe Communications

The output from the keyloggers can be seen in memory strings in the address space allocated within explorer.exe (Figures 9 and 10).


Figure 9 Injected Code Segment


Figure 10 Keylogger Output Visible in Memory

The malware also writes this information to disk in C:\Windows\Temp\ directory with a filename DMIF[xxx].tmp, where x is a random digit. These are specified by the malware using an encoded Registry entry in SOFTWARE\Microsoft\RPC\Level01 (Figure 11).


Figure 11 Malware Registry Configuration

The Registry entries are single byte XOR’d with 0xA0, but the malware takes an interesting approach to calculate this. Instead of XOR’ing with 0xA0, the malware XORs with 0x5F (Figure 12) and then NOTs the result to get 0xA0, as decoded in Figure 13.


Figure 12 Registry XOR Routine


Figure 13 Registry Entry Decoded

In addition to the keylogger files, there are seven distinct 64 byte null-terminated blocks of information. These blocks are encoded and decoded at runtime with the 4 byte rotating XOR function, below. The config is 784 bytes long and the shift right rotates through the DWORD, in orange (Figure 14). The command and control (C2) functionality reads from the second block looking for the string http:// or https:// to match a URL. This malware fails to decode a valid URL with its own algorithm, but, nonetheless, continues collecting keylogger data and capturing RDP logins.


Figure 14 Configuration Decoder

During execution the malware creates three threads. The first decodes the keyloggers and then creates the remaining two threads. The second created thread is on a ten second timer to call the Malware_Main function that controls malware’s interaction with the C2. The final thread is on a five second timer and connects to the named pipe created by the keylogger. The malware seemingly operates without a valid C2 URL or email address for the SMTP data exfiltration capability. This may indicate intentional configuration on the target system by the actor who would, presumably, return at a later date to manually retrieve the files.


Figure 15 Main Malware Functions

The file was originally submitted to VirusTotal from Malaysia, which could indicate the location of the entity targeted. With only 11 detections, none from the larger antivirus (AV) vendors, this suggests it may be an effective tool to surveil human interaction on a targeted machine. The installation by a DLL with a named export of DllRegisterServer also indicates it is a second-stage tool used for reconnaissance once the actor has a foothold in the targeted network.

Using the YARA signature (below), RSA NetWitness Endpoint can be configured to find this automatically. An analyst may also combine the scan data indicating floating code and follow along in Tracking Data to manually discover this type of behavior. The verbosity and level of detail available in Tracking Data cannot be understated. Malware is regularly tweaked to avoid signature-based technology, as well as heuristics-based detection engines. What can’t be hidden are the end results, injected code and an unknown, suspicious service DLL running in the environment. The level of detail provided by RSA NetWitness Endpoint gives an analyst many options for finding malware in their environment.


No Comments