Targeted attacks have several stages, sometimes called the APT kill chain. At McAfee Labs we prefer the model described by Lockheed Martin:
As part of the weaponizing phase, attackers often put a payload into a file that, once installed, will connect in the C2 (command and control) phase to the attacker. A very common payload used by many password-stealing malware is a keylogger. The purpose of keylogging is to capture the users’ keystrokes, and gather credentials and links to internal and external resources. The stolen credentials can later be used to weaponize another file or serve as part of the actions phase of the APT kill chain.
One example we recently ran into is the malware Marmoolak, an Iranian keylogger with the MD5 F09D2C65F0B6AD55593405A5FD3A7D91.
We traced the first appearance of this keylogger to a Middle-East forum:
Although some keyloggers may capture keystrokes for legitimate purposes, this one misleads its victims by including a hidden payload. By placing this keylogger on this forum, we believe the developer intended to attack other members of this forum, a popular tactic in that region.
To prevent detection, malware authors often use cheap and easy packer’s, which modify the malware witha runtime compression or encryption program. In this case the files were hidden by a modified version of the well-known packer UPX.
On execution, the file adds a copy of itself into the System32 folder as Mcsng.exe. The malware also launches a process that drops and writes the file 1stmp.sys in the %system32%config folder:
Although the file extension suggests it is a .sys (system) file, it is not. Its purpose is to function as a log file that contains the encrypted keystrokes of the user. Every time a key is pressed, the process records the keystroke, encrypts it and appends it to 1stmp.sys. The next screen shows a section of encrypted strings:
Although the encryption algorithm is simple, it uses “selective encryption,” with two techniques: Each byte is encrypted by technique 1 if it is odd and technique 2 if it is even. Here is an example of a log after decryption:
After decrypting we can see not only keystrokes, but also the time stamps when they were logged. After the keystrokes are logged and encrypted, the malware mails its content to its author. The malware also sends computer name and user name data to its master.
After cleaning up the standard Visual Basic obfuscation we can see the malware uses Sendmail:
In this case the encrypted log is sent to the email address Marmoolak@red-move.tk. This address is hosted on a domain that is very popular in Iran for hosting malware. The McAfee Labs reputation engine has flagged this domain as malicious: http://www.mcafee.com/threat-intelligence/domain/default.aspx?domain=red-move.tk
After deobfuscation, we observed strings in Persian that contain the word marmoolak, a frequent derogatory term in Persian to describe their Arabic neighbors.
McAfee detects this Trojan keylogger and its variants as Keylog-FAG! To avoid infection from this and other keyloggers, keep your antivirus system updated and do not download content from untrusted sources. Be especially careful of hacker forums. Some members pretend to be helpful and offer their tools. However, these tools are often backdoor malware and exist solely to access systems and abuse them for various malicious ends.