.NET Keylogger: Watching Attackers Watch You


Throughout life, there are several things that make me smile. Warm pumpkin pie, a well-placed nyan nyan cat, and most of all – running malware online – never fail to lift my mood. So imagine my surprise to see, after running a malware sample, that the attackers were watching me. Here’s a screenshot of a phishing email we received, which contained a keylogger written in .NET.

Figure-1-Phishing-Screenshot
Figure 1 — Screenshot of phishing email

From a binary perspective, we can confirm that the malware was written in .NET. The highlighted string in Figure 2 is a version of .NET.

Figure-2-Net-version
Figure 2 — .NET version in binary data

Once executed, the malware sends an email via SMTP to the attackers to let the attackers know they have an infection (Figure 3). This is where the fun begins.

Figure-3-first-beacon
Figure 3 — First beacon via SMTP

For this sample, there are several places where the attacker messed up. First, the attacker chose to hard-code the email credentials used for SMTP authentication. The traffic can be seen in Figure 4, and the decoded data in Figure 5.

Figure-4-successful-SMTP
Figure 4 — Successful SMTP authentication
Figure-5-1xdancer
Figure 5 — Attacker using the password “1xdancer” for the email account

By searching for strings in the malware, we can also see that this keylogger has been posted on Hack Forums, and someone even asked about troubleshooting code they stole from someone else.

Figure-6-Hack-Forums-screenshot
Figure 6 — Screenshot of Hack Forums thread asking about stolen code

This was even described as an old technique, and the author of the original post was shot down for his lack of understanding of the code.

Figure-7-original-poster-being-shot-down
Figure 7 — Original poster being shot down for lack of understanding of the code

Another Hack Forums post referenced this malware as Dynasty Keylogger (Figure 8), and this person also included a screenshot of Predator Dynasty (Figure 9).

Figure-8-Hack-Forums-post-containing-same-malware-string
Figure 8 — Hack Forums post containing the same string as malware sent
Figure-9-Predator-Dynasty
Figure 9 — Screenshot of Predator Dynasty, email keylogger from http://imgur.com/pvg00

This malware is even able to scrape passwords that have been stored in a web browser and other forms of media (Figure 10). The attackers even took a screenshot of the desktop (Figure 11).

Figure-10-Password-Recovery-screenshot
Figure 10 — Screenshot of web and mail messenger password recovery
Figure 11 — Attackers taking a screenshot and logging keystrokes

I also managed to carve “screenshot1.jpeg” out of the SMTP stream by using a few lines of Python code. Needless to say, I hope they enjoy screenshots of me capturing their packets (Figure 12).

Figure-12-screenshot-sent-back-to-attackers
Figure 12 — Carved screenshot sent back to the attackers
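The two analysis steps described above, recovering the hard-coded AUTH LOGIN credentials from the plaintext session (Figure 5) and carving the JPEG attachment out of the SMTP DATA section (Figure 12), can be reproduced on the client side of a captured session with the standard library. The following is an added example and not the author's own script; the session, addresses, credentials and image bytes are constructed stand-ins, and the parser assumes the client commands have already been extracted from the capture as one CRLF-delimited text stream.

```python
"""Decode the client side of a captured plaintext SMTP session: recover the
credentials submitted with AUTH LOGIN / AUTH PLAIN and carve attached JPEGs."""
import base64
import email
from email import policy

# Constructed stand-in for the attachment: JPEG SOI/APP0 marker, padding, EOI.
JPEG_STUB = b"\xff\xd8\xff\xe0" + b"\x00" * 12 + b"\xff\xd9"


def build_sample_session():
    """Constructed client stream modelled on a submission on port 587.
    Every address, the password and the image content are made up."""
    attachment = base64.b64encode(JPEG_STUB).decode()
    message = (
        "From: victim@example.invalid\r\n"
        "To: dropbox@example.invalid\r\n"
        "Subject: New Log\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="BOUND"\r\n'
        "\r\n"
        "--BOUND\r\n"
        "Content-Type: text/plain\r\n\r\n"
        "keystrokes: hello world\r\n"
        "--BOUND\r\n"
        'Content-Type: image/jpeg; name="screenshot1.jpeg"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="screenshot1.jpeg"\r\n'
        "\r\n" + attachment + "\r\n"
        "--BOUND--\r\n"
    )
    return (
        "EHLO victim-pc\r\n"
        "AUTH LOGIN\r\n"
        + base64.b64encode(b"dropbox@example.invalid").decode() + "\r\n"
        + base64.b64encode(b"NotTheRealPassword").decode() + "\r\n"
        "MAIL FROM:<victim@example.invalid>\r\n"
        "RCPT TO:<dropbox@example.invalid>\r\n"
        "DATA\r\n" + message + ".\r\n"
        "QUIT\r\n"
    )


def is_jpeg(data: bytes) -> bool:
    """Check the JPEG start-of-image marker rather than trusting the filename."""
    return data[:3] == b"\xff\xd8\xff"


def parse_client_stream(stream: str):
    """Return (credentials, attachments) found in one client-to-server stream.

    credentials: (username, password) or None; attachments: list of
    (filename, raw_bytes) for every MIME attachment in every DATA section."""
    lines = stream.split("\r\n")
    creds = None
    attachments = []
    in_data = False
    data_buf = []
    i = 0
    while i < len(lines):
        line = lines[i]
        if in_data:
            if line == ".":                      # end of DATA section
                in_data = False
                raw = "\r\n".join(data_buf).encode()
                msg = email.message_from_bytes(raw, policy=policy.default)
                for part in msg.iter_attachments():
                    attachments.append((part.get_filename(),
                                        part.get_payload(decode=True)))
                data_buf = []
            else:
                # Undo dot-stuffing: a line starting ".." carries a literal "."
                data_buf.append(line[1:] if line.startswith("..") else line)
        elif line.upper() == "AUTH LOGIN":
            # Username and password follow as two base64 lines in the clear.
            user = base64.b64decode(lines[i + 1]).decode()
            password = base64.b64decode(lines[i + 2]).decode()
            creds = (user, password)
            i += 2
        elif line.upper().startswith("AUTH PLAIN "):
            # Single base64 blob: "\0username\0password"
            _, user, password = base64.b64decode(line.split(" ", 2)[2]).split(b"\0")
            creds = (user.decode(), password.decode())
        elif line.upper() == "DATA":
            in_data = True
        i += 1
    return creds, attachments


def carve_screenshots(stream: str):
    """Map filename -> bytes for attachments whose content really is a JPEG."""
    _, attachments = parse_client_stream(stream)
    return {name: data for name, data in attachments if is_jpeg(data)}


if __name__ == "__main__":
    session = build_sample_session()
    creds, _ = parse_client_stream(session)
    print("credentials:", creds)
    for name, data in carve_screenshots(session).items():
        print(f"carved {name}: {len(data)} bytes")
```

Checking the magic bytes rather than the `filename=` parameter matters because nothing stops the malware author from naming a text log `.jpeg`; the same parser also surfaces the keystroke log as a non-attachment body part if that is what you are after.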

For protecting your enterprise, make sure that the servers that need to speak SMTP are the only hosts speaking SMTP outbound. This malware spoke via port 587, and the traffic was in the clear. For signature creation and detection, the highlighted strings seen over port 587 could be used to create IDS signatures, as these strings will be in the clear.
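Both recommendations above, restricting SMTP egress to approved mail servers and signaturing the plaintext submission traffic, can be checked against flow or content records. The following is an added example, not tooling from the original post; the relay address, client addresses and payload snippets are constructed, and the Suricata rule builder takes the content string as a parameter because the post's highlighted strings are not reproduced here.

```python
"""Flag unapproved SMTP egress and plaintext SMTP AUTH in flow records, and
build a Suricata/Snort-style rule for a known cleartext string on port 587."""

SMTP_PORTS = {25, 465, 587}
# Constructed: the only internal host that is allowed to talk SMTP outbound.
ALLOWED_RELAYS = {"10.0.0.25"}

# Constructed flow records: (src_ip, dst_ip, dst_port, first payload bytes).
# 10.0.1.57 plays the infected workstation beaconing on 587 without STARTTLS.
SAMPLE_FLOWS = [
    ("10.0.0.25", "203.0.113.10", 25, b"EHLO mail.example.invalid\r\n"),
    ("10.0.1.57", "198.51.100.7", 587, b"EHLO victim-pc\r\nAUTH LOGIN\r\n"),
    ("10.0.1.57", "198.51.100.7", 587, b"EHLO victim-pc\r\nSTARTTLS\r\n"),
    ("10.0.1.88", "93.184.216.34", 443, b"\x16\x03\x01"),
]


def plaintext_auth_visible(payload: bytes) -> bool:
    """True when an AUTH command appears before any STARTTLS in the payload,
    i.e. the credentials crossed the wire unencrypted."""
    auth_at = min((payload.find(m) for m in (b"AUTH LOGIN", b"AUTH PLAIN")
                   if m in payload), default=-1)
    if auth_at < 0:
        return False
    tls_at = payload.find(b"STARTTLS")
    return tls_at < 0 or auth_at < tls_at


def find_rogue_smtp(flows, allowed=ALLOWED_RELAYS):
    """Return one alert dict per SMTP flow that breaks the egress policy or
    carries plaintext authentication; non-SMTP ports are ignored."""
    alerts = []
    for src, dst, port, payload in flows:
        if port not in SMTP_PORTS:
            continue
        reasons = []
        if src not in allowed:
            reasons.append("unauthorised SMTP egress")
        if plaintext_auth_visible(payload):
            reasons.append("plaintext SMTP AUTH")
        if reasons:
            alerts.append({"src": src, "dst": dst, "port": port,
                           "reasons": reasons})
    return alerts


def suricata_rule(sid: int, content: str, msg: str, port: int = 587) -> str:
    """Build a rule matching a cleartext string sent by an internal host to
    an external SMTP submission port. `content` is whatever distinctive
    string the analyst observed; the value used below is a placeholder."""
    escaped = content.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")
    return (f'alert tcp $HOME_NET any -> $EXTERNAL_NET {port} '
            f'(msg:"{msg}"; flow:established,to_server; '
            f'content:"{escaped}"; nocase; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    for alert in find_rogue_smtp(SAMPLE_FLOWS):
        print(alert)
    # PLACEHOLDER_STRING stands in for a string highlighted in the analysis.
    print(suricata_rule(1000001, "PLACEHOLDER_STRING",
                        "Keylogger SMTP beacon (placeholder content)"))
```

The egress check is the cheap, durable control: it fires on any malware family that mails its logs out directly, whereas the content rule only catches this sample until the author changes a string.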
