.NET Keylogger: Watching Attackers Watch You

Throughout life, there are several things that make me smile. Warm pumpkin pie, a well-placed nyan nyan cat, and most of all – running malware online – never fail to lift my mood. So imagine my surprise to see, after running a malware sample, that the attackers were watching me. Here’s a screenshot of a phishing email we received, which contained a keylogger written in .NET.


Figure 1 — Screenshot of phishing email

From a binary perspective, we can confirm that the malware was written in .NET. The highlighted string in Figure 2 is a version of .NET.


Figure 2 — .NET version in binary data

Once executed, the malware sends an email via SMTP to the attackers to let the attackers know they have an infection (Figure 3). This is where the fun begins.


Figure 3 — First beacon via SMTP

For this sample, there are several places where the attacker messed up. First, the attacker chose to hard-code email credentials for validation. The traffic can be seen in Figure 4, decoded data in Figure 5.


Figure 4 — Successful SMTP authentication


Figure 5 — Attacker using the password “1xdancer” for the email account

By searching for strings in the malware, we can also see that this keylogger has been posted on Hack Forums, and someone even asked about troubleshooting code they stole from someone else.


Figure 6 — Screenshot of Hack Forums thread asking about stolen code

This was even described as an old technique, and the author of the original post was shot-down, due to his lack of understanding of the code.


Figure 7 — Original poster being shot-down for lack of understanding of the code

Another Hack Forums post referenced this malware as Dynasty Keylogger (Figure 8), and this person also included a screenshot of Predator Dynasty (Figure 9).


Figure 8 — Hack Forums post containing the same string as malware sent


Figure 9 — Screenshot of Predator Dynasty, email keylogger from http://imgur.com/pvg00

This malware is even able to scrape passwords that have been stored in a web browser and other forms of media (Figure 10). The attackers even took a screenshot of the desktop (Figure 11).


Figure 10 — Screenshot of web and mail messenger password recovery

Figure 1

Figure 11 — Attackers taking a screenshot and logging keystrokes

I also managed to carve “screenshot1.jpeg” out of the SMTP stream by using a few lines of python code. Needless to say…I hope they enjoy screenshots of me capturing their packets (Figure 12).


Figure 12 — Carved screenshot sent back to the attackers

For protecting your enterprise, make sure that servers that need to speak SMTP are the only ones that are speaking out via SMTP. For this malware, the malware spoke via port 587, and the attacks were in the clear. For signature creation and detection, the highlighted strings over port 587 could be used to create IDS signatures, as these strings will be in the clear.

Phishing email delivers keylogger malware, also takes screenshots
National Cybersecurity Awareness Month 2014