.NET Keylogger: Watching Attackers Watch You
Throughout life, there are several things that make me smile. Warm pumpkin pie, a well-placed nyan nyan cat, and most of all – running malware online – never fail to lift my mood. So imagine my surprise to see, after running a malware sample, that the attackers were watching me. Here’s a screenshot of a phishing email we received, which contained a keylogger written in .NET.
From a binary perspective, we can confirm that the malware was written in .NET. The highlighted string in Figure 2 is a version of .NET.
Once executed, the malware sends an email via SMTP to the attackers to let the attackers know they have an infection (Figure 3). This is where the fun begins.
For this sample, there are several places where the attacker messed up. First, the attacker chose to hard-code email credentials for validation. The traffic can be seen in Figure 4, decoded data in Figure 5.
By searching for strings in the malware, we can also see that this keylogger has been posted on Hack Forums, and someone even asked about troubleshooting code they stole from someone else.
This was even described as an old technique, and the author of the original post was shot-down, due to his lack of understanding of the code.
Another Hack Forums post referenced this malware as Dynasty Keylogger (Figure 8), and this person also included a screenshot of Predator Dynasty (Figure 9).
This malware is even able to scrape passwords that have been stored in a web browser and other forms of media (Figure 10). The attackers even took a screenshot of the desktop (Figure 11).
I also managed to carve “screenshot1.jpeg” out of the SMTP stream by using a few lines of python code. Needless to say…I hope they enjoy screenshots of me capturing their packets (Figure 12).
For protecting your enterprise, make sure that servers that need to speak SMTP are the only ones that are speaking out via SMTP. For this malware, the malware spoke via port 587, and the attacks were in the clear. For signature creation and detection, the highlighted strings over port 587 could be used to create IDS signatures, as these strings will be in the clear.