Cofense IntelligenceTM has analyzed a relatively new malware known as Alpha Keylogger, which appears to be part of a growing trend among threat actors to use subscription-based malware that doesn’t deliver on its original promises. Part of the reason behind this trend is that threat actors are more frequently releasing malware builders that are incomplete and still under development, then charging users a subscription fee to have the builder updated with a “patch.” This practice has become increasingly common with enterprise software as well as video games, so it is not surprising to see the trend in the criminal underworld. The patching subscription model may be a burden to some enterprise environments, but its underworld equivalent is a significant boon to law enforcement and network defenders. Personnel tasked with combating nefarious software can leverage the patching and licensing mechanisms of subscription-based malware to track down distributors.
The Reasons Behind The Model
Much like with legitimate software, threat actors decide what malware to buy based on several factors including the reviews, price, type (such as a keylogger or a Remote Access Tool (RAT), developer, and marketing. However, to make money in this competitive environment, malware developers need to take different approaches, such as:
- Sell the product for much less than similar malware.
- Give the product away. While this strategy may appear to be a good deal, malware developers have been known to include a back door enabling them to steal their “customer’s” stolen data.
- Base the new malware on a pre-existing and well-known malware, such as WSH RAT. As discussed in a previous CofenseTM report, the developers of this RAT billed it as a “new” RAT with advanced features and offered it at a starting subscription price of only $50 per month. However, in reality, WSH RAT wasn’t new at all and was a variant of the pre-existing and long-lived Houdini Worm with some minor feature improvements.
- Focus on spending heavily on marketing. While concentrating on marketing can be profitable, it is likely the reason that some malware perceived as the “next big threat” disappears shortly after making headlines – probably because the budget was spent mainly on marketing rather than development.
Possibly taking a lesson from legitimate software companies and the frequent failure of the options mentioned above, more and more malware developers have started to adopt the patching subscription model. This model allows them to take the middle road, charging relatively smaller subscriptions (in the case of Alpha Keylogger, $13 per month) while claiming to deliver more and being able to delay feature release.
The glut of available products, however, often leads malware developers to over-promise on features for which they then must include a basic test or example of in their code. Expedited or rushed releases of the software lead to buggy code, in turn hurting the credibility of malware authors. For instance, Alpha Keylogger claims to have a suite of features including the ability to exfiltrate data over email, FTP, or via the API of the messaging company Telegram. In practice, customers (threat actors) can choose FTP or email, and the keylogger will still attempt to exfiltrate information via Telegram API even when the configuration data is blank. This attempt creates a distinct and apparent HTTPS request on infected machines that do not successfully exfiltrate data and can be used to help identify this malware in network traffic.
Why Network Defenders Like Updates
The “bug” in Alpha Keylogger that causes extraneous network traffic could allow network defenders to look for such malformed URLs as signs of malicious activity despite the involvement of a legitimate domain. Even intentional updates on the part of malware developers can assist network defenders. An example of this is when the Geodo/Emotet botnet began distributing a new module. The nature of this deployment allowed Cofense to correctly assess and prepare for the delivery of more sophisticated phishing emails. If the changes had been made by a new family of malware rather than as part of an update that Cofense was looking for, it would have been more challenging to prepare.
Why Law Enforcement Likes Licensing
The bugs and hints provided via malware updates are helpful to network defenders, but the licensing system behind these updates can be even more useful to law enforcement. Many RATs store the license key of the individual that purchased the malware builder as a registry entry on infected computers. Depending on the method used to obtain this license key, the payment information may be associated with the key even if it is not directly associated with the individual who purchased the key. Subsequentially, a receipt of some sort may be sent to an account that is accessed by the threat actor who bought the license key. Under the right circumstances, a license key saved as a registry entry on a victim’s computer could be linked with a receipt in a threat actor’s inbox, attributing them to the attack. Law enforcement organizations could then build a case using this link and additional information, such as the IP address used to access the inbox.
Applicability In Enterprise Environments
Organizations with enterprise-scale infrastructure often encounter “shadow IT” software or malware applications that can be difficult to spot and eradicate. The licensing mechanisms found in subscription-based malware—to include potential receipts in email—can be used by threat hunters to identify insider threats. Organizations impacted by malware akin to Alpha Keylogger can weed out further infections by leveraging incident response tools and YARA rules (such as the ones provided by Cofense IntelligenceTM) which inspect registry keys. Furthermore, the potential for attribution and legal action against a threat actor through license tracking provides large corporations with enhanced defensive capabilities.
Table 1: Malware Artifacts
| Filename | MD5 |
| Company Profile.doc | b46396f32742da9162300efc1820abb3 |
| bukak.exe | 3ceb85bcd9d123fc0d75aefade801568 |
Table 2: Network IOCs
| IOC |
| biz[@]Bootglobal[.]com |
| kamonubilel[@]gmail[.]com |
| hxxp://ktkingtiger[.]com/bukak[.]exe |
HOW COFENSE CAN HELP
Cofense Intelligence processes and analyzes millions of emails and malware samples each day, providing a view of emerging phishing and malware threats.
The Cofense Phishing Defense CenterTM identifies active phishing attacks in enterprise environments. Learn how our dedicated experts provide actionable intelligence to stop phishing threats.
Condition end users to be resilient to ransomware and other attacks with Cofense PhishMeTM. It includes a variety of ransomware templates to help users recognize the threat. Empower users to report phishing emails with one click using Cofense ReporterTM.
Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.
Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeekeTM.
Thanks to our unique perspective, no one knows more about current REAL phishing threats than Cofense. To raise your understanding, read the 2019 Phishing Threat & Malware Review.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.
