• News
  • Security
  • Products
  • About Seqrite
Blogs on Information Technology, Network & Cybersecurity | Seqrite Blog
  • News
  • Security
  • Products
  • About Seqrite
Home  /  Data Backup • Data Loss Prevention • Malware • Spyware  /  MassLogger: An Emerging Spyware and Keylogger
MassLogger: An Emerging Spyware and Keylogger
31 July 2020

MassLogger: An Emerging Spyware and Keylogger

Written by Aniruddha Dolas
Aniruddha Dolas
Data Backup, Data Loss Prevention, Malware, Spyware
Estimated reading time: 7 minutes

Summary:

We have been dealing with a new spyware for the past two months, named MassLogger. This advanced keylogger and spyware are distributed via MalSpam attachments and has more features than other present keylogger tools. It has been observed that this campaign is using several different file types as malicious attachments as an initial infection vector. Also, the dynamic behaviour of this camping is not constant across multiple samples. It comes with several functionalities like keylogger, Windows Defender exclusion, taking Screenshots, spreading via USB, clipboard stealing, VM detection, etc.

 Technical Details:

Here are different file types used as spam attachments in this campaign:

  • zip
  • rar
  • gz
  • 7z
  • img
  • iso
  • doc
  • arj
  • xz
  • ace
  • docm
  • z
  • xlsm
  • cab

 After looking at the above list, we can see two major categories of attachment— first is archive file and second is a document file. In the case of archive files, there is .NET masslogger payload after extraction, while in the case of document file it contains VBA macro and exploit which downloads masslogger payload from a remote server.

Polymorphic Process Chain:

We have seen different variants of dynamic behaviour across multiple samples in this campaign. Below are snapshots of a few process chains:

Fig 1: Process Chain. Ref. https://app.any.run/
Fig 1: Process Chain. Ref. https://app.any.run/
Fig 2: Process Chain. Ref. https://app.any.run/
Fig 2: Process Chain. Ref. https://app.any.run/
Fig 3: Process Chain. Ref. https://app.any.run/
Fig 3: Process Chain. Ref. https://app.any.run/
Fig 4: Process Chain. Ref. https://app.any.run/
Fig 4: Process Chain. Ref. https://app.any.run/

Document analysis:

In some cases, threat actors have used office document file as initial infection vector with VBA macro and equation editor exploit. The following figure shows the extraction of Excel document having embedded OLE storage containing 2 VBScripts and 1 file of CVE-2017-11882 exploit and VBA Project stream containing VBA macros.

 Fig 5: OLE Streams and Storages

Fig 5: OLE Streams and Storages

The following figure shows multiple OLE streams each containing different data.

Fig 6: Ole Embeddings
Fig 6: Ole Embeddings

The first stream oleObject1.bin is a VB script file contains renamer code and after which it executes VBS file using Wscript.

 Fig 7: VBS Job

Fig 7: VBS Job

OleObject2.bin stream is also a VB script which is highly obfuscated and having code to download a payload from C2 server.

Fig 8: VBS downloader
Fig 8: VBS downloader

The excel sheet containing stack-based buffer overflow editor exploit of the equation editor renames and executes VB Scripts using WinExec api (0x00430C12) post-exploitation.

Fig 9: Shellcode
Fig 9: Shellcode

 

“1C00” is the header of Equation Editor, in the right side, the shellcode is present containing cmd.exe initially renames the VB script and passes it to Wscript to execute that VB Script. After overflow occurs, this whole data is passed to WinExec function which does the further activity. For more info related to CVE-2017-1182 exploit, please refer our blog post.

To increase to chances of payload delivery, the attacker uses both exploit and VBA macros. When exploit fails on a patched system, another component, VBA macros are also present in the document file. The similar VBS code is present in VBA macros and macro code has the responsibility of dropping the VBS file in “C:\programdata\” folder and execute it as VBS Job which does further similar activity as that of the Equation Native exploit.

Payload Analysis:

The payload is downloaded from different initial attack vectors as discussed above when it executes and goes in sleep for a few seconds. There is a lot of sleep code present in this binary. There are a total of 4 components present with 2 layers of the packed file.

Stage 1 layer:

In the 1st layer, when it gets executed it has a simple code hidden in a Form() component. This code is responsible to extract a dll file from resource directory in present in reverse data in Base64 format which further gets resolved and dumps a dll with name AndroidStudio.dll.

Fig 10: Fetch data from resources
Fig 10: Fetch data from resources

AndroidStudio.dll have a responsibility to decompress and decrypt a buffer which passes to it.

Fig 11: Android Studio code
Fig 11: Android Studio code

GZip decompression method is used to decompress the buffer passed from the resource directory. This dll is used to dump another PE file which is responsible for further activity.

Stage 2 Layer: Lazarus.exe

The Lazarus.exe gets dumped which is highly obfuscated .NET file which is now unpacked from the parent file. We have decoded this file using de4dot tool successfully. In execution, it goes in sleep for a few seconds, it checks if it’s own copy is present at “%appdata%” location. If not, it drops a self-copy at “%appdata%” location. After that, to stay persistent in the system, it creates an entry in task scheduler. For this, it creates and drops a.XML config file at “%temp%” location which is the input for creating task scheduler. The metadata for XML file is hardcoded and stored in PE resource. All data gets replaced at runtime.

Fig 12: Task Scheduler XML
Fig 12: Task Scheduler XML

The name of starts with string “Update\” followed by file name dropped at %appdata% location.

Following command gets executed to add an entry in task scheduler.

“C:\Windows\System32\schtasks.exe” /Create /TN “Updates\<filename>” /XML “C:\Users\<username>\AppData\Local\Temp\tmp<USERID>.tmp”

Now time to move to the final payload which is MassloggerBin.exe. Using Process Hollowing technique, it injects code into its own process. Following image shows the use of the self-hollowing technique to do its further activity.

Fig 13: Process Hollowing
Fig 13: Process Hollowing

When it successfully writes and creates a new process, the parent process gets terminated and code injected process runs as an orphan. The code of this process is also highly obfuscated. All function and class names are modified to random/obfuscated string.

Stage 3 layer: MassLoggerBin.exe

With the start, it extracts a dll file having name “Ionic.Zip.Reduced.dll” from its resources. The Ionic.Zip.Reduced.dll is a DotNetZip free fast class library used for manipulating zip files. The code used by the attacker in Masslogger is available on this site. The main motive of using this dll is to create a zip file containing a compressed package of files like snapshots, keyloggers, user info etc.

The internal config-based functionality is used by MassLogger to fetch the required accordingly which is then assigned to a specific variable.

Following are the variables that fetch data stored in its internal config fig — by going to particular offset is the first parameter and the config array from where data gets fetched is the second parameter

Fig 14: Retrieves Config data
Fig 14: Retrieves Config data
Fig 15: Config Data
Fig 15: Config Data

It starts collecting system information like name of the system, Windows version, CPU, GPU, AV installed, Public IP which it gets from URL: “hxxp[:]//api[.]ipify[.]org”, also gets running process information.

Fig 16: Running Processes
Fig 16: Running Processes

MassLogger also stores a running process windows name in its log file.

 MassLogger Functionality:

1. Application Data Stealer:

Following are some list of applications where it tries to steal user data and which further sends to its C2 server.

By checking data from hardcoded path stored in this binary, it checks for particular data and installation of these applications, if it does not find any details, it creates an entry in the following format,

<|| Application-name ||>

Not Installed

The following modules are present in MassLogger binary. Following is the list of that:

2. Windows Defender Exclusion

It has a module named as “WD Exclusion” which is a Windows Defender Exclusion. Using command “Add-MpPreference –ExclusionPath <path>“, it exclude it-self from Windows Defender Anti-Virus.

3. USB Spread

Another module, USB Spread, it uses an open-source code of LimeUSB available on GitHub. It is used to infect files stored on the USB drive. When files on USB gets executed, it executes its own code as well as infected code.

Fig 17: USB Spread Module
Fig 17: USB Spread Module

4. Keylogger and Clipboard

It has a key log capture module, using “SetWindowHookEx” api it captures all keyboard keys and logs it.

Fig 18: Keyboard Hooking
Fig 18: Keyboard Hooking

5. Anti VM

It also has Anti-VM techniques by checking for Video_Controller adapter using WMI “Select * from Win32_VideoController” which retrieves which information related to the graphics card. If the process is executing on Virtual Box then it returns “Virtual Box Graphics Adapter”.

Fig 19: Video Adapter
Fig 19: Video Adapter

6. Search And Upload

As per config file, it searches for some file which it wants to send to the C2 server that stores in “SearchAndUpload.zip” archive.

All data is stored and retrieved from its config file. Following is the view of MassLogger config file.

Fig 20: Config File
Fig 20: Config File

Once all data collection is done, it creates a log file containing all data like when Masslogger Process is started and ended and other collected details. After that, it compresses using ZIP and gets stored at the location “C:\Users\<USERNAME>\AppData\Local”.

Following is an image showing MassLogger log file.

Fig 21: MassLogger log file
Fig 21: MassLogger log file

Conclusion:

Masslogger is a highly configurable and modular keylogger and spyware. The author behind Masslogger tried to make it more sophisticated in features than other keyloggers, these features make it hard to detect this advanced malware.

IoCs:

4A199C1BA7226165799095C2C2A90017 (XLSM)

D1FFF0C0782D08ED17387297369797E0 (XLSM)

31B65A54940B164D502754B09E3E9B63 (PE)

37958546CB6DC41F505FDCB3430CEE3B (PE)

Subject Matter Experts:

Aniruddha Dolas

Pawan Chaudhari

 

 Previous PostIs your router exposed to cyber threats? Here is how to safeguard...
Next Post  Legacy Systems longing for enterprise attention?
Aniruddha Dolas

About Aniruddha Dolas

Aniruddha Dolas is part of the HIPS (Host-based Intrusion Prevention System) team in Quick Heal Security Labs. He has worked on various security vulnerabilities...

Articles by Aniruddha Dolas »

Related Posts

  • Calling from the Underground: An alternative way to penetrate corporate networks

    January 11, 2023
  • Advisory on Russia-Ukraine Conflict-Related Cyberattacks

    March 15, 2022
  • Multi-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies

    October 22, 2021

No Comments

Leave a Reply.Your email address will not be published.
Cancel reply

CAPTCHA Image
Refresh Image

Popular Posts
  • 5 Security measures you should take to protect your organization’s network 5 Security measures you should take to protect your organization’s network August 11, 2017
  • Benefits of having Intrusion Prevention/Detection System in your enterprise Benefits of having Intrusion Prevention/Detection System in your enterprise February 15, 2018
  • Uncovering LockBit Black’s Attack Chain and Anti-forensic activity Uncovering LockBit Black’s Attack Chain and Anti-forensic activity February 1, 2023
Featured Authors
  • Seqrite
    Seqrite

    Follow us for the latest updates and insights related to security for...

    Read more..
  • Sanjay Katkar
    Sanjay Katkar

    Sanjay Katkar is the Joint Managing Director and Chief Technology Officer of...

    Read more..
  • Jayesh Kulkarni
    Jayesh Kulkarni

    Jayesh is working as a Security Researcher for a couple of years. He likes to...

    Read more..
Stay Updated!
Topics
apt (11) Cyber-attack (32) cyber-attacks (56) cyberattack (11) cyberattacks (12) Cybersecurity (301) cyber security (26) Cyber threat (29) cyber threats (44) Data (11) data breach (50) data breaches (27) data loss (28) data loss prevention (33) data protection (21) data security (13) DLP (49) Encryption (16) endpoint security (103) Enterprise security (15) EPS (10) Exploit (12) firewall (11) hackers (11) IoT (10) malware (64) malware attack (23) malware attacks (12) MDM (25) Microsoft (14) Network security (18) Patch Management (12) phishing (18) Ransomware (60) ransomware attack (29) ransomware attacks (30) ransomware protection (12) security (10) Seqrite (26) Seqrite Encryption (27) Seqrite EPS (33) Seqrite Services (16) UTM (34) Vulnerability (15) windows (11)
Products
  • Seqrite MSSP Portal
  • HawkkScan
  • HawkkProtect
  • HawkkHunt XDR
  • HawkkEye
  • HawkkEye Endpoint Security Cloud
  • HawkkEye mSuite
  • HawkkEye Workspace
  • Endpoint Security (EPS)
  • Unified Threat Management
  • Antivirus for Server
  • Antivirus for Linux
Resources
  • White Papers
  • Datasheets
  • Threat Reports
  • Manuals
  • Case Studies
About Us
  • Company Overview
  • Leadership
  • Why choose SEQRITE?
  • Awards & Certifications
  • Newsroom
Archives
  • By Date
  • By Category

© 2022 Quick Heal Technologies Ltd. Cookie Policies Privacy Policies

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website.
By browsing this website, you agree to our cookie policy.