SpiderLabs Blog

How I Cracked a Keylogger and Ended Up in Someone's Inbox

It all started with a spam campaign. Figure 1 shows a campaign we recently picked up from our spam traps with a suspicious document file attachment. Notice how poor the English is; this should serve as a warning sign to the email recipients.

[Figure 1. Spam Sample]

The attachment uses the ".doc" file extension but is actually in Rich Text Format (RTF). The file contains a specially crafted RTF stack overflow exploit, which we determined to be CVE-2010-3333, a vulnerability in the Microsoft Word RTF parser's handling of the "pFragments" shape property. This vulnerability was patched more than half a decade ago.
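The extension/container mismatch described above is cheap to check at a mail gateway or on a quarantine share. The following PowerShell is an added example (not Trustwave's code and not part of the original post) that reads the first eight bytes of each file, classifies it as RTF, OLE2 or other, and flags files that carry a .doc extension while starting with the RTF signature. The two sample files it writes to a temporary directory are constructed for the demonstration; the RTF one is a harmless stub, not the exploit document.

```powershell
# Added example: detect ".doc" attachments that are really RTF documents.
# Only the file signature is inspected; nothing is parsed or opened.

function Test-DocExtensionMismatch {
    param([Parameter(Mandatory)][string]$Path)

    # Read just the first 8 bytes; both signatures fit in that window.
    $head = New-Object byte[] 8
    $fs = [System.IO.File]::OpenRead($Path)
    try   { $read = $fs.Read($head, 0, $head.Length) }
    finally { $fs.Dispose() }
    if ($read -lt 8) { return $null }

    # RTF files start with the literal text "{\rtf".
    $isRtf = ([System.Text.Encoding]::ASCII.GetString($head, 0, 5) -eq '{\rtf')

    # Legacy binary Word files are OLE2 compound documents: D0 CF 11 E0 A1 B1 1A E1.
    $hex   = ($head | ForEach-Object { $_.ToString('X2') }) -join ''
    $isOle = ($hex -eq 'D0CF11E0A1B11AE1')

    $container = 'Other'
    if ($isRtf)     { $container = 'RTF' }
    elseif ($isOle) { $container = 'OLE2' }

    $ext = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    [pscustomobject]@{
        Path      = $Path
        Extension = $ext
        Container = $container
        Mismatch  = ($ext -eq '.doc' -and $isRtf)   # the pattern seen in this campaign
    }
}

# --- Constructed samples so the check can run offline -------------------------
$dir = Join-Path ([System.IO.Path]::GetTempPath()) ('rtfcheck-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null

# An RTF stub wearing a .doc extension (constructed; contains only "Hello").
[System.IO.File]::WriteAllText((Join-Path $dir 'invoice.doc'), '{\rtf1\ansi Hello}')

# A header-only OLE2 stub with a .doc extension (constructed; not a valid document).
[byte[]]$oleStub = [byte[]](0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1) + (New-Object byte[] 504)
[System.IO.File]::WriteAllBytes((Join-Path $dir 'report.doc'), $oleStub)

Get-ChildItem -Path $dir -Filter *.doc |
    ForEach-Object { Test-DocExtensionMismatch -Path $_.FullName } |
    Format-Table -AutoSize

Remove-Item -Recurse -Force $dir
```

Run against a real quarantine folder, replace the constructed block with `Get-ChildItem` over that folder; `invoice.doc` is the only row that should come back with `Mismatch` set to True. A signature check like this does not tell you whether an RTF is malicious, only that the sender is lying about the file type, which is reason enough to hold the message for inspection.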

[Figure 2. Obfuscated shellcode in a specially crafted RTF file]

As you can see in Figure 2, the exploit and the shellcode were obfuscated to evade antivirus detection. After extracting, cleaning up and decoding the exploit, I found that the shellcode downloads and executes a file from the domain volafile[.]io.

[Figure 3. Shellcode HEX dump]

THE PAYLOAD

[Figure 4. The downloaded executable file]

The downloaded file is a Microsoft .NET Win32 executable. A quick hex dump of the file gave a very interesting clue that I was dealing with a HawkEye keylogger build.

[Figure 5. HawkEye Keylogger string in the malware body]

With a little bit of Google-Fu, the string pointed me to the website that develops this keylogger, where all of its "awesome features" are listed.

[Figure 6. HawkEye Keylogger Features]

In my quick dynamic analysis, the keylogger drops a copy of itself to the Application Data (%appdata%) folder under the filename WindowsUpdate.exe. It sets an autorun registry entry so that it persists on the Windows system across reboots.

[Figure 7. Keylogger's installation routine]

It also drops the following files in the infected system:

  • %Temp%\Sysinfo.txt – the dropped malware executable path
  • %Appdata%\pid.txt – the malware process ID
  • %Appdata%\pidloc.txt – the malware process executable location

I then observed network activity from the keylogger process attempting to obtain the infected system's external IP address from checkip.dyndns.com. This legitimate website is commonly used by malware to determine the infected system's public IP address.

[Figure 8. Packet capture of the infected machine's external IP address lookup]

After a short while, SMTP network activity was observed in which the infected system's information was sent to the attacker's email address.
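The host-side behaviour just described (the self-copy in %appdata%, the autorun entry, the three dropped text files, the external IP lookup and the SMTP exfiltration) gives a responder a compact checklist. The PowerShell below is an added example, not Trustwave's tooling and not the keylogger's code, that runs that checklist read-only on a Windows host and reports what it finds. The file paths and the checkip.dyndns.com lookup come from the analysis above; the name of the Run value is not stated in the post, so the script flags any Run value whose data points at the dropped executable, and it assumes the SMTP traffic uses one of the standard ports 25, 465 or 587.

```powershell
# Added example: read-only triage for the HawkEye indicators described above.
# Reports findings; it does not delete files or remediate.

function Get-HawkEyeIndicators {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Type, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
    }

    # 1. Files the keylogger drops (paths from the analysis).
    $dropped = @(
        (Join-Path $env:APPDATA 'WindowsUpdate.exe'),   # self-copy
        (Join-Path $env:TEMP    'Sysinfo.txt'),         # path of the dropped executable
        (Join-Path $env:APPDATA 'pid.txt'),             # malware process ID
        (Join-Path $env:APPDATA 'pidloc.txt')           # malware executable location
    )
    foreach ($path in $dropped) {
        if (Test-Path -LiteralPath $path) {
            Add-Finding 'File' $path
            # pid.txt / pidloc.txt, when present, identify the running instance.
            if ($path -like '*pid*.txt') {
                Add-Finding 'FileContent' ("{0}: {1}" -f $path, (Get-Content -LiteralPath $path -Raw).Trim())
            }
        }
    }

    # 2. Autorun values referencing the self-copy (value name assumed unknown).
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }       # skip provider metadata properties
            if ("$($p.Value)" -match '(?i)\\WindowsUpdate\.exe') {
                Add-Finding 'Autorun' ("{0}\{1} = {2}" -f $key, $p.Name, $p.Value)
            }
        }
    }

    # 3. A process using the dropped file name; the real Windows Update does not
    #    run from a user's AppData folder.
    Get-Process -Name WindowsUpdate -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding 'Process' ("PID {0} path {1}" -f $_.Id, $_.Path)
    }

    # 4. Evidence of the external IP lookup in the DNS client cache.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like '*checkip.dyndns.com*' } |
        ForEach-Object { Add-Finding 'DnsCache' $_.Entry }

    # 5. Live SMTP connections (assumed standard ports); the owning process is
    #    listed so a legitimate mail client can be told apart from the keylogger.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -in @(25, 465, 587) } |
        ForEach-Object {
            $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            Add-Finding 'SMTP' ("{0} (PID {1}) -> {2}:{3}" -f $owner.ProcessName, $_.OwningProcess, $_.RemoteAddress, $_.RemotePort)
        }

    return $findings
}

$results = Get-HawkEyeIndicators
if ($results.Count -eq 0) { 'No HawkEye indicators found.' }
else { $results | Format-Table -AutoSize }
```

The Run-key and file checks are the durable ones; the DNS cache and connection checks only catch an instance that is currently active. A clean result from this script is not proof of a clean host (a rebuilt or reconfigured HawkEye build can change every one of these names), but a hit on the AppData self-copy plus a Run value pointing at it is strong enough to pull the machine for full forensics.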

[Figure 9. Email sent by the keylogger to the attacker's email address containing the system information]

The information may include:

  • CPU Name (computer name)
  • Local Date and Time
  • Installed Language
  • OS Installed
  • Platform
  • OS Version
  • Memory installed
  • .Net Framework Installed
  • System Privileges
  • Default Browser
  • Installed Firewall
  • Internal IP Address
  • External IP Address
  • Recovered Email settings and passwords
  • Recovered Browser and FTP passwords

As previously mentioned, the keylogger was compiled with Microsoft .NET, so the next thing I did was decompile the executable. I used the open-source .NET decompiler ILSpy for this task.

[Figure 10. HawkEye keylogger decompiled source code]

I took a closer look at the decompiled source code and compared it against the list of "Awesome Features". I can confirm that the claim is entirely legitimate; I found the following features implemented in its code:

Keylogging.

[Figure 11. Keylogging routine]

A clipboard stealer/logger.

[Figure 12. Clipboard logging routine]

A browser, FTP and mail client password stealer. It also attempts to steal password manager credentials and Windows keys.

[Figure 13.]

A worm-like USB infection routine that allows the keylogger to spread to other Windows machines.

[Figure 14. USB infection routine]

It may also target users of the online gaming platform Steam. It deletes Steam's configuration data and login data files so that the user is forced to log in again, which gives the keylogger an opportunity to steal the user's Steam credentials.

[Figure 15. Steam deletion routine]

The stolen information, including a desktop screenshot, is sent either to the attacker's email address or to an FTP server, depending on how the keylogger was configured.

[Figure 16. Email sending routine]

The attacker may also configure the keylogger to upload the stolen information through an HTTP tunnel to a PHP host, but that code path appears to be disabled.

[Figure 17.]

The most interesting part I found in the decompiled code, however, is a C# constructor named Form1(). This is where the keylogger configuration is stored. To protect the attacker's email and FTP credentials, these values were encrypted with the Rijndael algorithm and Base64-encoded.

[Figure 18. The keylogger configuration]

As you may know, encrypted data is not always secure, especially when the decryption routine ships in the same binary and can be read in the decompiled source code!

[Figure 19. The keylogger calls the Decrypt method]

The image below shows the "Decrypt" method, which accepts two string parameters: encryptedBytes and secretKey. The secret key happens to be the hardcoded string "HawkSpySoftwares".

[Figure 20. The decryption routine]

As mentioned, the keylogger uses the Rijndael algorithm, and the secret key is salted with the Unicode string "099u787978786", which is also hardcoded.

[Figure 21. The keylogger uses the Rijndael algorithm]

Out of curiosity, I copied the decryption part of the code, modified it accordingly and compiled it in MS Visual Studio, and of course the decryption was successful. (Sorry, I needed to blur the credentials :))
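The reason the author's recompiled snippet works is that everything the decryption needs (the Base64 blob, the key "HawkSpySoftwares", the Unicode salt "099u787978786" and the algorithm) is inside the binary. The PowerShell below is an added example that reconstructs a routine of that shape using the .NET classes the keylogger's own C# would have access to; it is not the decompiled code itself. The key and salt strings are taken from the post. That the key and IV are derived with Rfc2898DeriveBytes (PBKDF2, default iteration count), that Rijndael runs in its default CBC/PKCS7 mode with a 256-bit key, and that the plaintext is UTF-16 (Encoding.Unicode) are assumptions; a real sample's Decrypt method is where to confirm them. A matching Protect-HawkEyeConfig is included only so the round trip can be run offline on a constructed configuration string.

```powershell
# Added example: Base64 + Rijndael configuration decryption with a hardcoded
# key and salt, and an encryption counterpart for a self-contained round trip.
# Parameters marked "assumed" are not stated in the post.

function New-HawkEyeCipher {
    param([string]$SecretKey, [string]$Salt)

    # Salt is the Unicode (UTF-16LE) bytes of the hardcoded string.
    $saltBytes = [System.Text.Encoding]::Unicode.GetBytes($Salt)

    # Assumed: PBKDF2 (Rfc2898DeriveBytes) with the class default of 1000 iterations.
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($SecretKey, $saltBytes)

    # Assumed: 256-bit key and 128-bit IV taken consecutively from the KDF stream,
    # Rijndael in its default CBC mode with PKCS7 padding.
    $aes = [System.Security.Cryptography.RijndaelManaged]::new()
    $aes.Key = $kdf.GetBytes(32)
    $aes.IV  = $kdf.GetBytes(16)
    return $aes
}

function Unprotect-HawkEyeConfig {
    param(
        [Parameter(Mandatory)][string]$EncryptedBase64,
        [string]$SecretKey = 'HawkSpySoftwares',   # hardcoded key from the post
        [string]$Salt      = '099u787978786'       # hardcoded Unicode salt from the post
    )
    $aes = New-HawkEyeCipher -SecretKey $SecretKey -Salt $Salt
    $cipherBytes = [Convert]::FromBase64String($EncryptedBase64)
    $dec = $aes.CreateDecryptor()
    $plainBytes = $dec.TransformFinalBlock($cipherBytes, 0, $cipherBytes.Length)
    # Assumed: configuration strings are stored as UTF-16.
    return [System.Text.Encoding]::Unicode.GetString($plainBytes)
}

function Protect-HawkEyeConfig {
    # Only here to build a sample; mirrors Unprotect-HawkEyeConfig exactly.
    param(
        [Parameter(Mandatory)][string]$PlainText,
        [string]$SecretKey = 'HawkSpySoftwares',
        [string]$Salt      = '099u787978786'
    )
    $aes = New-HawkEyeCipher -SecretKey $SecretKey -Salt $Salt
    $plainBytes = [System.Text.Encoding]::Unicode.GetBytes($PlainText)
    $enc = $aes.CreateEncryptor()
    $cipherBytes = $enc.TransformFinalBlock($plainBytes, 0, $plainBytes.Length)
    return [Convert]::ToBase64String($cipherBytes)
}

# --- Constructed round trip (no real credentials) ------------------------------
$sampleConfig = 'smtp.example.invalid|mailbox@example.invalid|constructed-password'
$blob = Protect-HawkEyeConfig -PlainText $sampleConfig
"Stored in binary : $blob"

$recovered = Unprotect-HawkEyeConfig -EncryptedBase64 $blob
"Recovered        : $recovered"
if ($recovered -ne $sampleConfig) { throw 'round trip failed' }
```

The point of the exercise is the one the post makes: a symmetric key embedded next to the code that uses it is obfuscation, not protection, and anyone holding the binary can recover the configuration. For defenders the practical use is the one Trustwave put it to here, identifying which mailboxes and FTP accounts the malware reports to so that their owners can be notified and the accounts taken away from the attacker.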

[Figure 22. The decrypted email and FTP credentials]

They appear to be email accounts on compromised systems. Emails sent to this inbox are automatically rerouted to the attacker's Gmail account.

[Figure 23. Emails are rerouted to the attacker's own email address]

CONCLUSION

Perhaps the attacker knows that the HawkEye keylogger can be easily cracked; to protect their own email credentials, they hijacked a compromised email account as the initial receiver, which then forwards the messages on to the attacker's own email address.

We have reported the compromised email accounts to their rightful owners so that they can change their passwords and remove the attacker's email address from their forwarding settings.

Since this was written, we have received similar spam messages with RTF attachments, this time containing a CVE-2012-0158 exploit. The payload is the same keylogger, but with different email credentials.

The two vulnerabilities used in these attacks are old but still widely used in email attacks. As usual, it is advisable to keep your systems updated with the latest patches to protect against these old exploits used by cybercriminals. Trustwave Secure Email Gateway's AMAX (Advanced Malware and Exploit Detection) detected these attached RTF exploits at the email gateway.
