Pwning a Spammer's Keylogger

Recently, while scrounging around our spam traps, I spotted this ordinary piece of malicious spam. It uses a very simple social engineering trick: a claim about Obama's sexual orientation and a link to a supposed picture that proves it.

[Screenshot: the spam message]

There was nothing special about the spam itself, but the link pointed to a file with a double extension, "you.jpg.exe", and that was worth investigating. So, out of curiosity, I downloaded the file and checked what it does.

The first thing I did was find out what the file really was. Of course, it was not an image of Obama but a self-extracting RAR archive.

[Screenshot: file type identification of you.jpg.exe]
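The check that exposed "you.jpg.exe" is worth having as code: classify a file by its leading bytes instead of its name, and flag the two tricks used here, an executable extension hiding behind an image one, and a PE stub with a RAR archive appended (which is all a self-extracting RAR is). This is an added example, not code from the original post; the magic values are the standard JPEG, PNG, PE and RAR signatures, and the sample bytes are constructed stand-ins for the real files.

```python
"""Added example (not from the original post): decide what a file really is
from its leading bytes rather than its name.  Sample bytes are constructed."""

JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PE_MAGIC = b"MZ"                      # DOS stub header of every Windows executable
RAR4_SIG = b"Rar!\x1a\x07\x00"        # RAR 1.5 - 4.x archive signature
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"    # RAR 5.x archive signature

IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}


def identify(data: bytes) -> str:
    """Classify by magic bytes.  A self-extracting RAR is a PE stub with the
    archive appended, so a PE that contains a RAR signature is reported as such."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(PE_MAGIC):
        if RAR4_SIG in data or RAR5_SIG in data:
            return "pe-sfx-rar"
        return "pe"
    if data.startswith(RAR4_SIG) or data.startswith(RAR5_SIG):
        return "rar"
    return "unknown"


def rar_offset(data: bytes) -> int:
    """Offset of the embedded archive inside an SFX, or -1 if there is none."""
    hits = [h for h in (data.find(sig) for sig in (RAR4_SIG, RAR5_SIG)) if h >= 0]
    return min(hits) if hits else -1


def describe(name: str, data: bytes) -> dict:
    """Compare what the file name claims with what the bytes say."""
    parts = name.lower().split(".")
    claimed = parts[-1] if len(parts) > 1 else ""
    # "picture.jpg.exe": an executable extension hiding behind an image one
    double_ext = len(parts) > 2 and parts[-2] in IMAGE_EXTS and claimed in EXEC_EXTS
    actual = identify(data)
    # "picture.jpg" whose bytes are actually an executable or archive
    disguised = claimed in IMAGE_EXTS and actual in ("pe", "pe-sfx-rar", "rar")
    return {
        "name": name,
        "claimed": claimed,
        "actual": actual,
        "double_extension": double_ext,
        "disguised": disguised,
        "rar_offset": rar_offset(data),
        "suspicious": double_ext or disguised or actual == "pe-sfx-rar",
    }


# Constructed samples (not the real files): a PE stub with a RAR archive
# appended 168 bytes in, and the first bytes of a genuine JPEG.
SAMPLE_SFX = PE_MAGIC + b"\x00" * 166 + RAR4_SIG + b"\x00" * 32
SAMPLE_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    for fname, blob in (("you.jpg.exe", SAMPLE_SFX), ("obama.jpg", SAMPLE_JPEG)):
        print(describe(fname, blob))
```

On a real sample you would read the file with `open(path, "rb").read()` and pass it to `describe`; `rar_offset` also tells you where to carve the archive out of the SFX if you want to unpack it without running the stub.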

Opening the file through a RAR extracting tool revealed the files inside it.

[Screenshot: contents of the self-extracting archive]

I extracted "you.jpg.exe" and inspected each of the files inside it, but found they were encoded. So I ran "you.jpg.exe" on our test machine and observed. When run, the image below popped up. Hmmm, definitely not Obama.

[Screenshot: the image displayed when you.jpg.exe runs]

In the background, the following files were installed in the Windows System32 folder:

  • bpk.dat
  • bpk.exe
  • bpkhk.dll
  • bpkr.exe
  • inst.dat
  • pk.bin

An autorun registry value was also created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
bpk = <%windir%\System32\bpk.exe>

Googling the dropped file names suggested that what had been installed was a keylogger, specifically a commercial product from Blazing Tools called Perfect Keylogger (PK). This program can be legitimately purchased and used, ostensibly for monitoring your kids' or employees' browsing habits, etc. As you can imagine, PK can also be used for badness.

I almost ended the analysis here. But a moment later, more interesting stuff appeared. The keylogger connected to a remote FTP server, and since FTP sends its login in clear text, this let me intercept the attacker's FTP credentials.

[Screenshot: captured FTP credentials]

Using the intercepted credentials, I logged in to the FTP server and found many folders containing monitoring logs and screenshots of victims' desktops. The number of logs shows just how effective the spammer's social engineering trick was.

[Screenshot: log folders on the FTP server]

Here is the WHOIS info of the FTP server:

[Screenshot: WHOIS record for the FTP server]

Not wanting to stop here, I investigated the PK installation files a little further in the hope of uncovering who was behind the campaign.

According to PK's online help page, the program uses a hotkey to unhide its admin window or system tray icon. The default combination is CTRL+ALT+L, but this didn't work, so I brute-forced hotkey combinations until I found the right one. To my dismay, this window popped up:

[Screenshot: PK admin password prompt]

Before getting dirty by reverse engineering the keylogger and trying to crack the password, I scrounged around the net for more clues. I found a personal blog by a colleague here at Trustwave SpiderLabs who previously encountered this keylogger. In his blog, he noted that the password and other configurations were stored in an encoded file named PK.BIN, and the monitored data is stored in an encoded file named BPK.DAT. He also noted that the files can be decoded with a simple XOR using the key 0xAA.

I assume the PK version that Chris analysed was an older one, which would explain why the XOR key 0xAA did not decode our configuration file. For the log file BPK.DAT the 0xAA key partially worked, and XORing with the alternating two-byte key 0xAA, 0x00 made it readable:

[Screenshot: BPK.DAT decoded with the key 0xAA, 0x00]

I was more interested in PK.BIN, because it stores the keylogger's configuration and perhaps details of the attacker. That file needed extra work, since it could not be decoded by simply XORing it with 0xAA. My best guess was that it used a different XOR key.

This is what the file looks like in text mode. Hmmm, look at that repetitive pattern!

[Screenshot: PK.BIN in text mode]

In hex mode, I took that repeating string and used it as the XOR key. A repeating key shows through wherever the plaintext is a run of zero bytes, because 0x00 XOR k is simply k, so the pattern is the key itself:

[Screenshot: PK.BIN in hex mode, showing the repeating key bytes]

A short Python script then decoded the file. It skips the first 11 bytes, which are a header, and XORs the rest with the 21-byte key cycled from that offset:

```python
import sys

if len(sys.argv) > 1:
    pkhandle = open(sys.argv[1], 'rb')
    pkbuffer = pkhandle.read()
    pkhandle.close()

    # 21-byte key taken from the repeating pattern in PK.BIN
    key = [0x0D, 0x0A, 0x08, 0x05, 0x01, 0x02, 0x06, 0x03, 0x03, 0x0E, 0x01,
           0x08, 0x03, 0x0C, 0x09, 0x07, 0x05, 0x0D, 0x0C, 0x0B, 0x03]
    dec = bytearray()
    ctr = 0
    # skip the 11-byte header, then XOR each byte with the cycling key
    for i in range(11, len(pkbuffer)):
        a = pkbuffer[i]
        b = key[ctr % len(key)]
        dec.append(a ^ b)
        ctr += 1

    dechandle = open('pk.dec', 'wb')
    dechandle.write(bytes(dec))
    dechandle.close()
```
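The two decodes above (the 0xAA, 0x00 pair for BPK.DAT and the 21-byte key for PK.BIN) are both repeating-key XOR, and the "repetitive pattern" trick can be automated: if the plaintext contains runs of 0x00 padding, the most common byte in each key phase is the key byte for that phase, and the true period is the smallest one whose recovered key explains roughly as many bytes as any longer candidate. The following is an added example, not the post's script or anything from Blazing Tools. It assumes the repeating pattern the post shows is the key leaking through null padding (the post does not say so explicitly), and every sample byte string, host name, password and license name in it is a constructed placeholder.

```python
"""Added example (not the post's own script): repeating-key XOR as used by
PK.BIN and BPK.DAT, generalised to recover the key as well as apply it.
Assumption: the repeating pattern is the key showing through runs of 0x00
padding in the plaintext, since 0x00 XOR k == k.  All sample data is constructed."""
from collections import Counter

# Keys quoted in the post.
KEY_OLD = bytes([0xAA])              # single byte that decoded older PK versions
KEY_BPK_DAT = bytes([0xAA, 0x00])    # alternating pair that made BPK.DAT readable
KEY_PK_BIN = bytes([0x0D, 0x0A, 0x08, 0x05, 0x01, 0x02, 0x06, 0x03, 0x03, 0x0E, 0x01,
                    0x08, 0x03, 0x0C, 0x09, 0x07, 0x05, 0x0D, 0x0C, 0x0B, 0x03])
PK_BIN_HEADER_LEN = 11               # the post's script starts decoding at offset 11


def xor_repeating(data: bytes, key: bytes, skip: int = 0) -> bytes:
    """XOR data[skip:] with `key` cycled from offset `skip`, dropping the header,
    which is what the post's loop over range(11, len(pkbuffer)) does."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data[skip:]))


def recover_key(data: bytes, period: int, skip: int = 0) -> bytes:
    """Most common byte in each key phase.  Where the plaintext is 0x00 the
    ciphertext byte is the key byte itself, so with enough padding the mode of
    every phase is the key.  With skip=0 on a file whose header is in the clear
    you get a rotation of the key, which still decrypts when applied from 0."""
    body = data[skip:]
    key = bytearray()
    for phase in range(period):
        samples = body[phase::period]
        key.append(Counter(samples).most_common(1)[0][0] if samples else 0)
    return bytes(key)


def explained_fraction(data: bytes, key: bytes, skip: int = 0) -> float:
    """Share of bytes equal to the key byte of their phase, i.e. that decode to
    0x00.  Near the padding fraction at the true period and its multiples,
    far below it at any other period."""
    body = data[skip:]
    hits = sum(1 for i, b in enumerate(body) if b == key[i % len(key)])
    return hits / len(body)


def guess_period(data: bytes, skip: int = 0, max_period: int = 64) -> int:
    """Smallest period whose recovered key explains almost as much of the file
    as the best candidate.  Multiples of the true period score the same, so
    'smallest within 90% of the best' selects the true one."""
    scores = {p: explained_fraction(data, recover_key(data, p, skip), skip)
              for p in range(1, max_period + 1)}
    best = max(scores.values())
    return min(p for p, score in scores.items() if score >= 0.9 * best)


def _field(value: bytes, width: int = 96) -> bytes:
    """Fixed-width, null-padded field: the layout the padding assumption implies."""
    return value.ljust(width, b"\x00")


# Constructed stand-in for PK.BIN: an 11-byte header left in the clear, then
# null-padded configuration fields XORed with the 21-byte key.
SAMPLE_CONFIG = (_field(b"admin_password=hunter2")
                 + _field(b"ftp_host=ftp.example.test")
                 + _field(b"ftp_user=example_user")
                 + _field(b"license_name=Example Name"))
SAMPLE_HEADER = b"PKCFG\x01\x02\x03\x04\x05\x06"
SAMPLE_PK_BIN = SAMPLE_HEADER + xor_repeating(SAMPLE_CONFIG, KEY_PK_BIN)

# Constructed stand-in for one BPK.DAT log record under the two-byte key.
SAMPLE_LOG = _field(b"[Notepad] hello world")
SAMPLE_BPK_DAT = xor_repeating(SAMPLE_LOG, KEY_BPK_DAT)

if __name__ == "__main__":
    period = guess_period(SAMPLE_PK_BIN, PK_BIN_HEADER_LEN)
    key = recover_key(SAMPLE_PK_BIN, period, PK_BIN_HEADER_LEN)
    print("period", period, "key", key.hex())
    decoded = xor_repeating(SAMPLE_PK_BIN, key, PK_BIN_HEADER_LEN)
    print([f.decode() for f in decoded.split(b"\x00") if f])
```

For a real PK.BIN you would call `guess_period` and `recover_key` on the file contents with `skip=11`; calling them with `skip=0` instead still works, because the rotated key you get back decrypts correctly when it is also applied from offset 0. The same two functions report period 2 and the key 0xAA, 0x00 for a BPK.DAT-style file, and `xor_repeating(data, KEY_OLD)` reproduces the single-byte decode that worked on the older version.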

And voilà! (Note: I blurred some details to protect the victims' data on the FTP server.)

[Screenshot: decoded PK.BIN, partly blurred]

The decoded PK.BIN shows enough to get inside the PK admin panel, including the keylogger's admin password, the FTP server and credentials, and the PK license name and license key. The admin password worked, giving me a fuller picture of what the attacker was capturing and how the keylogger was configured.

[Screenshot: PK admin panel]

The configuration file gave the PK license name as Charles Onuigbo.

Now, I don't conclude that Charles Onuigbo is the attacker, or even that he is a real person. The only interesting thing about the name is that it appears to be fairly common in Nigeria, the home of email scams!

I have reported the FTP site to its ISP through abuse email, and am looking forward to this site being taken down ASAP.

UPDATE: I have received an email from the company that hosted the FTP server in question, and they wrote:

"Hello- 
I'm unsure if my co-workers wrote you back regarding this.
We have stopped access to the account being used for this
on the server in question... "

I have checked the FTP server and can confirm that the malicious FTP account has been disabled. Thank you Alex Kwiecinski of Liquid Web Inc. and your team for taking immediate action.
