Wednesday, December 11, 2019

Deep Dive - Phoenix Keylogger and Its Autoit Cryptor

Today I want to share some interesting code and behavior of the Phoenix Keylogger, including the cryptor it uses to evade virtual machines and to inject the actual malware into a normal process.

AutoIt Cryptor:

This malware uses an AutoIt cryptor because of the flexibility of the AutoIt scripting language. The cryptor is obfuscated and has features for evading virtual machines (which are common in sandboxes) and for process injection.

I used a Python script to simulate the decryption routine of this cryptor (named HWRZDRXVUHRI). Once decrypted, you can see right away how it works: it checks the running processes for known virtual machine processes (common in sandbox systems), runs an obfuscated script, and loads the actual malware, which is stored in the resource section, by building shellcode to load it.

figure 1 - checking for virtual machine processes

figure 2 - the encrypted Phoenix Keylogger in the .rsrc section


PHOENIX KEYLOGGER:

The actual keylogger is compiled with .NET and protected with the Confuser obfuscator. After de-obfuscating it with de4dot, the following are the noteworthy behaviors of this malware:

Hooking Keyboard Events (Keylogging):

It performs keylogging by hooking the keyboard events Key_Press_Down and Key_Press_Up, logging the keystrokes, and sending the log to its C&C server over SMTP.

figure 3 - Keylogging function

figure 4 - hooking keyboard events using the SetWindowsHookExA API

Screenshot:

It also has a screenshot feature: it captures the screen of the infected machine, saves it as a bitmap file, and sends it to its C&C server as an SMTP attachment.

figure 5 - the screenshot feature of this malware


Parsing Browser Credentials:

It is also capable of parsing the credentials of several browsers that have no master password set, since most browsers now use a database such as SQLite to store the user's browsing history, cookies and credentials.

Targeted Browsers:

  • \360Browser\Browser\User Data\Default\Login Data
  • \Tencent\QQBrowser\User Data\Default\EncryptedStorage
  • \CocCoc\Browser\User Data\Default\Login Data
  • \Vivaldi\User Data\Default\login data
  • \BraveSoftware\Brave-Browser\User Data\Default\login data
  • \Blisk\User Data\Default\Login Data
  • \AVAST Software\Browser\User Data\Default\Login Data
  • \Chromium\User Data\Default\Login Data
  • \Torch\User Data\Default\Login Data
  • \Orbitum\User Data\Default\Login Data
  • \UCBrowser\User Data_i18n\Default\UC Login Data.18
  • \Slimjet\User Data\Default\Login Data
  • \Comodo\Dragon\User Data\Default\Login Data
  • \Epic Privacy Browser\User Data\Default\Login Data
  • \Google\Chrome\User Data\default\Login Data
  • \Opera\ Software\Opera Stable\ wand.dat
  • \Mozilla\Firefox\Profiles
  • \Mozilla\SeaMonkey\Profiles

figure 6 - parsing browser credentials

Parsing Outlook Signatures:

It also parses Outlook signatures from the registry, which may be used for further phishing attacks.

  • Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  • Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
  • Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

SMTP C&C Server and Telegram Bot:

This malware uses an SMTP C&C server, bhavnatutor[.]com:587, to send its exfiltrated data. It also obtains the external IP address of the machine by accessing the third-party website ifconfig[.]me/ip. The SMTP information is encrypted with Base64 + AES. Below is the encrypted string holding its SMTP information and the decrypted version. It also includes some information about the machine as part of the body of the SMTP message.

The subject of the SMTP message depends on the data it tries to send (screenshots, browser passwords, logs).

figure 7 - SMTP C&C server and its info (the subject depends on the data being sent)

It can also use Telegram to send all the information parsed from the infected machine, such as documents, messages, photos, etc.

figure 8 - Telegram bot

Notes:

Many malware families now use AutoIt scripts as cryptors or injectors to evade detection and to hide the actual malware from incident responders. We also learn here that this keylogger has many capabilities for spying on the infected machine and uses different platforms to exfiltrate its data.

IOC:

Files: packed malware: https://app.any.run/tasks/99d3b9a4-1b0a-4e4b-b5af-abcde517e4e5/
md5: 08d4206063429e7569d55c7f33eb3df1
sha1: 288a57aa7045333242f31c869b9fda624ae02b9b
sha256: df2c30b42d5139620b97b5fd86f009568ecad116fbe76848171366e9633bffeb

C&C server:

Bhavnatutor[.]com:587
masseystephen8@gmail[.]com
testing@bhavnatutor[.]com
http://ifconfig[.]me/ip
113452:https://api.telegram.org/bot
113510:/sendMessage?chat_id=

Information it parses:

109546:+------------- Client INFO -------------+
109632:IP:
109648:HWID:
109662:Owner Name:
109688:Full OS Name:
109718:OS Platform:
109746:OS Version:
109772:System Boot Mode:
109810:Physical Memory:
109846: GB
109856: Available Of
109886:Virtual Memory:
109920:Date:
109934:-----------------------------------------

SMTP message subjects & other strings:

112022:|------- Phoenix Keylogger - Screenshot -------|
112244:|------- Phoenix Keylogger - Clipboard -------|
112600:|------- Phoenix Keylogger - Logs -------|
112700:\Debug2.txt
112724:PX | Logs | Client Name:
112776:PXLogs
112790:5/22/2019
112810:/C choice /C Y /N /D Y /T 3 & Del "
113214:|------- Phoenix Keylogger - Passwords -------|
113314:Passwords
113334:\Debug.txt
113356:PX | PSWD | Client Name:
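The strings above (the fixed-delay self-delete command line, the SMTP C&C host on port 587, the ifconfig.me lookup and the Telegram bot API) double as detection content. The following Python is an added example and not part of the original post: it runs a few simple rules over constructed Sysmon-style events; the event format and the allow-list of processes permitted to speak SMTP are assumptions.

```python
import re

# Constructed sample telemetry (simplified Sysmon-style process/network events).
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /C choice /C Y /N /D Y /T 3 & Del "C:\Users\bob\AppData\Local\Temp\svc.exe"'},
    {"type": "network", "image": r"C:\Users\bob\AppData\Roaming\svc.exe",
     "dest_host": "bhavnatutor.com", "dest_port": 587},
    {"type": "network", "image": r"C:\Users\bob\AppData\Roaming\svc.exe",
     "dest_host": "ifconfig.me", "dest_port": 80},
    {"type": "network", "image": r"C:\Users\bob\AppData\Roaming\svc.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "network", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dest_host": "smtp.office365.com", "dest_port": 587},
]

# Pattern of the delayed self-delete command seen in the sample's strings:
# "choice /C Y /N /D Y /T <seconds> & Del <file>". Tolerates spacing/case changes.
SELF_DELETE_RE = re.compile(r"choice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+\d+\s*&\s*del\b", re.IGNORECASE)
C2_HOSTS = {"bhavnatutor.com"}                    # C&C host from the post (refanged)
EXFIL_HOSTS = {"api.telegram.org", "ifconfig.me"}  # third-party services the sample contacts
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumption: legitimate SMTP speakers


def triage(events):
    """Return (rule, process) hits for the Phoenix exfiltration and cleanup patterns."""
    hits = []
    for ev in events:
        proc = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["type"] == "process" and SELF_DELETE_RE.search(ev["cmdline"]):
            hits.append(("delayed_self_delete", proc))
        elif ev["type"] == "network":
            host = ev["dest_host"].lower()
            if host in C2_HOSTS:
                hits.append(("known_c2", proc))
            elif ev["dest_port"] == 587 and proc not in MAIL_CLIENTS:
                # SMTP submission from something that is not a mail client
                hits.append(("smtp_from_non_mail_client", proc))
            elif host in EXFIL_HOSTS:
                hits.append(("exfil_or_recon_service", proc))
    return hits


if __name__ == "__main__":
    for rule, proc in triage(EVENTS):
        print(f"{rule:28s} {proc}")
```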

Outlook registry:

118083:Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
118262:Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
118509:Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
118688:Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
