Keyloggers and stealers

Mutt


The article is presented for informational purposes only and does not call for action!

In this article, we will raise the issue of keyloggers and stealers. This is a fairly simple way to get data if you have access to the device or to the location of the computer. It is also possible to carry out infection through the network.
But first things first.

Keyloggers
A keylogger is a software or hardware device that is designed to record keyboard presses as well as mouse movements and clicks. Additionally, keyloggers can record the date and time of pressing, as well as take screenshots and video recordings of the screen. It is also possible to copy data from the clipboard. It turns out that even password managers are vulnerable to such things.

There are only three types of keyloggers: software, hardware and acoustic. In practice, I've only met the first two. Therefore, in the article we will talk about them in detail.

Software keyloggers exercise full control over the user's activities. Now the software can freely intercept information from windows, read clicks, intercept the clipboard, take screenshots and screen recordings, track mail, as well as intercept data from a webcam, printer, etc. A very important point: even if you have anti-virus protection, there is a possibility of detection only at the time of launch. It is quite difficult to notice the reading afterwards.

Hardware keyloggers are usually placed between the computer and the keyboard, or they can be built into the keyboard itself to intercept data. Hardware keyloggers do not require registration or additional installation of drivers. Typically, they have enough memory to record about 20 million keystrokes. They are quite difficult to detect.

Basically, these click logs are transmitted via E-mail, FTP and HTTP.

Examples of software keyloggers

Windows Spy Keylogger
Free software that allows you to track activity and keep a log file of keystrokes on the keyboard. You can intercept information such as chat conversations, social networks, as well as logins and passwords. You can hide the keylogger in the operating system. The developers of this program are the SecurityXploded group. Supported versions: Windows XP, 2003, Vista, Windows 7, 8, 8.1, 10.

[Screenshot: Windows Spy Keylogger]

This software does not have much functionality, you can only configure automatic launch, hidden mode, and check for updates.

The data log is stored at this path:
Code:
c:\temp\winspykeylogger

The report file has the name:
Code:
winsyslog101.txt

If you decide to use this program, it is better to change the location and names to other ones in order to make it less conspicuous.

JETLOGGER
Fairly strong in functionality; shareware. Allows you to get a general summary: activity time, programs, search queries, take screenshots, and also capture the clipboard. All features are available in the free version, except for the full hidden mode.

This software is really very powerful and can leave dozens of competitors behind. If it is possible to secretly install and run, then you can get all the data and files.

Test results on the machine.
Configuring sending data to mail.
Trial Watching Alert.

Observer
For mobile devices, the best program is Observer. The program is shareware and has good functionality. It can record calls, SMS, eavesdrop on a microphone, answer calls unnoticed by a person, show movement around the world map and satellites, photos and videos, correspondence, voice memos, documents, etc.

Additionally, you can find out if the SIM card will be changed. There is a list of applications, access to the calendar, etc. You can control it via SMS and the Internet.

The stealer consists of two programs: OBServer and Server. The first program is installed on the phone, the second on a second device or computer. The developers are really working on the product.

I think the essence is clear and simple; if you need something more serious, go to private boards and look for paid software.
Its main feature is encryption and the absence of signatures in the database. Thus, the likelihood that it will be detected is almost minimal.
Those that I described above are working, only they are detected by antiviruses.


Stealer
A stealer (from the English "to steal") is a certain class of Trojans (malware, viruses, whatever you want), the functionality of which consists entirely of stealing passwords stored in the system and sending them to the "author".

Logs are sent to FTP and mail.

UFR Stealer v4
The program is quite interesting, but it was last updated in 2013. Therefore, there may be problems with newer versions of Google Chrome. Among the useful functions: the ability to bind it with other files, sending by mail and FTP. The program is really not bad, but it is flagged by antiviruses.

After formation, the executable file can be sent to a USB flash drive or via the Internet. Passwords will be stolen after launch.

XSTEALER
The stealer has fairly simple functionality. After downloading, a panel opens that allows you to generate an executable file.

[Screenshot: XSTEALER interface]

When building the stealer itself, you can select a lot of parameters and make it look like a shortcut to some program. To do this, you can specify a name, organization, description, and also choose a convenient icon. If you don't have time to mess with it, then you can generate it randomly. We indicate the connection:
Code:
127.0.0.1
Port: 8500

[Screenshot: XSteal program interface]

In the screenshot, all parameters are randomly generated and the connection parameters are indicated. After that, you need to generate an .exe file.

Saving the executable file
Before running the file, you need to configure "Listening". We indicate the data that was used when the file was built. After that, you can add notifications about the new log file.

[Screenshot: Configuring "Listening ports"]

[Screenshot: Opening a log file]

After the connection is established, the information is displayed in the Logs file. To do this, double-click on the file and open the log file. After that, all passwords from browsers appear in the list. You can look at it in a text file or copy it to a USB flash drive.

[Screenshot: Log file of received passwords]

Conclusion
In any case, such methods can be used in penetration testing. After all, the reliability of the system is determined by the weakest link. This link can be a user who can leak all passwords and data through keyloggers and stealers. You understand the essence of the work, but good software can be found on private boards. There are quite budget versions with a license for one month at a price of $10-35.
 

Father

Keyloggers
At the end of last year, CERT-GIB analysts got a curious sample of malware: Snake Keylogger. Although, in fairness, we note that the object under study was more of a stealer, since the keylogger is only part of its functionality, the part responsible for logging keystrokes on the keyboard. This instance was not "caught" in its pure form, but already encrypted by the Cassandra crypter.

At the first glance at Snake Keylogger, it seemed that it was in beta testing, since many functions were inactive and entries from the configuration file were not used anywhere. What happened in reality, how this malicious program works, how it penetrates the victim's device and what protection mechanisms it uses, says Aleksey Chekhov, an analyst at CERT-GIB.

Spreading
Snake Keylogger is distributed through the official website, Telegram and Discord. At the moment, none of these communication sources are available, but this does not prevent cybercriminals from using malware in their attacks.

Fixing in the system (inactive in the sample under study)
Implemented trivially: Snake adds itself to autorun by changing the registry key:
Code:
HKCU\software\microsoft\windows\currentversion\run

CnC
Depending on the option selected in the configuration file, there are three options for interacting with the CnC:
  1. FTP
     When transferring via FTP, a file named {Computer name}{Data type}{Victim ID}{File extension} will be sent to the server.
     The data is not encrypted.
     The victim ID is formed as follows: the first part is specified in the configuration file, and the second part is a randomly generated 4-byte number.
  2. SMTP
     When transmitting via SMTP, a message of the following format will be generated:
     Subject: Pc Name: {Username} | Snake keylogger
     Body of the letter: {Data type} | {Username} | Snake\r\n{System Information}"\r\n\r\n"
     Attachment: {Data Type}.{Extension}
     All data is sent as an attachment. There is no encryption.
  3. Telegram
     The data is sent as an attached file.

Malicious functionality
Log file attachments have the following format:

[Screenshot: log file attachment format]

The very frequent mention of the malware's name in the logs looks rather strange.

Keylogger
The malware installs its own handler for keypress events on the keyboard. Logging is done as follows:
Code:
Backspace, Delete, End, F1-F11  ->  not recorded
F12                             ->  [F12]
TAB                             ->  [TAP]
ENTER                           ->  [Entr]
SPACE                           ->
Any other key                   ->  uppercase or lowercase character, depending on the position of the Shift and Caps Lock keys

After a certain period of time, the collected data is sent to the CnC. If sending is unsuccessful, the buffer for storing the log is not cleared. An interesting feature is that the malware deletes the cookies of the Chrome and Firefox browsers, as well as data from the general cookie repository in the system. This action, presumably, is performed so that the user has to re-enter accounts on various services - in this case, the data will be intercepted using a keylogger.

ScreenLogger
The configuration file sets the time interval after which a screenshot is taken. By default, this is 100 seconds. When the screenshot is taken, it is saved to the {My Documents}\SnakeKeylogger folder with the name Screenshot.png. Then an attempt is made to send the file. The file is deleted regardless of the result of sending.

Stealer
The malware can extract passwords from the following applications:
Code:
Browsers: 7Star, Amigo, Avast, BlackHawk, Blisk, Brave, Cent, Chedot, Chrome, Chrome_Canary, Chromium, Citrio, CocCoc, Comodo, CoolNovo, Coowon, Elements, Epic, Falkon, Ghost, Iridium, Iron, Kinzaa, Kometa, Liebao, Microsoft, Nichrome, Opera, Torbitum, QIPSurf, QQ, SalamWeb, Sleipnir, Slimjet, Sputnik, Superbird, Torch, UC, Uran, Vivaldi, Xpom, xVast, Yandex, CyberFox, Firefox, IceCat, IceDragon, Palemoon, Slim, WaterFox
Mail clients: Thunderbird, PostBox, Foxmail, Outlook
Messengers: Discord, Pidgin
FTP clients: FileZilla

Counteraction to Analysis

Anti-VM
The anti-virtualization mechanism is implemented trivially:
  1. Search for processes specific to virtual machines.
  2. Check for the presence of files specific to virtual machines.
  3. Check running processes for the presence of special software, including analysis tools.


Anti-Sandbox (inactive)
The method that implements the Anti-Sandbox functionality detects the victim's IP address and checks it against hardcoded IP addresses, some of which refer to the addresses of free VPN services. It also checks the hostname against typical honeypots. If there is a match, the process ends.



Other
To encrypt strings, the attackers use the open-source obfuscator Obfuscar. BedsProtector is also used to protect against static and dynamic analysis. In the sample under study, two protection functions were applied:
  1. The first is the so-called AntiTamper. This function decrypts the program code after its launch, which makes static analysis of the main part of the program impossible.
  2. The second function checks whether the COR_ENABLE_PROFILING environment variable is set, which allows it to detect whether a profiler is attached to the CLR.
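A defender-side check for the SMTP exfiltration format and the bracketed key tokens described in this post, as an added example that is not part of the original write-up or of CERT-GIB's tooling; the sample message is constructed and the function name is my own:

```python
import re
from email import message_from_string

# Patterns derived from the SMTP exfiltration format described in the write-up:
#   Subject: "Pc Name: {Username} | Snake keylogger"
#   Body:    "{Data type} | {Username} | Snake" followed by system information
SUBJECT_RE = re.compile(r"^Pc Name:\s*(?P<user>.+?)\s*\|\s*Snake keylogger\s*$", re.I)
BODY_RE = re.compile(r"^(?P<dtype>[^|\r\n]+?)\s*\|\s*[^|\r\n]+?\s*\|\s*Snake\b", re.I | re.M)
# Bracketed tokens the keylogger writes for TAB, ENTER and F12 (see the key table above)
KEY_TOKENS = ("[TAP]", "[Entr]", "[F12]")


def inspect_message(raw: str):
    """Return details if the mail matches the Snake Keylogger format, else None."""
    msg = message_from_string(raw)
    m = SUBJECT_RE.match(msg.get("Subject", ""))
    if not m:
        return None
    data_type, attachments, token_hits = None, [], 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        text = part.get_payload(decode=True).decode("utf-8", "replace")
        name = part.get_filename()
        if name:  # attachment: count keylog markers inside it
            attachments.append(name)
            token_hits += sum(text.count(tok) for tok in KEY_TOKENS)
        elif data_type is None:  # plain body: parse the "{Data type} | ..." line
            bm = BODY_RE.search(text)
            data_type = bm.group("dtype").strip() if bm else None
    return {"user": m.group("user").strip(), "data_type": data_type,
            "attachments": attachments, "keylog_tokens": token_hits}


# Constructed sample message in the described format (not a real capture)
SAMPLE_ALERT = """\
Subject: Pc Name: jdoe | Snake keylogger
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Keystrokes | jdoe | Snake
OS: Windows 10 (constructed)
--b1
Content-Type: text/plain; name="Keystrokes.txt"
Content-Disposition: attachment; filename="Keystrokes.txt"

login[TAP]hunter2[Entr]
--b1--
"""
```

Run it over outbound mail captured at a gateway or from a sandbox; a non-None result with a non-zero keylog_tokens count is a strong indicator of the format described above.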