In recent years mobile Trojans have been steadily displacing Trojans for personal computers, so the appearance of new malware for good old desktop machines, and its active use by cybercriminals, is still a notable event, however unpleasant. Recently, CERT Group-IB's 24/7 information security incident response center detected an unusual phishing email that concealed new PC malware combining the functions of a keylogger and a password stealer. What caught the analysts' attention was how the spyware reached the user's machine: through a popular voice messenger. Ilya Pomerantsev, a malware analysis specialist at CERT Group-IB, explains how the malware works, why it is dangerous, and how its creator was traced to distant Iraq.
So, let's go in order.
Disguised as an attachment, the email contained an image; clicking it took the user to cdn.discordapp.com, from where a malicious file was downloaded.
Using Discord, a free voice and text messenger, for this is rather unconventional; other instant messengers or social networks are typically used for such purposes.
More detailed analysis identified the malware family: a newcomer to the malware market, 404 Keylogger.
The first advertisement for the sale of the keylogger was posted on hackforums by a user with the nickname “404 Coder” on August 8. The store domain was registered quite recently, on September 7, 2019.
According to the developers' website, 404projects[.]xyz, 404 is a tool that helps companies learn about the activities of their clients (with their permission), or that is needed by those who want to protect their binaries from reverse engineering. Looking ahead: 404 definitely does not cope with the latter task.
We decided to reverse one of the files and check what “BEST SMART KEYLOGGER” is.
Malware ecosystem
Loader 1 (AtillaCrypter)
The source file is protected with EaxObfuscator and performs a two-stage extraction of AtProtect from the resources section. Analysis of other samples found on VirusTotal showed that this stage was not provided by the developer himself but was added by his client. It was later determined that this loader is AtillaCrypter.
Loader 2 (AtProtect)
This loader is in fact an integral part of the malware and, by the developer's intention, is meant to take on the anti-analysis functionality. In practice, however, the protection mechanisms are extremely primitive, and our systems detect this malware successfully.
The main module is loaded with Franchy ShellCode, of which different versions were observed. We do not rule out that other techniques, such as RunPE, could be used as well.
Persistence
Persistence is handled by the AtProtect loader if the corresponding flag is set:
- The file is copied to %AppData%\GFqaak\Zpzwm.exe.
- The file %AppData%\GFqaak\WinDriv.url is created; it launches Zpzwm.exe.
- A value that launches WinDriv.url is added under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
The .url indirection is the useful detail for hunting: a Run value whose data ends in .url and resolves to an executable under %AppData% is unusual for legitimate software.
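As a worked triage check for this chain (an added example written for this page, not a Group-IB tool): the function below takes Run-key values and the contents of the .url files they point to, follows the InternetShortcut target, and flags values that end up at an executable under %AppData%. The registry entries, user name and .url text are constructed to mirror the description above; a real run would read them from the NTUSER.DAT hive and the file system.

```python
"""Triage Run-key values that launch a .url shortcut pointing at an executable
under %AppData%, the persistence pattern described above.

Added example for this page, not Group-IB tooling. RUN_VALUES and FILES are
constructed stand-ins for data a real run would read from the registry hive
and disk.
"""
import configparser
import re

# Constructed HKCU\...\Run values (name -> data). The second entry is a benign
# decoy that must not be flagged.
RUN_VALUES = {
    "WinDriv": r"C:\Users\alice\AppData\Roaming\GFqaak\WinDriv.url",
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}

# Constructed file contents keyed by path; a Windows .url file is an INI file
# with an [InternetShortcut] section, and a file:/// URL launches a local file.
FILES = {
    r"C:\Users\alice\AppData\Roaming\GFqaak\WinDriv.url":
        "[InternetShortcut]\nURL=file:///C:/Users/alice/AppData/Roaming/GFqaak/Zpzwm.exe\n",
}

# Target that looks like the article's chain: an .exe somewhere below \AppData\
SUSPICIOUS_TARGET_RE = re.compile(r"\\appdata\\.*\.exe$", re.I)


def parse_internet_shortcut(text):
    """Return the URL= value of an [InternetShortcut] file, or None."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback=None)


def file_url_to_path(url):
    """file:///C:/a/b.exe -> C:\a\b.exe; anything else is returned unchanged."""
    if url.lower().startswith("file:///"):
        return url[len("file:///"):].replace("/", "\\")
    return url


def triage_run_values(run_values, files):
    """Return (value_name, url_path, resolved_target) for every Run value that
    starts a .url whose target is an executable under %AppData%.
    A .url that cannot be read is reported too, since the value itself is odd."""
    findings = []
    for name, data in run_values.items():
        command = data.strip().strip('"')
        if not command.lower().endswith(".url"):
            continue
        content = files.get(command)
        if content is None:
            findings.append((name, command, "<.url file not readable>"))
            continue
        target = parse_internet_shortcut(content)
        if target is None:
            continue
        resolved = file_url_to_path(target)
        if SUSPICIOUS_TARGET_RE.search(resolved):
            findings.append((name, command, resolved))
    return findings


if __name__ == "__main__":
    for finding in triage_run_values(RUN_VALUES, FILES):
        print("suspicious Run value %s -> %s -> %s" % finding)
```

On a live system the same logic is fed from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (or a parsed NTUSER.DAT) and the .url files read from disk; the check deliberately ignores the value name, because the name is attacker-chosen and the .url-to-%AppData%-executable shape is what matters.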
Interaction with C&C
AtProtect loader
If the corresponding flag is present, the malware can launch a hidden Internet Explorer process and open the specified link to notify the server of a successful infection.
DataStealer
Regardless of the exfiltration method used, network communication begins by obtaining the victim's external IP address from the [http]://checkip[.]dyndns[.]org/ service, with the following User-Agent:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
The general structure of the message is the same for all methods. It begins with the header |——- 404 Keylogger — {Type} ——-|, where {Type} corresponds to the kind of information being transmitted. This is followed by information about the system:
_______ + VICTIM INFO + _______
IP: {External IP}
Owner Name: {Computer Name}
OS Name: {OS Name}
OS Version: {OS Version}
OS PlatForm: {Platform}
RAM Size: {RAM Size}
______________________________
And finally the transmitted data itself.
SMTP
The email subject has the form: 404 K | {Message Type} | Client Name: {Username}.
Interestingly, the emails are delivered to the 404 Keylogger client through the developers' own SMTP server. This made it possible to identify some of the clients, as well as the email address of one of the developers.
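A parser for this message format (header, VICTIM INFO block, data), the SMTP subject line and the User-Agent quoted above, as an added example written for this page rather than Group-IB's or the malware's code. SAMPLE_MESSAGE is constructed from the template; the code assumes one VICTIM INFO field per line (it also accepts them run together), that the header's dash runs may mix -, – and —, and that field names are exactly as quoted.

```python
"""Parse 404 Keylogger exfiltration messages, SMTP subjects and the User-Agent
quoted on this page. Added example; not Group-IB's or the malware's code.
"""
import re

# |——- 404 Keylogger — {Type} ——-|  (dash runs tolerated in any of -, –, —)
HEADER_RE = re.compile(r"^\|[—–\-]+\s*404 Keylogger\s*[—–\-]+\s*(?P<type>.+?)\s*[—–\-]+\|$")
VICTIM_START_RE = re.compile(r"^_+\s*\+\s*VICTIM INFO\s*\+\s*_+$")
VICTIM_END_RE = re.compile(r"^_+$")
VICTIM_KEYS = ("IP", "Owner Name", "OS Name", "OS Version", "OS PlatForm", "RAM Size")
_KEYS = "|".join(re.escape(k) for k in VICTIM_KEYS)
# "Key: value" pairs; a value ends at the next known key or at the end of text,
# so the block parses whether the fields are on separate lines or on one.
FIELD_RE = re.compile(r"(?P<key>%s):\s*(?P<value>.*?)(?=\s+(?:%s):|\s*$)" % (_KEYS, _KEYS), re.S)
# 404 K | {Message Type} | Client Name: {Username}
SUBJECT_RE = re.compile(r"^404 K\s*\|\s*(?P<type>[^|]+?)\s*\|\s*Client Name:\s*(?P<client>.+?)\s*$")
# The quoted UA lacks the space a genuine .NET 1.0 client puts in ".NET CLR 1.0.3705",
# which makes an exact match a cheap network indicator.
UA_404K = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"

# Constructed sample following the template above (not a real capture).
SAMPLE_MESSAGE = """|——- 404 Keylogger — Keylogger ——-|
_______ + VICTIM INFO + _______
IP: 203.0.113.7
Owner Name: DESKTOP-TEST
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19041
OS PlatForm: Win32NT
RAM Size: 16 GB
______________________________
[notepad.exe] hello wor[BackSpace]ld
"""


def parse_message(text):
    """Return {'type', 'victim', 'payload'} or None if the 404 header is absent."""
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    if not lines:
        return None
    header = HEADER_RE.match(lines[0].strip())
    if not header:
        return None
    victim, i = {}, 1
    if i < len(lines) and VICTIM_START_RE.match(lines[i].strip()):
        block = []
        i += 1
        while i < len(lines) and not VICTIM_END_RE.match(lines[i].strip()):
            block.append(lines[i].strip())
            i += 1
        i += 1  # skip the closing underscore line
        victim = {k: v for k, v in FIELD_RE.findall(" ".join(block))}
    return {"type": header.group("type"), "victim": victim, "payload": lines[i:]}


def parse_subject(subject):
    """Return (message_type, client_name) from an SMTP subject, or None."""
    m = SUBJECT_RE.match(subject.strip())
    return (m.group("type"), m.group("client")) if m else None


def is_404k_user_agent(user_agent):
    """Exact match on the User-Agent the stealer sends to checkip.dyndns.org."""
    return user_agent.strip() == UA_404K


if __name__ == "__main__":
    print(parse_message(SAMPLE_MESSAGE))
    print(parse_subject("404 K | Passwords | Client Name: Vavaa"))
```

Fed with the body of a captured SMTP message or the A{number}.txt file from the FTP path, `parse_message` yields the victim fields for enrichment and the raw payload lines for review; the subject parser gives the client name, which is what made the operator attribution in the text possible.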
FTP
With this method, the collected information is first saved to a file and immediately read back from it. The logic behind this is not entirely clear, but it creates an additional artifact for writing behavioral rules:
%HOMEDRIVE%%HOMEPATH%\Documents\A{Arbitrary number}.txt
Pastebin
At the time of analysis this method is used only to transfer stolen passwords, and not as an alternative to the first two but in parallel with them. The condition is that a constant equals the value “Vavaa”; presumably this is a client name.
Interaction takes place over HTTPS via the pastebin API. The api_paste_private value is PASTE_UNLISTED, which keeps such pastes out of pastebin search (unlisted pastes remain readable by anyone who has the URL).
How to remove a keylogger
A comprehensive anti-keylogger should check everything running on the computer, from the BIOS and the operating system to background services, as well as network settings, browser plug-ins and browser settings.
To get rid of a keylogger you may have to reinstall the operating system.
Many keyloggers are rootkits, so a specialized anti-rootkit utility may also be required. Below is a list of programs that help remove keyloggers.
SpyShelter
The utility has several levels of anti-keylogger protection. Once installed, it runs continuously and can block keyloggers from being installed on the PC.
SpyShelter's second line of defense is checking for suspicious operations; if it detects malware, it attempts to remove it.
For full protection, SpyShelter encrypts keystrokes so that intercepting them is pointless for a keylogger.
Zemana
Zemana provides a full suite of anti-malware tools, but they identify keyloggers less well than the previous utility.
Zemana also includes a data encryption tool, an ad blocker and a malware scanner.
The utility runs constantly in the background, monitoring activity and scanning downloads for malware.
Malwarebytes Anti-Rootkit
The application scans the operating system for a range of rootkits, not just keyloggers.
The utility scans the system on demand and does not run continuously. If the cleaning operation does not solve all problems, the accompanying fixdamage tool can be used; it helps restore the firewall configuration.
Norton Power Eraser
Norton Power Eraser scans the computer more deeply than regular antivirus programs. If it detects suspicious files, it deletes them immediately. This approach can lead to the unexpected loss of needed applications, so after using Norton Power Eraser you may have to reinstall the required software.
Bitdefender Rootkit Remover
Bitdefender tends to detect new rootkits before its competitors: as soon as its scanners find a new sample, it is added to the spyware database.
aswMBR Rootkit Scanner
This rootkit scanner is an Avast product and is completely free to use.
GMER
GMER is an alternative to aswMBR.
Sophos Rootkit Removal
This program scans the operating system on demand and removes rootkits, including keyloggers.
Kaspersky Security Scan
The free version of Kaspersky Security Scan checks the computer for malware; the vendor's paid products include personal data protection modules.
McAfee Rootkit Remover
Another free rootkit removal tool from one of the industry leaders. This on-demand utility scans the system and removes the malware it finds.
Encryption algorithms
Retrieving a file from resources
The payload is stored in the AtProtect resources as bitmap images. Extraction is carried out in several stages:
- An array of bytes is extracted from the image. Each pixel is treated as a sequence of 3 bytes in BGR order. After extraction, the first 4 bytes of the array hold the length of the message, and the following bytes hold the message itself.
- The key is derived. MD5 is computed over the value “ZpzwmjMJyfTNiRalKVrcSkxCN”, which serves as the password, and the resulting hash is written twice (giving a 32-byte key).
- Decryption is performed with AES in ECB mode.
Since the password is a hard-coded constant, the key is the same for every sample built with this version, and the payload can be extracted statically.
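The three steps above, carried through as an added example written for this page (not the malware's or Group-IB's code). It assumes, because the text does not say: pixels are walked top-to-bottom, left-to-right; the 4-byte length prefix is little-endian; "hash written twice" means the raw 16-byte MD5 digest concatenated with itself (a 32-byte AES-256 key); PKCS#7 padding. The carrier bitmap is constructed by a helper so the carving runs offline; AES decryption needs pycryptodome, which is imported lazily so the carving works without it.

```python
"""Carve a length-prefixed blob from a 24-bpp BMP and decrypt it the way the
AtProtect loader is described to: pixel bytes in BGR order, 4-byte length
prefix, key = MD5(password) written twice, AES-ECB.

Added example for this page; scan order, endianness, key layout and padding
are assumptions (see lead-in). Decryption needs pycryptodome.
"""
import hashlib
import struct

PASSWORD = "ZpzwmjMJyfTNiRalKVrcSkxCN"  # constant quoted in the article


def derive_key(password=PASSWORD):
    """MD5(password) written twice -> 32 bytes, usable as an AES-256 key."""
    digest = hashlib.md5(password.encode("ascii")).digest()
    return digest + digest


def carve_pixels(bmp):
    """Return the raw B,G,R byte stream of a 24-bpp BMP in scan order.
    Parses BITMAPFILEHEADER/BITMAPINFOHEADER, honours 4-byte row padding and
    the bottom-up row order BMP uses when the height is positive."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    pixel_offset = struct.unpack_from("<I", bmp, 10)[0]
    width, height = struct.unpack_from("<ii", bmp, 18)
    bpp = struct.unpack_from("<H", bmp, 28)[0]
    if bpp != 24:
        raise ValueError("expected a 24-bpp bitmap, got %d bpp" % bpp)
    row_bytes = width * 3
    stride = (row_bytes + 3) & ~3          # rows are padded to 4-byte multiples
    rows = [bmp[pixel_offset + r * stride: pixel_offset + r * stride + row_bytes]
            for r in range(abs(height))]
    if height > 0:
        rows.reverse()                      # positive height = stored bottom-up
    return b"".join(rows)


def split_message(stream):
    """First 4 bytes hold the message length; the message follows."""
    (length,) = struct.unpack_from("<I", stream, 0)
    if length > len(stream) - 4:
        raise ValueError("length prefix exceeds carrier size")
    return stream[4:4 + length]


def extract_from_bmp(bmp):
    """Steps 1 and 2: carve the pixel bytes, then peel off the length prefix."""
    return split_message(carve_pixels(bmp))


def decrypt_payload(ciphertext, key=None):
    """Step 3: AES-256-ECB decrypt and strip PKCS#7 padding (pycryptodome)."""
    from Crypto.Cipher import AES       # lazy import: carving works without it
    key = key or derive_key()
    plain = AES.new(key, AES.MODE_ECB).decrypt(ciphertext)
    pad = plain[-1] if plain else 0
    if not 1 <= pad <= 16 or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding: wrong key or not an AtProtect blob")
    return plain[:-pad]


def build_carrier_bmp(message, width=8):
    """Constructed helper: wrap a length-prefixed message in a bottom-up,
    row-padded 24-bpp BMP so the carving code can be exercised offline."""
    stream = struct.pack("<I", len(message)) + message
    row_bytes = width * 3
    stride = (row_bytes + 3) & ~3
    height = -(-len(stream) // row_bytes)   # ceiling division
    stream += b"\x00" * (height * row_bytes - len(stream))
    rows = [stream[r * row_bytes:(r + 1) * row_bytes] for r in range(height)]
    pixel_data = b"".join(row + b"\x00" * (stride - row_bytes) for row in reversed(rows))
    header = (b"BM" + struct.pack("<IHHI", 54 + len(pixel_data), 0, 0, 54)
              + struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                            len(pixel_data), 2835, 2835, 0, 0))
    return header + pixel_data


if __name__ == "__main__":
    secret = b"constructed sample payload, not a real AtProtect blob"
    print(extract_from_bmp(build_carrier_bmp(secret)) == secret)   # True
    print("key:", derive_key().hex())
```

Against a real sample, dump the bitmap resource (for example with a .NET resource extractor), pass the bytes to `extract_from_bmp`, then to `decrypt_payload`; a padding error means one of the assumptions above (scan order, endianness or key layout) does not match that build.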
Keylogger: Free Keylogger
It can intercept keyboard input, clipboard contents and URLs from the browser address bar. There are a few less obvious functions, for example a hidden operating mode (Ctrl+Shift+Alt+U), removal of program shortcuts and hiding from the list of installed programs. The program's disadvantage: in the free version the most important function, hiding from the user, cannot be enabled. Autorun in Windows is possible, but the running program blinks tellingly in the tray; it cannot be hidden from view, and a window pops up saying that the function is available in the paid version, as are some others.
The program has a single window, in which you can:
- allow the program to start immediately when the system starts;
- hide the program from the Start menu;
- intercept browser addresses and (on the right) the names of running programs;
- receive a daily report to the email address specified in the field.
During installation you will have to fight with your antivirus for several minutes, because neither the setup nor the launch of the utility escapes it.
Malicious functionality
Downloader
Implemented in the AtProtect loader.
- A request to [activelink-repalce] asks the server whether it is ready to send the file. The server should return “ON”.
- The [downloadlink-replace] link downloads the payload.
- FranchyShellcode is used to inject the payload into [inj-replace].
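For dynamic analysis in an isolated lab, a sinkhole that answers these two requests lets the downloader run to completion without touching the real server. The following is an added example written for this page, not Group-IB's or the malware author's code: the paths /active and /file stand in for the builder's [activelink-repalce] and [downloadlink-replace] values (which are per-build and not given on this page), the served bytes are a constructed placeholder, and the client function mirrors the described logic so the sinkhole can be tested on its own.

```python
"""Minimal sinkhole for the two-request downloader exchange described above,
plus a client that mirrors the downloader's logic for testing it.

Added example for this page. Paths, payload bytes and the exact-"ON" check
are assumptions: the real paths come from the builder placeholders.
"""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ACTIVE_PATH = "/active"      # stands in for [activelink-repalce]
DOWNLOAD_PATH = "/file"      # stands in for [downloadlink-replace]
FAKE_PAYLOAD = b"placeholder bytes standing in for the real payload"


class Fake404C2(BaseHTTPRequestHandler):
    """Answers the status and download requests and records each request."""
    status = b"ON"           # flip to b"OFF" to see the client refuse to download
    log = []                 # (path, User-Agent) per request, for inspection

    def do_GET(self):
        Fake404C2.log.append((self.path, self.headers.get("User-Agent")))
        if self.path == ACTIVE_PATH:
            body, ctype = Fake404C2.status, "text/plain"
        elif self.path == DOWNLOAD_PATH:
            body, ctype = FAKE_PAYLOAD, "application/octet-stream"
        else:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep stderr quiet; we log in do_GET
        pass


def start_fake_c2(host="127.0.0.1", port=0):
    """Serve on a background thread; port 0 picks a free port. Returns (server, base_url)."""
    server = HTTPServer((host, port), Fake404C2)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://%s:%d" % server.server_address


def fetch_payload(base_url, timeout=5):
    """Client mirroring the downloader: ask for status, download only on 'ON'."""
    with urllib.request.urlopen(base_url + ACTIVE_PATH, timeout=timeout) as resp:
        status = resp.read().decode("ascii", "replace").strip()
    if status != "ON":
        return None
    with urllib.request.urlopen(base_url + DOWNLOAD_PATH, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    server, url = start_fake_c2()
    try:
        data = fetch_payload(url)
        print(len(data or b""), "bytes received; requests seen:", Fake404C2.log)
    finally:
        server.shutdown()
        server.server_close()
```

In the lab the sample's resolver entries for the C&C host are pointed at the sinkhole, and the recorded (path, User-Agent) pairs give the real placeholder values for that build without needing to decrypt the configuration.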
Analysis of 404projects[.]xyz on VirusTotal identified additional 404 Keylogger samples, as well as several types of downloaders. Conventionally, they fall into two types:
- Downloading from 404projects[.]xyz; the data is Base64-encoded and AES-encrypted.
- A multi-stage variant, most likely used in conjunction with the AtProtect loader:
  - In the first stage, the data is loaded from pastebin and decoded with HexToByte.
  - In the second stage, the download source is 404projects[.]xyz; the decompression and decoding functions are similar to those found in DataStealer. The downloader functionality was probably originally meant to live in the main module.
  - At this stage, the payload is already present in the resource manifest in compressed form. Similar extraction functions were also found in the main module.
Among the delivered payloads were njRat, SpyGate and other RATs.
Keylogger
Log sending period: 30 minutes.
All characters are supported; special characters are escaped. The BackSpace and Delete keys are handled. Letter case is preserved.
ClipboardLogger
Log sending period: 30 minutes.
Clipboard polling period: 0.1 seconds.
Links are escaped.
ScreenLogger
Log sending period: 60 minutes.
Screenshots are saved to %HOMEDRIVE%%HOMEPATH%\Documents\404k\404pic.png.
After sending, the 404k directory is deleted.
PasswordStealer
| Browsers | Mail clients | FTP clients |
|---|---|---|
| Chrome | Outlook | FileZilla |
| Firefox | Thunderbird | |
| SeaMonkey | Foxmail | |
| IceDragon | | |
| PaleMoon | | |
| Cyberfox | | |
| Chrome | | |
| BraveBrowser | | |
| QQBrowser | | |
| IridiumBrowser | | |
| XvastBrowser | | |
| Chedot | | |
| 360Browser | | |
| ComodoDragon | | |
| 360Chrome | | |
| SuperBird | | |
| CentBrowser | | |
| GhostBrowser | | |
| IronBrowser | | |
| Chromium | | |
| Vivaldi | | |
| SlimjetBrowser | | |
| Orbitum | | |
| CocCoc | | |
| Torch | | |
| UCBrowser | | |
| EpicBrowser | | |
| BliskBrowser | | |
| Opera | | |
Counteraction to dynamic analysis
- Checking whether the process is being analyzed. Implemented by searching for the processes taskmgr, ProcessHacker, procexp64, procexp and procmon. If at least one is found, the malware exits.
- Checking for a virtual environment. Implemented by searching for the processes vmtoolsd, VGAuthService, vmacthlp, VBoxService and VBoxTray. If at least one is found, the malware exits.
- Sleeping for 5 seconds.
- Displaying various kinds of dialog boxes, which can be used to bypass some sandboxes.
- UAC bypass. Performed by editing the EnableLUA registry value in the Group Policy settings. Note that this is a UAC disable rather than a bypass: writing EnableLUA (under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) already requires administrative rights, and the change takes effect only after a reboot.
- Applying the “Hidden” attribute to the current file.
- Ability to delete the current file.
Keylogger: KidLogger
Free and open source. It can work with USB devices, records audio from the microphone and works with Skype. Log files can be viewed locally or remotely through a specially created online account. It runs in hidden mode but is visible in Task Manager. It can be password-protected, but then it has to be launched from a shortcut, which is not really a problem if the launch is registered in Windows startup. You can download it from the link and choose the desired operating system there (the Windows version is in the archive):
Inactive features
During analysis of the loader and the main module, functions were found that implement additional functionality but are not used anywhere. This is probably because the malware is still under development and its functionality will be expanded soon.
AtProtect loader
A function was found that loads an arbitrary module and injects it into msiexec.exe.
DataStealer
- Persistence
- Decompression and decryption functions. It is likely that encryption of network communication will be implemented soon.
- Terminating antivirus processes. The list of process names checked follows; note that it also covers debuggers and analysis tools such as olydbg, wireshark, anubis and keyscrambler:
zlclient | Dvp95_0 | Pavsched | avgserv9 |
egui | Ecengine | Pavw | avgserv9schedapp |
bdagent | Esafe | PCCIOMON | avgemc |
npfmsg | Espwatch | PCCMAIN | ashwebsv |
olydbg | F-Agnt95 | Pccwin98 | ashdisp |
anubis | Findvir | Pcfwallicon | ashmaisv |
wireshark | Fprot | Persfw | ashserv |
avastui | F-Prot | POP3TRAP | aswUpdSv |
_Avp32 | F-Prot95 | PVIEW95 | symwsc |
vsmon | Fp-Win | Rav7 | norton |
mbam | Frw | Rav7win | Norton Auto-Protect |
keyscrambler | F-Stopw | Rescue | norton_av |
_Avpcc | Iamapp | Safeweb | nortonav |
_Avpm | Iamserv | Scan32 | ccsetmgr |
Ackwin32 | Ibmasn | Scan95 | ccevtmgr |
Outpost | Ibmavsp | Scanpm | avadmin |
Anti-Trojan | Icload95 | Scrscan | avcenter |
ANTIVIR | Icloadnt | Serv95 | avgnt |
Apvxdwin | Icmon | Smc | avguard |
ATRACK | Icsupp95 | SMCSERVICE | avnotify |
Autodown | Icsuppnt | Snort | avscan |
Avconsol | Iface | Sphinx | guardgui |
Ave32 | Iomon98 | Sweep95 | nod32krn |
Avgctrl | Jedi | SYMPROXYSVC | nod32kui |
Avkserv | Lockdown2000 | Tbscan | clamscan |
Avnt | Lookout | Tca | clamTray |
Avp | Luall | Tds2-98 | clamWin |
Avp32 | MCAFEE | Tds2-Nt | freshclam |
Avpcc | Moolive | TermiNET | oladdin |
Avpdos32 | MPftray | Vet95 | sigtool |
Avpm | N32scanw | Vettray | w9xpopen |
Avptc32 | NAVAPSVC | Vscan40 | Close |
Avpupd | NAVAPW32 | Vsecomr | cmgrdian |
Avsched32 | NAVLU32 | Vshwin32 | alogserv |
AVSYNMGR | Navnt | Vsstat | mcshield |
Avwin95 | NAVRUNR | Webscanx | vshwin32 |
Avwupd32 | Navw32 | WEBTRAP | avconsol |
Blackd | Navwnt | Wfindv32 | vsstat |
Blackice | NeoWatch | Zonealarm | avsynmgr |
Cfiadmin | NISSERV | LOCKDOWN2000 | avcmd |
Cfiaudit | Nisum | RESCUE32 | avconfig |
Cfinet | Nmain | LUCOMSERVER | licmgr |
Cfinet32 | Normist | avgcc | sched |
Claw95 | NORTON | avgcc | preupd |
Claw95cf | Nupgrade | avgamsvr | MsMpEng |
Cleaner | Nvc95 | avgupsvc | MSASCui |
Cleaner3 | Outpost | avgw | Avira.Systray |
Defwatch | Padmin | avgcc32 | |
Dvp95 | Pavcl | avgserv | |
- Self-destruction
- Loading data from the specified resource manifest
- Copying the file to %Temp%\tmpG\[Current date and time in milliseconds].tmp. Interestingly, an identical function is present in the AgentTesla malware.
- Worm functionality. The malware obtains the list of removable media and creates a copy of itself in the root of each drive's file system under the name Sys.exe. Autorun is implemented via autorun.inf. Note that Windows has not honored autorun.inf on USB media by default since 2011, so this spreading method only works on old or misconfigured systems.
Attacker profile
During analysis of the command center, the developer's email address and nicknames were established: Razer, aka Brwa, Brwa65, HiDDen PerSOn, 404 Coder. We then found an interesting video on YouTube demonstrating work with the builder, which led us to the developer's original channel.
It became clear that he had experience in writing crypters. Links to social-network pages were also found, as well as the author's real name. He turned out to be a resident of Iraq.
This is what a 404 Keylogger developer supposedly looks like. Photo from his personal Facebook profile.
Recording keyboard on Android: review of the 5 best keyloggers
One of the most reliable and easiest ways to monitor a phone is to install a specialized keylogger application for Android on it. It records keyboard input without outside intervention, even on modern touch-screen Androids.
Such programs must be installed on the device manually, once. After installation they immediately begin recording keyboard activity automatically: everything the finger touches while messaging, logging in, playing games, using the calculator and much more. However, not all keyloggers work flawlessly. To save you time searching for something that actually works, we have collected the five best keystroke-recording programs, time-tested and tested by users.
Pros and cons of keyloggers for Android
Pros of keyboard recording software
Data archiving. A keystroke-recording program literally saves every keypress, so all actions are preserved and deleted correspondence or payments can be reconstructed from them.
Litigation. In our practice there have been many cases where a keystroke recorder helped gain access to the text a suspect typed on his phone. This applies especially to accounting calculations, which simply cannot be intercepted any other way; screenshots and the keystroke record are what help here.
Corporate monitoring of employees. Identifying dishonest employees, leaks of confidential information, password guessing (an employee entering various options many times), job hunting and wasting working time are only some of the problems keystroke monitoring can help identify.
Parental control. Here a keystroke recorder is simply indispensable. Full-fledged parental control programs (ordinary trackers aside) can track the child's location and show correspondence on social networks and photos the child receives or takes, whether deleted after viewing or saved in the gallery. The keylogger option, however, gives you even more: the conversations the child has inside games on the phone or tablet. This really does let you learn the child's real character and level of communication (see Which parental controls on the phone are better).
Recovering deleted correspondence. Since keystrokes are recorded the moment a button is pressed on the phone or tablet screen, it no longer matters whether the message was later deleted from the chat.
Tracking without root rights. As is well known, rooting a phone on the latest Android versions is becoming harder and harder, so developers of specialized programs are adding keystroke recording: a unique opportunity to see all of a person's correspondence without root rights.
Disadvantages of the program for recording keys
Hidden, unnoticed operation. In the overwhelming majority of cases, keystroke recording happens unnoticed, and programs with this option work in the background (hidden) mode. This fact itself can become the main disadvantage of using such a program.
Consequences of installation. If the program is installed incorrectly and the person whose keystrokes you wanted to record somehow discovers it, there will be a scandal at the very least. So be sure to tell the person that software is installed on their phone that records all keystrokes on the touch screen and archives all their actions, and that, if necessary, they can review all their calculations, remote correspondence and other activity.
Top 5 best keyloggers for Android for 2020
FlexiSPY. Basic limited version and premium plan
This keystroke-recording program offers excellent monitoring of absolutely all actions on the phone. It has a multilingual interface, is easy to install and has millions of users worldwide. A free demo version with greatly reduced functionality is offered first; you can then pay for the “basic” plan, which is also limited. To use the program to its fullest you will need to pay $68 per month or $199 for 3 months, depending on the chosen plan.
Spyzie. Expensive, but nice
This keystroke-recording program runs in the background and shows no activity on the phone. Root is not needed, as keyboard interception also works on a non-rooted phone. It installs on all Android devices above version 4. An interesting application with many fans; quite expensive to use ($40 per month and $50 for 3 months), but reliable and easy to use.
Cocospy. Surveillance you can't see
A modern application with a highly efficient function for recording keystrokes on an Android smartphone. It saves all characters typed on the keyboard and transmits them in the log, so you can see everything written in chats, in games and in private conversations, as well as logins and passwords for social networks and other applications. The keyboard-recording program can be downloaded from the website for free, and there is a free trial period. It is positioned as an effective tool for monitoring children's phones.
Spyic. It's easy to keep track of conversations
A keylogger accessible to everyone: easy installation, quick setup. This keystroke-recording program lets you see every letter and every symbol typed by your child, employee, spouse or loved one on their phone, and intercept logins and passwords. In addition, you receive call details, device coordinates, browser history and photos.
Reptilicus. More than 50 functions. Universal spy.
The best keylogger for Android that works without root. This keyboard-recording program is a universal multifunctional application that gives full control over the Android phones it is installed on: reading correspondence and SMS messages, monitoring photos, determining location, automatic screenshots, recording phone conversations and voice messages and, of course, recording keystrokes. The Reptilicus program offers:
- Possibility to record keyboard for free.
- Loyal prices and substantial discounts (up to 60%) for payments over 6 months.
- You can monitor 10 phones at once for the price of 1 account.
- Free trial period.
- Detailed manual in Russian.
- 24/7 technical support and online consultation.
Full parental controls with browsing history, blocking of certain applications, switching on an alarm on the phone, switching on the microphone for recording and much more. Keyboard recording can also be set up on a computer: see the Reptilicus Windows page or contact our consultants.
Main questions
1. Does the keystroke-recording program work on any Android? It works well on modern phones, but will not work on Android versions 3, 2 and 1.
2. What is the difference between a keystroke-recording program and a spy program? Practically none. There are, of course, keystroke recorders that replace the keyboard with “their own” and record all keypresses that way, but for the vast majority it is the same thing.
3. Is the keystroke-recording program detected by antiviruses? Yes, some antiviruses can detect software installed on the phone, since they regard it as spyware. In high-quality services such as Reptilicus this issue is addressed and the antivirus coexists with it.
4. Can the keystroke-recording program be installed remotely? No, installation is manual only. It is fast and does not take much time.
5. Is it possible to record keystrokes discreetly? Yes. The keyboard-recording program works unnoticed, without outwardly showing its activity; it is almost impossible to detect on the phone. It records and sends the data to you.
6. Where can I find a program that records all keystrokes for free? Nowhere, or only from scammers. Developing such programs, and especially adapting them to constantly updated versions of Android, is complex and painstaking work that simply cannot go unpaid. So be especially careful or, better, leave any site that advertises a completely free keyboard-recording program immediately.
Conclusion
To summarize, the main points are:
- this top list includes programs for Android only;
- they all really work;
- keyboard recording works unnoticed, in automatic mode;
- the software must be installed manually;
- registration, installation and the trial period are free;
- if you find a completely free keylogger for Android, you have run into a scammer.
And please remember: recording keystrokes is legal only with mutual consent. Secretly spying on a person without their knowledge violates the laws protecting the privacy of personal correspondence and confidential data.