Recent Keylogger Attributed to North Korean Group Andariel Analyzed Through A Hybrid Analysis Perspective

Author: Vlad Pasca

• A technical deep dive into the new North Korean keylogger from a Hybrid Analysis perspective
• The keylogger incorporates junk code to hinder analysis and logs keystrokes and mouse activity, storing the data in a password-protected, encrypted archive
• The malware has been associated with a North Korean group targeting U.S. organizations

A new keylogger, attributed to the North Korean group Andariel (also known as APT45, Silent Chollima, or Onyx Sleet) has been recently disclosed and linked to targeted attacks against U.S. organizations. Using Hybrid Analysis we reveal some of the malware’s capabilities, including its ability to capture sensitive information through keystroke and mouse activity logging. Additionally, we conduct a deep dive into the keylogger’s anti-analysis techniques, such as code obfuscation through the use of junk code, implemented in an effort to hinder analysis. 

A Hybrid Analysis Perspective

Right at the top of the Hybrid Analysis report, the “Risk Assessment” section reveals that the malware sets a global Windows hook to intercept keystrokes and mouse events:

Figure 1 – Keylogger sets global hooks to intercept keystrokes and mouse events

Another important find in the Malicious Indicators section is that the keylogger installs a hook procedure monitoring low-level mouse input events (WH_MOUSE_LL), as highlighted in the figure below.

Figure 2 – API call with the WH_MOUSE_LL parameter

Expanding the “Spyware/Information Retrieval” malicious indicator reveals  that a hook procedure that monitors low-level keyboard input events (WH_KEYBOARD_LL) is also installed (Figure 3).

Figure 3 – API call with the WH_KEYBOARD_LL parameter

Moving forward to the Suspicious Indicators section and expanding the “Tries to save executable or command in registry” indicator, we notice the malicious process modifies the “(Default)” value found under the Run registry key in order to achieve persistence on the machine:

Figure 4 – Registry value modification detected by Hybrid Analysis

Expanding the “Found strings related to keylogger” indicator under the Spyware/Information Retrieval category part of the Informative indicators reveals multiple strings indicative of keylogger activity:

Figure 5 – Strings related to a potential keylogger were identified 

Finally, checking the Extracted Files section of the Hybrid Analysis report reveals the malware creates an archive called “DT_0004.tmp” in the “%TEMP%” directory, which may indicate where the keylogger logs are stored:

Figure 6 – A new file is created in the TEMP folder

A Deeper Dive into The Keylogger

Taking the sample apart by performing some additional manual analysis reveals an anti-analysis technique that is used to obscure the program’s execution flow and make malware analysis more difficult. This technique consists of adding a lot of junk code as shown in the instructions presented in Figure 7.

Figure 7 – Junk code seen in x64dbg

Payload Decryption

The binary stores a custom encrypted payload at a specific location found after 84 NULL bytes. It uses the ReadFile function to read the buffer:

Figure 8 – ReadFile API used to read the encrypted payload

The content is decrypted and an executable is revealed (see Figure 9). The PE file header is removed, and the rest of the content is copied to a new memory area.

Figure 9 – New executable is decrypted in memory

Moving forward, we have used PE-sieve to dump the malicious executable. The execution flow is redirected to the newly decrypted code using the instruction displayed below, where the target address (stored in  RSP+60) of the CALL instruction points to an executable address in the decrypted payload range.

Figure 10 – Redirect the execution flow to the decrypted payload

The SetErrorMode method is utilized to avoid displaying error message boxes when certain errors occur (0x8007 = SEM_NOOPENFILEERRORBOX | SEM_NOALIGNMENTFAULTEXCEPT | SEM_NOGPFAULTERRORBOX | SEM_FAILCRITICALERRORS):

Figure 11 – SetErrorMode API call

Persistence

Part of the persistence mechanism, the process opens the “Software\Microsoft\Windows\CurrentVersion\Run” registry key via a function call to RegCreateKeyExW:

Figure 12 – RegCreateKeyExW API call

It then modifies the “(Default)” registry value using the RegSetValueExW function to establish persistence on the machine.

Figure 13 – Persistence is achieved by modifying the registry value

Keylogging Installation

The binary installs two hook procedures that monitor low-level keyboard and mouse input events, as in the following pseudocode:

// Keyboard hooking

1. KeyboardHook = SetWindowsHookEx(

WH_KEYBOARD_LL, 

HookProcedure,

NULL,

   NULL 

);

2. MSG Msg;

3. while (GetMessageW(&Msg, NULL, 0, 0) > 0)

At line 1, the sample calls the  SetWindowsHookExW API specifying the following parameters:

• RCX: WH_KEYBOARD_LL (0xD), to monitor low-level keyboard input events
• RDX: the pointer to the hook procedure (described below in “Keylogger Routine”)
• R8: NULL, since the hook routine is within the code associated with the current process
• R9: NULL, to monitor all the existing threads running in the same desktop as the calling thread

At line 3., the binary uses the GetMessageW API to to obtain messages from the calling thread’s message queue, which will be stored in the first parameter (RCX: &Msg). Since the rest of the parameters are NULL,  the function retrieves all the messages for any window that belongs to the current thread and any thread messages, allowing keyboard events to be handled by the hooking procedure.

The installation of the hook procedure for mouse input events is very similar, with the first parameter being WH_MOUSE_LL (0xE).

Interestingly, a similar implementation of the keylogger mechanisms can also be found on GitHub. 

The new thread creates a file called “DT_0004.tmp” in the temporary folder. The file is a password protected archive that extracts a file called “a04.log”. The password is “Pass@w0rd#384”.

Figure 14 – A new file is created and will store the keylogger logs

In the new thread, the sample retrieves the current local date and time using the GetLocalTime method to track the starting time of the keylogger. It converts the output to file time format using SystemTimeToFileTime. The result will be stored in the log file before new keystrokes or mouse events are written.

Figure 15 – Local date and time will be written to the file when new events occur

The malware writes content to the archive one byte at a time. The first two written bytes are “PK”, which indicate that the file will be a ZIP archive:

Figure 16 – New file is populated

Keylogging Routine

When detecting new keystrokes or mouse events (see Figure 17), the keylogger hooking procedure (specified in the second parameter of  SetWindowsHookEx) extracts the text of the foreground window:

Figure 17 – Foreground window’s title is obtained using multiple APIs

The virtual-key code corresponding to keyboard keys or mouse buttons is compared with multiple values, as highlighted below:

Figure 18 – Virtual-key codes are compared with specific values

A partial list of virtual-key codes corresponding to special keys is displayed in the figure below.

Figure 19 – Special keys are recorded by the keylogger

The malicious process obtains the active input local identifier by calling the GetKeyboardLayout API:

Figure 20 – GetKeyboardLayout API call

ToUnicode is utilized to translate virtual-key codes and keyboard states to the corresponding Unicode character. For example, 0x50 key is translated to the “P” character:

Figure 21 – Virtual-key codes translation

On finishing the hook routine, the information is passed to the next hooking procedure in the hook chain using CallNextHookEx (Figure 22).

Figure 22 – Pass the hook information to the next hook procedure

The keylogger also steals data from the clipboard. It uses the OpenClipboard and GetClipboardData methods to achieve its objective:

Figure 23 – OpenClipboard and GetClipboardData API calls

An example of a log file is displayed below. Strings such as “[Lm]” and “[Rm]” are recorded when pressing the left mouse button and right mouse button, respectively.

Figure 24 – Example of a log file created by the keylogger

Through the Eyes of Hybrid Analysis

Hybrid Analysis has been able to identify the API calls used to install hook procedures and strings that might indicate keylogger activity, presenting all that information in a rich, detailed, and structured report. The keylogger’s persistence mechanism and the file created for storing logs are both revealed in the report, enabling threat hunters, analysts and researchers to quickly assess the impact and capabilities of the threat.

Hybrid Analysis is an ideal platform for identifying and analyzing  malware both sophisticated and mundane. It provides detailed context and information that can be investigated further during the dynamic analysis of the malware. For performing a more in-depth analysis of malware samples, you can download them by registering with a Hybrid Analysis account and becoming a vetted user.

Indicators of Compromise

SHA 256

d71f478b1d5b8e489f5daafda99ad203de356095278c216a421694517826b79a

File created

%TEMP%\DT_0004.tmp

Hybrid Analysis Partners with Criminal IP, Bringing OSINT-Based Threat Analysis Search

Hybrid Analysis continues to add new features and capabilities, making our free malware analysis service more compelling than ever. As part of this growth, we are pleased to announce integration of the Criminal IP search engine as part of our Quick Scan analysis.

Criminal IP’s search engine is OSINT-based (open source Intelligence) and delivers extensive cyber threat intelligence data for URLs and domains, which can be a valuable tool for threat hunting and attack surface analysis. This includes the DGA (Domain Generation Algorithm) score for the scanned URL, phishing detection, suspicious cookies/apps/HTML on the website, SSL validation and more.

In Hybrid Analysis, simply enter an IP address or website, select Quick Scan, and then you’ll view the Criminal IP Scorecard on the Overview page, which represents the threat assessment level of the scanned domain/IP. Hybrid Analysis users can leverage this new Criminal IP integration to quickly and proactively identify potential threats, helping them make informed decisions about the state of an IP or URL.

Criminal IP Integration: Head For the Analysis Overview Section

Criminal IP is now included among the integrated technology partnerships in the Analysis Overview section, which is part of the Quick Scan analysis feature in Hybrid Analysis. You’ll find the new service as a Scorecard presenting a color-coded rating for the scanned entity. The Scorecard includes a More Details button that provides additional context and detail about the analysis of the scanned domain/IP. You can also click a button on the Scorecard that will take you directly to Criminal IP’s website for additional details of your scan based on the service’s extensive threat intelligence data.

Figure 1: Analysis Overview section showing Criminal IP Scorecard indicating a URL detected as malicious

Figure 2: Clicking More Details on the Criminal IP Scorecard from the previous screenshot brings up the URL Scan Report Summary, showing details 

Happy Hunting!

This new partnership with Criminal IP further enhances the ability of Hybrid Analysis users to identify and assess potential threats and cyber risks. Stay tuned for ongoing updates on the ways that we are continuing to make our platform even stronger – including collaboration and partnership with organizations like Criminal IP – providing the Hybrid Analysis community with the most extensive suite of threat research tools available. 

Analyzing the Newest Turla Backdoor Through the Eyes of Hybrid Analysis

 Author: Vlad Pasca

• A Hybrid Analysis perspective and deep technical dive into the new Turla APT backdoor 

• Turla starts its attack by using shortcut files to infect victims 

• Evasion techniques employed by the group involve unhooking and disabling ETW and AMSI for stealth

• Backdoor implements custom commands for execution of malicious PowerShell scripts and file creation

In a recent campaign, the Russian APT group Turla (also known as Venomous Bear), used shortcut files (.lnk) to infect systems with a fileless backdoor. The malware employs multiple evasion techniques such as disabling ETW and AMSI, and unhooking. Our contribution to existing research consists of analyzing the backdoor from a Hybrid Analysis perspective and presenting the implementation of the malicious routines. We will present the deobfuscation process and perform a complete technical analysis of the malware that reveals its functionalities. 

A Hybrid Analysis Perspective

Turla’s backdoor was obfuscated using the “SmartAssembly” obfuscator to complicate the analysis. It implements evasion techniques to extend malicious activity and influence the logging process. The backdoor commands can be used to create new files and run malicious PowerShell scripts using PowerShell runspaces.

We’ve analyzed an attack that started with a shortcut file called “Advisory23-UCDMS04-11-01.pdf.lnk” detonated via Hybrid Analysis. As shown in Figure 1, the file’s icon is set to PDF in order to trick the user. 

Figure 1 - PDF icon set

However, a legitimate PDF called “Advisory23-UCDMS04-11-01.pdf” is displayed during the execution, as seen in the runtime screenshots from the Hybrid Analysis detonation report:

Figure 2 - Legitimate PDF displayed

The detonation report also displays the process tree (Figure 3 ) showing that the initial process creates a file called “ChromeConnection” in the temporary folder. This is executed using the MSBuild tool:

Figure 3 - Process tree

The final payload is a fileless backdoor. The sample executes the Main function of the backdoor with six custom parameters. The presence of these six custom parameters is highly suspicious and should be a first red flag for taking a closer look at this sample. We could identify this operation in the “Extracted Strings” section of the Hybrid Analysis report (see Figure 4).

Figure 4 - Final backdoor is executed with 6 parameters

As shown below, the PDF and the created file can be downloaded from the “Extracted Files” section of the report.

Figure 5 - Extracted Files section on Hybrid Analysis

A Deep Dive into The Dropper

Based on these observations, we are able to  determine that the fileless backdoor is worth a deeper investigation. After finding the final dropped file (SHA256: 7091ce97fb5906680c1b09558bafdf9681a81f5f524677b90fd0f7fc0a05bc00) we can download it locally and analyze it using PEStudio. We determine that the sample is a .NET executable obfuscated using the “SmartAssembly” obfuscator (Figure 6).

Figure 6 - PEStudio detects the SmartAssembly obfuscator

Dumbassembly performs initial deobfuscation operations on the malware (Figure 7).

Figure 7 - Dumbassembly tool deobfuscates the backdoor

Simple Assembly Explorer is  used to further deobfuscate the resulting executable, as highlighted in Figure 8.

Figure 8 - Simple Assembly Explorer options

It’s very important that we use the right options for deobfuscating the code.

Finally, de4dot is used to restore the remaining obfuscated code, as displayed in Figure 9 and Figure 10 below, which shows the difference between the decompiled codes. 

Figure 9 - Before deobfuscation

Figure 10 - After deobfuscation

The process creates a mutex called “{C916E9A6-EEDF-4648-9A29-9E5713F4E79A}” to ensure that only one copy of the malware is running at a single time.

The first three parameters passed to the program are Base64-decoded and then decrypted using the XOR operator, with the first byte representing the key. 

Figure 11 - Parameters are passed to the decryption function

Figure 12 - Implementation of the operations

We’ve developed a custom Python script that decrypts the required parameters. The C2 server https[:]//files.philbendeck[.]com is revealed after the decryption.

The last three parameters are used to compute the receive timeout, sleep time, and reconnect timeout, respectively. The default values are 30 seconds for the first two and 30 minutes for the third.

Figure 13 - Last parameters are used to compute the timeouts

The malicious process obtains the network interfaces on the local computer via a function call to GetAllNetworkInterfaces, and then extracts the MAC address. The address is modified to delete the “-“ character and the result is concatenated with the first parameter previously decrypted (Figure 14).

Figure 14 - MAC address extraction

The value computed above is XOR-ed with a randomly generated byte and stored in a variable called “strEncodedID”. This is used to compute a unique identifier of the infected machine.

Figure 15 - Unique identifier stored in strEncodedID variable

The following DLLs are mapped to memory: ntdll.dll, KernelBase.dll, and kernel32.dll. The purpose of this operation is to bypass hooks that might have been installed, by mapping “fresh” (not hooked) DLLs to replace the .text hooked sections with the clean ones . To accomplish that, the memory protections of  .text sections of the loaded DLLs need to be  changed to 0x40 (PAGE_EXECUTE_READWRITE) using VirtualProtect (Figure 16).

Figure 16 - DLLs that will be mapped

Figure 17 - Windows APIs used for mapping

Figure 18 - Memory protection changed using VirtualProtect

The MAC address concatenated with the first parameter described before is set to be an AES-128 key that will be used in upcoming C2 communication activities (Figure 19).

Figure 19 - AES algorithm initialization

The hostname and username are retrieved and encrypted using the AES algorithm. The result is Base64-encoded and exfiltrated to the C2 server using a POST request (see Figure 20 and Figure 21).

Figure 20 - Create a POST request to the C2 server

Figure 21 - AES encryption and Base64 encoding

The process reads the server’s response by calling the GetResponse method. It expects 38 bytes in the response (Figure 22).

Figure 22 - Server’s response is read and verified

If any exception occurs, the binary Base64-encodes the hostname concatenated with the username, and downloads a resource from the C2 server based on the “search=” parameter, as shown below.

Figure 23 - Download a resource if any exception occurs

The value “strEncodedID” is encrypted using the AES algorithm and Base64-encoded. The encrypted data is sent to the C2 server (Figure 24).

Figure 24 - Exfiltration of the unique strEncodedID identifier

The server’s response is decrypted and Base64-decoded. The structure of the result is “value1|value2|…”, where the first value is the command to be executed and the remaining values represent the required parameters.

Figure 25 - Server’s response contains the command to be executed

Turla’s process of encrypting communication between the victim and C2 is a sophisticated attempt to avoid detection by automated cybersecurity solutions and SecOps teams. This method of hiding communications and the exchange between victim and C2 makes the attack very difficult to discover and analyze, even by defenders employing networking tools.  

Custom Backdoor Commands

“uf” command

This command is used to create a new file and populates it with content received from the C2 server. The first parameter is the file path and the second parameter represents the file’s content that is Base64-decoded before being written (Figure 26).

Figure 26 - A new file is created and written on it

“op” command

The command has three subcommands: “rct”, “st” and “rt”. It’s used to modify the reconnect timeout, sleep time, and receive timeout, respectively.

Figure 27 - Reconnect timeout is changed

“cps” command

The process closes a PowerShell Runspace using the Runspace.Close function:

Figure 28 - Close a PowerShell Runspace

“ps” command

The command can be used to run PowerShell scripts. The process disables ETW and turns off AMSI during the malicious activity. 

Figure 29 - Command’s result is sent to the C2 server

The malicious process creates a PowerShell Runspace via a function call to CreateRunspace and an empty PowerShell instance (Figure 30).

Figure 30 - Create a PowerShell Runspace

The following functions will be patched: EventWrite, EtwEventWrite, ReportEventW, AmsiOpenSession, and AmsiScanBuffer. These functions are targeted because they’re used by ETW and AMSI, providing Telemetry to Security Products. 

Figure 31 - Functions used by ETW and AMSI are patched

The patching operation is done by modifying the first instruction of the functions. The backdoor first changes the protection of the region using VirtualProtect, then copies the new instructions and changes the protection back to original(Figure 32).

Figure 32 - Make the code of the functions modifiable

For example, the code of the EventWrite method is modified to always return a value of 0, avoiding to create the ETW events to consume. The bypass of the AmsiScanBuffer function consists of returning the E_INVALIDARG value, as highlighted in the figure below, to avoid sending those buffers to the AMSI Provider.

Figure 33 - New instructions of EventWrite

Figure 34 - New instructions of AmsiScanBuffer

Moreover, the process loads the “System.Management.Automation” assembly and disables ETW of the PowerShell session by setting the value of the “m_enabled” field from the “Tracing.PSEtwLogProvider” class to 0, by leveraging Reflection. 

Figure 35 - Disable ETW of the PowerShell session

If the “ldscr” subcommand is specified, the process can run PowerShell scripts specified in the C2 server’s response. The AddScript and AddCommand functions are utilized to run scripts and collect the output. Finally, the output is exfiltrated to the C2 server.

Figure 36 - Scripts’ output is exfiltrated to the C2 server

Figure 37 - Scripts are passed to the AddScript function

Final Thoughts

Hybrid Analysis is a great platform for identifying and analyzing APT samples. It provides the context and data that can be investigated further during the dynamic analysis of the malware. If you want to perform a more in-depth analysis of the sample, you can download the sample by registering with a Hybrid Analysis account and becoming a vetted user. 

This example highlighting Turla shows the value of the platform. After deobfuscating the backdoor, we were able to analyze its commands that turned out to be intuitive and very effective.  

Indicators of Compromise

C2 server

https[:]//files.philbendeck[.]com

SHA256

cac4d4364d20fa343bf681f6544b31995a57d8f69ee606c4675db60be5ae8775

b6abbeab6e000036c6cdffc57c096d796397263e280ea264eba73ac5bab39441

8d6fe8e336e020410753ff15ece5f36bae992f7f234385a23590a11ed734792d

7091ce97fb5906680c1b09558bafdf9681a81f5f524677b90fd0f7fc0a05bc00

Mutex

{C916E9A6-EEDF-4648-9A29-9E5713F4E79A}