Author: Vlad Pasca
- A technical deep dive into the new North Korean keylogger from a Hybrid Analysis perspective
- The keylogger incorporates junk code to hinder analysis and logs keystrokes and mouse activity, storing the data in a password-protected, encrypted archive
- The malware has been associated with a North Korean group targeting U.S. organizations
A new keylogger, attributed to the North Korean group Andariel (also known as APT45, Silent Chollima, or Onyx Sleet) has been recently disclosed and linked to targeted attacks against U.S. organizations. Using Hybrid Analysis we reveal some of the malware’s capabilities, including its ability to capture sensitive information through keystroke and mouse activity logging. Additionally, we conduct a deep dive into the keylogger’s anti-analysis techniques, such as code obfuscation through the use of junk code, implemented in an effort to hinder analysis.
A Hybrid Analysis Perspective
Right at the top of the Hybrid Analysis report, the “Risk Assessment” section reveals that the malware sets a global Windows hook to intercept keystrokes and mouse events:
Figure 1 – Keylogger sets global hooks to intercept keystrokes and mouse events
Another important find in the Malicious Indicators section is that the keylogger installs a hook procedure monitoring low-level mouse input events (WH_MOUSE_LL), as highlighted in the figure below.
Figure 2 – API call with the WH_MOUSE_LL parameter
Expanding the “Spyware/Information Retrieval” malicious indicator reveals that a hook procedure that monitors low-level keyboard input events (WH_KEYBOARD_LL) is also installed (Figure 3).
Figure 3 – API call with the WH_KEYBOARD_LL parameter
Moving forward to the Suspicious Indicators section and expanding the “Tries to save executable or command in registry” indicator, we notice the malicious process modifies the “(Default)” value found under the Run registry key in order to achieve persistence on the machine:
Figure 4 – Registry value modification detected by Hybrid Analysis
Expanding the “Found strings related to keylogger” indicator under the Spyware/Information Retrieval category part of the Informative indicators reveals multiple strings indicative of keylogger activity:
Figure 5 – Strings related to a potential keylogger were identified
Finally, checking the Extracted Files section of the Hybrid Analysis report reveals the malware creates an archive called “DT_0004.tmp” in the “%TEMP%” directory, which may indicate where the keylogger logs are stored:
Figure 6 – A new file is created in the TEMP folder
A Deeper Dive into The Keylogger
Taking the sample apart by performing some additional manual analysis reveals an anti-analysis technique that is used to obscure the program’s execution flow and make malware analysis more difficult. This technique consists of adding a lot of junk code as shown in the instructions presented in Figure 7.
Figure 7 – Junk code seen in x64dbg
Payload Decryption
The binary stores a custom encrypted payload at a specific location found after 84 NULL bytes. It uses the ReadFile function to read the buffer:
Figure 8 – ReadFile API used to read the encrypted payload
The content is decrypted and an executable is revealed (see Figure 9). The PE file header is removed, and the rest of the content is copied to a new memory area.
Figure 9 – New executable is decrypted in memory
Moving forward, we have used PE-sieve to dump the malicious executable. The execution flow is redirected to the newly decrypted code using the instruction displayed below, where the target address (stored in RSP+60) of the CALL instruction points to an executable address in the decrypted payload range.
Figure 10 – Redirect the execution flow to the decrypted payload
The SetErrorMode method is utilized to avoid displaying error message boxes when certain errors occur (0x8007 = SEM_NOOPENFILEERRORBOX | SEM_NOALIGNMENTFAULTEXCEPT | SEM_NOGPFAULTERRORBOX | SEM_FAILCRITICALERRORS):
Figure 11 – SetErrorMode API callPersistence
Part of the persistence mechanism, the process opens the “Software\Microsoft\Windows\CurrentVersion\Run” registry key via a function call to RegCreateKeyExW:
Figure 12 – RegCreateKeyExW API call
It then modifies the “(Default)” registry value using the RegSetValueExW function to establish persistence on the machine.
Figure 13 – Persistence is achieved by modifying the registry value
Keylogging Installation
The binary installs two hook procedures that monitor low-level keyboard and mouse input events, as in the following pseudocode:
// Keyboard hooking
1. KeyboardHook = SetWindowsHookEx(
WH_KEYBOARD_LL,
HookProcedure,
NULL,
NULL
);
2. MSG Msg;
3. while (GetMessageW(&Msg, NULL, 0, 0) > 0)
At line 1, the sample calls the SetWindowsHookExW API specifying the following parameters:
- RCX: WH_KEYBOARD_LL (0xD), to monitor low-level keyboard input events
- RDX: the pointer to the hook procedure (described below in “Keylogger Routine”)
- R8: NULL, since the hook routine is within the code associated with the current process
- R9: NULL, to monitor all the existing threads running in the same desktop as the calling thread
At line 3., the binary uses the GetMessageW API to to obtain messages from the calling thread’s message queue, which will be stored in the first parameter (RCX: &Msg). Since the rest of the parameters are NULL, the function retrieves all the messages for any window that belongs to the current thread and any thread messages, allowing keyboard events to be handled by the hooking procedure.
The installation of the hook procedure for mouse input events is very similar, with the first parameter being WH_MOUSE_LL (0xE).
Interestingly, a similar implementation of the keylogger mechanisms can also be found on GitHub.
The new thread creates a file called “DT_0004.tmp” in the temporary folder. The file is a password protected archive that extracts a file called “a04.log”. The password is “Pass@w0rd#384”.
Figure 14 – A new file is created and will store the keylogger logs
In the new thread, the sample retrieves the current local date and time using the GetLocalTime method to track the starting time of the keylogger. It converts the output to file time format using SystemTimeToFileTime. The result will be stored in the log file before new keystrokes or mouse events are written.
Figure 15 – Local date and time will be written to the file when new events occur
The malware writes content to the archive one byte at a time. The first two written bytes are “PK”, which indicate that the file will be a ZIP archive:
Figure 16 – New file is populated
Keylogging Routine
When detecting new keystrokes or mouse events (see Figure 17), the keylogger hooking procedure (specified in the second parameter of SetWindowsHookEx) extracts the text of the foreground window:
Figure 17 – Foreground window’s title is obtained using multiple APIs
The virtual-key code corresponding to keyboard keys or mouse buttons is compared with multiple values, as highlighted below:
Figure 18 – Virtual-key codes are compared with specific values
A partial list of virtual-key codes corresponding to special keys is displayed in the figure below.
Figure 19 – Special keys are recorded by the keylogger
The malicious process obtains the active input local identifier by calling the GetKeyboardLayout API:
Figure 20 – GetKeyboardLayout API callToUnicode is utilized to translate virtual-key codes and keyboard states to the corresponding Unicode character. For example, 0x50 key is translated to the “P” character:
Figure 21 – Virtual-key codes translation
On finishing the hook routine, the information is passed to the next hooking procedure in the hook chain using CallNextHookEx (Figure 22).
Figure 22 – Pass the hook information to the next hook procedure
The keylogger also steals data from the clipboard. It uses the OpenClipboard and GetClipboardData methods to achieve its objective:
Figure 23 – OpenClipboard and GetClipboardData API calls
An example of a log file is displayed below. Strings such as “[Lm]” and “[Rm]” are recorded when pressing the left mouse button and right mouse button, respectively.
Figure 24 – Example of a log file created by the keylogger
Through the Eyes of Hybrid Analysis
Hybrid Analysis has been able to identify the API calls used to install hook procedures and strings that might indicate keylogger activity, presenting all that information in a rich, detailed, and structured report. The keylogger’s persistence mechanism and the file created for storing logs are both revealed in the report, enabling threat hunters, analysts and researchers to quickly assess the impact and capabilities of the threat.
Hybrid Analysis is an ideal platform for identifying and analyzing malware both sophisticated and mundane. It provides detailed context and information that can be investigated further during the dynamic analysis of the malware. For performing a more in-depth analysis of malware samples, you can download them by registering with a Hybrid Analysis account and becoming a vetted user.
Indicators of Compromise
SHA 256
File created
%TEMP%\DT_0004.tmp
