
Phishing email delivers keylogger malware, also takes screenshots

Malware attached to a phishing email received by PhishMe late last week takes screenshots of infected systems and sends the images back to the attackers; however, a researcher was able to flip that around and essentially watch the watchers.

The phishing email, which is fairly convincing and purports to come from HSBC, contains an attachment that infects the system with Dynasty Keylogger – also known as Predator Dynasty – when run, according to a Thursday post.

The malware has a keylogging feature, but also includes the ability to start persistently, take screenshots and bypass user access controls, Ronnie Tokazowski, senior researcher with PhishMe, said in a Thursday email correspondence.

Additionally, the malware will send web browser, mail messenger, Internet Download Manager, and JDownloader passwords back to the attackers, as well as disable controls such as regedit, task manager, MSconfig and command prompt, Tokazowski said.

The malware was being examined on a virtual machine, so any screenshots it took would have shown Tokazowski performing his analysis – however, he was able to flip it around and essentially watch back.

“To watch them, I ran a live network capture while the virtual machine under my control was infected,” Tokazowski said. “After capturing these packets, I could see how the malware worked, information which can be translated into signatures for enterprises, making it harder for the attackers to continue using this malware.”

The attackers made some mistakes.

When the file is downloaded and executed, the malware alerts the attackers to an infection in an email sent via SMTP, the post indicates, explaining that choosing to hard-code email credentials for validation was a big blunder.

“When an attacker hard-codes credentials into a binary file, they are handing their username and password over on a silver platter,” Tokazowski said. “From the SMTP stream, the attackers were using an email and password combination to send information to the email address. With this, someone could easily log into their command-and-control email address and harvest everything the attackers have done with this account.”

Tokazowski added, “The second place they messed up was clear-text command-and-control. This is where enterprises can easily create signatures, making it difficult for attackers to reuse the code.”
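A defender-side check for the clear-text SMTP command-and-control pattern Tokazowski describes, added here as an example and not part of the article or of PhishMe's analysis: it walks a captured SMTP session, flags AUTH LOGIN without STARTTLS, records the hard-coded account and the infection-notice recipient and subject (the raw material for a network signature), and never stores the password. The session transcript, addresses and credentials are constructed placeholders.

```python
import base64
import re

# Constructed clear-text SMTP session of the kind a live capture of an infected VM
# would show (C: client/malware, S: server). All values are placeholders.
SAMPLE_STREAM = """\
S: 220 mail.example.invalid ESMTP ready
C: EHLO victim-pc
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: YzJAZXhhbXBsZS5pbnZhbGlk
S: 334 UGFzc3dvcmQ6
C: aHVudGVyMg==
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<c2@example.invalid>
C: RCPT TO:<c2@example.invalid>
C: DATA
C: Subject: New infection: victim-pc
"""


def analyze_smtp_stream(stream: str) -> dict:
    """Report the traits worth a network signature: AUTH LOGIN with no STARTTLS,
    the account the malware logs in as, and the notification's recipient and
    subject. The password itself is deliberately never recorded."""
    f = {"starttls": False, "auth_login": False, "auth_user": None,
         "rcpt_to": [], "subject": None}
    expect_user = expect_pass = False
    for raw in stream.splitlines():
        who, _, line = raw.partition(": ")
        if who == "S":  # server side: only the 334 base64 prompts matter here
            if line.startswith("334 "):
                prompt = base64.b64decode(line[4:]).decode("ascii", "replace").lower()
                expect_user, expect_pass = prompt.startswith("username"), prompt.startswith("password")
            continue
        if line.upper() == "STARTTLS":
            f["starttls"] = True
        elif line.upper() == "AUTH LOGIN":
            f["auth_login"] = True
        elif expect_user:  # the hard-coded account, base64 on the wire
            f["auth_user"] = base64.b64decode(line).decode("ascii", "replace")
            expect_user = False
        elif expect_pass:  # consume the credential without storing it
            expect_pass = False
        elif m := re.match(r"RCPT TO:<([^>]+)>", line, re.I):
            f["rcpt_to"].append(m.group(1))
        elif line.lower().startswith("subject:"):
            f["subject"] = line[8:].strip()
    f["cleartext_c2"] = f["auth_login"] and not f["starttls"]
    return f
```

The same walk over a capture that negotiates STARTTLS before AUTH LOGIN reports cleartext_c2 as False, so the check distinguishes the blunder described here from ordinary authenticated mail.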
