When the file is downloaded and executed, the malware alerts the attackers to an infection in an email sent via SMTP.
When the file is downloaded and executed, the malware alerts the attackers to an infection in an email sent via SMTP.

Malware attached to a phishing email received by PhishMe late last week takes screenshots of infected systems and sends the images back to the attackers; however, a researcher was able to flip that around and essentially watch the watchers.

The phishing email, which is fairly convincing and purports to come from HSBC, contains an attachment that infects the system with Dynasty Keylogger – also known as Predator Dynasty – when run, according to a Thursday post.

The malware has a keylogging feature, but also includes the ability to start persistently, take screenshots and bypass user access controls, Ronnie Tokazowski, senior researcher with PhishMe, told SCMagazine.com in a Thursday email correspondence.

Additionally, the malware will send web browser, mail messenger, Internet Download Manager, and JDownloader passwords back to the attackers, as well as disable controls such as regedit, task manager, MSconfig and command prompt, Tokazowski said.

The malware was being examined on a virtual machine, so screenshots taken would have shown Tokazowski performing his analysis – however, he was able to flip it around and essentially watch back.

“To watch them, I ran a live network capture while the virtual machine under my control was infected,” Tokazowski said. “After capturing these packets, I could see how the malware worked, information which can be translated into signatures for enterprises, making it harder for the attackers to continue using this malware.”

The attackers made some mistakes.

When the file is downloaded and executed, the malware alerts the attackers to an infection in an email sent via SMTP, the post indicates, explaining that choosing to hard-code email credentials for validation was a big blunder.

“When an attacker hard-codes credentials into a binary file, they are handing their username and password over on a silver platter,” Tokazowski said. “From the SMTP stream, the attackers were using an email and password combination to send information to the email address. With this, someone could easily log into their command-and-control email address and harvest everything the attackers have done with this account.”

Tokazowski added, “The second place they messed up was clear-text command-and-control. This is where enterprises can easily create signatures, making it difficult for attackers to reuse the code.”