Keyloggers have always been present in attackers’ toolkits. They give attackers the power to record every keystroke from a victim’s machine and steal sensitive information. Zscaler ThreatLabZ recently came across a signed keylogger campaign in our cloud sandbox. In this blog, we will provide an analysis of this malicious commercial keylogger, known as iSpy. Written in .Net 2.0, iSpy is configured for keylogging, stealing passwords and screenshots, and monitoring webcams and clipboards. It is being sold on underground forums via multiple subscription packages as shown in Figure 1.
Figure 1: iSpy keylogger subscription packages
iSpy keylogger infection
Figure 2: Certificate used by .Net Crypter
The malware sample we analyzed was packed with a VB6 (native) custom packer. The packer uses the XOR-based method to decrypt the payload and contains obfuscated zombie code between instructions to slow down analysis. Figure 3 shows the installation and functionality overview of iSpy.
Figure 3: Installation workflow and functionality overview of iSpy
The second layer of packing contains multiple anti-VM and anti-analysis tricks, some of which include:
- Checks PEB flags for debugger presence
- Checks for sandbox and debugger using GetTickCount and Sleep
- Loops until cursor movement is detected
- Checks if screen resolution is 800 x 600 or more
Finally, it decrypts the payload file and injects the decrypted file into another instance of the same process using process hollowing technique as seen below:
Figure 4: Spawns process in Suspended mode for injection
The decrypted file is a loader file that contains a DLL and .NET binary in its resource section. It first loads the DLL file that further loads the final iSpy payload (.NET binary) using LoadDotNetPE export function.
The malware checks configuration settings to select the folder for dropping the executable. Based on the configuration, it drops itself into one of the following locations:
Figure 5: Installation function
After copying itself into any of the above mentioned locations, it deletes “Zone.Identifier” flag from Alternate Data Stream (ADS) to disable the security warning message that is displayed every time the malware file is executed.
It creates an entry in “SOFTWARE\Microsoft\Windows\CurrentVersion\Run” key under HKLM or HKCU, based on configuration settings, to execute the malware on system startup.
iSpy has many customizable features (Figure 6) including the functionality to record keystrokes, recover passwords, and retrieve serial keys from various software, then sending the stolen data over SMTP, HTTP, or FTP. It also has a web panel that helps the attacker to monitor the activity of iSpy infections.
Figure 6: iSpy configuration class
As mentioned earlier, depending on the configuration, it can send stolen data via three different methods: HTTP, SMTP, or FTP. FTP and SMTP credentials, directly encoded in the file, are encrypted using a custom encryption method. Function decrypt, in the class StringCipher, is used for the decryption of credentials as well as other strings. MUTEX value from the configuration is used as the key for decryption. For the HTTP method, iSpy uses the PHP_KEY authentication to upload data to C&C server.
The current sample, discussed in this blog, uses FTP for sending the stolen data to attacker. The FTP account – ftp://ftp[.]bhika[.]comxa[.]com –was active at the time of analysis and the ftp credentials are embedded in the file itself. The website resolves to IP address “126.96.36.199” which belongs to comxa.com, which is owned by 000webhost Network, a provider of free hosting. We have notified comxa.com of the offending account.
After successful installation, iSpy collects computer information such as username, Windows version, and installed program details (AV, firewall, browser, etc.), and sends this information along with install notification (Figure 7) to a C&C server.
Figure 7: Installation notification contents
Keylogging code is the main component of this malware. It logs timestamped key presses and sends them to the attacker. It also contains code to steal the license keys of application software, such as Adobe Photoshop, Microsoft Office, and others. It also collects saved passwords from web browsers, email clients (such as Outlook), FTP clients (like FileZilla and CoreFTP), and games like Minecraft.
iSpy has the functionality to disable antivirus programs by creating a sub-key of the program name under registry key, “Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\” and then setting “rundll32.exe” as the value of “Debugger” under that key. It also disables access to that newly created registry key by setting all RegistryRights to deny so it cannot be easily removed. After this change in registry, Windows will load “rundll32.exe” when the targeted process is started. As a result, the given AV process will not start. Below is the list of AV processes that iSpy targets:
"rstrui.exe", "AvastSvc.exe", "avconfig.exe", "AvastUI.exe", "avscan.exe", "instup.exe", "mbam.exe", "mbamgui.exe", "mbampt.exe", "mbamscheduler.exe", "mbamservice.exe", "hijackthis.exe", "spybotsd.exe", "ccuac.exe", "avcenter.exe", "avguard.exe", "avgnt.exe", "avgui.exe", "avgcsrvx.exe", "avgidsagent.exe", "avgrsx.exe", "avgwdsvc.exe", "egui.exe", "zlclient.exe", "bdagent.exe", "keyscrambler.exe", "avp.exe", "wireshark.exe", "ComboFix.exe", "MSASCui.exe", "MpCmdRun.exe", "msseces.exe", "MsMpEng.exe"
WebCam Snapshot & Screen grabber
If the webcam logger is configured, it will capture snapshots using the victim’s webcam. It saves the snapshot in %TEMP% folder with the prefix “snapshot” with the .PNG extension. It can then uploads the snapshot to “http://uploads.im/api?upload” (a legitimate image hosting website). It logs the URL path of uploaded snapshot and uploads the log’s data on a C&C server using the configured method.
Similarly, iSpy takes screen shots using .NET API CopyFromScreen and saves them to a file with the name “img.png” under the %TEMP% folder. Saved images are uploaded to the website mentioned above and a log of URL paths of uploaded files is sent to attacker.
Other features of iSpy:
- Website blocking (based on host file modification)
- File downloading
- Bot killer
- Fake message (it displays this message every time malware starts execution)
- Disabler (Taskmgr, Regedit, CMD)
- Runescape PinLogger(RuneScape is a fantasy MMORPG developed and published by Jagex, A Bank PIN is a security feature provided in game that players can use to protect their, virtual in game, banks.)
- Run Bind file (file to run along with malware)
Web panel interface
The current version of iSpy has a web panel where the attacker can monitor the infected system.
Figure 8: iSpy web panel
Commercial keyloggers are general-purpose data stealing tools used by criminals to collect as much data as possible about a victim. There are many commercially available keyloggers in the underground market and, unfortunately, using them is fairly easy, requiring little technical knowledge. In spite of the increased use of specialized tools, the keylogger remains a common, and quite potentially damaging, tool. Zscaler ThreatLabZ will continue to monitor keyloggers and provide coverage for customers who may be targeted.
Indicators of compromise:
URL serving iSpy sample- gratja[.]top/gff/trf.exe
MD5 - ca66771aaaf3e6b4be57f09d9cfabcc1
Table 2: Other iSpy Samples seen in the wild
Blog by: Atinderpal Singh, Nirmal Singh