
Malware grabbers and their behavior

Malware is built to serve very different purposes, depending on the objectives of its authors. Nowadays a very large number of samples exist, and it is common to classify them into categories based on their behavior. This post provides an overview of malware families whose primary objective and main feature is stealing their victims' information (a.k.a. grabbers). Note, however, that they are not limited to this functionality.

The information stolen by these samples can be classified by its nature. The most common ones are:

  • Credentials: Username and/or passwords used to access restricted sites directly stolen from applications such as web browsers.
  • Vaults: Files used by several applications, like email clients, connection managers (ftp, ssh, etc) and password databases (among others), to store credentials in the machine.
  • Wallets: Files inside an operating system which contain information about a digital currency account. The best-known cryptocurrency is Bitcoin, but the “wallet” files are used as well by other cryptocurrencies.
  • Screenshots/screen recordings: Screen recording (images or videos) can allow the malware to steal information of any kind: emails, confidential documents, or user personal data.
  • Keystrokes: Any key typed on the keyboard is stored by the malware and sent back to the command and control server periodically. This feature has been found on other malware that is not focused on grabbing.
  • Clipboard monitoring: Credentials that are difficult to memorize are often stored in text files or password managers. To use them, it is common to copy them to the clipboard and paste them into the application the user wants to log in to. By monitoring the clipboard, the malware can capture this information (including the window name and/or window class of the application where the data was copied or pasted).

The following image shows an old SpyEye panel. As you can see, it already has some grabber capabilities, such as stealing FTP and email credentials and taking screenshots:

[Image: SpyEye control panel]

Source: http://4.bp.blogspot.com/-x1jSgLJwTz8/Tjx8Qm34ejI/AAAAAAAAB3Y/QIUYqz2AQ5c/s1600/sansresh.png

Because malware has become modular, it may include several functionalities to perform different actions. Therefore, a malware sample may belong to multiple categories such as:

  • Credential grabbers: Malware focused on stealing credentials from the infected system.
  • PoS (Point of Sale): The machines that process sales inside stores are known as PoS. They capture credit card information and use it to charge customers. PoS malware takes advantage of this and uses memory scraping techniques to obtain and exfiltrate credit card data.
  • Trojan bankers: Malware specialized in stealing the banking credentials present on a machine falls into this category. It often uses specific techniques to steal information (such as hooking browser calls or performing web injects) that are not usually seen in credential grabbers.
  • RAT (Remote Access Trojan): General purpose malware focused on gaining control of the infected machine so that the malware operator can then perform any desired action.

Take into account that malware belonging to these categories performs more actions than solely grabbing information. It can also carry out DDoS attacks, deploy new malware or use the resources of the machine for cryptocurrency mining.

We have analyzed the behavior of samples from different families to determine which credentials or services grabbers target, and whether they can be effectively detected using behavioral analysis. The recorded behavior has been filtered to remove actions not used for grabbing purposes (for example common operating system calls, or other functionality such as persistence or self-replication), and the remaining results have been split into registry key queries and file operations.

For each service group analyzed, the results show the application affected, how many times any of its registry or file system entries was accessed across the analyzed group, and the registry and file system entries related to that application. Results are sorted from least to most accessed:

EMAIL CLIENTS ACCESSED VALUES:

[Chart: email clients accessed values]

The email clients analyzed are Windows Mail, Outlook, Thunderbird, Incredimail, Google Desktop, The Bat! and Pocomail. Some of these clients' resources are accessed only through registry keys (such as Outlook) and others only through the file system (such as Pocomail).

The following tables describe the traces analyzed for these applications:
[Tables: Email clients 1 and 2]

WEB BROWSER ACCESSED VALUES:

[Chart: web browser accessed values]

Several web browsers' resources are accessed, but in this case not every accessed key contains credentials. Some of these keys hold information about the application itself, such as whether it is installed and where. The sample uses this information to learn the exact path of the file from which it needs to extract the credentials.

The following tables describe the traces analyzed for these applications:

[Tables: Web browser 1 and 2]

INSTANT MESSAGING ACCESSED VALUES:

[Chart: instant messaging accessed values]

The most relevant applications here are Google Talk, followed by Yahoo and MSN Messenger. Less common IM applications that are also supported are QIP, ICQ and Pidgin (purple).

The following tables describe the traces analyzed for these applications:

[Table: Instant messaging]

FTP CLIENTS ACCESSED VALUES:

[Chart: FTP clients accessed values]

Many FTP clients are affected by these grabbers: TurboFTP, LeapFTP, ALFTP, SmartFTP, CuteFTP, FTPRush and Filezilla. Not every grabber family analyzed targets all FTP clients; however, a few grabber families are highly specialized in FTP client applications.

The following tables describe the traces analyzed for these applications:

[Tables: FTP clients 1, 2 and 3]

Analyzing the behavior of a sample also allows the analyst to detect keylogging functionality, through the use of the SetWindowsHookEx, GetMessage and PeekMessage functions.

Lastly, it has also been possible to detect which samples are capable of taking screenshots by looking at the functions they resolve. For example, in the following sample behavior, the malware is loading the functions GdiIsMetaPrintDC, GetDC, ReleaseDC, GdipCreateBitmapFromScan0 and GdipGetImagePixelFormat, among others:

  • sample1:930:[ 2/697][ 1940]=>DROPPED.EXE NtReadVirtualMemory(GDI32.dll,0x20c,0x48ee98) => 0x0
  • sample1:941:[ 2/708][ 1940]=>DROPPED.EXE NtReadVirtualMemory(C:\Windows\system32\GDI32.dll,0x20c,0x48ee70) => 0x0
  • sample1:3742:[ 2/3509][ 1940]=>DROPPED.EXE NtReadVirtualMemory(GDI32.dll,0x210,0x48ee98) => 0x0
  • sample1:3753:[ 2/3520][ 1940]=>DROPPED.EXE NtReadVirtualMemory(C:\Windows\system32\GDI32.dll,0x210,0x48ee70) => 0x0
  • sample1:5613:[ 2/5380][ 1940]=>DROPPED.EXE LdrLoadDll(2940780,0x76f30000,gdi32.dll) => 0x0
  • sample1:5792:[ 2/5559][ 1940]=>DROPPED.EXE LdrGetDllHandle(0x76f30000,gdi32.dll) => 0x0
  • sample1:5794:[ 2/5561][ 1940]=>DROPPED.EXE LdrGetProcedureAddress(0,GdiIsMetaPrintDC,0x76f38d55,0x76f30000) => 0x0
  • sample1:5865:[ 2/5632][ 1940]=>DROPPED.EXE LdrGetProcedureAddress(0,GetDC,0x75c6544c,0x75c50000) => 0x0
  • sample1:6017:[ 2/5784][ 1940]=>DROPPED.EXE LdrGetProcedureAddress(0,ReleaseDC,0x75c65421,0x75c50000) => 0x0
  • sample1:6202:[ 2/5969][ 1940]=>DROPPED.EXE LdrGetProcedureAddress(0,GdipCreateBitmapFromScan0,0x73f0620a,0x73ed0000) => 0x0
  • sample1:6203:[ 2/5970][ 1940]=>DROPPED.EXE LdrGetProcedureAddress(0,GdipGetImagePixelFormat,0x73f05571,0x73ed0000) => 0x0
  • sample1:6204:[ 2/5971][ 1940]=>DROPPED.EXE LdrGetProcedureAddress(0,GdipGetImageGraphicsContext,0x73f04e06,0x73ed0000) => 0x0
  • sample1:6949:[ 2/6716][ 1940]=>DROPPED.EXE LdrGetProcedureAddress(0,CreateCompatibleDC,0x76f36888,0x76f30000) => 0x0
  • sample1:7034:[ 2/6801][ 1940]=>DROPPED.EXE LdrGetProcedureAddress(0,CreateCompatibleDC,0x76f36888,0x76f30000) => 0x0
  • sample1:7111:[ 2/6878][ 1940]=>DROPPED.EXE LdrGetProcedureAddress(0,GdiIsMetaPrintDC,0x76f38d55,0x76f30000) => 0x0
  • sample1:7406:[ 2/7173][ 1940]=>DROPPED.EXE LdrGetProcedureAddress(0,CreateCompatibleDC,0x76f36888,0x76f30000) => 0x0
  • sample1:7408:[ 2/7175][ 1940]=>DROPPED.EXE LdrGetProcedureAddress(0,CreateCompatibleBitmap,0x76f373ad,0x76f30000) => 0x0
  • sample1:7409:[ 2/7176][ 1940]=>DROPPED.EXE LdrGetProcedureAddress(0,GetDIBits,0x76f3a23b,0x76f30000) => 0x0
  • sample1:7421:[ 2/7188][ 1940]=>DROPPED.EXE LdrGetProcedureAddress(0,GdipGetDC,0x73f130e7,0x73ed0000) => 0x0
  • sample1:7426:[ 2/7193][ 1940]=>DROPPED.EXE LdrGetProcedureAddress(0,GdipReleaseDC,0x73f131ae,0x73ed0000) => 0x0
  • sample1:7430:[ 2/7197][ 1940]=>DROPPED.EXE LdrGetProcedureAddress(0,BitBlt,0x76f372c0,0x76f30000) => 0x0

The process begins by loading the DLLs that contain the image-processing functionality and allow the creation of Bitmap objects. These objects are later filled with the results of functions that obtain the properties of the screen and the bytes representing its pixels, which is essentially the same as taking a screenshot.
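Added example, not code from the original post: a Python script that applies this idea to traces in the format quoted above, flagging screenshot or keylogging capability only when a sample resolves enough of the related functions, since a lone GetDC is ordinary GUI behaviour. The sample2 trace lines, the per-group thresholds and the trace regex are assumptions.

```python
import re
from collections import defaultdict

# Regex for the sandbox trace format quoted in the post:
#   <sample>:<line>:[ a/b][ pid]=>PROCESS.EXE Api(arg,arg,...) => 0x0
TRACE_RE = re.compile(r"^(?P<sample>[^:\s]+):\d+:\[[^\]]*\]\[[^\]]*\]=>\S+\s+"
                      r"(?P<api>\w+)\((?P<args>.*)\)\s*=>\s*\S+$")

# Function groups that together indicate a capability. A single GDI call is ordinary
# GUI behaviour; the signal is the chain needed to copy the screen into a bitmap
# (DC -> compatible DC/bitmap -> BitBlt/GetDIBits), hence a minimum hit count per group.
CAPABILITIES = {
    "screenshot": {"GetDC", "CreateCompatibleDC", "CreateCompatibleBitmap",
                   "BitBlt", "GetDIBits", "GdipCreateBitmapFromScan0"},
    "keylogging": {"SetWindowsHookEx", "GetMessage", "PeekMessage"},
}
MIN_HITS = {"screenshot": 4, "keylogging": 2}  # assumed thresholds
ALL_APIS = set().union(*CAPABILITIES.values())

def normalise(name):  # fold ANSI/Unicode variants (SetWindowsHookExW) onto the base name
    return name[:-1] if name[-1:] in "AW" and name[:-1] in ALL_APIS else name

def resolved_functions(lines):
    """Map sample -> set of names it resolved through LdrGetProcedureAddress."""
    resolved = defaultdict(set)
    for line in lines:
        m = TRACE_RE.match(line.strip())
        if m and m["api"] == "LdrGetProcedureAddress":
            args = m["args"].split(",")      # (module handle, name, address, base)
            if len(args) >= 2:
                resolved[m["sample"]].add(normalise(args[1].strip()))
    return dict(resolved)

def detect_capabilities(lines):
    """Return {sample: sorted capabilities whose hit threshold is met}."""
    return {sample: sorted(cap for cap, apis in CAPABILITIES.items()
                           if len(names & apis) >= MIN_HITS[cap])
            for sample, names in resolved_functions(lines).items()}

# Sample input: the sample1 lines are quoted from the trace above; the sample2 lines
# are constructed to show a keylogger that resolves one GDI function but not the chain.
TRACE = """\
sample1:5865:[ 2/5632][ 1940]=>DROPPED.EXE LdrGetProcedureAddress(0,GetDC,0x75c6544c,0x75c50000) => 0x0
sample1:7406:[ 2/7173][ 1940]=>DROPPED.EXE LdrGetProcedureAddress(0,CreateCompatibleDC,0x76f36888,0x76f30000) => 0x0
sample1:7408:[ 2/7175][ 1940]=>DROPPED.EXE LdrGetProcedureAddress(0,CreateCompatibleBitmap,0x76f373ad,0x76f30000) => 0x0
sample1:7430:[ 2/7197][ 1940]=>DROPPED.EXE LdrGetProcedureAddress(0,BitBlt,0x76f372c0,0x76f30000) => 0x0
sample2:101:[ 1/90][ 2210]=>DROPPED.EXE LdrGetProcedureAddress(0,SetWindowsHookExW,0x75c60000,0x75c50000) => 0x0
sample2:102:[ 1/91][ 2210]=>DROPPED.EXE LdrGetProcedureAddress(0,GetMessageW,0x75c60001,0x75c50000) => 0x0
sample2:103:[ 1/92][ 2210]=>DROPPED.EXE LdrGetProcedureAddress(0,GetDC,0x75c6544c,0x75c50000) => 0x0
""".splitlines()
```

Running `detect_capabilities(TRACE)` reports sample1 as screenshot-capable and sample2 as keylogging-capable; the same filtering approach extends to the registry and file accesses discussed earlier once the trace lines for those calls are available.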

From this analysis it has been possible to draw some conclusions. First of all, even though keylogging and screen capture functionality is present in some grabbers, it is not as common as accessing files or registry entries that contain credentials.

Several samples demonstrated the capability to steal credentials from FTP applications, but this is not frequently found in grabbers, and the grabbers that do it usually support a large number of different FTP applications. Instant messaging applications are as uncommon a target as FTP applications, but fewer IM applications are supported.

Looking at web browsers, the most common ones (Internet Explorer, Firefox, Chrome) are usually targeted and, because of their complexity, several registry keys and files are accessed to extract information about them. ChromePlus and Chromium (variants of the Chrome web browser) are also often targeted.

Finally, email clients do not seem to be heavily targeted by grabbers, and when they are, the most affected applications are Outlook, The Bat!, Incredimail and Windows Mail.

Please take into account that relying solely on the behavior of a sample is not the best approach to obtain a precise profile of it, because depending on the system in which the sample is analyzed, it may perform or skip some actions. However, analyzing sample by sample is very time-consuming, so the approach used here proves to be a very fast way to analyze samples and get a general idea of what they are capable of.

The fight against cybercrime should take a new direction. Now, more than ever, it is time to socialize the threat intelligence, don’t miss the chance to join our community!

Blueliv Labs
