When a new type of malware appears, the first question is always what its objectives are. At the moment we are monitoring a new .NET spyware that has not been reported yet. It stands out through persistent anti-analysis techniques implemented with the Confuser packer. Apart from that, the spyware makes little effort to disguise itself at runtime, which reveals its intentions: it collects login details from a large number of programs and gathers further information with a keylogger.

This .NET spyware, which we have named Camolog, is being spread by an ongoing phishing campaign. It collects login details from mail clients, browsers, FTP clients and instant messengers and additionally runs a keylogger. The access data gathered in such campaigns is usually sold by cybercriminals or used in later attacks.

The subject lines (see the list of indicators below) and attachments vary slightly between the individual emails of this large spam wave. In most cases the attachments that deliver the malware are between 400KB and 1.3MB in size. The following screenshot shows one of these phishing e-mails with the contact information redacted, because in many cases it belongs to real people whose data was stolen.

Example of a phishing mail that delivers malware.


The phishing email makes the recipients believe that they are about to receive a price quote or some kind of offer, which motivates them to open the attachment. The attachment, however, is a RAR archive named “Sample Product 9076_pdf.rar” that hides the executable .NET file “SampleProduct9076_pdf.exe”. This file serves as a dropper for the spyware and is protected by a version of the publicly available obfuscation tool Confuser.

Opening the malware in the .NET decompiler dotPeek makes the use of Confuser apparent. The project name “dimineata”, shown in the screenshot below, stands out and can be used to identify the malware.

The .NET decompiler dotPeek reveals the use of Confuser.

However, the combination of anti-decompiler and anti-debugger techniques makes the malware hard to analyze: the analysis tool IDA Pro crashes when loading the binary, some .NET decompilers do not work properly and the debuggers used for dynamic analysis fail, so manual analysis rarely yields any information. This is probably one of the reasons why this spyware has not been publicly reported so far.

Bypassing security measures

The only way to get an overview of the behavior of this malware is to run it in a safe and controlled environment. There you can observe that the malware runs as a process named “chrome.exe” with the description “Accu-Chek 360˚ diabetes management software” and that this process starts a sub-process of the same name. After a few moments, the original binary writes a copy of itself to AppData\Local\Temp\iaq\iaq.exe, starts it as a sub-process and then deletes itself.

When the sub-process is loaded, its binary has to be fully extracted and decrypted in memory. It is handed over as a byte array to the AppDomain.Load() function. Because this function belongs to the .NET framework, it is not affected by the anti-analysis methods of the obfuscator and, unlike the malware’s own functions, can be analyzed easily. With a debugger such as dnSpy it is therefore possible to set a breakpoint on this function and dump the malware binary that the dropper loads. But let’s have a closer look at the malware itself.

Analysis of spyware.


The dropped spyware binary is obfuscated only by randomly renaming functions and variables, without any further anti-analysis methods. It is therefore possible to generate readable source code with a .NET decompiler again and thus reveal the behavior of the malware.


What information is collected?

The spyware collects a wide range of information: the connection data that the FTP client SmartFTP stores in its favorites, the passwords of the WS_FTP client, the recently used connections of FileZilla, the saved sessions of WinSCP and the connection data of FTPWare.

Additionally, the account data saved in the instant messenger Pidgin and the passwords of the video chat tool Paltalk are read out. Camolog also diligently collects account data from the Outlook and Thunderbird mail clients as well as the login details stored by the YandexBrowser, ChromePlus and Chromium browsers. With its keylogger, the spyware can also record any other input, including passwords.

The spyware nests itself in the system by creating registry keys for Windows Autorun (see the list of indicators). These registry keys and the running process “chrome.exe” make the malware fairly easy to identify on an infected system.

Cloud protection by Hornetsecurity products

Thanks to its carefully designed spam filter mechanisms, Hornetsecurity has been detecting the emails of this campaign since they first appeared and has been filtering them out in the cloud. As a result, the spyware never gets anywhere near our customers’ business infrastructure.

With Hornetsecurity Advanced Threat Protection, our customers are also protected against any variant of this malware. Because it relies on behavioral analysis, the level of protection Hornetsecurity ATP provides exceeds that of a conventional spam filter.

Here is an extract from the ATP behavioral analysis:

The detailed evaluation of the sandbox analysis.


List of indicators for the detection of the malware

Phishing emails

Subject lines used in the campaign:

  • Quotation request
  • Quote-Bid Identifier: ITB-0011-0-2018/AM
  • Quote-Bid Identifier: ITB-0014/0015-0-2018/AM
  • Kindly Quote-Bid Identifier: ITB-0016-0-2015/AM
  • Quotation required

Attachment of the phishing email – Win32 RAR archive

  • File name: Sample Product 9076_pdf.rar
  • SHA256: 5f5e7a57d9500fcece0b7c88c8925bb13243222182e5badddaa2419bda963ca6
  • Attachments of other emails of this campaign:
    • 30eaa3e9b9390f603d2a349c0a4cf064225eff3ede60a24aab8e69cf67cf83a5  Product sample 0015_pdf.rar
    • 6acf72c636aa9ff2fae225d75eea063c2ee61026151a6c405175dd06e8a5c01f  product sample 0019_pdf.rar
    • a54f7ff3ecf8acccc23fe2c52fd5e58099852f3448dcec67c6deff5fa925a4d5  Sample product 0011_pdf.rar
    • c165676976f9e91738c5b6a3442bf67832a7556e23e49f1a77c115af47b290ee  Sample Product 0014_pdf.rar
    • 97cea5ce28bbebff16251cbde247362915e8f41a89f979ae266c797aff6ef5e6  Sample Product 0016_pdf.rar
    • 5f5e7a57d9500fcece0b7c88c8925bb13243222182e5badddaa2419bda963ca6  Sample Product 9076_pdf.rar
  • File type: RAR archive data, v4, os: Win32
  • Size: 331K
  • Content of the archive, SHA256: 2feb8a19f44c29a83a0561ca7e38492e1a843add08eda2027a8a7c5041af6de6

Dropper contained in the archive

  • File name: SampleProduct9076_pdf.exe
  • SHA256: 2feb8a19f44c29a83a0561ca7e38492e1a843add08eda2027a8a7c5041af6de6
  • Other droppers of the campaign:
    • 38782911f7deca093b0e6018fd6c51122a8211c9c446f89de18e6ada85afa0d1  Product sample 0015_pdf.exe
    • 542b6a778489710994aadfaca3b57e0a9c03d2e3b6d5617e3220f364cbde9a45  product sample 0019_pdf.exe
    • 04381c6ecdf618ce122084a56ca5416c6774cba4b34909e95f7a532523c3e877  Sample product 0011_pdf.exe
    • 42992976461c59a4a52e4bf202d4bfcd738408d729ff9cbc55786016cb4075c3  Sample Product 0014_pdf.exe
    • 2a159afdc686df016ee370aeed134f9c4fe44320a32ec2eb25d76270206b5b5a  Sample Product 0016_pdf.exe
    • 2feb8a19f44c29a83a0561ca7e38492e1a843add08eda2027a8a7c5041af6de6  Sample Product 9076_pdf.exe
  • File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • Size: 429K
  • Process name: chrome.exe
  • Description: Accu-Chek 360˚ diabetes management software
  • Drops the file SHA256: 67c7840eefb640e70473ebc4bb7dec89f8168d679226be0696708e3427956114
  • Significant string: dimineata.exe
  • Stores a copy of itself under C:\Benutzer\analyst\Appdata\Local\Temp\iaq.exe

Dropped spyware

  • File name: impartial.exe
  • SHA256: 67c7840eefb640e70473ebc4bb7dec89f8168d679226be0696708e3427956114
  • File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • Size: 58K
  • Process name: chrome.exe

Registry keys from which information is gathered

  • HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles*
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook*
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook*
  • HKEY_CURRENT_USER\Software\Paltalk
  • HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
  • HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites

Files from which information is gathered

  • C:\Users\Administrator\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
  • C:\Users\Administrator\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
  • C:\Users\Administrator\AppData\Roaming\FileZilla\recentservers.xml
  • C:\Users\Administrator\AppData\Roaming\Thunderbird\profiles.ini
  • C:\Users\Administrator\AppData\Roaming\.purple\accounts.xml
  • C:\Users\Administrator\AppData\Local\Chromium\User Data\Default\Login Data
  • C:\Users\Administrator\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
  • C:\Users\Administrator\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data

Registry keys created for persistence

  • Autorun entry for the dropper: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\iaq
    • reg_value   C:\Users\ADMINI~1\AppData\Local\Temp\iaq\iaq.exe
  • Autorun entry of the spyware: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Application
    • reg_value   C:\Users\Administrator\Desktop\chrome.exe -boot
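As an added example (this is not code from the Hornetsecurity post), the following PowerShell script turns the persistence and process artifacts described above into a read-only triage check for a single Windows user profile: it looks for the two Autorun values `iaq` and `Application` under HKCU\...\Run, for a running “chrome.exe” that is either not located in Chrome’s installation directory or carries the “Accu-Chek 360˚” description, and for the dropped files in AppData\Local\Temp and on the Desktop, which it hashes against the SHA256 values of the dropper and the spyware from the list. The value names, paths and hashes come from the indicator list; the Chrome installation-directory pattern and the use of the `$env:LOCALAPPDATA` and `$env:USERPROFILE` paths are assumptions.

```powershell
# Added example, not code from the Hornetsecurity post: read-only triage of the
# current user profile for the Camolog artifacts in the indicator list above.
# Indicator names, paths and hashes are taken from that list; the Chrome
# install-directory pattern and the $env:* profile paths are assumptions.

# SHA256 values of the dropper and the dropped spyware from the indicator list
$KnownHashes = @(
    '2feb8a19f44c29a83a0561ca7e38492e1a843add08eda2027a8a7c5041af6de6',  # dropper (SampleProduct9076_pdf.exe)
    '67c7840eefb640e70473ebc4bb7dec89f8168d679226be0696708e3427956114'   # dropped spyware (impartial.exe)
)

# Run-key value names and the command lines the post reports under them
$SuspectRunValues = @{
    'iaq'         = '\\AppData\\Local\\Temp\\iaq\\iaq\.exe$'
    'Application' = '\\Desktop\\chrome\.exe\s+-boot$'
}

function Find-CamologRunKeys {
    # Persistence: HKCU\...\Run\iaq (dropper) and HKCU\...\Run\Application (spyware)
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (-not (Test-Path $runKey)) { return @() }
    $props = Get-ItemProperty -Path $runKey
    $hits = foreach ($name in $SuspectRunValues.Keys) {
        $prop = $props.PSObject.Properties[$name]
        if ($null -eq $prop) { continue }
        # Report the value whenever it exists; flag whether its data matches the known command line
        [pscustomobject]@{
            Indicator   = "Run\$name"
            Data        = $prop.Value
            MatchesPost = [bool]($prop.Value -match $SuspectRunValues[$name])
        }
    }
    return @($hits)
}

function Find-SuspiciousChromeProcesses {
    # Camolog runs as "chrome.exe" with the description "Accu-Chek 360˚ diabetes
    # management software"; a genuine Chrome lives under ...\Google\Chrome\Application\
    $found = foreach ($p in Get-Process -Name chrome -ErrorAction SilentlyContinue) {
        try {
            $path = $p.MainModule.FileName
            $desc = $p.MainModule.FileVersionInfo.FileDescription
        } catch { continue }   # processes we are not allowed to inspect
        $inChromeDir = $path -match '\\Google\\Chrome\\Application\\chrome\.exe$'
        $accuChek    = $desc -like 'Accu-Chek 360*'
        if (-not $inChromeDir -or $accuChek) {
            [pscustomobject]@{ ProcessId = $p.Id; Path = $path; Description = $desc }
        }
    }
    return @($found)
}

function Find-CamologFiles {
    # Drop locations from the indicator list, hashed against the known samples
    $candidates = @(
        (Join-Path $env:LOCALAPPDATA 'Temp\iaq\iaq.exe'),
        (Join-Path $env:LOCALAPPDATA 'Temp\iaq.exe'),
        (Join-Path $env:USERPROFILE  'Desktop\chrome.exe')
    )
    $found = foreach ($f in $candidates) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash.ToLowerInvariant()
        [pscustomobject]@{
            Path        = $f
            SHA256      = $hash
            KnownSample = ($KnownHashes -contains $hash)
        }
    }
    return @($found)
}

# Run all three checks, print the findings and signal hits through the exit code
$runHits  = Find-CamologRunKeys
$procHits = Find-SuspiciousChromeProcesses
$fileHits = Find-CamologFiles

$runHits  | Format-Table -AutoSize
$procHits | Format-Table -AutoSize
$fileHits | Format-Table -AutoSize

$total = $runHits.Count + $procHits.Count + $fileHits.Count
if ($total -gt 0) {
    Write-Warning "$total Camolog indicator(s) found; isolate the host and preserve the files before cleanup."
    exit 1
}
Write-Host 'No Camolog indicators found in the current user profile.'
```

The script only reads the registry, the process list and the file system, so it can be run as part of a first triage before any cleanup; a file that sits at one of the drop locations but hashes to a value not in the list (`KnownSample` false) is still worth preserving, because it may be a new variant of the campaign. Since the indicators are all per-user (HKCU and the user’s profile), the check has to be repeated for every profile on a shared machine.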