Malware’s Most Wanted: NightHunter. A Massive Campaign to Steal Credentials Revealed
DESCRIPTION
Cyphort Labs has discovered an extensive data theft campaign that we have named NightHunter. The campaign, active since 2009, is designed to steal login credentials of users. Targeted applications include Google, Yahoo, Facebook, Dropbox and Skype. Attackers have many options to leverage the credentials and the potential for analyzing and correlating the stolen data to mount highly targeted, damaging attacks.
TRANSCRIPT
NightHunter: A Massive Campaign to Steal Credentials Revealed
Cyphort Labs Malware’s Most Wanted Series July 2014
Your speakers today
Nick Bilogorskiy, Director of Security Research
Shel Sharma
Agenda
o What is NightHunter
o NightHunter timeline
o Dissecting the malware
o Wrap-up and Q&A
About Cyphort Labs
We work with the security ecosystem
• Contribute to and learn from malware KB
• Best of 3rd party threat data
We enhance malware detection accuracy
• False positives/negatives
• Deep-dive research
Threat Monitoring & Research team
• 24x7 monitoring for malware events
• Assist customers with their forensics and incident response
NightHunter – Name explained
We called it NightHunter, because of its use of SMTP (email) for data exfiltration. Email is often overlooked, so it can be a more stealthy way of data theft, akin to hunting at night.
What is NightHunter?
o Campaign began 2009, still ongoing
o Malware coded in .NET
o Extensive data theft campaign using SMTP and more than 3,000 unique keylogger binaries
o Steals login credentials of users: Google, Facebook, Dropbox, Skype and other services
o At least 1,800 infections
NightHunter C&C protocol: poll question
What do you think is the Command and Control protocol for updating of NightHunter?
A: HTTP
B: HTTPS
C: FTP
D: IRC
E: None of the above
NightHunter C&C protocol
None! NightHunter does not use a command and control protocol.
Instead each variant simply sends stolen data to the hard-coded email server.
By using email, it hides in plain sight as organizations beef up web anomaly detection.
NightHunter History
2009: First variants of NightHunter appear
2010: Malware starts using AOL, Microsoft email servers
2012: Malware starts using mx1.3owl.com
2013: Starts using Comcast, Yahoo email servers
2014: Cyphort discovers NightHunter
NightHunter Infections To Date
There are at least 1,800 unique infections.
Number of unique infections per email server:
3OWL: 1000
Ieindia: 350
Drmike: 200
Hanco: 150
Gmail: 100*
Comcast: 60
NightHunter Infections To Date
[Chart: samples using Gmail servers (smtp.gmail.com), monthly sample count from 2013-07 to 2014-06, y-axis 0 to 500]
Malware Architecture
1. User receives a phishing email with a DOC/ZIP attachment.
2. Stage 1 – EXE: decrypts the DLL from a resource section and loads it from memory.
3. Stage 2 – DLL*: runs from the EXE’s process memory and sends out credentials via SMTP.
4. Attacker receives the stolen credentials on the email server.
* Some samples did not need Stage 2.
NightHunter Delivery
o Delivered mostly through phishing emails with DOC/ZIP/RAR attachments.
o User gets infected by opening a malicious document with scripting enabled.
o Emails were targeted towards personnel in finance/sales/HR departments
Email subject/attachment names:
• Jobs List
• Inquiry
• Order
• PO
• Purchase Order
• Payment Slip
• Reconfirm Pls
• Remittance Payment Slip
• WireSlip
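The delivery slides give defenders three cheap signals to combine at the mail gateway: the lure subjects and attachment names listed above, DOC/ZIP/RAR attachments, and recipients in finance, sales or HR. The following is an added example written for this page, not Cyphort's code or tooling; the key=value log format, the DEPARTMENTS lookup table, the scoring weights and the sample log lines are all constructed assumptions.

```python
"""Triage inbound mail against the NightHunter lure traits the deck lists:
DOC/ZIP/RAR attachments, subject or attachment names such as "Purchase Order"
and "Payment Slip", and recipients in finance, sales or HR.

Added example, not Cyphort's code. The key=value log format, the department
lookup table and the scoring weights are assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field

# Subject/attachment names from the "NightHunter Delivery" slide.
LURE_NAMES = [
    "jobs list", "inquiry", "order", "po", "purchase order", "payment slip",
    "reconfirm pls", "remittance payment slip", "wireslip",
]
# Attachment types named on the slide; "docm" added as the macro-enabled form (assumption).
RISKY_EXTENSIONS = {"doc", "docm", "zip", "rar"}
TARGETED_DEPTS = {"finance", "sales", "hr"}

# Hypothetical directory lookup: recipient mailbox -> department.
DEPARTMENTS = {
    "ap@example.com": "finance",
    "sales-eu@example.com": "sales",
    "recruiting@example.com": "hr",
    "webmaster@example.com": "it",
}

# Constructed gateway log lines (made-up format, not real traffic).
SAMPLE_LOG = """\
from=vendor@mail.example.net to=ap@example.com subject="Purchase Order" attachment="PO-4471.doc"
from=jobs@example.org to=recruiting@example.com subject="Jobs List" attachment="Jobs List.zip"
from=news@example.net to=webmaster@example.com subject="Weekly digest" attachment=""
from=partner@example.net to=sales-eu@example.com subject="Re: pricing" attachment="quote.pdf"
from=it-tools@example.net to=webmaster@example.com subject="Server maintenance" attachment="notes.zip"
from=payments@example.biz to=ap@example.com subject="Remittance Payment Slip" attachment="WireSlip.rar"
"""

LINE_RE = re.compile(
    r'from=(?P<sender>\S+) to=(?P<rcpt>\S+) '
    r'subject="(?P<subject>[^"]*)" attachment="(?P<attachment>[^"]*)"'
)
FLAG_THRESHOLD = 3  # assumed: lure name + risky attachment, or risky attachment + targeted dept


@dataclass
class Finding:
    rcpt: str
    subject: str
    attachment: str
    score: int
    reasons: list = field(default_factory=list)


def _words(text):
    """Lower-case and collapse punctuation so 'PO-4471.doc' becomes 'po 4471 doc'."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def matches_lure(text):
    """True when a lure name occurs as whole words ('po' must not fire on 'report')."""
    words = _words(text)
    return any(re.search(rf"\b{re.escape(name)}\b", words) for name in LURE_NAMES)


def attachment_extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def score_message(rcpt, subject, attachment):
    """Return (score, reasons) for one message; higher means closer to the lure pattern."""
    score, reasons = 0, []
    if matches_lure(subject) or matches_lure(attachment):
        score += 2
        reasons.append("lure name in subject/attachment")
    if attachment_extension(attachment) in RISKY_EXTENSIONS:
        score += 2
        reasons.append("DOC/ZIP/RAR attachment")
    if DEPARTMENTS.get(rcpt) in TARGETED_DEPTS:
        score += 1
        reasons.append("recipient in targeted department")
    return score, reasons


def triage(log_text):
    """Parse gateway log lines and return the messages at or above FLAG_THRESHOLD."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in an unexpected format
        score, reasons = score_message(m["rcpt"], m["subject"], m["attachment"])
        if score >= FLAG_THRESHOLD:
            findings.append(Finding(m["rcpt"], m["subject"], m["attachment"], score, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.score} {f.rcpt:24} {f.subject!r:30} {f.attachment!r} {f.reasons}")
```

On the constructed log the three messages that pair a lure name with a DOC/ZIP/RAR attachment to a finance or HR mailbox are flagged, while the ZIP sent to the IT mailbox stays below the threshold. The whole-word match matters: a bare substring check on "PO" or "Order" would fire on "report" and "reorder" and bury the real hits.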
NightHunter Data Theft
NightHunter steals credentials for many services, for example:
o Google
o Yahoo
o Skype
o Facebook
o Hotmail
o LinkedIn
o Dropbox
o Amazon
o Banks, and others
In addition they are interested in:
o Bitcoin stealing
o Password managers
o Firefox/Google Chrome/IE/Safari/Opera
o Outlook
o Pidgin/Trillian/Paltalk/AIM/IMVU
o Various games and game bots
o Filezilla/Flashfxp/CoreFTP/SmartFTP/FTP Commander
NightHunter Malware Components
NightHunter is the name of the campaign. It includes more than 3,000 unique malware binaries, keylogger trojans including the following families:
o Predator Pain
o Limitless Logger Lite
o Keylogger Logları (SlloTBan)
o Spyrex
o FEDERIKOs Logger
o Unknown Logger Public
o Aux Logger
o Neptune
o Mr. Clyde Logger
o Ultimate Logger
o MY Ultimate Jobe
o Syslogger
o Syndicate Logger
PredatorPain keylogger (www.predatorpain.com)
Limitless Logger keylogger (www.limitlessproducts.org)
Federiko’s Logger
NightHunter binary analysis
Second level .NET assembly decoded and loaded from memory.
Killing security products feature
Poll question #2
What is the purpose of string obfuscation in malware?
A: Make malware run more efficiently
B: For copyright reasons
C: Deter reverse engineering
D: Prevent static signature detection
E: C and D
NightHunter binary analysis
- .NET class names use non-printable characters.
- Two of the ten different string obfuscation techniques are shown (screenshots).
It even steals credentials of Game Banks
Steals data from various browsers
Conclusions
1. NightHunter is a major data exfiltration campaign that went undetected for 5 years.
2. Enterprises should monitor SMTP and other protocols for data theft.
3. Intent of data collection is unknown; it appears campaign is building up a heap of stolen credentials to enable new damaging cyber threats.
4. Change your passwords frequently.
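Conclusion 2 follows directly from the C&C slide: with no command-and-control channel, the only network trace each variant leaves is an SMTP session from a workstation to its hard-coded mail server. Below is an added example, written for this page rather than taken from Cyphort's deck or tools, of that egress check over connection logs: any client outside the mail infrastructure that opens port 25/465/587 to a server other than the organisation's relay is reported. The log format, the relay name mail.example.com, the internal addresses, the mail_senders allowlist and the sample lines are constructed assumptions; smtp.gmail.com and mx1.3owl.com are the server names the deck itself mentions.

```python
"""Flag workstations that talk SMTP to mail servers other than the organisation's
relay, the exfiltration path the deck describes: no C&C, just a hard-coded mail
server receiving stolen credentials.

Added example, not Cyphort's code. The connection-log format, the relay names,
the internal addresses and the sample lines are assumptions for illustration;
smtp.gmail.com and mx1.3owl.com are the server names the deck mentions.
"""
import re

SMTP_PORTS = {25, 465, 587}
# Only these destinations may receive SMTP from ordinary clients (assumed).
ALLOWED_RELAYS = {"mail.example.com"}
# Hosts that legitimately send mail to the outside world, e.g. the relay itself (assumed).
MAIL_SENDERS = {"10.1.1.5"}

# Constructed connection-log lines (made-up format, not real traffic).
SAMPLE_LOG = """\
2014-06-02T09:14:03Z src=10.1.20.15 dsthost=mail.example.com dport=587
2014-06-02T09:15:41Z src=10.1.20.15 dsthost=smtp.gmail.com dport=587
2014-06-02T09:20:07Z src=10.1.20.44 dsthost=mail.example.com dport=25
2014-06-02T09:21:12Z src=10.1.20.44 dsthost=www.example.net dport=443
2014-06-02T09:45:41Z src=10.1.20.15 dsthost=smtp.gmail.com dport=465
2014-06-02T10:02:19Z src=10.1.1.5 dsthost=mx.example.org dport=25
2014-06-02T10:30:55Z src=10.1.20.77 dsthost=mx1.3owl.com dport=25
2014-06-02T10:31:00Z src=10.1.20.15 dsthost=mail.example.com dport=587
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dsthost=(?P<dsthost>\S+) dport=(?P<dport>\d+)"
)


def parse(log_text):
    """Yield (timestamp, src, dsthost, dport) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["src"], m["dsthost"], int(m["dport"])


def find_rogue_smtp(log_text, allowed_relays=ALLOWED_RELAYS, mail_senders=MAIL_SENDERS):
    """Return {src: {"count": n, "servers": [...], "first": ts, "last": ts}} for
    clients that opened SMTP sessions to servers outside the allowed relay set."""
    hits = {}
    for ts, src, dsthost, dport in parse(log_text):
        # Ignore non-SMTP traffic, the mail infrastructure itself, and the sanctioned relay.
        if dport not in SMTP_PORTS or src in mail_senders or dsthost in allowed_relays:
            continue
        entry = hits.setdefault(src, {"count": 0, "servers": set(), "first": ts, "last": ts})
        entry["count"] += 1
        entry["servers"].add(dsthost)
        entry["last"] = ts
    # Sort the server sets so the report is stable from run to run.
    return {src: {**e, "servers": sorted(e["servers"])} for src, e in hits.items()}


if __name__ == "__main__":
    for src, e in sorted(find_rogue_smtp(SAMPLE_LOG).items()):
        print(f"{src}: {e['count']} SMTP session(s) to {', '.join(e['servers'])} "
              f"between {e['first']} and {e['last']}")
```

On the constructed log two clients are reported: 10.1.20.15, which reached smtp.gmail.com twice on 587 and 465 in between normal sessions to the relay, and 10.1.20.77, which contacted mx1.3owl.com once. The relay's own outbound delivery on port 25 is not reported because it is in the mail_senders set. In a real deployment the destination name comes from proxy or DNS logs rather than the firewall, and the same rule should be applied to whatever non-web protocols the environment permits outbound, since the point of the deck is that the web-focused anomaly detection most organisations run never sees this traffic.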
Q and A
o Information sharing and advanced threats resources
o Blogs on latest threats and findings
o Tools for identifying malware
Thank You!