Keyloggers and Other Password Snatching Malware
Cybercriminals are motivated by several things, including fun, fame, ideology, revenge, and especially monetary gain. They use many techniques in their quest to achieve these goals, and keylogging malware (aka keyloggers), and other password snatching techniques are among their primary tools.
Understanding the Why of Malware is as Important as Knowing How It Works
Experts often classify malware by how a particular strain works—it’s a virus, Trojan, worm, or uses a rootkit. These technically oriented taxonomies are of course very important, but it’s also useful to categorize malware by its intent. This helps answer why a cybercriminal wrote a particular piece of malware, and what the ultimate, or even the preliminary, objectives are.
Understanding the goal of the malware provides an insight into the cybercriminals’ objectives, but equally importantly, it helps researchers and network defenders anticipate where and how the malware may attack. That added intelligence is critical when trying to protect valuable data.
The focus of this post is on the set of malicious software that is specifically designed to steal user credentials.
Stealing Login Credentials is Key to Cybercriminals
Password-snatching malware is extremely important to cybercriminals. The vast majority of data breaches involve the use of stolen passwords, especially passwords to privileged accounts. In fact, research shows that hackers use stolen login credentials in 81% of all significant data breaches. A detailed discussion about the frequency of password theft is beyond the scope of this post, but for those who want a deeper dive, see Password-Stealing Malware Remains Key Tool for Cybercriminals.
Hackers typically obtain IDs and passwords in the following ways:
- Guessing. Since weak passwords are still commonly used, this approach is alarmingly successful. Automated password-guessing tools are readily available to criminals and effective.
- Social Engineering. Tricking users into revealing their passwords through a phishing attack or other form of social engineering. Phishing remains one of the most prolific ways to launch a cyberattack of any kind.
- Malware. Code specifically written to do one thing—steal user names and passwords.
Types of Password Snatching Malware
There are several types of malware specifically designed to steal user credentials. Here are some of the more common varieties.
Keylogging Malware: Keystroke loggers (“Keyloggers”) capture user data as it’s entered into the keyboard. Not all keystroke logging software is malicious. Employers use legitimate keylogging software or hardware to oversee the use of their computers and to monitor employee activity. Windows 10 has a built-in keylogger in its final version. According to Microsoft, the keylogger is there to “improve typing and writing services.” Unfortunately, keyloggers are often used by cybercriminals to capture user IDs, passwords, and other sensitive information. Network defenders need to understand the basics of keyloggers, how criminals use them, and how to detect them.
Ramscrapers: Sometimes referred to as memory scraping malware, these malicious programs find their way into the heart of the system and monitor its memory looking for IDs, passwords, account numbers, and other valuable data. Even though this type of sensitive data is often encrypted in storage, ramscrapers capitalize on the fact that at some point the system needs to decrypt that data and hold it in memory in order to use it. Ramscrapers are readily found in the underground market. Popular versions include Dexter, Soraya, ChewBacca, Mimikatz, and BlackPOS.
Password File and System Grabbers: Some malware is specifically designed to access or steal your system’s password repository or files. If successful, the malware may obtain all passwords for all users on the system, or all of the passwords belonging to a particular user. For example, Keydnap is a MacOS X-based program that steals passwords from the Keychain password management system of the infected Apple device. Researchers have discovered a number of malware families designed to compromise an entire password file, including malicious programs that specifically target third-party password managers like Password Safe and KeePass.
Password Crackers: Password cracking tools take many forms. Some try to log in with every possible combination of words, numbers, and characters. Other tools aim to decrypt captured password files that contain the login credentials for all authorized users. Cybercriminals also plant malware that captures and breaks passwords transmitted over wireless or physical networks. Common password cracking tools include Brutus, RainbowCrack, Cain and Abel, John the Ripper, Medusa, Aircrack-NG, and Wfuzz.
Man-In-the-Browser: This form of malware infects the victim’s browser, and captures IDs, passwords, and other data as it travels between the browser and the internet. The malware frequently injects authentic looking dialog boxes or forms for the user to complete, such as a request for the user’s ID and password.
Password Snatching is a Huge Problem
Organizations lose billions of dollars to password stealing malware. Both the Target and Home Depot data breaches were reportedly caused by the ramscraping BlackPOS malware, which successfully stole user IDs and passwords. In the staggering Yahoo data breach, where cybercriminals stole 3 billion user accounts, the hackers gained initial access through login credentials obtained via a phishing scheme. But the real damage apparently came when the hackers were able to access the giant’s entire password file.
More recently, both NotPetya and BadRabbit ransomware strains leveraged Mimikatz ramscraping malware. NotPetya alone crippled thousands of computers at companies like Maersk, Merck, and FedEx, and caused well over a billion dollars in damages.
Hope for Organizations – Using Behavior Analysis to Safeguard Credentials
Given the amount of damage inflicted by stolen IDs and passwords, it’s critical that enterprises take immediate and effective steps to protect themselves, their employees, and their customers. Fortunately, there are a number of things an organization can do to dramatically cut their risk of password theft and resulting data loss.
In addition to policies requiring strong passwords and appropriate user training about phishing and other social engineering attacks, organizations need to deploy tools specifically designed to detect and stop today’s advanced malware that’s intentionally created to steal user credentials. Because malware is constantly growing in sophistication, companies must make sure the system they implement uses the very latest in malware detection techniques.
A good quality and up-to-date malware detection system can identify all forms of password-stealing code—primarily through advanced sandbox technologies. By performing both static and dynamic analysis, these systems analyze and execute the code in a carefully controlled environment—evaluating the program for malicious capabilities and behaviors. This Deep Content Inspection identifies specific malicious behaviors engineered into a piece of malware, and analyzes it for potential risks—including but not limited to the following behaviors:
- Evasion attempts or capabilities
- Attempts to establish unauthorized persistence
- Specific password decryption or cracking features
- Attempted access to privileged system files
- Lateral movement in search of password files (especially privileged credentials) or other assets and systems that may yield additional password and ID information
- Attempted communications with the malware’s command and control server to exfiltrate stolen credentials
- Other related events that individually don’t appear threatening but, when evaluated as a whole, reveal malicious intent
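The last bullet is the core of behavior analysis: no single event is damning, but the combination is. The following added example (not code from the original post or from any vendor product) shows that correlation over a constructed sandbox log; the event names, category weights, threshold and log format are all assumptions made for the illustration.

```python
"""Correlate individually weak sandbox behaviors into a credential-theft verdict.
Added illustration; event names, weights and the sample log are constructed."""
import re
from collections import defaultdict

# Behavior categories from the post, each with a hypothetical weight.
CATEGORIES = {
    "evasion":     (("sleep_long", "check_vm", "check_debugger"), 2),
    "persistence": (("run_key_write", "scheduled_task"), 2),
    "cred_access": (("read_sam", "read_keychain", "read_keepass_db", "read_lsass_memory"), 4),
    "lateral":     (("smb_enum_shares", "admin_share_access"), 3),
    "c2_exfil":    (("dns_txt_query", "http_post_external"), 3),
}
EVENT_TO_CATEGORY = {e: c for c, (events, _) in CATEGORIES.items() for e in events}

# Constructed log format: "<ts> pid=<pid> <event> [detail]"
LINE_RE = re.compile(r"^(?P<ts>\d+)\s+pid=(?P<pid>\d+)\s+(?P<event>\w+)(?:\s+(?P<detail>.*))?$")

def parse_events(log):
    """Yield (pid, event) from the log; unparseable lines are skipped, not fatal."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m["pid"]), m["event"]

def score_process(events):
    """Return (score, categories_hit). A category counts once however often it fires,
    so repeating one noisy action cannot inflate the score by itself."""
    hit = {EVENT_TO_CATEGORY[ev] for _, ev in events if ev in EVENT_TO_CATEGORY}
    return sum(CATEGORIES[c][1] for c in hit), hit

def verdict(log, threshold=7):
    """Per process: flag when the combined weight of distinct categories reaches the
    threshold AND credential access is paired with an exit path (C2 or lateral)."""
    by_pid = defaultdict(list)
    for pid, ev in parse_events(log):
        by_pid[pid].append((pid, ev))
    results = {}
    for pid, evs in by_pid.items():
        score, hit = score_process(evs)
        malicious = (score >= threshold and "cred_access" in hit
                     and bool(hit & {"c2_exfil", "lateral"}))
        results[pid] = (score, sorted(hit), malicious)
    return results

SAMPLE_LOG = """\
1 pid=100 check_vm
2 pid=100 run_key_write HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
3 pid=100 read_lsass_memory
4 pid=100 http_post_external https://example.invalid/upload
5 pid=200 run_key_write HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
6 pid=200 http_post_external https://example.invalid/telemetry
not a sandbox event line
"""
```

Process 100 trips four categories and is flagged; process 200 writes a Run key and posts to the internet, which many legitimate installers also do, and stays below the bar because no credential access is seen.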
With the right policies, culture, and advanced malware detection tools in place, organizations will dramatically reduce the risk of a data breach or other security incident due to keyloggers and other forms of malware that’s specifically designed to steal user IDs and passwords.