Analyzing an “Ultra-Advanced APT Tool” Using High-Resolution Dynamic Analysis

Analyzing an “Ultra-Advanced APT Tool” Using High-Resolution Dynamic Analysis

Earlier this week, Sam Bowne (@sambowne) posted a nice example of how to write a simple keylogger in a few lines of Python. He used this code to evaluate a few sandboxes, including Lastline. The full code can be found on Sam’s blog, but the essential lines can be seen in the following snippet of code:

Python keylogger used to test APT solutions

As one can see, the code uses the Windows API for registering callbacks to invoke on key-press events, as we describe in our recent blog-post on the internals of keylogging malware. The recorded key-press events are collected and sent to the attacker (in this case, they are uploaded to pastebin) as soon as the return key (or enter key with key-code 13) is pressed (see the highlighted code regions).

High Resolution Dynamic Analysis

As we described in the previous blog-post, the Lastline high-resolution dynamic analysis engine recognizes when programs under analysis attempt to steal sensitive information of the user using keylogging activity.

Below, one can see the report of an analysis run in our system. The analysis sandbox identifies that the program is hooking the key-press events and instruments a virtual user to start behaving in a way that could trigger interesting behavior in the malware program.

Advanced Keylogger Malware Analysis Report
Analysis report overview – Keylogging behavior detected

Keylogging Advanced Malware Analysis Overview
Analysis subject overview highlighting interesting keyboard activity in Analysis subject 2

Since this sample is not looking for any specific data (such as credit card information or account credentials), our system uses data that seems generally attractive to an attacker as can be seen in the screenshot below.

Keylogger Malware Analysis Report Details
Report showing captured keyboard data

Network traffic showing upload of the stolen data by keylogging malware
Network traffic showing upload of the stolen data

“Evil APT Tool”

An attentive reader might have noticed that the code shown above slightly differs from the code posted by @sambowne originally. The main difference is that we decided to make the “evil APT tool” (as Sam calls it) slightly more realistic/real-world applicable:

The original program assumes users will follow instructions (and start the tool using the return key) and confirm inputs using the same return key. However, most of today’s interfaces (such as web-forms in browsers, or GUI applications) do not make much use of this key any longer, but instead use “submit” buttons that can be triggered using the mouse or many other ways through the keyboard. Therefore, our modified program simply uploads data whenever enough has been captured, as shown in the highlighted code regions.

At this point, we should address that Sam originally posted that the Lastline system fails to identify this sort of attack (which inspired us to look into the sample and write this short post). The main difference between the two outcomes is the modified return-key behavior mentioned above and not requiring user-confirmation to start the actual payload. Sam’s proof-of-concept code illustrates nicely how to write the keylogger in Python, but a real-world attack would not make these assumption. We acknowledge, however, that we should identify this sort of activity and extend our virtual user to follow the instructions accordingly.

Conclusion

Sam did a great job showing how easy it has become for attackers to quietly steal an unsuspecting victim’s personal data. Traditional sandboxes fail at analyzing this type of threat despite that many of today’s advanced malware families contain this sort of behavior. The Lastline high-resolution malware analysis engine, on the other hand, correctly identifies and detects the behavior as shown in the example analysis report.

Clemens Kolbitsch

Clemens Kolbitsch

Clemens is a Security Researcher and engine developer at Lastline. As a lead-developer of Anubis, he has gained profound expertise in analyzing current, malicious code found in the wild. He has observed various trends in the malware community and successfully published peer-reviewed research papers. In the past, he also investigated offensive technologies presenting results at conferences such as BlackHat.
Clemens Kolbitsch
Tags: