Analyzing an “Ultra-Advanced APT Tool” Using High-Resolution Dynamic Analysis
Every AV I’ve tested is helpless against Violent Python attacks; the only good defense I’ve found is @LastlineLabs
— Sam Bowne (@sambowne) May 27, 2014
Earlier this week, Sam Bowne (@sambowne) posted a nice example of how to write a simple keylogger in a few lines of Python. He used this code to evaluate a few sandboxes, including Lastline. The full code can be found on Sam’s blog, but the essential lines can be seen in the following snippet of code:
As one can see, the code uses the Windows API for registering callbacks to invoke on key-press events, as we describe in our recent blog-post on the internals of keylogging malware. The recorded key-press events are collected and sent to the attacker (in this case, they are uploaded to pastebin) as soon as the return key (or enter key with key-code 13) is pressed (see the highlighted code regions).
High Resolution Dynamic Analysis
As we described in the previous blog-post, the Lastline high-resolution dynamic analysis engine recognizes when programs under analysis attempt to steal sensitive information of the user using keylogging activity.
Below, one can see the report of an analysis run in our system. The analysis sandbox identifies that the program is hooking the key-press events and instruments a virtual user to start behaving in a way that could trigger interesting behavior in the malware program.
Analysis report overview – Keylogging behavior detected
Analysis subject overview highlighting interesting keyboard activity in Analysis subject 2
Since this sample is not looking for any specific data (such as credit card information or account credentials), our system uses data that seems generally attractive to an attacker as can be seen in the screenshot below.
Report showing captured keyboard data
Network traffic showing upload of the stolen data
“Evil APT Tool”
An attentive reader might have noticed that the code shown above slightly differs from the code posted by @sambowne originally. The main difference is that we decided to make the “evil APT tool” (as Sam calls it) slightly more realistic/real-world applicable:
The original program assumes users will follow instructions (and start the tool using the return key) and confirm inputs using the same return key. However, most of today’s interfaces (such as web-forms in browsers, or GUI applications) do not make much use of this key any longer, but instead use “submit” buttons that can be triggered using the mouse or many other ways through the keyboard. Therefore, our modified program simply uploads data whenever enough has been captured, as shown in the highlighted code regions.
At this point, we should address that Sam originally posted that the Lastline system fails to identify this sort of attack (which inspired us to look into the sample and write this short post). The main difference between the two outcomes is the modified return-key behavior mentioned above and not requiring user-confirmation to start the actual payload. Sam’s proof-of-concept code illustrates nicely how to write the keylogger in Python, but a real-world attack would not make these assumption. We acknowledge, however, that we should identify this sort of activity and extend our virtual user to follow the instructions accordingly.
Sam did a great job showing how easy it has become for attackers to quietly steal an unsuspecting victim’s personal data. Traditional sandboxes fail at analyzing this type of threat despite that many of today’s advanced malware families contain this sort of behavior. The Lastline high-resolution malware analysis engine, on the other hand, correctly identifies and detects the behavior as shown in the example analysis report.
Latest posts by Clemens Kolbitsch (see all)
- Ransomware: Too Overt to Hide [Part 2] - April 13, 2017
- Party like it’s 1999: Comeback of VBA Malware Downloaders [Part 3] - November 10, 2016
- Lifting the Seams of the Shifu “Patchwork” Malware - September 4, 2015