InfoStealers Weaponizing COVID-19

Coronavirus, or COVID-19, continues to dominate the headlines and the cybersecurity landscape. The contagion has sadly infected over 3 million people globally, and nearly 250,000 people have died at the time of this writing.

Unsurprisingly, a global pandemic caused by a biological virus has created the perfect opportunity for malware actors to distribute digital viruses. Cybercriminals quickly leveraged the COVID-19 theme to rebrand common attack vectors and distribute them via phishing and spam campaigns. These attacks are typical infostealers, varying from new threats of relatively low complexity, like the 404 Keylogger, to more common ones, such as Lokibot. Lastline’s AI-powered solutions successfully blocked all attacks since these threats first began to surface.

In this blog post, we present the telemetry data as reported by a network of Lastline sensors deployed in our US and EMEA data centers, in order to showcase the magnitude and diversity of the attacks. We then provide a brief overview of the threats and distinctive aspects of these attacks, detailing differences, attack vectors, and exfiltration techniques.

Telemetry Data

Figure 1 shows a small subset of Lastline telemetry data of typical COVID-19-themed threats from March 1, 2020 to April 1, 2020. As we can see, there were more than 10 days that saw active attacks associated with various threats. For example, we detected both Lokibot and TrickBot campaigns on March 2 (Monday), Lokibot again a week later on March 9 (Monday), and campaigns mainly using Hawkeye on March 10 (Tuesday). On March 24 (Tuesday) the 404 Keylogger threat dominated the daily chart, and there were three types of threats detected on March 31 (Tuesday). The chart shows a clear pattern in which the attacks were active during weekdays, and there was not much activity during the weekend days. This is not surprising, as malware operators normally launch attacks during weekdays, typically starting on Mondays (as the chart shows) when people are back to work after the weekend. There is very little to gain in launching an attack campaign on a Saturday when people are not working, and much to lose if defenders can respond to an attack before people get back to their desks Monday morning.

Figure 1: Detection timeline of COVID-19-themed infostealers affecting some of Lastline customers from both EMEA and US regions.

What really caught our attention is that all the threats shown on the chart are essentially infostealers (or data stealers). Infostealers are not new: some, like Hawkeye, have been around since 2013, while a relatively new one is the 404 Keylogger, which first surfaced on a Russian dark web forum in August 2019.

As the name suggests, infostealers are designed to collect a wide range of information such as usernames, passwords, and bank details via the use of typical keyloggers. Some of them evolved into more sophisticated versions capable of stealing WiFi passwords (like Agent Tesla), system and network information (Trickbot), or the contents of cryptocurrency wallets (for example, Trickbot and Hawkeye). Like many attacks, these infostealers were typically distributed via spam email campaigns (or malspam). To increase the infection rate, the actors behind the attacks normally use emails with themes based on current news or events. COVID-19 is on literally everyone’s mind these days, so the chances of convincing a victim to open a message may be substantially increased, or at least that is the attacker’s hope.

So what do some of these attacks look like? In the following sections, we will detail the attacks Lastline detected, and provide distinctive aspects of the threats within EMEA and US regions.

EMEA

Figure 2 shows the threats associated with four malware families Lastline detected within the EMEA region during the period. They are all part of the infostealer threats discussed above. As we can see, the most common and persistent infostealer in the region is Lokibot (also known as Loki, Loki Password Stealer, or LokiPWS). We detected Lokibot on six different days with a higher daily average volume, as compared to the other three stealers (Agent Tesla, Hawkeye, and Trickbot), each of which was seen on only two occasions over the same period. One possible reason for the popularity of Lokibot is that the source code of the original version was leaked in 2015, which led to many “hijacked” variants of the malware from people who gained access to the source code and compiled their own version of the stealer.

Figure 2: Detection timeline of COVID-19-themed infostealers in EMEA.

Table 1 lists some email subjects and attachment names used in the Lokibot campaigns.

Email Subject | Attachment Name
RE: Corona – Impact of Shipment – Details required — High Priority — TOP URGENT REMINDER 1 | #LGHC000782441968_Outgoing_Outstanding_ Shipment_pdf.gz
AWARENESS NOTICE ON CORONAVIRUS(COVID-19) | CENTER FOR DISEASE CONTROL_COVID_19 WHO DOCUMENT_PDF.arj
COVID-19: Copy of Transfer Receipt From Our Bank | MT103_PDF.arj
The measures BOBST has taken regarding the Coronavirus expansion | Letter_to_customers_covid-19_pdf.gz
UPDATE : BUSINESS CONTINUITY PLAN ANNOUNCEMENT 2020 DUE TO CORONAVIRUS (COVID-19 | Business continuity plan_pdf.gz
Re: Arrival notice – M/V Corona Triton | delivery certificate.pdf.arj
Table 1: Email subjects and attachment names used in the Lokibot campaigns.

As you can clearly see, all email subjects contain at least one of the pandemic-related keywords (Coronavirus, COVID-19, or Corona) combined with urgent social-engineering language to enhance the lure, and all attachments are archives, mainly pdf.gz or pdf.arj, whose names mimic a PDF document. Each archive simply contains an executable file. In many cases, it is a first-stage payload called GuLoader, like the one detailed in Table 2.
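The lure characteristics described above (pandemic keywords, urgency wording, and archive attachments whose names mimic a PDF or DOC file) can be turned into a simple mail-triage check. This is an added example and not Lastline's code; the sample messages are copied from Tables 1 and 4 of this post plus one constructed benign message, and the score threshold is an assumption.

```python
import re

# Lure indicators taken from the campaigns described in Tables 1 and 4.
PANDEMIC_WORDS = ("covid", "corona", "coronavirus")
URGENCY_WORDS = ("urgent", "reminder", "high priority", "update", "notice")
# Archive extensions seen on the attachments. Names such as *_pdf.gz or
# *_doc.r00 imitate a document while the archive actually holds an executable.
ARCHIVE_EXT = (".gz", ".arj", ".r00")
DOC_HINT = re.compile(r"[_.](pdf|doc)\.(gz|arj|r\d\d)$", re.IGNORECASE)


def score_lure(subject: str, attachment: str) -> dict:
    """Return the matched indicators and a score (one point per indicator)."""
    subj = subject.lower()
    name = attachment.lower()
    hits = []
    if any(w in subj for w in PANDEMIC_WORDS):
        hits.append("pandemic_keyword")
    if any(w in subj for w in URGENCY_WORDS):
        hits.append("urgency_language")
    if name.endswith(ARCHIVE_EXT):
        hits.append("archive_attachment")
    if DOC_HINT.search(name):
        hits.append("fake_document_extension")
    return {"score": len(hits), "hits": hits}


def triage(messages, threshold=3):
    """Return the subjects of (subject, attachment) pairs at or above threshold.
    The threshold of 3 is an assumption chosen so that a COVID-19 mail with a
    plain PDF attachment is not flagged."""
    return [s for s, a in messages if score_lure(s, a)["score"] >= threshold]


# Constructed sample set: three lures copied from Tables 1 and 4, plus one
# benign message to check that ordinary COVID-19 mail is not flagged.
SAMPLE = [
    ("RE: Corona – Impact of Shipment – Details required — TOP URGENT REMINDER 1",
     "#LGHC000782441968_Outgoing_Outstanding_ Shipment_pdf.gz"),
    ("AWARENESS NOTICE ON CORONAVIRUS(COVID-19)",
     "CENTER FOR DISEASE CONTROL_COVID_19 WHO DOCUMENT_PDF.arj"),
    ("COVID-19 VACCINE UPDATE", "W.H.O WORLD COVID-19 UPDATES_doc.r00"),
    ("COVID-19 office policy", "policy.pdf"),
]

if __name__ == "__main__":
    for subj, att in SAMPLE:
        print(score_lure(subj, att), "<-", subj)
```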

Field | Value
MD5 | e602d86250e0bddada3bde70bc252c02
SHA1 | 9a46dfeb88cadf9734bf736289123d990d284a40
SHA256 | f1ba59863abc7d03f67577aa4b75ab121608c76433981f394651f2b327914e9c
File name | Letter_to_customers_covid-19_pdf.exe
Size | 77824 bytes
Type | application/x-pe-app-32bit-i386
Table 2: GuLoader sample being analyzed.

The GuLoader downloader, wrapped in a Visual Basic 6 (VB6) executable, normally contains shellcode that downloads the final encrypted stealer payload, such as Lokibot, typically from cloud services such as Google Drive or Microsoft OneDrive, and executes it; the stealer then exfiltrates data from the infected device to a C2 server controlled by the actor. Table 2 shows the GuLoader embedded in Letter_to_customers_covid-19_pdf.gz (listed in Table 1). Once the downloader gets executed, it attempts to retrieve the Lokibot payload from Google Drive:

hxxps://drive.google[.]com/uc?export=download&id=1fA4kzM69SX93thpC9iRdLtw_cwkmv7U1

Like many short-lived payload URLs, the URL above is no longer accessible. We also noticed that some attachments contained an AutoIt packed executable with an embedded Lokibot payload, as shown in Table 3.

Field | Value
MD5 | 9498ba71b33e9e9e19c352579e0d1b0a
SHA1 | 39419cf0c4a2aec86db7e87aaecf2972ed7cddb6
SHA256 | da26ba1e13ce4702bd5154789ce1a699ba206c12021d9823380febd795f5b002
File name | AWARENESS NOTICE ON CORONAVIRUS COVID-19 DOCUMENT_pdf.exe
Size | 
Type | application/x-pe-app-32bit-i386
Table 3: Details of the AutoIt-packed Lokibot sample.

Decompiling the sample reveals a highly obfuscated AutoIt script that includes an encrypted Lokibot payload, as shown in Figure 3. The payload is decrypted by calling the decryption function at the end of the encrypted code block, as shown in the figure.

Figure 3: Encrypted Lokibot payload embedded in AutoIt script.

A quick check of the extracted strings from the decrypted Lokibot payload implies that the malware is designed to steal credentials from a victim’s device, such as the data stored on web browsers and FTP clients. Figure 4 shows a list of targeted browsers and FTP clients, from well-known ones to less-popular alternatives.

Figure 4: Extracted strings from the decrypted Lokibot payload.

Lokibot C2 server URLs typically end with fre.php, as can be seen in the following figure. Later we will further confirm this observation from the network traces by analyzing a PCAP file from the infection.

Figure 5: C2 URL from the decrypted Lokibot payload.

Once the payload is decrypted, it is injected into the dllhost.exe process (as Figure 3 shows), which then executes it. Dllhost.exe is an important Windows system file (also often termed the COM Surrogate process). Like many other living-off-the-land binaries (LoLBins) supplied by an operating system for legitimate purposes, dllhost.exe can be abused by malicious operators. This echoes the attacks Lastline reported recently [1-2]: csc.exe was used in a recent spam campaign (again infostealer-related) [1], and both PowerShell.exe and BitsAdmin.exe were weaponized in the Nemty ransomware attack [2].

Abusing LoLBins to download or execute malware is an increasingly popular trend. The 404 Keylogger threat we discuss later also relies on a LoLBin, MSBuild.exe (more details in the US section). This is an unfortunate fact, but it’s not surprising: in a security-conscious environment, routing execution through a trusted LoLBin is a “confused deputy” approach that avoids being blocked by an application whitelisting control such as AppLocker, which in turn increases the infection success rate.

Following the injection, the dllhost.exe process then calls the Lokibot C2 server for further instructions or malicious activity. In this instance, the C2 server is hosted at academydea[.]com, pointing to 165.227.16[.]98, as the PCAP analysis in Figure 6 shows. The HTTP POST from the infected machine attempts to upload the victim’s user and machine information to the C2 server. At the time of running the malware, the C2 URL was no longer active (returning a 404 response).

Figure 6: Call C2 HTTP POST and (404) response from PCAP analysis.
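The check-in pattern described above (an HTTP POST to a URL ending in fre.php) can be hunted for in proxy or web-gateway logs. The example below is added here and is not Lastline's code; the log format is a constructed simplified "timestamp source host destination method url status" line, the panel directory name is made up, and only the host, IP, fre.php suffix and 404 status come from the analysis above.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log excerpt. Line 1 reproduces the check-in seen in the
# PCAP (host, IP and 404 response from the post); the directory "/panel/" is
# an assumption. Lines 2 and 3 are made up to show non-matching traffic.
PROXY_LOG = """\
2020-03-09T10:12:01Z 10.0.0.5 academydea.com 165.227.16.98 POST http://academydea.com/panel/fre.php 404
2020-03-09T10:12:05Z 10.0.0.5 drive.google.com 172.217.0.1 GET https://drive.google.com/uc?export=download&id=1fA4kzM69SX93thpC9iRdLtw_cwkmv7U1 200
2020-03-09T10:13:40Z 10.0.0.7 intranet.example.com 10.0.0.2 POST https://intranet.example.com/login 302
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<dst>\S+) "
    r"(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_line(line: str):
    """Split one log line into named fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_lokibot_checkin(rec: dict) -> bool:
    """Lokibot uploads victim data with a POST to a panel URL ending in fre.php.
    Only the URL path is checked, so query strings cannot hide the suffix."""
    path = urlsplit(rec["url"]).path
    return rec["method"] == "POST" and path.lower().endswith("fre.php")


def find_checkins(log_text: str) -> list:
    """Return one record per matching line. A 404 from the panel does not make
    the source host clean: the sample still ran and tried to exfiltrate."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_lokibot_checkin(rec):
            hits.append({"src": rec["src"], "host": rec["host"],
                         "dst": rec["dst"], "status": rec["status"]})
    return hits


if __name__ == "__main__":
    for hit in find_checkins(PROXY_LOG):
        print("possible Lokibot check-in:", hit)
```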

US

Unlike the EMEA region, which is dominated by the Lokibot threat (Figure 2), the US region suffered more diversified attacks without a clear domination by a single infostealer, as shown in Figure 7. This is not hard to understand if we look at it with a slightly different lens: that of legitimate businesses.

Often, entering a foreign market requires business owners to use appropriate market-entry options, such as product localization, to meet the unique culture and language of the target region. Malware actors launching attacks in a different region are no exception. The EMEA region comprises many countries with different languages, hence it requires more effort to customize the attacks, for example by localizing the language of the malspam (and sometimes of the malware UI) to maximize the infection rate. For instance, we noticed that the Trickbot and Agent Tesla attacks against Italy in EMEA used Italian in the campaigns, while US victims received English versions instead.

As the US is a large market with a single language, it appears to be attractive to all sorts of attacks, from unsophisticated keyloggers to multi-stage stealers. This may explain why we detected more threats in the US than in EMEA. It’s interesting to note that the most active threat in the EMEA region, Lokibot, is missing from the US chart. The reason for that is unclear to us. It may appear in later attacks, or its absence may simply be due to the limited subset of telemetry data we examined.

Figure 7: Detection timeline of COVID-19-themed infostealers in US.

Though we don’t observe overall domination by a single threat in the US, the 404 Keylogger exhibited the most aggressive attacks on a single day (March 24, 2020), which is almost double the second highest daily detection, as denoted by Agent Tesla in the chart on March 23, 2020.

404 Keylogger is a relatively young infostealer, which was first made public on a Russian hacking forum in August 2019. A month later, the creator of the infostealer registered a dedicated domain to sell it as a legitimate monitoring tool, with prices starting from $30/month. Like typical infostealers, it spreads via malspam and is capable of stealing information such as user credentials from browsers and email clients, as well as logging clipboard data and screenshots.

Table 4 lists the most common campaign from the 404 Keylogger attack. Again, both the email subject and the attachment name clearly reflect the COVID-19 theme to increase the infection rate. As the table shows, the attachment is an archive with the extension .r00 (a volume of a WinRAR split archive).

Email Subject | Attachment Name
COVID-19 VACCINE UPDATE | W.H.O WORLD COVID-19 UPDATES_doc.r00
Table 4: Email subject and attachment name used in the 404 Keylogger campaign.

Similar to the Lokibot campaigns, the archives simply contain an executable file, which is an AutoIt-packed 404 Keylogger payload. We notice that all the packed samples we checked actually failed to execute due to a missing function in the packer. Figure 8 shows the AutoIt error message captured from our sandbox analysis for the sample shown in Table 5.

Figure 8: 404 Keylogger runtime error.

Such configuration errors in malware are not rare, for various reasons, but we believe the following analysis of the broken sample (shown in Table 5) can still help us understand the nature of the threat.

Field | Value
MD5 | b33b2a3108d51644d37c16bf604024b2
SHA1 | eeedb19aa357725a0300ca82fc6708406443ace6
SHA256 | e12075ae545ee8b6d2981c5f51c857974fbeeba4791a55b13a3a51c2c7394f9f
File name | W.H.O WORLD COVID-19 UPDATES_doc.exe
Size | 1273856 bytes
Type | application/x-pe-app-32bit-i386
Table 5: AutoIt-packed 404 Keylogger payload analyzed in this blog post.

Decompiling the AutoIt-packed sample reveals the embedded 404 Keylogger payload, which is encrypted, as shown in Figure 9.

Figure 9: Encrypted 404 Keylogger payload embedded in AutoIt script.

It is worth noting that both the Lokibot discussed above and the 404 Keylogger herein were encrypted and packed similarly in AutoIt scripts. Furthermore, the 404 Keylogger attack also weaponized a LoLBin, MSBuild.exe in this case, to load the decrypted payload source code. MSBuild.exe is a Windows build tool which can compile source code wrapped in an XML-based project file on the fly and execute it inside the build process.
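A defender can scan project files handed to MSBuild for the inline-task construct this technique depends on (a UsingTask backed by a code task factory with an embedded Code element). The scanner below is an added example, not Lastline's code and not the 404 Keylogger's project file; the sample project is constructed with a harmless log message so that only the shape of the file is shown.

```python
import xml.etree.ElementTree as ET

# Task factories that let an MSBuild project file carry source code which
# MSBuild compiles and runs in-process when the project is built.
INLINE_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}


def _local(tag: str) -> str:
    """Strip the XML namespace so the check works whether or not the project
    declares the http://schemas.microsoft.com/developer/msbuild/2003 namespace."""
    return tag.rsplit("}", 1)[-1]


def find_inline_tasks(project_xml: str) -> list:
    """Return one record per UsingTask element that declares inline code,
    i.e. uses a code task factory or carries a nested Code element."""
    findings = []
    root = ET.fromstring(project_xml)
    for elem in root.iter():
        if _local(elem.tag) != "UsingTask":
            continue
        factory = elem.get("TaskFactory", "")
        code = [c for c in elem.iter() if _local(c.tag) == "Code"]
        if factory.lower() in INLINE_FACTORIES or code:
            findings.append({
                "task": elem.get("TaskName", "?"),
                "factory": factory,
                "language": code[0].get("Language", "") if code else "",
                "code_bytes": sum(len((c.text or "").strip()) for c in code),
            })
    return findings


# Constructed sample: a minimal project file with a benign inline task. Its
# layout (UsingTask + Task/Code) is what the scanner keys on.
SAMPLE_PROJECT = """\
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Hello">
    <HelloTask />
  </Target>
  <UsingTask TaskName="HelloTask" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Fragment" Language="cs">
        Log.LogMessage("hello from an inline task");
      </Code>
    </Task>
  </UsingTask>
</Project>
"""

if __name__ == "__main__":
    for finding in find_inline_tasks(SAMPLE_PROJECT):
        print("inline task found:", finding)
```

A project that only references compiled task assemblies produces no findings, so the check separates ordinary builds from files that smuggle source code into MSBuild.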

Figure 10 shows the printed strings from the compiled payload, which reveals some of the targeted mail clients and browsers for data extraction.

Figure 10: 404 Keylogger – targeted mail clients and browsers for data extraction.

Once the data is harvested, it is transferred to the attack operator via certain data exfiltration techniques. Figure 11 shows a snippet of the decrypted and deobfuscated 404 Keylogger source code (written in VB.net). As highlighted in the figure, the keylogger can use FTP, SMTP, Pastebin, or Telegram for data exfiltration.

Figure 11: Decrypted and deobfuscated 404 Keylogger (VB.net) source code.

Conclusions

In this investigation we found out that threat actors are indeed very active during this global pandemic situation. Their MO is, however, nothing novel: they use email attachments as the initial infection method to eventually deliver an infostealer or spyware. They heavily rely on archive files as they provide a thin layer of protection against legacy or neutered security solutions unable to extract lesser-used archive formats and correctly process the content.

The majority of the infostealers follow a “Malware as a Service” model, and they are sold for very affordable prices in the dark markets. Because of this, the main differentiator between campaigns ends up being the malware configuration rather than the code itself. What does keep changing over time is the packer entrusted with keeping the malware undetected for as long as possible. The latest iterations have been delivering payloads downloaded from publicly hosted platforms (like Google Drive or OneDrive), making the resulting network traffic difficult to identify and blacklist.

References

  1. “Infostealers and self-compiling droppers set loose by an unusual spam campaign”, https://www.lastline.com/labsblog/infostealers-self-compiling-droppers-set-loose-unusual-spam-campaign/, accessed: 5/2020
  2. “Nemty Ransomware Scaling UP: APAC Mailboxes Swarmed by Dual Downloaders”, https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/, accessed: 5/2020
Subrat Sarkar

Subrat Sarkar is a Senior Malware Reverse Engineer at Lastline with 10 years of experience in the computer security domain. Previously, he worked with QuickHeal, Symantec, McAfee, and Attivo Network as a Security Researcher and Software Developer. He has a keen interest in malware reversing, exploits, Windows internals, Windows kernel/driver development, and writing code.

Jason Zhang

Jason Zhang is a senior threat researcher at Lastline. Prior to joining Lastline, Jason worked at Sophos and MessageLabs (then Symantec) specializing in cutting-edge threat research and ML application in malware detection. Jason is a regular speaker at leading technical conferences including Black Hat and VB. Jason earned his Ph.D. in Signal Processing from King's College London & Cardiff University.

Stefano Ortolani

Stefano Ortolani is Director of Threat Intelligence at Lastline. Prior to that he was part of the research team at Kaspersky Lab in charge of fostering operations with CERTs, governments, universities, and law enforcement agencies. Before that he earned his Ph.D. in Computer Science from the VU University Amsterdam.