CyberWire Daily - Keyboys back in town. [Research Saturday]
Episode Date: December 23, 2017

In this edition of the CyberWire Research Saturday, we'll take a look at a more recent intrusion PwC has uncovered, named KeyBoy and highly likely a China-based threat actor. It uses compromised Word ... documents to gain access. Bart Parys is a lead researcher in PwC's cyber threat intelligence team, responsible for tracking cyber threat actors, their latest toolsets and methodologies. https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.

... of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you, with detailed reports so you know exactly what's been done. Take control of your data and keep your private life ... Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
And now a message from our sponsor Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security.
A while back, I was just investigating the recent DDE happening, let's say, because it's not really a vulnerability, but rather it's a feature in Word, which allows attackers to automatically execute a malicious payload or to fetch a remote payload, for example.

That's Bart Parys from PwC. He's a lead researcher with their cyber threat intelligence team. The research paper he's discussing today is called The KeyBoys Are Back in Town.

So I had written some specific YARA rules to detect this kind of behavior, and one of them picked this up. So one of them picked up a document, which I described in the blog post, which was named 2017 Q4 Work Plan. And this is basically how I stumbled upon it and decided, hey, this looks pretty interesting. Let's check it out.
And so you decide to check it out. Take us through what you discovered.
First of all, obviously, I just checked out the document with some static analysis tools. And also, you simply execute it, right? Obviously, always in a safe environment. So in a virtual machine or something like that, for example. And I quickly saw that, indeed, there was a simple message in the Word document which stated that you should just click yes and yes for any messages, basically. So it was a bit of a lazy decoy message, actually. And after that, the document would fetch a remote payload, and this would be a DLL file. This DLL file would then be consequently executed, and at that point you would be infected with KeyBoy, or rather their malware, right? So upon opening the document, nothing really happens until you click yes at least twice on any message box, right? So this is how the feature is triggered.
Inside one of the XML files, there will be a remote server and some PowerShell, which will simply download and move and run the file.

And so these pop-up windows are fairly innocuous. There's no indication that there'd be anything wrong; your average user would probably just click on them.

Yes, that's right. So there's nothing too weird about these message boxes. They just appear like warning messages from Word saying, for example, that the document contains links to other files and that it needs to update them from the internet, or similar. So basically, there's nothing too suspicious at first hand. But when you click through, when you click yes twice, right? Because that's what's needed to trigger the feature. Then, well, the user can get infected.
And so it downloads this payload. Walk us through what's in this payload.
The payload does quite a lot of different interesting things, right? So first of all, it's a DLL file, which means that normally it can't run by itself, right? So while it doesn't need any user interaction, Windows will still need to know, okay, how do I run this DLL and where do I start? So this means that the DLL basically will be run by rundll32. This is a legit part of Windows, of course, and this part says that, okay, this DLL can now run as an executable, more or less. That's the logic behind it. So the DLL that was fetched from that remote server was actually a sort of installer or dropper DLL. So the funny thing is that the threat actor, so KeyBoy itself, right, had some kind of humor as well. So one of the developers, I'm assuming here, had some humor, or they just wanted to track their malware development and life cycles as well, because the internal name of the file was called installclient.dll, right? So not too much imagination there.

So once this DLL was executed, it does actually quite a number of things, right? So it is a small and interesting, clever technique in the sense that it replaced a legitimate Windows file and then ran it as its own. So basically, if you or someone you know is a network administrator, a system administrator, they may not immediately notice that something is wrong or that an actual legitimate DLL was replaced by a malicious DLL. So, just to briefly explain the process of that: first of all, the malware will decide from a list which DLL will be replaced here, and then, secondly, the service that belongs to said DLL will be stopped, and then a series of commands will be run in order that Windows will not give any messages or there won't be any errors, and that DLL can safely be replaced by the malware. What additionally happens, and this particularly to throw off any system admins or researchers or any incident responders, is that they will also modify a few registry keys which basically disable Windows File Protection. And this Windows File Protection is set in place by Microsoft to prevent any software or maybe even users from replacing critical Windows files. We don't want any nasty blue screens. We don't want really super weird behavior. So that's why these protections are built in. But the threat actor has decided to simply disable those by setting a few registry keys. After that, when the DLL is replaced, the service belonging to the initial DLL will be started again. Everything will run as before. However, this time KeyBoy will clearly start capturing keystrokes, gathering screenshots, and so on and so forth. There's actually quite a lot of capabilities in the specific malware, and as such, once this is inside your network, it can exfiltrate quite a lot of data or information. So it's quite a bad thing to discover on the network, if you discover it at all, of course.
And how does it connect to the command and control servers?
It's not too complex, right? It's like most malware nowadays. However, I did see usage of custom SSL libraries, but when I checked any network traffic, I saw that they were just using normal HTTP traffic, right? So there was nothing too particular about it, in my opinion. However, there was capability for encrypting the traffic as well. So there were some SSL libraries present, but I did not see them used.

Interesting. So walk us through some of the functionality that's included
in KeyBoy.

So as I mentioned before, one of the key things about KeyBoy, that's a small pun, is that it has the possibility to screen grab or take screenshots. Of course, a lot of malware does this nowadays, simply because it's quite easy to implement in your software, or malware in this case. And additionally, it's rather easy, right? You just see what's happening on the screen. For example, maybe the user is trying to enter any bank credentials or any credentials in critical software, for example, or anything else sensitive for that matter; the screenshot will simply be taken and be periodically uploaded to the C2 server, or command and control server, right?

Now, what they also do is, and again, this is not uncommon, is determine the public or WAN IP address, right? So I'm assuming in this case, this would mean that once a potential or very interesting target or victim has been discovered by the threat actor, it means they can maybe upload additional files to the victim machine to do even more malicious behavior, exfiltrate more data, install maybe even second stage malware, for example. So this is also in a lot of cybercrime malware, right? So for example, Trickbot does this to check which banks or which config to serve for specific banks in specific countries. But as you can see, more advanced threat actors do this as well, but maybe for other reasons, right?

And of course, like many other types of more advanced malware, there's a lot of things. For example, it gets a lot of extended system information. So in one of the versions that I noticed, and this was a bit of an older version, is that it uploaded all the information about the disks as well, in accordance with other information, right? So for example, how much space was free on the disk, what is the number of processors, what is the RAM, how long was the machine running, so the uptime, and so on and so forth. So there's quite a lot of capability, right? And one of the other interesting things is that it has a file browser, or a so-called X4. So basically, they can just relax, drink some tea, and browse your file system, and exfiltrate anything they want. So, of course, this can be compared with some kind of interactive shell. They can communicate with a victim machine. So basically, they have full control of what you are doing and of your machine as well.
So take us through what sort of infrastructure is behind the scenes here making this possible.
So there was quite some infrastructure. I also mapped this out in a handy Maltego graph. So this can also be found on the blog, by the way. They were using quite some diverse infrastructure. Mostly they were dynamic DNS providers, right? So those were pretty present. They're also quite popular again today. There are some other interesting ones as well. For example, they had some .video, .xyz domains, .party. So those are one of the newer TLDs, right?

One of the things is that for a specific cluster of the malware, not all of them, they appear to have used part of the domain name. It's actually, I'm assuming here, part of the campaign name as well. So for example, one of the domain names was called weblogic727 and then the top-level domain, right? So it's easy to deduce that when you check this with malware samples, when they were uploaded to VirusTotal, for example, and when they were compiled, they do align with the campaign that would pertain to the 27th of July, right? So weblogic727, 27th of July, right? A similar thing was also discovered in the weblogic1709, but instead of the xxus top-level domain they used zset ux, so again something there. And this likely pertains to the campaign that was running in September.
What about attribution? Do you have any sense for who's behind this?
Right. So there's no specific saying of who is really behind this. But based on some indicators, I would say they are China-based. So the threat actor may likely be operating from China, or they are Chinese-speaking, right? So this is proven by a few things, not only by compile times, because you can't always 100% rely on that; these things can be faked and will be faked, but also from the uploads from VirusTotal, for example. This is one example, because there were quite a few uploads, actually. Additionally, there was, in one of the custom SSL libraries I saw, and what I mentioned before, there was a QQ address as well. So a QQ.com address is quite typical; it's very common in China, right? Additionally, there were some interesting debug messages left in the malware, and the English was not perfect. So we have seen this type of English before as well. So when you do some language-based analysis, for example, you can, I wouldn't say conclude, but you can allude that they may be Chinese-speaking, right? So of origin. Additionally, one of the older samples that I've also mentioned was also found by Citizen Lab a few years ago, and they also reported on that. So also on KeyBoy, and they also indicated or alluded that they may be China-based.
What is your sense for how widespread this is, and any sense for who it's targeting?
Well, it's more difficult to say, because you don't have that much visibility, right? So, of course, unless an organization steps forward and says, hey, we are affected by this, can you please help us out? And of course, that's always a possibility. But judging from the uploads on VirusTotal, I saw some uploads from Western-based countries. However, there's no real indication. And of course, for privacy reasons, you can't really divulge, okay, this was organization X or Y. So in terms of targeting, I would say they have shifted their focus a bit more on Western-based companies, but specifically like industry or sector, for example, I can't really say. I don't really know.
And would a typical antivirus installation be able to detect this?
That's a very good question. Again, I'm not 100% sure, right? I mean, if you're using a more advanced package, then I would assume it would detect any suspicious behavior, like replacing a legitimate system DLL, for example. But again, I do not remember how well the detections were in the beginning. But if I recall, it wasn't really spectacular. So here, it's very important that you do enable all the logging, because, for example, when you enable Event Viewer logs, then you would be able to see that, hey, this legitimate DLL got replaced by something totally different that doesn't seem normal, right? And one indication of that is that there are really small spelling mistakes when you replace DLLs, so that could be another pointer, and the file size was a bit different. But again, I advise people, regardless of using antivirus or not, enable the logging where you can, under PowerShell, but also specifically in this case Event Viewer logging, right? So one layer is not enough. I wouldn't say that antivirus is not sufficient, but I wouldn't recommend having it as the only layer. You need a full layer, right? Even if you would be infected with a specific malware, you may be able to tell something from your event logs, or from your EDR if you have it, for example, or from your network logs. If you have the capability, then I would recommend, please implement it. Please check the logs whenever you can and set your alerts as well.

When I published the research on the PwC blog, there was an interesting decline, or actually, let's say, disappearance for a few days. And a few days later, they were active again. So I'm assuming they read the blog posts as well, or they got wind and they decided to lay low for a bit, but not for too long, apparently.

Interesting, interesting.

Yeah, it does tend to happen, like when there's research published, whether it's big research or not, it doesn't really matter. Bad guys read blogs as well, right? They do follow security researchers, and they know that when something gets published, they're often quite fast to enhance their malware, or they lay low for a while, or develop new tools. So they burn all the instances and they just get onto a new path, as has been seen before.
Our thanks to Bart Parys from PwC for joining us. The research paper is called The KeyBoys Are Back in Town. You can find it on the PwC website.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, ... Thanks for listening.