Set up your keylogger to report by email? Bad idea! (The case of Ardamax)
February 11, 2013
A couple of days ago, I was surfing our wild Internet when I came up with a dirty piece of software dedicated to steal accounts of a popular build-with-bricks videogame.
The program offered a premium account of the videogame for free. The real fact is that it was a stealer, which installs a keylogger on your computer to record and send your private information to the bad actors.
When the user executes the program, the keylogger silently installs itself and then hides its directories and processes. If we take a look at the installation directory, it has these files:
d6192e6ac19bedf50772769568b8a1bf RKJ.00 (encrypted configuration file)
c8602a35ed53655f62eb70e52627f7ef RKJ.01 (aux exec file)
cabd1ee6acc039dd33ba48f886f3b12d RKJ.02 (aux exec file 2)
29c88770640993a5f0df70bfa272bb09 RKJ.exe (main executable)
It looks like an Ardamax Keylogger installation, latest version. This is a pretty popular keylogger among bad guys, it has trial and paid versions. It can monitor keystrokes, login credentials, clipboard and even take screenshots and pictures from the webcam.
A couple of minutes after the infection, the machine started to connect to Google’s email server using an encrypted channel (SSL SMTP). Is the keylogger reporting results to the administrator using this? In that case, we could probably analyse the sample and get the email account credentials of the malware administrator.
As the configuration file is encrypted, the easiest way to get some more information is by doing some reverse engineering. Let’s going to infect a machine, dump the memory (keylogger.mem) and analyse it with volatility.
$ python vol.py -f keylogger.mem pslist
The keylogger process is hidden for Windows Task Manager, but volatility can show it to us.
Offset(V) Name PID PPID Thds
0x862d6528 RKJ.exe 1832 1528 1
Time to dump process memory.
$ python vol.py -f keylogger.mem memdump -p 1832—dump-dir=/tmp/
And if we carefully study the strings contained in that memory dump (take care of the encoding!)...
$ strings -a—encoding=l 1832.dmp
Logs from “%USERNAME%
[censored].firstname.lastname@example.org —> username
smtp.googlemail.com —> password
Luckily Google had disabled the email account due to service abuse, no need to report the issue.
What about the encrypted configuration file?
We have seen some people infected by this keylogger wondering how to decrypt the file to see where is the malware leaking information to. Well, if you can not do memory analysis or some debugging it is quite easy to decrypt.
After a quick cryptanalysis of the file, it is quite obvious that it is encrypted with XOR cipher or something similar. You can easily decrypt it by using a XOR analysis tool like xortool. Let’s give a try:
$ python xortool.py -b keylogger/RKJ.00
xortool will generate some output files with possible decryptions. In this case the 33rd file was the good shot, encrypted with key “Z|NY”. If we open it with an editor, we can see all configuration parameters and reporting credentials in plain text.
Take care of the channels you allow on your network! We have seen how Google do a great job on cancelling accounts of this kind, but we should never have a blind faith on a legit connection because it could be a potential way to leak private information to the outside.