A Look at Golroted/Hawkeye Keylogger

W32.Golroted/MSIL:Golroted/Hawkeye malware is a .Net keylogger which steals information and credentials from compromised systems. From the samples I've analyzed the malware can exfiltrate data using HTTP, FTP or SMTP. A number of AV vendors detect this threat under the definitions W32.Golroted or MSIL:Golroted.

Hawkeye is a version of the keylogger available on a 'subscription' base for $35/year, with cracked versions also available online. Most of the samples I've seen are all related with some minor variance in functionality which seem to be different versions or customized variants being used by attackers.

Hawkeye Products

Delivery and Infection

The malware is spread via phishing emails or infected USB drives. A number of the samples I've seen have used an attached Word document to download and execute the malicious payload.

The malware is contained within a MSIL packed executable and will launch an additional process of itself before unpacking and injecting into the launched process.  Using the volatility plugin malfind we can quickly find the the injected process and dump it for further analysis.

USB Worm

Once the malware is running on the compromised system and if the spreader option is set, it will periodically enumerate all of the connected drives. When a drive is detected of the type DriveType.Removable an Autorun.inf file is created and the malware is copied to the root of the drive as the file Sys.exe.

The files are then set with the attributes (Hidden, System & ReadOnly). The malware doesn't check if the removable device has already been infected, so the process will continue to write the above files until the devices is removed.

Persistence

If the option 'startup' is set the malware will check if the file %appdata%\windowsupdate.exe exists. If it doesn't exist the malware will copy itself to the location and a new Run key value 'Windows Update' is created with the string %appdata%\windowsupdate.exe.

The malware will continue to monitor for the existence of the windowsupdate.exe file and if it detects the file doesn't exist, it will be recreated and the registry entry will be re-added. It will also write data to a number of text files on the infected system when it is started. The timestamps from these files can be used as an indicator for incident responders of when the malware was first and last executed.

• %temp%\sysinfo.txt - Path to the malware
• %appdata%\pid.txt       - PID of the malicious process
• %appdata%\pidloc.txt  - Path to the malware

There are also a number of options that an attacker can set to make it harder for a user to search for the issue. An attacker can ensure that the following processes are killed if they are started.

• taskmgr
• cmd
• msconfig
• regedit

Beyond this simple functionality there isn't any additional anti-debugging or analysis functionality.

Payload

The malware includes a number of different methods to steal information from infected systems. From my analysis the malware targets the following: 

• Embedded Credentials in Browsers
• Embedded Credentials in Email Clients 
• Bitcoin 
• Gaming
• Steam Credentials (forced logout/key logger)
• Minecraft
• Clipboard content 
• Keylogging 

Credential Stealers 

The malware embeds two executable files as resources which are used to steal credentials from installed web browsers and e-mail clients.

[mailpv] is an embeded tool called Email Password Dump available from the website http://securityxploded.com/email-password-dump.php.

[WebBrowserPassView] is a similar tool called Browser Password Dump also available from the website http://securityxploded.com/browser-password-dump.php

To hide running these processes the malware will launch the process 'vbc.exe -f holdermail.exe' Looking at the available command line options for the VB compiler shows that -f is an invalid argument, so we  know something else is going on. 

Analyzing the decompiled code used to launch the vbc.exe process shows that it is injecting the embedded resources in the vbc.exe process to hide running the password recovery tools.  The following execution flow is used to inject and run the embedded tools.

1) Call CreateProcess() with the CREATE_SUSPENDED flag to launch vbc.exe in a suspended state.

2) Call NtUnmapViewOfSection() to unmap the virtual address space used by the launched process.

3) Call VirtualAllocEx() to re-allocate the memory in the launched processes address space.

4) Call WriteProcessMemory() to write the embedded binary into the process address space.

5) Call SetThreadContext() and ResumeThread() to execute the injected executable. 

Looking at the Browser and Email password tools shows that the -f switch is used to dump output to an output file. So we can see that passing '-f holdermail.txt' is actually for the injected processes as both tools support the -f argument to dump output to the passed file.

Each time the malware is launched it will spawn 2 vbc.exe processes, one to launch the Browser Password Dump and one to launch the Email Password Dump tools. Once the tool finishes running the malware will read the contents of the holdermail.txt file and delete it. 

SendLogs  

If the setting logger is enabled the malware will run a thread where it will send captured data to the attacker at a scheduled interval. The interval is controlled by the timerstring setting and in the analyzed samples this looks to be set to 10 minutes.  

The following configuration options control what information is sent via sendlogs()

• screeny - Include a screenshot of the desktop
• clip      -  Include clipboard content
• logger  -  Include captured key log data.

Keylogger 

To capture keyboard events the malware calls SetWindowsHookEx to register a hook of type WH_KEYBOARD_LL (13) to monitor low level keyboard input events. 

After each call to Send logs captured keyboard input is cleared.

Clipboard Stealer 

The malware will register itself as a clipboard viewer using the SetClipboardViewer() function and listen for change events. When a change event occurs the malware calls the Clipboard.GetText() to retrieve any data in the Text or UnicodeText formats. If no text data exists the call will return String.Empty. The data is then added to the clip log which includes a timestamp appended to the entry.

[---- <TimeStamp> ----]
<Captured Data>
<NewLine>
<NewLine>

Note: This indicates that the malware will only retrieve text based data from the clipboard and not other objects such as images.

Screen Capture

If the communication method is set to FTP or SMTP the malware can be configured to take a screen shot of the infected systems desktop. The sceen shot occurs at the configured interval (10 minutes) for sending the log data. 

Captured images are stored in %temp%\screens\ directory and will have the following name. 

• FTP: screenshot[counter]_[Computer.Name].jpeg
• SMTP: screenshot[counter].jpeg.

The counter is initialized to 1 and is controlled by the screenynumber configuration option. There isn't persistent storage for the current incremented count value, so each time the malware is launched it will be reinitialized to the value defined in screenynumber and overwrite existing files. 

Communication 

The malware can be configured to send captured data via FTP, SMTP or HTTP. The settings for these are encrypted using RijndaelManaged class and stored as Base64 encoded strings within the executable.

I've put together a quick script in Powershell that can be used to decrypt the configuration settings found in the unpacked malware.

https://github.com/idiom/IRScripts/blob/master/hawkeye-decrypt.ps1 

Although values for more than one of these methods could be set, the malware will use the following priority for the communication mechanism FTP, SMTP, HTTP.

If configured to use HTTP (PHP) the request will have the querystring of: log.php?username={username}&name={FileName}&data{Data}.

• Username - Value within the encryptedphplink option
• Filename  - Generated value includes Header, ComputerName & HWID 
• Data         - Key log and clipboard content

The malware also has options to download files or interact with websites. Each of these settings takes a double pipe "||" separated list of urls.

• downloadfiles - Download files and store them in %temp%\DFile_{num}.exe, where num is initialized as 0 and is incremented depending on the number of files to download.
• websitevisitor - Loop through the list of websites calling Process.Start("http://{url") on each passed URL.
• websiteblocker - For each of the passed strings and an entry to the hosts file mapping the host to 127.0.0.1

Configuration

I haven't looked at all of the options that can be used by an attacker to customize the malware. The below list summarizes the options and should provide an overview of the available features and additional functionality.

Option	Values	Description
encryptedemailstring	encrypted string	SMTP User
encryptedpassstring	encrypted string	Email server pass
encryptedsmtpstring	encrypted string	SMTP Server
portstring	587	Port used for email
timerstring	600000	Value used for sleep value
encryptedftphost	encrypted string	FTP Host
encryptedftpuser	Encrypted String	FTP User
encryptedftppass	Encrypted String	FTP Password
encryptedphplink	Encrypted String	PHP Link to use
useemail	true/false	Use SMTP to send data
useftp	true/false	Use FTP to send data
usephp	true/false nophp	Use HTTP to send data
delaytime	0	Time in seconds to delay execution after launch.
clearie	true/false	Clear IE Cookies
downloadfiles	url list (separator ||)	Download and execute a file. The file is stored as %temp%\DFile_0.exe
websitevisitor	url list (separator ||)	Navigate the configured website
websiteblocker	url list (separator ||)	For each site add an entry to the hosts file directing it to 127.0.0.1
notify	true/false	Notify that the system is infected using the configured install
DisableSSL	true/false	Disable SSL for SMTP connection.
fakerror	true/false	Display a fake Error message when the malware is started.
fakemgrstring	string	String to display in the MessageBox.
fakemgrtitle	string	Title of the MessageBox.
fakeMSGholder	MessageBoxIcon	Specifies which icon to display in the MessageBox.
startup	true/false	Add entry to HKCU Run key
screeny	true/false	Controls if the malware takes a screenshot when it sends log data.
clip	true/false	Controls if the malware steals clipboard data
TaskManager	true/false	Controls if the malware kills taskmgr processes.
logger	true/false	Enable/disable keylogger and sendlogs
stealers	true/false	Enable/disable credential stealers
melt	true/false	Enable/disable if the malware validates it is running from the defined path (%appdata%).
reg	true/false	Enable/disable if the malware kills regedit processes.
cmd	true/false	Enable/disable if the malware kills cmd.exe processes.
misconfig	true/false	Enable/disable if the malware kills mconfig processes.
spreaders	true/false	Enable/disable infecting USB devices.
steam	true/false	Enable/disable if the malware kills existing steam processes and deletes saved configuration data.
screenynumber	1	Starting number to append to screenshots
minecraftt	120000	Timer to use for minecraft credential stealer.
pinsst	140000	Timer to use for jagex game data.
bitcoinst	180000	Timer to use for checking for wallet.dat file.
meltlocation	%appdata%\WindowsUpdate.exe	Location of persistence file. Although this is defined here, there are a number of places the value is hard-coded.

Incident Response

The malware leaves a number of host indicators incident responders can use to help identify or trace an infection.  

• Existence of %temp%\screens directory with screenshots of the compromised system
• Existence of the following text files:
• %temp%\sysinfo.txt
• %appdata%\pid.txt
• %appdata%\pidlock.txt  
• Entry in the HKCU Run Key for 'Windows Update' with the string data %appdata%\windowsupdate.exe 
• Existence of 'Windows Update.exe' and windowsupdate.exe in %appdata%
• Hidden Sys.exe file at the root of removable drives

Beaconing network communications via SMTP, FTP or HTTP will occur at a regular interval. The samples I've looked at were configured to use a 10 or 20 minute sleep. If the malware is configured to use HTTP communications it will be landing on a .php page with the format log.php?username={username}&name={FileName}&data{Key logger and clipboard data}.

Yara Rules

The following yara rules can be used to help identify samples of the malware.

References

• https://techhelplist.com/index.php/spam-list/794-blank-subject-al-bin-general-trading-special-wines-ivs-malware
• http://www.symantec.com/security_response/writeup.jsp?docid=2014-111714-1155-99 
• http://www.malwaredigger.com/2015/02/quick-analysis-msilgolroted-stealer.html

Samples

• c30ca528c0f22db5bb4aacb236cdb18c
• 63ca2f8b1e580d07dddfb043e6bb805d
• 47e241e3c44587889fc00cba210f4372
• 8a5422c7d2514d7ad0ed912593547009
• f51440eeac9dc43c37f75cd9d20b9cf4
• 7a7e8863fce822388083e7c22944423a