Not so long ago, Kaspersky clients in the United States approached Kaspersky researchers with a request to investigate a new type of malicious software that they were able to recover from their organizations’ servers. The malware calls itself Grabit and is distinctive because of its versatile behavior. Every sample we found was different in size and activity from the others but the internal name and other identifiers were disturbingly similar. The timestamp seems valid and close to the documented infection timeline. Our documentation points to a campaign that started somewhere in late February 2015 and ended in mid-March. As the development phase supposedly ended, malware started spreading from India, the United States and Israel to other countries around the globe.
All of the dozens of samples we managed to collect were programmed in Windows machine 32bit processor, over the Microsoft .NET Framework (Visual Basic/C#). Files were compiled over the course of three days, between March 7th and 9th of 2015. The following chart illustrates how the group or individual created the samples, the size of each sample, the time of the day when each was compiled and the time lapses between each compilation.
Malware compilation timeline
The smallest sample (0.52Mb) and the largest (1.57Mb) were both created on the same day, which could indicate experiments made by the group to test features, packers and “dead code” implementations.
Looking at the chart, it is interesting to see the modus operandi as the threat actor consistently strives to achieve a variety of samples, different code sizes and supposedly more complicated obfuscation.
Along with these different sizes, activities and obfuscation, a serious encryption algorithm was also implemented in each one of them. The proprietary obfuscated string, methods and classes made it rather challenging to analyze. ASLR is also enabled, which might point to an open source RAT or even a commercial framework that packed the malicious software in a well written structure. This type of work is known as a mitigation factor for threat actors to keep their code hidden from analysts’ eyes.
During our research, dynamic analysis showed that the malicious software’s “call home” functionality communicates over obvious channels and does not go the extra mile to hide its activity. In addition, the files themselves were not programmed to make any kind of registry maneuvers that would hide them from Windows Explorer. Taking that into an equation, it seems that the threat actors are sending a “weak knight in a heavy armor” to war. It means that whoever programmed the malware did not write all the code from scratch. A well trained knight would never go to war with a blazing shield and yet a stick for a sword.
Looking into the “call home” traffic, the Keylogger functionality prepares files that act as a container for keyboard interrupts, collecting hostnames, application names, usernames and passwords. However, the interesting part lies here.
The file names contain a very informative string:
HawkEye_Keylogger_Execution_Confirmed_<VICTIM> 3.10.2015 6:08:31 PM
HawkEye is a commercial tool that has been in development for a few years now; it appeared in 2014, as a website called HawkEyeProducts, and made a very famous contribution to the hacker community.
In the website, the product shows great versatility as it contains many types of RATs, features and functionality, such as the traditional HawkEye Logger or other types of remote administration tools like Cyborg Logger, CyberGate, DarkComet, NanoCore and more. It seems to support three types of delivery: FTP, SMTP and Web-Panel.
As seen, the malware uses a number of RATs to control its victims or track their activity. One of the threat actor’s successful implementations contained the well-known DarkComet. This convenient “choose your RAT” functionality plays a very important role in the malware infection, routine and survival on the victim’s machine. The DarkComet samples are more complicated than the traditional HawkEye logger. One instance had a random key generator which sets an initialization vector of the first 4 bytes of the executable file and appends a random 5 byte key that unpacks another PE file, less than 20Kb in size. The PE file then contains another packer with an even more challenging obfuscation technique. The last sample we tested had still more complicated behavior. The code itself had the same obfuscation technique, though traffic was not transferring in clear text. Stolen data was packed and sent encrypted over HTTP random ports. This means that the group is trying to produce other types of malicious samples with different RATs.
Approximately 10,000 stolen files have been collected. Companies based in Thailand and India had the largest percentage of infected machines. By looking at the stolen credentials, it is very clear that employees sent the malware to one another, as stolen host names and internal applications are the same.
The following is the full chart, updated to May 2015:
Malware distribution by country
Demonstrating the effectiveness of their simple Keyloggers, one C2 (on May 15th) maintained thousands of victim account credentials from hundreds of infected systems.
To sum it up, Grabit threat actors did not use any sophisticated evasions or maneuvers in their dynamic activity. It is interesting to see the major differences between the core development of the malware and the actual functionality it uses.
Some malware samples used the same hosting server, and even the same credentials. Could it be that our threat actor was in a hurry?
Our guess is that we are looking at a group and not an individual. Some members of the group are more technical than the others and some are more security oriented and aware of the risks they might expose themselves to.
Back to square one:
From what we have seen so far, the malware is being delivered as a Microsoft Office Word (.doc) email attachment, containing a malicious macro called AutoOpen. This macro simply opens a socket over TCP and sends an HTTP request to a remote server that was hacked by the group to serve as a malware hub, before downloading the malware. In some cases the malicious macro was password protected, but our threat actor might have forgotten that a .doc file is actually an archive and when that archive is opened in a convenient editor of your choice, the macro strings are shown in clear-text.
The malware is in plain view, modifying commonplace registry entries, such as the startup configurations, and not covering its tracks. Its binaries are not deleted in most cases, and its communication is in clear-text, where the victim can sniff the communication and grab the FTP/SMTP server’s credentials.
Malware derivatives are mainly located in:
C:\Users\ <user> \AppData\Roaming\Microsoft
Phishing extensions: .doc
Icons: .pdf, .doc, .ttf, .xls, .ppt, .msg, .exe
Stealer: .txt, .jpeg, .eml
Additional Executable names:
Malware extensions: .zip or .exe