Iranian Keylogger Marmoolak Enters via Backdoor

By on

Targeted attacks have several stages, sometimes called the APT kill chain. At McAfee Labs we prefer the model described by Lockheed Martin:

Marmoolak 1

As part of the weaponizing phase, attackers often put a payload into a file that, once installed, will connect in the C2 (command and control) phase to the attacker. A very common payload used by many password-stealing malware is a keylogger. The purpose of keylogging is to capture the users’ keystrokes, and gather credentials and links to internal and external resources. The stolen credentials can later be used to weaponize another file or serve as part of the actions phase of the APT kill chain.

One example we recently ran into is the malware Marmoolak, an Iranian keylogger with the MD5 F09D2C65F0B6AD55593405A5FD3A7D91.

We traced the first appearance of this keylogger to a Middle-East forum:

Marmoolak 2

Although some keyloggers may capture keystrokes for legitimate purposes, this one misleads its victims by including a hidden payload. By placing this keylogger on this forum, we believe the developer intended to attack other members of this forum, a popular tactic in that region.

To prevent detection, malware authors often use cheap and easy packer’s, which modify the malware witha runtime compression or encryption program. In this case the files were hidden by a modified version of the well-known packer UPX.

On execution, the file adds a copy of itself into the System32 folder as Mcsng.exe. The malware also launches a process that drops and writes the file 1stmp.sys in the %system32%\config folder:

Marmoolak 3

Although the file extension suggests it is a .sys (system) file, it is not. Its purpose is to function as a log file that contains the encrypted keystrokes of the user. Every time a key is pressed, the process records the keystroke, encrypts it and appends it to 1stmp.sys. The next screen shows a section of encrypted strings:

Marmoolak 4

Although the encryption algorithm is simple, it uses “selective encryption,” with two techniques: Each byte is encrypted by technique 1 if it is odd and technique 2 if it is even. Here is an example of a log after decryption:

Marmoolak 5

After decrypting we can see not only keystrokes, but also the time stamps when they were logged. After the keystrokes are logged and encrypted, the malware mails its content to its author. The malware also sends computer name and user name data to its master.

After cleaning up the standard Visual Basic obfuscation we can see the malware uses Sendmail:

Marmoolak 6

In this case the encrypted log is sent to the email address Marmoolak@red-move.tk. This address is hosted on a domain that is very popular in Iran for hosting malware. The McAfee Labs reputation engine has flagged this domain as malicious: http://www.mcafee.com/threat-intelligence/domain/default.aspx?domain=red-move.tk

After deobfuscation, we observed strings in Persian that contain the word marmoolak, a frequent derogatory term in Persian to describe their Arabic neighbors.

McAfee detects this Trojan keylogger and its variants as Keylog-FAG! To avoid infection from this and other keyloggers, keep your antivirus system updated and do not download content from untrusted sources. Be especially careful of hacker forums. Some members pretend to be helpful and offer their tools. However, these tools are often backdoor malware and exist solely to access systems and abuse them for various malicious ends.

Categories: McAfee Labs
Tags: , , ,

Leave a Comment

Similar articles

October is finally among us, and things are spookier than usual. One ghost causing some hocus pocus across the World Wide Web is Ghostcat-3PC, a browser-hijacking malware that has launched at least 18 different malvertising campaigns in the last three months. According to SC Magazine, Ghostcat’s goal is to hijack users’ mobile browsing sessions and ...
Read Blog
Fears and phobias. We all have them. But what are your biggest ones? I absolutely detest snakes but spiders don’t worry me at all. Well, new research by McAfee shows that cybercriminals and the fear of being hacked are now the 5th greatest fear among Aussies. With news of data breaches and hacking crusades filling ...
Read Blog
Over the years, I've been the star of a number of sub-stellar parenting moments. More than once, I found myself reprimanding my kids for doing things that kids do — things I never stopped to teach them otherwise. Like the time I reprimanded my son for not thanking his friend's mother properly before we left ...
Read Blog