In this blog post, we detail our analysis of a recent campaign that we attribute, with high confidence, to KeyBoy, a threat actor believed to be based in or operating from China. KeyBoy has been most recently reported on by CitizenLab in 2016, and now appears to have returned.
Our analysis starts with a Microsoft Word document named 2017 Q4 Work Plan.docx (with a hash of 292843976600e8ad2130224d70356bfc), which was created on 2017-10-11 by a user called “Admin’’, and first uploaded to VirusTotal, a website and file scanning service, on the same day, by a user in South Africa.
Curiously, the Word document does not contain any macros, or even an exploit. Rather, it uses a technique recently reported on by SensePost, which allows an attacker to craft a specifically created Microsoft Word document, which uses the Dynamic Data Exchange (DDE) protocol. DDE traditionally allows for the sending of messages between applications that share data, for example from Word to Excel or vice versa. In the case reported on by SensePost, this allowed for the fetching or downloading of remote payloads, using PowerShell for example.
Figure 1 – Word Error
Once we extract the initial document, using 7-zip for example, we can observe the usual structure, and inside, a file called document.xml is of interest. In this XML, a remote payload, in this case a DLL, will be downloaded using PowerShell, moved to the user’s temporary folder, and run using rundll32.exe, starting in the HOK function or export. Figure 2 shows the relevant part in our XML file.
Figure 2 - Download and payload execution
This debug.dll is a PE32 binary file with the following properties:
This DLL serves as a dropper for the actual payload, and as such the internal name of ‘InstallClient’ is an apt choice by the threat actor. Developing a Yara rule for the simple dropper DLL, yielded several new binaries:
We have analysed d6ddecdb823de235dd650c0f7a2f3d8f, which also has InstallClient.dll as its internal name, as it seems to be the earliest dropper DLL used in this campaign, and does not appear to be very different from any of the other DLLs so far uncovered.
The DLL starts in the function named Insys, which performs some simple checks, for example, if the current user account is an administrator, and will subsequently call the function named SSSS, which is the main function.
A substantial amount of actions will follow according to what’s defined in the SSSS function, as follows:
The malware will also, in some observed cases, output debug or error messages in a newly created file in the user’s Application Data folder as DebugLog.TXT, for example:
Then, the original dropper DLL will then be deleted, using a simple batch file that runs in a loop. In Figures 3 to 5, the target DLL, the original and new DLL, as well as the full process flow are shown.
Figure 3 - Target DLL, config and keylog file built dynamically on the stack
Figure 4 - Real and fake rasauto.dll (rasauto32.dll is the real or original DLL)
Figure 5 - Complete process flow
While visually there is apparently no difference, due to the malware being time-stomped (altering the created and modified dates of a file or folder), we can however observe a few subtle differences in the real and malicious binary.
Figure 6 - Subtle differences
As can be seen in Figure 6, the fake DLL has a different link date, some minor spelling mistakes, and does not include the build in the file version details. As the malware also disables Windows File Protection and thus any pop-ups, it may not be immediately obvious to system administrators that a legitimate DLL was actually replaced. The following commands are issued in order to achieve persistence:
Taking a look at the Windows registry for our service, RasAuto, short for Remote Access Auto Connection Manager and historically used for connecting dial-up modems to the internet for example, reveals no specific additional modifications.
Dllhost.exe is additionally seen to call back or phone home to a hardcoded range of C2 servers, on ports 53, 80, and 443.
Figure 7 - Dllhost connecting to a remote address
Dllhost usually has no need to connect to the internet or WAN, and as such it is a possible indicator of malicious activity.
Attaching a debugger to dllhost.exe, reveals the keylogger files and configuration, replaced DLL file, as well as another folder, which is likely used to store screenshots and other data. Another ASCII string can be discovered in the DLL’s config, MDDEFGEGETGIZ, which likely pertains to the specific KeyBoy campaign, or target.
Figure 8 - ASCII dump
The malware leveraged by KeyBoy has a plethora of functionality, including, but not limited to:
Interestingly enough, the malware developers left several unique debug messages, for example:
Earlier, we mentioned the threat actor uses custom SSL libraries to communicate to the C2. While we have been unable to observe this behavior in any traffic logs, we were able to extract a certificate, which can be found in Appendix B. Converting this certificate to the DER format, we find strings pointing to jessma.org, and an email address, email@example.com. These belong to projects by a Chinese developer, where one of the tools or libraries is named HP-Socket, which is a ‘High Performance TCP/UDP Socket Component’.
Additionally, said library sported an interesting debug path:
In addition to writing a Yara rule for the dropper DLL and finding additional samples as mentioned above, we repeated the same process for the payload DLL. In Table 1 below, you may find other payloads, with their related and fake, or replaced Windows DLL or service.
|Hash||Impersonated DLL||Impersonated service|
|a55b0c98ac3965067d0270a95e60e87e||ikeext.dll||IKE and AuthIP IPsec Keying Modules|
|2e04cdf98aead9dd9a5210d7e601cca7||rasauto.dll||Remote Access Auto Connection Manager|
|d6ddecdb823de235dd650c0f7a2f3d8f||rasauto.dll||Remote Access Auto Connection Manager|
Table 1 - Impersonated DLLs
Sinet.dll may relate to SPlayer, a popular video player in China.
Hunting further, we have discovered similar samples to the ones described above, with additional interesting debug paths:
Table 2 - Other debug paths
Both samples include references to a “work” folder, and a “VS” or “VS Project”. The latter likely points to a Visual Studio project short name, or VS. While the connection initially seems rather weak, it did hit the same Yara rule as mentioned before and the sample with hash 29e44cfa7bcde079e9c7afb23ca8ef86 additionally includes an SSL certificate, which, when converted, points to another custom SSL library, called WolfSSL, which is a “a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud”. The same hash or binary also includes what we assess to be a campaign name or KeyBoy version identifier, which is weblogic20170727.
Another sample which hit our Yara rule is 7aea7486e3a7a839f49ebc61f1680ba3, which was first uploaded to VirusTotal on 2017-08-25. This sample appears to be an older variant of KeyBoy, as there are several plain-text strings present, which are consistent with CitizenLab’s report referenced in the introduction.
All samples (hashes) and other indicators are provided in Appendix A.
We have mapped out the complete infrastructure that we have discovered, using Maltego, as shown in Figure 9.
Figure 9 - C2 graphing
There was some overlap with the samples and infrastructure, and one email address appears to jump out, which is linked to several domains: 657603405@qq[.]com. This email address does not appear to have been observed before.
One other relevant point to note in regards to the infrastructure, is the use of dates, likely relating to campaign names, as part of the C2 servers. Examples include:
In this report, we have analysed what we assess with high confidence, to be (part of) the latest KeyBoy campaign, a threat actor that has been active for several years, and displays at least a medium level of technical and operational know-how.
Several connections can be made to CitizenLab’s report from 2016, such as the continued usage of fake services and related DLLs, powerful capabilities, several exports and strings present in the (sometimes decrypted) DLLs, as well as campaign or version identifiers which are reminiscent and consistent with earlier reported identifiers.
While we do not have a clear visibility of targeting, it does appear that this latest campaign targets at least some Western organisations, likely for corporate espionage purposes. Organisations can refer to Appendix A, in order to search of any possible indicators of compromise. Additionally, organisations may wish to disable default administrator credentials, which will prevent unauthorised services to be installed.
Clients who are part of our threat intelligence subscription services, can refer to our latest report CTO-TIB-20171019-01A - KeyBoy's new toys, which includes more information as well as ruling in order to detect KeyBoy’s latest campaign. If you would like more information on any of the threats discussed in this alert, or you suspect you may be compromised, please feel free to get in touch, by emailing firstname.lastname@example.org.
MIID0TCCArmgAwIBAgIJALFGobpzN5MdMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV BAYTAkNOMQswCQYDVQQIDAJHRDELMAkGA1UEBwwCR1oxDDAKBgNVBAoMA1NTVDEP MA0GA1UECwwGSmVzc01BMRcwFQYDVQQDDA53d3cuamVzc21hLm9yZzEeMBwGCSqG SIb3DQEJARYPbGRjc2FhQDIxY24uY29tMB4XDTE2MDQwMTE1MDIwMFoXDTI0MDYx ODE1MDIwMFowfzELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkdEMQswCQYDVQQHDAJH WjEMMAoGA1UECgwDU1NUMQ8wDQYDVQQLDAZKZXNzTUExFzAVBgNVBAMMDnd3dy5q ZXNzbWEub3JnMR4wHAYJKoZIhvcNAQkBFg9sZGNzYWFAMjFjbi5jb20wggEiMA0G CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDht6llexLtFkV8ijjdJGaHXXQysWOJ UM/YQFYP52nviurJSpMbWSXnuaDlfidk76B66Np5mlnN5BiHqbBj34GCVKz5VQtx 3kMY1y30YWyiHAEZiV3PLQc8/A9MnJM/q/mHaulmTuJi8A85TWadqUNXgiaIMkqz bKaauR1/GCxXuEVroqtyR99RCWhfakTz04KfIbt83QR0imWC6uhmvD/DXJ03XFzd XkK5aNp+ef1sBQgFKjeXV6EMuq+UgEDPXlCDUJAqsZt6W/ohrCAHWQYZ/RSvvaMJ O7aWROGAC/lh6ATOIbFlGVppw6zUGdIDkB5FVF1MC7CyDndncFrY+OJzAgMBAAGj UDBOMB0GA1UdDgQWBBT8fu6QFIfxlQvMWjl5pmfBjL6ciDAfBgNVHSMEGDAWgBT8 fu6QFIfxlQvMWjl5pmfBjL6ciDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUA A4IBAQDI+f6GMBJxRJNKrgbUYLD1U6LWEQJQ50g2NxGy0j+TL6oypoo/kyME3tOR EmXEDzytGcSaQ78xYcg97UQd8OhXYQr0qwZ/JLarmhCVK/bfbGTIn4Mk4ZgDqcOU 46jsJeEZwUSrrq7svKO5d7+wV0VGPO+Ww4yzRCPwm2puXFY1+KpTxYX31+wwMB8p 7GuJEDgV08qzLfcBAfSFFYiOHL3tJ+XNKFNRqigjeYrWuAMphOhpYfYnU0d0upe8 wWx9Unm8qSkc7hiS/vvs1v7Pv1sqMFRBoaKOTqZ7Wz/5AySGPQjeMV/atmArDEkx z58OEgTzg1J/Keztxwj7I2KnYHyH