Malware authors have a tendency to conceal themselves so that they can continue their actions uninterrupted. However, we have observed the opposite trend when some authors, who like to show their swagger when writing malware—in particular remote access tools (RATs). They proudly spread their work and post videos on YouTube to demonstrate them. In this post we focus on two samples that are very popular in the Middle East. These particular malware authors are very vocal about the malicious software they created, posting details on social media and other hacker forums. The malware executables are extremely user friendly; anyone with basic computing experience can generate an entire set of new customized malware to steal data from targeted users.
The first campaign is SpyGate, a fully functional RAT written in Visual Basic. The malware author openly advertises the tool on social media, with a download link included.
Combining the data we have found, we have a profile of a young man living in Riyadh, Saudi Arabia, who studied in Dubai and seems to like the game “Dragon City.” Although he seems to change his desktop wallpaper often (as seen on YouTube), he’s clearly developing this RAT.
Once the RAT is downloaded and executes, we see the following window:
The malware has a proper GUI that provides the user with various options, such as monitoring the victim’s screen, obtaining all the keylogs, etc.
One interesting option is the “build/compile malware” tab, which is the source of most copies of SpyGate on the web. This option lets script kiddies or malware users compile their own “customized” malware. In the host address window they can add their own web addresses to receive the stolen data.
The malware author also has options to statically alter the top level info of the binary, such as changing the filename, extension, and even the icon. These steps are useful to mislead antimalware vendors and escape static clustering and detection. The final output after this compilation is a new zero-day binary with an entire set of password-stealing capabilities. The malware author’s goal is to steal as much data as possible.
On execution, SpyGate creates two temp files: melt.tmp, which stores the malware’s execution path (for tracking purposes); and oosuacodersoo.tmp, which stores all the keylogs from the victim’s system. For example, typing “Hello Spygate!! How are you” logs all keystrokes and spaces.
But SpyGate is more than just a keylogger. It attempts to steal Google Chrome login data, Internet Explorer autocomplete forms data, FTP passwords, and other data.
SpyGate also checks for antimalware programs. The list is long and contains about 50 vendors, including McAfee.
While examining the spread of this RAT, we discovered several control servers hosted in the Middle East, and targeting numerous users around the globe.
SpyGate: the source of KingRAT
We saw a tremendous variety of new Zeus variants when its source code was leaked, and now we’ve seen similar development based on SpyGate. The open exchange of information among forum members leads often to modified and even more ferocious RATs. One such offshoot of SpyGate is KingRAT 0.1, which has been made public by the malware author “Hacker Syria DZ.” We observed communication between the RAT authors in this article on social media.
The executable is hosted on a Middle East site as a RAR archive. Upon execution, we see a GUI that gives various options.
Under the build option, a user can compile a binary to suit custom needs. For example, the user can block sites such as Virustotal.com, disable debuggers like OllyDbg, and even decide whether to incorporate USB-infection capabilities.
After we compiled a new RAT, we found the file YmzdHViIGdlbaW9uPTEuMC4wLjAsIGN1bHR1cmU9bmVmVyYXRvciB2MS4wLCJhbCw.log in templates folder. This file stores the keystrokes. Although the keylogging module is good for tracing the process name, the keystroke module appears to be buggy. Only partial keystrokes are stored.
Despite its different and stylish GUI, KingRAT does nearly the same work as SpyGate. The author has tried to hide the reference to SpyGate in the front end. However, a binary analysis makes it evident that this malware uses the same SpyGate code. Below we see the “no-ip” and “Paltalk” password-stealing modules for SpyGate (on the left) and KingRAT, respectively. The code is the same; only the password-stealing module is left out by the KingRAT author.
We have more evidence of KingRAT’s origins in this reference to SpyGate:
Although the authoring of tools such as RATs, cryptors, and malware seems to be “l33t” and earn status in the Middle East underground, the danger remains that many teenagers play with these tools without understanding the risks. Not only do some of these kits contain backdoors, but hacking into victims’ computers is a crime in most countries.
McAfee detects the parent compiler as SpyGateCompiler! and the resultant compiled malware as SpyGate!
A Yara rule to detect SpyGate:
rule SpyGate_v2_9
{
meta:
date = “2014/09”
maltype = “Spygate v2.9 Remote Access Trojan”
filetype = “exe”
strings:
$1 = “shutdowncomputer” wide
$2 = “shutdown -r -t 00″ wide
$3 = “blockmouseandkeyboard” wide
$4 = “ProcessHacker”
$5 = “FileManagerSplit” wide
condition:
all
}
The post Middle-East Developer of SpyGate Struts His Stuff Online appeared first on McAfee.