An analysis of AutoLog, a keylogger in AutoIt

Note: I have had this for quite a while, and the sample I had might be outdated.

AutoLog is a keylogger written in AutoIt that is UD and also extremely popular. It uses the Jos van der Zande Obfuscator, which obscures the code to some extent, but the code structure is not changed at all. The obfuscator also prevents the output from being detected; however, AVG detects any file obfuscated by it. The obfuscator had a public deobfuscation tool, MyAutToExe, which perfectly deobfuscated the malware. However, I managed to extract the original unobfuscated code from the builder, so I will use that version, as the variable and function names are mostly preserved already.

The code is slightly obfuscated before the Obfuscator is applied: the strings were encrypted and variables were renamed using Au3Stripper. It was trivial to automatically decrypt the strings and replace them. The Obfuscator is fairly good at shedding detections: with a few thousand users, and with me scanning it on VirusTotal, it is a surprise that the stub stays under 5 detections without any updates.

The keylogging method is simple: it uses either the IsPressed function or GetAsyncKeyState, depending on the user’s choice. The site icanhazip.com is used to obtain the user’s external IP address. For those of you who didn’t know, icanhazip was flagged by antiviruses quite often due to the fact that it is commonly abused by malware. Nothing out of the ordinary here.

6d1369e8cece15d10eb7c21a2de2c68a

An interesting thing about AutoLog is that it is able to hide itself from Task Manager in Windows 7, which is done through the use of SendMessage after obtaining a handle to the GUI. A fairly creative approach, I don’t think I have ever seen it before.

The AV Killer uses a combination of a public method and a seemingly private one. First, a handle to the process is obtained via OpenProcess; the AV is then suspended using NtSuspendProcess, and then closed. I am surprised that this works, due to the fact that AVs are protected by drivers and should be able to prevent themselves from being suspended and killed. After killing the process, the Image File Execution Options key is used to set a debugger for the process to prevent the process from being revived. This is done for around 270 processes, which range from Kaspersky and ClamAV to KeyScrambler and Wireshark (which technically aren’t AVs).
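The IFEO "Debugger" trick is easy to check for after the fact, because it leaves a registry value behind. The script below is an added example (not code from the post or from AutoLog) that parses a registry export of the Image File Execution Options key and lists every subkey with a Debugger value set, then separates entries from an assumed allowlist of tools that legitimately use the mechanism (Process Explorer's "Replace Task Manager" option registers itself as the debugger for taskmgr.exe the same way). The registry text is constructed for the example; on a real host you would produce it with `reg export`, and the process name `example-av.exe` is a placeholder.

```python
"""Flag Image File Execution Options (IFEO) "Debugger" entries in a .reg export.

Added example, not from the post or from AutoLog.  SAMPLE_REG is a constructed
export in regedit's text format; on a live host produce the real one with
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
"""
import ntpath
import re

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Tools that legitimately register themselves as an IFEO debugger (Process Explorer's
# "Replace Task Manager" does this for taskmgr.exe).  Assumed allowlist; adjust for your estate.
KNOWN_BENIGN = frozenset({"procexp.exe", "procexp64.exe"})

# Constructed sample export: a harmless key without a Debugger value, a Process Explorer
# entry, and one that redirects a placeholder AV process to svchost.exe so it never starts.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="\"C:\\Tools\\procexp64.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-av.exe]
"Debugger"="svchost.exe"
'''


def _unescape_reg_string(raw: str) -> str:
    """regedit doubles backslashes and escapes double quotes inside REG_SZ values."""
    return raw.replace(r"\\", "\\").replace(r"\"", '"')


def debugger_basename(cmdline: str) -> str:
    """Lower-cased file name of the executable at the front of a debugger command line."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]          # quoted path, possibly with spaces
    else:
        exe = cmd.split(None, 1)[0] if cmd else ""
    return ntpath.basename(exe).lower()


def find_ifeo_debuggers(reg_text: str) -> list:
    """Return (image name, debugger command line) for every IFEO subkey that sets Debugger."""
    entries = []
    current = None                               # image name of the IFEO subkey we are inside
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = None
            if key.lower().startswith(IFEO_KEY.lower() + "\\"):
                current = key[len(IFEO_KEY) + 1:]
            continue
        match = re.match(r'^"Debugger"="(.*)"$', line)
        if current and match:
            entries.append((current.lower(), _unescape_reg_string(match.group(1))))
    return entries


def suspicious_debuggers(entries, allowlist=KNOWN_BENIGN) -> list:
    """Keep only entries whose debugger is not a known, expected tool."""
    return [(image, dbg) for image, dbg in entries if debugger_basename(dbg) not in allowlist]


if __name__ == "__main__":
    found = find_ifeo_debuggers(SAMPLE_REG)
    for image, dbg in found:
        verdict = "review" if (image, dbg) in suspicious_debuggers(found) else "allowlisted"
        print(f"{image:20} -> {dbg}  [{verdict}]")
```

A Debugger value pointing at svchost.exe, cmd.exe or a non-existent path is the pattern to look for: the named program starts instead of the image, so the AV never comes back even though its files are untouched. Removing the value (or the whole subkey) restores normal start-up of that process.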

Antivirus Killing function

AutoLog uses the API GetAsyncKeyState to log keystrokes. The hooking mechanism is taken from a GitHub repository. AutoLog’s persistence exploits a bug on Windows 7 and potentially earlier versions (haven’t checked) which is described here. This bug renders the process pretty much unkillable. While this bug is capable of keeping the process alive, sometimes it causes freezes and stops the malware from functioning properly. A very creative approach I must say; I have never seen anything like this before in the realm of AutoIt malware.


A comparison of AutoLog’s source code and the public keylogger source code (Left: AutoLog, Right: GitHub)

In conclusion, AutoLog is an interesting piece of malware with features that are rarely seen in other samples, but the fact that it only has a few detections is extremely worrying, as many AVs have trouble detecting AutoLog’s payload. Additionally, it is because of malware like this that public and freely available obfuscators are getting flagged as malware.


The Healer new release

Version 1.2.0.0 is now available!

Added features: Persistent File Remover and FileAssasin.

Removed feature: Kaspersky Installer, since it is too heavy

Now there is only 1 version, since Kaspersky is removed.


Download here: https://www.dropbox.com/s/mwwt6womgdxujb6/The%20Healer%201.2.0.0.rar?dl=0


Getting your own host is better than using Direct Exe Hosting.

Direct exe hosts are commonly used by malware as they allow a downloader to work properly (I mean, if you used MediaFire, the HTML page would be downloaded, duh?). Despite getting blacklisted fairly fast, they are all still very popular, as blacklisting usually only affects the browser. However, what they DON’T know is that most direct exe hosts are highly vulnerable.

One fairly good example is NeverGreen.net


This direct exe host is currently blacklisted by 18/68 antivirus engines on VirusTotal, and is advertised on HackForums. Despite the good design, the host is not really secure. All of the URLs are in the simple format nevergreen.net/abc, where abc consists of 3 random numbers/letters. With 5 minutes of scripting, I made a scraper that would try to bruteforce the URL, and obtained around 8 samples in a mere 3 minutes. The only problem was that Nevergreen does not remove files that are older than 1 month, therefore I am also getting samples that are almost a year old. File extension is another problem, since some of the files might be .RAR, so I had to use ExeInfo PE to figure out what they are.

Another vulnerable host is AutoUpload.club. The full vulnerability is mentioned by L!NK in his video at https://www.youtube.com/watch?v=vQOidWoeOB8

Those are just the 2 direct exe hosts that I have been looking at. So don’t rely on these hosts, since anyone can obtain your stub with ease.


Malwr showing false positives with MP4 files

During my recent tests with MP4 files, I discovered a very interesting fact: Malwr is not compatible with MP4 files and will show false positives such as detecting shellcode, startup entries and HTTP connections.

Malwr uses a standard Windows XP image for analyzing malware. However, Windows Media Player in Windows XP is not able to open MP4 files, and will therefore open Microsoft’s shell page and perform a few other activities. One of them is detected as a startup method; however, it actually isn’t.

Here are some of the Malwr links that are false positives (Found using Malwr’s search button):

https://malwr.com/analysis/ZmY4MGE4MzU3NjM1NGRiZWFkNmU2OTUxMTFkZGVhZDU/

https://malwr.com/analysis/NzY1OTMxNWE5ODVkNDA3NGIxMjhlNDEwMmIwOWI2OGU/

https://malwr.com/analysis/YjM3ZGFiNmY3YjA1NDg3ZWFmNzZlNjczNjlkNmNjYzI/

https://malwr.com/analysis/YjY4M2EwZDhhYjliNDI1YThhZTk0MDlhMTcwNjE5YzA/

https://malwr.com/analysis/MTBiOWI0Zjc5ZjRhNDBjODk2N2QzNzEzOTU0N2ZhODY/


Why there is no need for Microsoft Office

Microsoft Office is installed on almost every computer running Windows nowadays. However, the security aspect of it is pretty worrisome. If you browse around Hackforums, you will find many people selling Word exploits, silent and macro, available at very cheap prices. Some of the recent cyber attacks against Ukraine’s power system have been delivered with the help of these exploits. So it is not really the best idea to open any Microsoft Word, Excel, or PowerPoint document. At least not with Microsoft Office.

A much more secure way to open these documents is to upload all of them to Google Drive, and then open them. This way none of the possible malicious scripts and macros are opened on your computer. And don’t worry, Google Drive won’t be harmed, since the macros are not processed by their system.
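If you do have to decide whether a document is worth the detour, one cheap check is whether the file carries a VBA project at all. The script below is an added example (not from the post) that builds two small OOXML-style packages in memory, one with and one without the `vbaProject.bin` part that Word, Excel and PowerPoint use to store macros in .docm/.xlsm/.pptm files, and inspects them without opening anything in Office. The sample packages are constructed and are not valid Word files; only the parts relevant to the check are present.

```python
"""Check whether an Office document (OOXML package) contains a VBA macro project.

Added example, not from the post.  build_sample_docm() constructs the test input in
memory; the markers checked (a vbaProject.bin part and its content type) are the
ones the OOXML formats use for macro-enabled documents.
"""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def build_sample_docm(with_macro: bool) -> bytes:
    """Construct a minimal package: [Content_Types].xml, a document part and, optionally, a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        types = ('<?xml version="1.0"?>'
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                 '<Default Extension="xml" ContentType="application/xml"/>')
        if with_macro:
            types += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        types += "</Types>"
        z.writestr("[Content_Types].xml", types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed stand-in for the OLE stream; only the compound-file magic is real.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


def has_vba_project(data: bytes):
    """True/False for an OOXML package; None if the bytes are not a zip (e.g. a legacy .doc)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = [n.lower() for n in z.namelist()]
        # Word stores it under word/, Excel under xl/, PowerPoint under ppt/.
        if any(n.endswith("vbaproject.bin") for n in names):
            return True
        try:
            types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            return False
        return VBA_CONTENT_TYPE in types_xml


def has_vba_project_file(path: str):
    with open(path, "rb") as fh:
        return has_vba_project(fh.read())


if __name__ == "__main__":
    print("macro-enabled sample:", has_vba_project(build_sample_docm(True)))
    print("plain sample:        ", has_vba_project(build_sample_docm(False)))
```

Two caveats go with this check. A `None` result means the file is not an OOXML package, which covers the older binary .doc/.xls formats and needs a different parser. And a `False` result only rules out VBA; the "silent" exploits the post mentions target parser bugs rather than macros and leave no vbaProject.bin behind, so a macro-free document is not automatically a safe one.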

Just some small tips from me to those who do not wish to get malware on their system.


Common things in most malware

Malware varies in style, programming language, encryption and obfuscation method, as well as many other factors. However, it all shares one similarity (excluding cryptolockers): it attempts to look as similar to a legitimate application as possible.

1. Process name

Most malware will try to look like common processes. Sometimes they will try to impersonate a system process. Some of the common names are conhost.exe, windowsupdate.exe, winupdateclient.exe,… When you see a process that seems suspicious because of these signs, you should run an AV scan and attempt to find any suspicious activities on your computer. If your AV solution does not detect anything, open up Task Manager, right click on the process, select “Open File Location”, and copy the file to your desktop. After that, you can upload it and forward it to me.

2. Installation Directory

This is a similarity in most malware. It will install itself to a directory, so even if you delete the original file, the malware is still on the system. Some popular places for installation of such malware are the AppData folder, the Windows folder and the Temp folder. The Temp folder is the least popular of the three, since it is cleared regularly in order to preserve disk space. However, it is still commonly used.

3. Attempts to hide process

Malware DOESN’T want to be spotted. So it tries to hide its task from the Task Manager. Some might do this by attempting to replace the Task Manager, which can be done simply through a registry key, some might try to launch it from a different user, which isn’t really effective, and some just try to kill the Task Manager process.

So that is it for this post. I know it is kinda short, but that is because I am analyzing a RAT, which is somewhat unique since it uses PHP for connection.


Now blocked countries

Recently, in a log check, I found a lot of bad traffic, which was responsible for the 5000 failed logins to my site. It came from 9 small countries, which are all now blocked. I will not reveal the names of the countries, except for one, which is China.

Cheers.