Malware’s Most Wanted: NightHunter. A Massive Campaign to Steal Credentials Revealed
Cyphort Labs has discovered an extensive data theft campaign that we have named NightHunter. The campaign, active since 2009, is designed to steal login credentials of users. Targeted applications include Google, Yahoo, Facebook, Dropbox and Skype. Attackers have many options to leverage the credentials and the potential for analyzing and correlating the stolen data to mount highly targeted, damaging attacks.


  1. NightHunter: A Massive Campaign to Steal Credentials Revealed. Cyphort Labs Malware’s Most Wanted Series, July 2014
  2. Your speakers today: Nick Bilogorskiy, Director of Security Research; Shel Sharma
  3. Agenda
     o What is NightHunter
     o NightHunter timeline
     o Dissecting the malware
     o Wrap-up and Q&A (Cyphort Labs T-shirt)
  4. About Cyphort Labs
     o We work with the security ecosystem: contribute to and learn from the malware KB; best of 3rd-party threat data
     o We enhance malware detection accuracy: false positives/negatives; deep-dive research
     o Threat Monitoring & Research team: 24x7 monitoring for malware events; assist customers with their forensics and incident response
  5. NightHunter – Name explained. We called it NightHunter because of its use of SMTP (email) for data exfiltration. Email is often overlooked, so it can be a more stealthy way of data theft, akin to hunting at night.
  6. What is NightHunter?
     o Campaign began 2009, still ongoing
     o Malware coded in .NET
     o Extensive data theft campaign using SMTP and more than 3,000 unique keylogger binaries
     o Steals login credentials of users: Google, Facebook, Dropbox, Skype and other services
     o At least 1,800 infections
  7. NightHunter C&C protocol: poll question. What do you think is the Command and Control protocol for updating NightHunter? A: HTTP; B: HTTPS; C: FTP; D: IRC; E: None of the above
  8. NightHunter C&C protocol: None! NightHunter does not use a command and control protocol. Instead each variant simply sends stolen data to a hard-coded email server. By using email, it hides in plain sight as organizations beef up web anomaly detection.
  9. NightHunter History (timeline markers 2009, 2010, 2012, 2013, 2014), in order: first variants of NightHunter appear; malware starts using AOL, Microsoft email servers; malware starts using mx1.3owl.com; starts using Comcast, Yahoo email servers; Cyphort discovers NightHunter
  10. NightHunter Infections To Date. There are at least 1,800 unique infections. [Chart: number of unique infections per email server; servers listed 3OWL, Ieindia, Drmike, Hanco, Gmail, Comcast; values shown 1000, 350, 200, 150, 100*, 60]
  11. NightHunter Infections To Date. [Chart: count of samples using Gmail servers (smtp.gmail.com) per month, 2013-07 through 2014-06; y-axis 0 to 500]
  12. Malware Architecture
     o User: receives a phishing email with a DOC/ZIP attachment
     o Stage 1 – EXE: decrypts the DLL from a resource section and loads it from memory
     o Stage 2 – DLL (*): runs from the EXE’s process memory and sends out credentials via SMTP
     o Attacker: receives stolen credentials in the email server
     * Some samples did not need to use Stage 2
  13. NightHunter Delivery
     o Delivered mostly through phishing emails with DOC/ZIP/RAR attachments.
     o User gets infected by opening a malicious document with scripting enabled.
     o Emails were targeted towards personnel in finance/sales/HR departments
  14. NightHunter Delivery. Email subject/attachment names: • Jobs List • Inquiry • Order • PO • Purchase Order • Payment Slip • Reconfirm Pls • Remittance Payment Slip • WireSlip
  15. NightHunter Data Theft. NightHunter steals credentials for many services, for example: o Google o Facebook o Dropbox. In addition they are interested in:
     o Bitcoin stealing
     o Password managers
     o Firefox/Google Chrome/IE/Safari/Opera
     o Outlook
     o Pidgin/Trillian/Paltalk/AIM/IMVU
     o Various games and game bots
     o Filezilla/Flashfxp/CoreFTP/SmartFTP/FTP Commander
     o Yahoo
     o Hotmail
     o Amazon
     o Skype
     o LinkedIn
     o Banks, and others
  16. NightHunter Malware Components. NightHunter is the name of the campaign. It includes more than 3,000 unique malware binaries, keylogger trojans including the following families:
     o Predator Pain
     o Limitless logger lite
     o Keylogger Logları (SlloTBan)
     o Spyrex
     o FEDERIKOs Logger
     o Unknown Logger Public
     o Aux Logger
     o Neptune
     o Mr. Clyde Logger
     o Ultimate Logger
     o MY Ultimate Jobe
     o Syslogger
     o Syndicate Logger
  17. PredatorPain keylogger
  18. PredatorPain keylogger, www.predatorpain.com
  19. PredatorPain keylogger
  20. Limitless Logger keylogger, www.limitlessproducts.org
  21. Federiko’s Logger
  22. NightHunter binary analysis. Second-level .NET assembly decoded and loaded from memory. Killing security products feature.
  23. Poll question #2. What is the purpose of string obfuscation in malware? A: Make malware run more efficiently; B: For copyright reasons; C: Deter reverse engineering; D: Prevent static signature detection; E: C and D
  24. NightHunter binary analysis. .NET classes use non-printable characters. Here are 2 of the ten different string obfuscation techniques.
  25. NightHunter binary analysis. It even steals credentials of game banks. Steals data from various browsers.
  26. Conclusions
     1. NightHunter is a major data exfiltration campaign that went undetected for 5 years.
     2. Enterprises should monitor SMTP and other protocols for data theft.
     3. Intent of data collection is unknown; it appears the campaign is building up a heap of stolen credentials to enable new damaging cyber threats.
     4. Change your passwords frequently.
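The deck’s key defensive point (slide 8: no C&C, each sample pushes stolen data straight to a hard-coded public mail server; conclusion 2: monitor SMTP) translates into a simple egress check. The following is an added example, not Cyphort’s code; it assumes key=value egress-firewall logs, one sanctioned corporate mail relay at 10.1.0.25, and the constructed sample lines embedded below.

```python
import ipaddress
import re
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}          # plain SMTP, SMTPS, submission
# Assumed for this example: the only host allowed to speak SMTP outbound.
CORPORATE_RELAYS = {"10.1.0.25"}

# Constructed egress-firewall lines (key=value), not real telemetry.
# External addresses are RFC 5737 documentation ranges.
FIREWALL_LOG = """\
ts=2014-06-02T09:14:03 src=10.1.4.22 dst=203.0.113.25 dport=587 proto=tcp action=allow
ts=2014-06-02T09:14:05 src=10.1.4.22 dst=203.0.113.25 dport=587 proto=tcp action=allow
ts=2014-06-02T09:31:10 src=10.1.4.22 dst=203.0.113.25 dport=587 proto=tcp action=allow
ts=2014-06-02T09:40:51 src=10.1.9.7 dst=10.1.0.25 dport=25 proto=tcp action=allow
ts=2014-06-02T10:02:33 src=10.1.0.25 dst=198.51.100.7 dport=25 proto=tcp action=allow
ts=2014-06-02T10:11:07 src=10.1.5.13 dst=198.51.100.9 dport=443 proto=tcp action=allow
ts=2014-06-02T10:15:44 src=10.1.6.31 dst=192.0.2.44 dport=465 proto=tcp action=allow
ts=2014-06-02T10:16:02 src=10.1.6.31 dst=192.0.2.44 dport=465 proto=tcp action=deny
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn one key=value log line into a dict (dport as int)."""
    fields = dict(LINE_RE.findall(line))
    fields["dport"] = int(fields["dport"])
    return fields

def find_direct_smtp(log_text, relays=CORPORATE_RELAYS):
    """Return {src: stats} for internal hosts that reached SMTP ports on
    anything other than the sanctioned relay. Denied attempts count too:
    a blocked exfiltration try still marks an infected endpoint."""
    findings = defaultdict(lambda: {"count": 0, "dsts": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["dport"] not in SMTP_PORTS:
            continue
        src, dst = ev["src"], ev["dst"]
        if src in relays or dst in relays:
            continue                      # sanctioned mail path
        if not ipaddress.ip_address(src).is_private:
            continue                      # only our own endpoints matter here
        f = findings[src]
        f["count"] += 1
        f["dsts"].add(dst)
        f["first"] = f["first"] or ev["ts"]
        f["last"] = ev["ts"]
    return dict(findings)

if __name__ == "__main__":
    for src, f in find_direct_smtp(FIREWALL_LOG).items():
        print(f"{src}: {f['count']} SMTP connections to {sorted(f['dsts'])} "
              f"between {f['first']} and {f['last']}")
```

On the constructed log, the two workstations talking SMTP past the relay are reported while the relay’s own outbound mail and the host using the relay are not.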
  27. Q and A
     o Information sharing and advanced threats resources
     o Blogs on latest threats and findings
     o Tools for identifying malware
  28. Thank You!