Emissary Keylogger (May 20, 2010)

SonicWALL UTM Research team received reports of a new KeyLogger seen in the wild called Emissary Keylogger. This Keylogger builder has a free version and a paid version being sold in a hacker forum.

The Keylogger builder comprises of two files– Emissary.exe and Stub.exe. Emissary.exe as shown below is the first released version of the keylogger builder. It requires a malicious user to input email address where the captured keylogs will be sent, the keylogger server name to build, a Fake Message that will popup when the server runs, and system options such as blocking AV sites, adding entry to startup and disabling administrative tasks such as the task manager and Registry editor.

The builder will generate the keylogger server server.exe from Stub.exe, which the malicious user will use to target a victim.

An updated Emissary Builder v3.0 is also available with added features and functionalities such as:

• Supports Gmail, Hotmail and AOL email account
• FTP Backup
• Icon Changer
• Screenshot capture
• Execute Batch file
• Opening Webpage
• Start a Process
• Change Desktop Wallpaper
• Auto Startup Technique
• Adds Startup Registry entry
• Copy itself to Startup folder
• Sends logs in HTML format
• Can Spread via USB
• Download and Execute trojans
• Deletes Cookies
• Logs Clipboard
• Block Websites by modifying LocalHost File

  Default entries of this keylogger in Local Hosts file blocks the following security related websites:

  • 127.0.0.1 virustotal.com
  • 127.0.0.1 www.scanner.novirusthanks.org
  • 127.0.0.1 scanner.novirusthanks.org
  • 127.0.0.1 www.kaspersky.com
  • 127.0.0.1 kaspersky.com

• Sends System Information such as:
  
  • Username
  • Machine Name
  • Installed logical drives
  • IP
  • Installed Softwares.
• Disables the following Windows Features by adding registry entries such as:
  
  • Task Manager
  • Key: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem
    Value: DisableTaskMgr
    Data: dword:00000001
  • CMD
  • Key: HKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsSystem
    Value: DisableCMD
    Data: dword:00000001
  • Registry Editor
  • Key: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem
    Value: DisableRegistryTools
    Data: dword:00000001
  • Control Panel
  • Key: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer
    Value: NoControlPanel
    Data: dword:00000001
  • Folder Options
  • Key: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer
    Value: NoFolderOptions
    Data: dword:00000001
  • Run
  • Key: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer
    Value: NoRun
    Data: dword:00000001
  • Firewall
  • Key: HHKLMSystemCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfile
    Value: EnableFirewall
    Data: dword:00000000
  • Safeboot

  Deletes the following registry entry:

  • Key: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBoot
  • User Account Control (UAC)
  • Key: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciessystem
    Value: EnableLUA
    Data: dword:00000000
  • Right Click on Desktop and Windows Explorer
  • Key: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorer
    Value: NoViewContextMenu
    Data: dword:00000001

* Startup Folder is usually Documents and SettingsUsernameStart MenuPrograms
* LocalHost is {System Directory}Driversetchosts

Shown below are the screenshots of Emissary Builder v3:

Infection Cycle

Malware authors use different infection vectors to target as many unsuspecting users as possible. They employ social engineering techniques to lure the users into downloading and installing their malware. In one such instance of social engineering tactics used for Emissary keylogger, we saw the malware author use popular video sharing site YouTube which further contained link to a site where the keylogger was being hosted.

1. The Malware author will upload a video on Youtube.com. The Youtube video can pertain to anything that an unsuspecting user might be interested. It will lure the user to click the download link of the video which in fact is a link where the actual keylogger server can be downloaded. In this case, its the www.mediafire.com website.

2. With the use of the URL shortening tool, the user have no idea where the download link will be redirected. Once the user clicks the download link, it will be redirected to the website that hosts the keylogger server. The user will then download the file and executes it.

3. The keylogger will then start infecting the system and gathers information and sends it to the author’s email. Shown below is an email account of the malware author showing the list of computer machine’s infected.

SonicWALL Gateway AntiVirus provides protection against this Keylogger via GAV: EmissaryKeyLogger (Trojan) and GAV: EmissaryKeyLogger_2 (Trojan) signatures.

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.