Malware-as-a-Service Provides Sophisticated Features To Threat Actors
Cyble Research and Intelligence Labs (CRIL) has been continuously monitoring malware families that are new and active in the wild. Recently, CRIL observed a new malware strain named DuckLogs, which performs multiple malicious activities such as Stealer, Keylogger, Clipper, Remote access, etc. The CRIL also observed multiple active instances of DuckLogs C&C servers in the wild, indicating that the malware is emerging now.
DuckLogs is MaaS (Malware-as-a-Service). It steals users’ sensitive information, such as passwords, cookies, login data, histories, crypto wallet details, etc., and exfiltrates the stolen data from the victim’s machine to its C&C server. The below figure shows the Threat Actors (TAs) advertisement in the cybercrime forum about DuckLogs.
The TA has also claimed in the post that the malware has several features, as mentioned in the figure below.
The TA sells DuckLogs malware with three different plans, as listed below.
Web Panel:
The DuckLogs provides a sophisticated web panel that allows TAs to perform several operations, such as building the malware binary, monitoring, and downloading victims’ stolen logs, etc. The login page of the DuckLogs web panel is shown below.
The image below shows the dashboard page of the DuckLogs web panel, which displays overall global statistics of the victims infected by DuckLogs malware.
The TA can also build the malware binary by customizing the options provided on the Settings page of the web panel, as shown below.
The below image shows the Builder page of the stealer & dropper, allowing the TAs to build the required payload after enabling the necessary features on the Settings page. The dropper builder is an add-on feature in the web panel that builds another binary that acts as a dropper for delivering the customized DuckLogs malware to the users’ machine.
Technical Analysis
We have taken the sample hash (SHA256), e9bec9d4e28171c1a71acad17b20c32d503afa4f0ccfe5737171854b59344396, for our analysis. It is a 32-bit, .NET executable file named “BkfFB.exe”.
Upon execution of the BkfFB.exe, the Main() function decodes the hardcoded base64 encoded module named “Bunifu.UI.dll,” which is present in the binary and loads it in the memory using Invoke method as shown in Figure 8.
Stage 1
The new module “Bunifu.UI.dll” is an obfuscated .NET file that further executes the Bunifu_TextBox() function to retrieve the embedded bitmap image “Gmtpo” present in the resource of the parent malware file BkfFB.exe.
The malware uses the steganography technique to hide malicious content in the compressed bitmap image. The successful decompression of the bitmap image retrieves another .NET file in memory which is “MajorRevision.exe”, as shown in Figure 9. The “Bunifu.UI.dll” module now loads “MajorRevision.exe” using the Assembly.Load method passes the decompressed bitmap content as an argument and then invokes it.
Stage 2
Upon execution of the “MajorRevision.exe” module, it initially converts the larger array of bytes present in the module into HEX values which contains multiple Anti-Analysis, and Anti-Detection checks to prevent the execution of the malware in a controlled environment, as shown below.
In the next phase, the malware retrieves the final payload (“DuckLogs.exe”) in memory by converting another larger array of bytes which is also present in the “MajorRevision.exe.”
Finally, it injects the payload by creating a new process with the parent file name (“BkfFB.exe”) using the process hollowing technique shown below.
The below figure shows the file information of the final malware payload, “DuckLogs.exe”. Our static analysis indicates that the malware payload is a 32-bit, .NET compiled executable file protected by Obfuscator(1.0).
Final Payload Analysis
The DuckLogs final payload has code to perform malicious activities such as stealer, keylogger, and clipper functionalities. Additionally, the malware has the features such as persistence, UAC bypass, windows defender bypass, disabler, remote access, file grabber, etc.
Persistence and UAC Bypass
Upon execution, the malware creates a copy of itself into the Startup folder to establish persistence. Copying files into the Startup folder enables the TAs to execute the malicious file automatically when users log into infected systems.
The malware also bypasses the UAC (User Access Control) and automatically executes itself using admin privileges. After gaining elevated privileges, the attacker can steal sensitive data, change security settings, install additional malware, etc., on the victim’s system. The figure below shows the functions used by DuckLogs to perform persistence and UAC bypass.
Windows Defender Bypass
The malware executes the below PowerShell command to disable Windows Defender features in the Victims’ system.
- “C:WindowsSystem32WindowsPowerShellv1.0powershell.exe” Uninstall-WindowsFeature -Name Windows-Defender
Stealer
The “Stealer” module steals information such as bookmarks, history, cookies, downloads, and passwords from installed browsers and steals sensitive information from the applications such as email clients, messenger, VPN, etc.
The stealer also targets crypto wallets installed in the victim’s machine and sends all the stolen information to the TA. The figure below shows the functions used by the stealer module.
Clipper
The “Clipper” module hijacks cryptocurrency transactions by swapping the victim’s wallet address with the TA’s wallet address. The malware gets the victim’s clipboard data using the Clipboard.GetText() method, identifies the victim’s cryptocurrency wallet address by matching the regex pattern, and then the clipper replaces it with the TAs wallet address using the Clipboard.SetText() method.
It supports crypto wallets such as BCH (Bitcoin Cash), BTC (Bitcoin), DOGE (Dogecoin), ETH (Ethereum), LTC (Litecoin), XLR (Solaris), XMR (Monero), and XRP (Ripple). The below figure shows the code snippet used to perform the clipper activity.
Keylogger
The “Logger” module monitors and stores the keystrokes in the victim’s machine. The captured keystrokes are saved in the %temp% folder for exfiltration. The below image shows the code snippet used by the malware for keylogging purposes.
Disablers
The “Disablers” module can disable the features such as Task manager, Run, CMD, and RegEdit on the victim’s machine by using the function shown in the figure below.
File Grabber
The “Grabber” module grabs browser-related files such as Bookmark, History, LoginData, LocalState, and Cookies from the victim’s system and sends them to the attacker. The figure below shows the browser names targeted by the File Grabber Module.
Remote Control
The TAs can take control of the victim’s machine by using the “Control” module and perform activities such as:
- Transfer and execute other files in the Victims machine.
- Open any URL in the browsers
- Shut down, Restart, Logoff, and Lock the machine.
- Uninstall malware from the system
- Send message
- Perform a DoS (Denial-of-Service)attack
- Show BSOD (Blue Screen Of Death)
- Disable mouse and keyboard inputs etc.
The below figure shows the functions used by the malware for performing remote control activities.
Command and Control
Finally, the malware exfiltrates all sensitive data from the victims’ machine to its Command and Control (C&C) server ducklogs[.]com. CRIL has also observed the following DuckLogs C&C domains active in the wild:
- hxxps[:]//lovableduck[.]ru
- hxxp[:]//ilovetheducks[.]ru
- hxxp[:]//quackquack[.]ru
- hxxps[:]//smallduck[.]ru
Conclusion
DuckLogs is a unique combination of Stealer, Keylogger, and Clipper malware bundled into one malicious software package available in cybercrime forums for a relatively low price, making this threat dangerous to a wider set of potential victims.
Cyble Research and Intelligence Labs will continue monitoring the new malware strains in the wild and update blogs with actionable intelligence to protect users from such notorious attacks.
Our Recommendations
- The initial infection may happen via spam email, so enterprises should use email-based security to detect phishing emails. One should also refrain from opening untrusted links and email attachments without verifying their authenticity.
- The compiled DuckLogs binary is packed and protected by multiple layers. Using a reputed antivirus is thus recommended on connected devices, including PCs and laptops. The security software should have the latest security updates to detect new malware families such as DuckLogs.
- DuckLogs is capable of performing Clipper activity. Users should carefully check their wallet addresses before making any cryptocurrency transaction to ensure there is no change when copying and pasting the actual wallet addresses.
- Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
- Block URLs that could spread the malware, e.g., Torrent/Warez.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Execution | T1204 T1059 T1047 |
User Execution PowerShell Windows Management Instrumentation |
| Persistence | T1547 | Registry Run Keys / Startup Folder |
| Privilege Escalation | T1055 | Process Injection |
| Defense Evasion | T1562 T1497 |
Disable or Modify Tools Virtualization/Sandbox Evasion |
| Discovery | T1057 T1082 T1518 |
Process Discovery System Information Discovery Security Software Discovery |
| Command and Control | T1071 T1105 T1573 T1102 |
Application Layer Protocol Ingress Tool Transfer Encrypted Channel Web Service |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type |
Description | ||
| 5bbbef641b0d73309939c16a8bb1621b c790ad50365158aecd4599ebab8db004bf9a9091 e9bec9d4e28171c1a71acad17b20c32d503afa4f0ccfe5737171854b59344396 |
MD5 SHA1 Sha256 |
BkfFB.exe (Main file) | ||
| 58a0f68310f775b4bd4ea251064ed667 83c727335125f06b712cf4390bb9d265f77088a0 e15bf47074cc31f3445b3efb8ad75fac95ab085b5598cc82075902292ab8276b |
MD5 SHA1 Sha256 |
DuckLogs.exe (Final payload) |
||
| Ducklogs[.]com | Domain | C&C | ||
| lovableduck[.]ru ilovetheducks[.]ru quackquack[.]ru smallduck[.]ru | Domain | Similar C&C | ||
| 179[.]43[.]187[.]84 | IP | C&C | ||
| hxxp://lovableduck[.]ru/host/drops/eYjqq6Ezx/ee48v958r[.]exe hxxp://ilovetheducks[.]ru/host/drops/Gh879pKQj/btvM8o8sv[.]exe hxxp://quackquack[.]ru/host/drops/g6tujhiry/hjt50kzbo[.]exe hxxp://quackquack[.]ru/host/drops/Gh879pKQj/btvM8o8sv[.]exe hxxp://quackquack[.]ru/host/drops/jgh1zyoel/fsgrvawrq[.]exe hxxp://smallduck[.]ru/host/drops/ezQEvGqPI/nZAQiWiHm[.]exe hxxp://smallduck[.]ru/host/drops/SrM7WQD2E/7s4udn5F1[.]exe hxxp://smallduck[.]ru/host/drops/20NVT6CUe/9GseGAVEy[.]exe hxxp://lovableduck[.]ru/host/drops/KI2kRAS0x/rrxgKvAJd[.]exe hxxp://lovableduck[.]ru/host/drops/k1rf7fmny/lr2xfd9m9[.]exe hxxp://ilovetheducks[.]ru/host/drops/e563bgj4y/hrldcrajl[.]exe hxxp://ilovetheducks[.]ru/host/drops/JTQ4iHTm3/wT9lPlvPK[.]exe | URL | Payload | ||
Related
Source: https://blog.cyble.com/2022/12/01/ducklogs-new-malware-strain-spotted-in-the-wild/