Malware-as-a-Service Provides Sophisticated Features To Threat Actors
Cyble Research and Intelligence Labs (CRIL) continuously monitors new and active malware families in the wild. Recently, CRIL observed a new malware strain named DuckLogs, which performs multiple malicious activities, including information stealing, keylogging, clipboard hijacking (clipper), and remote access. CRIL also observed multiple active DuckLogs C&C servers in the wild, indicating that the malware is emerging now.
DuckLogs is a MaaS (Malware-as-a-Service) offering. It steals users’ sensitive information, such as passwords, cookies, login data, browsing histories, and crypto wallet details, and exfiltrates the stolen data from the victim’s machine to its C&C server. The figure below shows the Threat Actor’s (TA’s) advertisement for DuckLogs on a cybercrime forum.

The TA has also claimed in the post that the malware has several features, as mentioned in the figure below.

The TA sells DuckLogs malware with three different plans, as listed below.

Web Panel:
DuckLogs provides a sophisticated web panel that allows TAs to perform several operations, such as building the malware binary, monitoring victims, and downloading victims’ stolen logs. The login page of the DuckLogs web panel is shown below.

The image below shows the dashboard page of the DuckLogs web panel, which displays overall global statistics of the victims infected by DuckLogs malware.

The TA can also build the malware binary by customizing the options provided on the Settings page of the web panel, as shown below.

The below image shows the Builder page of the stealer & dropper, allowing the TAs to build the required payload after enabling the necessary features on the Settings page. The dropper builder is an add-on feature in the web panel that builds another binary that acts as a dropper for delivering the customized DuckLogs malware to the users’ machine.

Technical Analysis
We have taken the sample hash (SHA256), e9bec9d4e28171c1a71acad17b20c32d503afa4f0ccfe5737171854b59344396, for our analysis. It is a 32-bit, .NET executable file named “BkfFB.exe”.
Upon execution of BkfFB.exe, the Main() function decodes a hardcoded base64-encoded module named “Bunifu.UI.dll”, which is embedded in the binary, loads it in memory, and runs it via the Invoke method, as shown in Figure 8.

Stage 1
The new module “Bunifu.UI.dll” is an obfuscated .NET file that executes the Bunifu_TextBox() function to retrieve the embedded bitmap image “Gmtpo” from the resources of the parent malware file, BkfFB.exe.
The malware uses steganography to hide malicious content in the compressed bitmap image. Decompressing the bitmap yields another .NET file in memory, “MajorRevision.exe”, as shown in Figure 9. The “Bunifu.UI.dll” module then loads “MajorRevision.exe” by passing the decompressed bitmap content to the Assembly.Load method, and invokes it.
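Stage 1 hinges on a base64-encoded .NET module hidden inside the host binary. As an added triage illustration (not code from Cyble or from the malware), the script below scans a byte buffer for long base64 runs, decodes each one, and keeps only those that decode to a PE image by checking the MZ header and the PE signature at e_lfanew. The 64-character run threshold is an assumption, and the host buffer built in demo() is constructed, not extracted from BkfFB.exe.

```python
"""Triage helper: find base64-encoded PE images embedded in a host binary.

Added illustration for the DuckLogs analysis; this is not code from Cyble,
nor from the malware. The 64-character run threshold is an assumption, and
the host buffer built in demo() is constructed, not extracted from BkfFB.exe.
"""
import base64
import re
import struct
from typing import List, Tuple

# Any run of base64 alphabet long enough to hold at least a DOS header.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_embedded_pe(data: bytes) -> List[Tuple[int, bytes]]:
    """Decode every long base64 run and keep those that decode to a PE image.

    Returns (offset_in_host, decoded_bytes) pairs. Up to three leading characters
    are skipped so a run that starts mid-identifier still decodes aligned.
    """
    hits = []
    for m in _B64_RUN.finditer(data):
        run = m.group(0)
        for skip in range(4):
            candidate = run[skip:]
            candidate += b"=" * (-len(candidate) % 4)   # restore stripped padding
            try:
                decoded = base64.b64decode(candidate, validate=True)
            except ValueError:                          # binascii.Error subclasses ValueError
                continue
            if looks_like_pe(decoded):
                hits.append((m.start() + skip, decoded))
                break
    return hits


def _fake_pe() -> bytes:
    """Constructed PE-shaped blob for the demo: MZ header, e_lfanew -> 'PE\\0\\0'. Not runnable code."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)           # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x80)         # e_lfanew = 0x80
    hdr += b"\0" * (0x80 - len(hdr))                # pad to the NT header offset
    hdr += b"PE\0\0" + b"\0" * 20                   # signature + (empty) file header
    return bytes(hdr)


def demo() -> int:
    """Embed the fake image in a constructed host buffer next to a base64 decoy."""
    host = (b".NET resource data " + base64.b64encode(_fake_pe())
            + b" decoy " + base64.b64encode(b"not a PE file, just text" * 6))
    return len(find_embedded_pe(host))


if __name__ == "__main__":
    print("embedded PE images found:", demo())
```

On a real sample you would feed the script the bytes of the dropper; a decoded hit can then be written to disk and examined with a .NET decompiler. The same header check is what separates a genuine embedded assembly from the many long base64 strings (certificates, icons, serialized settings) that legitimately occur in .NET binaries.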

Stage 2
Upon execution of the “MajorRevision.exe” module, it first converts a large byte array present in the module into hex values, which contain multiple anti-analysis and anti-detection checks intended to prevent the malware from running in a controlled environment, as shown below.

In the next phase, the malware retrieves the final payload (“DuckLogs.exe”) in memory by converting another large byte array, also present in “MajorRevision.exe.”
Finally, it injects the payload into a new process created under the parent file name (“BkfFB.exe”) using the process hollowing technique, as shown below.

The below figure shows the file information of the final malware payload, “DuckLogs.exe”. Our static analysis indicates that the malware payload is a 32-bit, .NET compiled executable file protected by Obfuscator(1.0).

Final Payload Analysis
The DuckLogs final payload contains code for stealer, keylogger, and clipper functionality. Additionally, the malware has features such as persistence, UAC bypass, Windows Defender bypass, disablers, remote access, and a file grabber.
Persistence and UAC Bypass
Upon execution, the malware creates a copy of itself into the Startup folder to establish persistence. Copying files into the Startup folder enables the TAs to execute the malicious file automatically when users log into infected systems.
The malware also bypasses UAC (User Account Control) and automatically re-executes itself with admin privileges. After gaining elevated privileges, the attacker can steal sensitive data, change security settings, install additional malware, etc., on the victim’s system. The figure below shows the functions used by DuckLogs to perform persistence and UAC bypass.

Windows Defender Bypass
The malware executes the PowerShell command below to disable Windows Defender features on the victim’s system.
- “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” Uninstall-WindowsFeature -Name Windows-Defender
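The Defender-removal command above is a high-fidelity detection signal. As an added example (not Cyble's or the malware's code), the script below parses a small set of constructed command-line records and flags any invocation of Uninstall-WindowsFeature (or its Remove-WindowsFeature alias) that names the Windows-Defender feature, regardless of casing, spacing or parameter order. The 'timestamp|host|user|command' layout is an assumption about the log source, not a real event schema.

```python
"""Flag PowerShell invocations that remove the Windows Defender feature.

Added detection example for the DuckLogs write-up; it is not Cyble's or the
malware's code. The records below are constructed to resemble command-line /
script block logging events, and the 'timestamp|host|user|command' layout is
an assumption about the log source, not a real event schema.
"""
import re
from typing import Dict, List, Optional

# The command reported in the analysis, matched case-insensitively and tolerant
# of extra whitespace or parameter order. Remove-WindowsFeature is the cmdlet's alias.
DEFENDER_REMOVAL = re.compile(
    r"(?i)\b(uninstall|remove)-windowsfeature\b[^;\n]*?\bwindows-defender\b"
)


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed 'timestamp|host|user|command' record into fields."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    ts, host, user, command = (p.strip() for p in parts)
    return {"ts": ts, "host": host, "user": user, "command": command}


def detect_defender_removal(lines: List[str]) -> List[Dict[str, str]]:
    """Return the records whose command tries to uninstall the Windows-Defender feature."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        m = DEFENDER_REMOVAL.search(rec["command"])
        if m:
            rec["matched"] = m.group(0)
            alerts.append(rec)
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    '2022-12-01T10:02:11Z|WS-017|ACME\\jdoe|"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Uninstall-WindowsFeature -Name Windows-Defender',
    "2022-12-01T10:02:40Z|WS-017|ACME\\jdoe|Get-MpComputerStatus",
    "2022-12-01T10:05:03Z|SRV-02|ACME\\svc_build|uninstall-windowsfeature   -name   windows-defender -Remove",
    "2022-12-01T10:07:19Z|SRV-02|ACME\\admin|Uninstall-WindowsFeature -Name Web-Server",
    "malformed line without separators",
]


if __name__ == "__main__":
    for a in detect_defender_removal(SAMPLE_LOG):
        print(f"{a['ts']} {a['host']} {a['user']}: {a['matched']}")
```

Two practical notes: Uninstall-WindowsFeature belongs to the ServerManager module and exists only on Windows Server editions, so on a Windows 10/11 client the command simply fails; the attempt itself is still the signal, and the failure should not be read as "nothing happened". Where PowerShell script block logging is enabled, the same pattern can be applied to the ScriptBlockText of Event ID 4104 records.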
Stealer
The “Stealer” module steals information such as bookmarks, history, cookies, downloads, and passwords from installed browsers, and also steals sensitive information from applications such as email clients, messengers, VPN clients, etc.
The stealer also targets crypto wallets installed in the victim’s machine and sends all the stolen information to the TA. The figure below shows the functions used by the stealer module.

Clipper
The “Clipper” module hijacks cryptocurrency transactions by swapping the victim’s wallet address with the TA’s wallet address. The malware reads the victim’s clipboard data using the Clipboard.GetText() method, identifies a cryptocurrency wallet address by matching a regex pattern, and then replaces it with the TA’s wallet address using the Clipboard.SetText() method.
It supports crypto wallets such as BCH (Bitcoin Cash), BTC (Bitcoin), DOGE (Dogecoin), ETH (Ethereum), LTC (Litecoin), XLR (Solaris), XMR (Monero), and XRP (Ripple). The below figure shows the code snippet used to perform the clipper activity.
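The clipper's trick is that the swapped-in address is of the same coin as the one the user copied, so it survives a casual glance. As an added defensive example (not Cyble's or the malware's code), the script below classifies clipboard text by coin with regex patterns for the coins listed above and raises an alert when the clipboard changes to a different address of the same coin without a user copy. The regexes are simplified approximations of each address format (an assumption made for illustration, not a validator), XLR (Solaris) is omitted because its format is not covered here, and every address in demo() is constructed, not a real wallet.

```python
"""Clipboard-swap guard covering the address formats DuckLogs' clipper targets.

Added defensive example; not Cyble's or the malware's code. The regexes are
simplified approximations of each coin's address format (an assumption made for
illustration, not a validator), XLR (Solaris) is omitted because its format is
not covered here, and every address in demo() is constructed, not a real wallet.
"""
import re
from typing import Dict, Optional

# Tried in order: unambiguous prefixes (0x, 4.., bitcoincash:) first. BTC P2SH and
# LTC P2SH both begin with '3', so a '3...' address is labelled BTC here.
WALLET_PATTERNS = [
    ("ETH", re.compile(r"0x[0-9a-fA-F]{40}")),
    ("XMR", re.compile(r"4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}")),
    ("BCH", re.compile(r"(bitcoincash:)?[qp][a-z0-9]{41}")),
    ("BTC", re.compile(r"bc1[a-z0-9]{39,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34}")),
    ("LTC", re.compile(r"ltc1[a-z0-9]{39,59}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33}")),
    ("DOGE", re.compile(r"D[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}")),
    ("XRP", re.compile(r"r[1-9A-HJ-NP-Za-km-z]{24,34}")),
]


def classify(text: str) -> Optional[str]:
    """Return the coin whose address pattern the whole text matches, or None."""
    text = text.strip()
    for coin, pattern in WALLET_PATTERNS:
        if pattern.fullmatch(text):
            return coin
    return None


class ClipboardGuard:
    """Remember what the user copied; alert if it turns into another address of the same coin."""

    def __init__(self) -> None:
        self.expected: Optional[str] = None   # address the user actually copied
        self.coin: Optional[str] = None

    def on_user_copy(self, text: str) -> Optional[str]:
        """Called when the user performs a copy; returns the detected coin, if any."""
        self.coin = classify(text)
        self.expected = text.strip() if self.coin else None
        return self.coin

    def on_clipboard_change(self, text: str) -> Optional[Dict[str, str]]:
        """Called when clipboard content changes without a user copy.

        Returns an alert dict when a wallet address was replaced by a different
        address of the same coin, which is exactly the clipper's behaviour.
        """
        if self.expected is None:
            return None
        new = text.strip()
        if new == self.expected:
            return None
        coin = classify(new)
        if coin == self.coin:
            return {"coin": coin, "expected": self.expected, "found": new}
        return None


def demo() -> Optional[Dict[str, str]]:
    """Constructed scenario: user copies an ETH address, clipper swaps it for another."""
    guard = ClipboardGuard()
    user_address = "0x0123456789abcdef0123456789abcdef01234567"   # constructed, not real
    swapped_address = "0x" + "deadbeef" * 5                         # constructed, not real
    guard.on_user_copy(user_address)
    return guard.on_clipboard_change(swapped_address)


if __name__ == "__main__":
    print(demo())
```

Wiring this to a real clipboard requires the platform's clipboard-change notification (on Windows, a clipboard format listener) so that changes not caused by a user copy can be distinguished from ordinary copies; the logic above is what such a listener would call. It implements, in code, the manual check the recommendations section asks users to perform before every transaction.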

Keylogger
The “Logger” module monitors and stores the keystrokes in the victim’s machine. The captured keystrokes are saved in the %temp% folder for exfiltration. The below image shows the code snippet used by the malware for keylogging purposes.

Disablers
The “Disablers” module can disable features such as Task Manager, Run, CMD, and RegEdit on the victim’s machine by using the function shown in the figure below.

File Grabber
The “Grabber” module grabs browser-related files such as Bookmark, History, LoginData, LocalState, and Cookies from the victim’s system and sends them to the attacker. The figure below shows the browser names targeted by the File Grabber Module.

Remote Control
The TAs can take control of the victim’s machine by using the “Control” module and perform activities such as:
- Transfer and execute other files on the victim’s machine
- Open any URL in the browser
- Shut down, restart, log off, and lock the machine
- Uninstall the malware from the system
- Send a message
- Perform a DoS (Denial-of-Service) attack
- Show a BSOD (Blue Screen of Death)
- Disable mouse and keyboard input, etc.
The below figure shows the functions used by the malware for performing remote control activities.

Command and Control
Finally, the malware exfiltrates all sensitive data from the victims’ machine to its Command and Control (C&C) server ducklogs[.]com. CRIL has also observed the following DuckLogs C&C domains active in the wild:
- hxxps[:]//lovableduck[.]ru
- hxxp[:]//ilovetheducks[.]ru
- hxxp[:]//quackquack[.]ru
- hxxps[:]//smallduck[.]ru
Conclusion
DuckLogs is a unique combination of Stealer, Keylogger, and Clipper malware bundled into one malicious software package available in cybercrime forums for a relatively low price, making this threat dangerous to a wider set of potential victims.
Cyble Research and Intelligence Labs will continue monitoring the new malware strains in the wild and update blogs with actionable intelligence to protect users from such notorious attacks.
Our Recommendations
- The initial infection may happen via spam email, so enterprises should use email-based security to detect phishing emails. One should also refrain from opening untrusted links and email attachments without verifying their authenticity.
- The compiled DuckLogs binary is packed and protected by multiple layers. Using a reputed antivirus is thus recommended on connected devices, including PCs and laptops. The security software should have the latest security updates to detect new malware families such as DuckLogs.
- DuckLogs is capable of performing Clipper activity. Users should carefully check their wallet addresses before making any cryptocurrency transaction to ensure there is no change when copying and pasting the actual wallet addresses.
- Educate employees on protecting themselves from threats like phishing and untrusted URLs.
- Block URLs that could spread the malware, e.g., Torrent/Warez.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Execution | T1204 | User Execution |
| Execution | T1059 | PowerShell |
| Execution | T1047 | Windows Management Instrumentation |
| Persistence | T1547 | Registry Run Keys / Startup Folder |
| Privilege Escalation | T1055 | Process Injection |
| Defense Evasion | T1562 | Disable or Modify Tools |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
| Discovery | T1057 | Process Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1518 | Security Software Discovery |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1105 | Ingress Tool Transfer |
| Command and Control | T1573 | Encrypted Channel |
| Command and Control | T1102 | Web Service |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| --- | --- | --- |
| 5bbbef641b0d73309939c16a8bb1621b | MD5 | BkfFB.exe (Main file) |
| c790ad50365158aecd4599ebab8db004bf9a9091 | SHA1 | BkfFB.exe (Main file) |
| e9bec9d4e28171c1a71acad17b20c32d503afa4f0ccfe5737171854b59344396 | SHA256 | BkfFB.exe (Main file) |
| 58a0f68310f775b4bd4ea251064ed667 | MD5 | DuckLogs.exe (Final payload) |
| 83c727335125f06b712cf4390bb9d265f77088a0 | SHA1 | DuckLogs.exe (Final payload) |
| e15bf47074cc31f3445b3efb8ad75fac95ab085b5598cc82075902292ab8276b | SHA256 | DuckLogs.exe (Final payload) |
| ducklogs[.]com | Domain | C&C |
| lovableduck[.]ru | Domain | Similar C&C |
| ilovetheducks[.]ru | Domain | Similar C&C |
| quackquack[.]ru | Domain | Similar C&C |
| smallduck[.]ru | Domain | Similar C&C |
| 179[.]43[.]187[.]84 | IP | C&C |
| hxxp://lovableduck[.]ru/host/drops/eYjqq6Ezx/ee48v958r[.]exe | URL | Payload |
| hxxp://ilovetheducks[.]ru/host/drops/Gh879pKQj/btvM8o8sv[.]exe | URL | Payload |
| hxxp://quackquack[.]ru/host/drops/g6tujhiry/hjt50kzbo[.]exe | URL | Payload |
| hxxp://quackquack[.]ru/host/drops/Gh879pKQj/btvM8o8sv[.]exe | URL | Payload |
| hxxp://quackquack[.]ru/host/drops/jgh1zyoel/fsgrvawrq[.]exe | URL | Payload |
| hxxp://smallduck[.]ru/host/drops/ezQEvGqPI/nZAQiWiHm[.]exe | URL | Payload |
| hxxp://smallduck[.]ru/host/drops/SrM7WQD2E/7s4udn5F1[.]exe | URL | Payload |
| hxxp://smallduck[.]ru/host/drops/20NVT6CUe/9GseGAVEy[.]exe | URL | Payload |
| hxxp://lovableduck[.]ru/host/drops/KI2kRAS0x/rrxgKvAJd[.]exe | URL | Payload |
| hxxp://lovableduck[.]ru/host/drops/k1rf7fmny/lr2xfd9m9[.]exe | URL | Payload |
| hxxp://ilovetheducks[.]ru/host/drops/e563bgj4y/hrldcrajl[.]exe | URL | Payload |
| hxxp://ilovetheducks[.]ru/host/drops/JTQ4iHTm3/wT9lPlvPK[.]exe | URL | Payload |
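The C&C domains in the Command and Control section and the table above are published defanged (hxxp, [.], [:]), so they cannot be dropped into a log search as-is. As an added example for both sections (not Cyble's tooling), the script below refangs the indicators, derives the host set, and matches requested URLs in a few constructed proxy log lines against it, flagging subdomains of an IOC domain as well as the exact payload URLs. The indicator strings are copied from the report; the log lines and their 'timestamp client method url status' layout are constructed.

```python
"""Refang the defanged DuckLogs indicators and match them against proxy logs.

Added example for the C&C and IOC sections; it is not Cyble's tooling. The
indicator strings are copied from the report as published; the proxy log lines
and their 'timestamp client method url status' layout are constructed.
"""
import re
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Defanged indicators as they appear in the report.
RAW_IOCS = [
    "ducklogs[.]com",
    "hxxps[:]//lovableduck[.]ru",
    "hxxp[:]//ilovetheducks[.]ru",
    "hxxp[:]//quackquack[.]ru",
    "hxxps[:]//smallduck[.]ru",
    "179[.]43[.]187[.]84",
    "hxxp://quackquack[.]ru/host/drops/g6tujhiry/hjt50kzbo[.]exe",
    "hxxp://smallduck[.]ru/host/drops/ezQEvGqPI/nZAQiWiHm[.]exe",
]


def refang(indicator: str) -> str:
    """Undo the common defanging conventions: [.] / (.) -> '.', [:] -> ':', hxxp -> http."""
    s = indicator.strip()
    s = re.sub(r"\[\.\]|\(\.\)", ".", s)
    s = s.replace("[:]", ":")
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s


def indicator_host(indicator: str) -> str:
    """Host (domain or IP) of a refanged indicator, lowercased."""
    s = refang(indicator)
    if "://" in s:
        return (urlsplit(s).hostname or "").lower()
    return s.split("/", 1)[0].lower()


IOC_HOSTS: Set[str] = {indicator_host(i) for i in RAW_IOCS}
# Only indicators with a real path count as exact payload URLs.
IOC_URLS: Set[str] = {
    refang(i).lower() for i in RAW_IOCS
    if "://" in refang(i) and urlsplit(refang(i)).path not in ("", "/")
}


def scan_proxy_log(lines: List[str]) -> List[Dict[str, object]]:
    """Report every requested URL whose host is an IOC host or a subdomain of one."""
    hits = []
    for line in lines:
        for url in re.findall(r"https?://\S+", line):
            host = (urlsplit(url).hostname or "").lower()
            if host in IOC_HOSTS or any(host.endswith("." + h) for h in IOC_HOSTS):
                hits.append({"line": line, "host": host,
                             "exact_payload_url": url.lower() in IOC_URLS})
    return hits


# Constructed proxy records, not real traffic.
SAMPLE_LOG = [
    "2022-12-01T09:15:02Z 10.0.0.12 GET http://quackquack.ru/host/drops/g6tujhiry/hjt50kzbo.exe 200",
    "2022-12-01T09:15:09Z 10.0.0.12 POST https://lovableduck.ru/ 200",
    "2022-12-01T09:16:30Z 10.0.0.40 GET https://www.example.com/index.html 200",
    "2022-12-01T09:17:44Z 10.0.0.12 GET http://179.43.187.84/ 404",
    "2022-12-01T09:18:01Z 10.0.0.12 GET http://cdn.smallduck.ru/update 200",
]


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["host"], "exact payload URL" if hit["exact_payload_url"] else "host match")
```

The payload paths under /host/drops/ are per-build and rotate, so matching on the host is what catches the next build; the exact-URL flag is there to separate a confirmed download of a known sample from generic contact with the infrastructure.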
Source: https://blog.cyble.com/2022/12/01/ducklogs-new-malware-strain-spotted-in-the-wild/