Intro

In the second part of analyzing the “KrakenKeylogger”, I will dive into some proactive “threat hunting” steps I took during my research into the Kraken.
If you haven’t already read the first part of the Kraken analysis, be sure to check it out here.
With that said, let’s begin!

What do we have?

Let’s start with what we currently have and how we can pivot from it:

  • C2: thereccorp.com
  • Payload fetching domain: masherofmasters.cyou
  • Binary Name: KrakenStub

The hunt will be split into 4 parts:

  1. thereccorp.com analysis
  2. masherofmasters.cyou analysis
  3. UnpackMe Yara Hunt
  4. OSINT research

thereccorp.com Analysis

We start off with our final C2 domain, thereccorp.com. Searching for the domain in VirusTotal returns a solid 0/87 vendor detections:

image.png

Going to the Relations tab and looking at the Communicating Files, we can see 22 files, all of which were flagged as malicious:

image-2.png

All files are pretty recent (the oldest one is dated to the 7th of May 23), which helps us understand that the campaign is pretty new and is still being distributed.

Some files were already analyzed by various sandboxes, which helped me a lot, as I could download the files from those sandbox reports (most sandboxes I know allow downloading the examined sample). Let’s have a look at a couple of samples that were actually flagged falsely.

RareCommodityHelper.exe

Looking at the Vendor Threat Intelligence tab in the MalwareBazaar report, we can see that 3 different families are associated with the sample.

image-3.png

I opened the JoeSandbox report and simply searched for the string kraken, and surprisingly, look what popped up:

image-4.png

Why would AgentTesla malware have a file named KrakenStub during its execution?

I also took a look at the UnpackMe report.
Looking at the unpacked binary that was flagged as masslogger, we can see that the ProductName, FileDescription, OriginalFilename and InternalName share the same suspicious string we’re looking for: KrakenStub

image-5.png
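The version-information check described above can be repeated offline on any downloaded sample. The following is an added example, not code from the original post: a heuristic scan of raw file bytes for the four version fields, assuming well-formed version-info String structures. The function names and the sample bytes are constructed for illustration.

```python
import struct

# Fields named in the text above; "krakenstub" is the string being hunted.
FIELDS = ("ProductName", "FileDescription", "OriginalFilename", "InternalName")


def version_fields(data: bytes) -> dict:
    """Heuristic scan of raw PE bytes for version-info String structures.
    Layout: wLength, wValueLength (16-bit words), wType, UTF-16LE key,
    padding, then the UTF-16LE value occupying the end of the structure."""
    found = {}
    for field in FIELDS:
        key = field.encode("utf-16-le") + b"\x00\x00"
        pos = data.find(key)
        if pos < 6:
            continue  # key absent, or no room for the 6-byte header
        length, value_words, wtype = struct.unpack_from("<HHH", data, pos - 6)
        end = pos - 6 + length
        start = end - value_words * 2
        if wtype != 1 or start < pos + len(key) or end > len(data):
            continue  # bytes around the key are not a text String structure
        found[field] = data[start:end].decode("utf-16-le", "replace").rstrip("\x00")
    return found


def kraken_fields(data: bytes, needle: str = "krakenstub") -> list:
    """Version fields whose value contains the stub name (case-insensitive)."""
    return [f for f, v in version_fields(data).items() if needle in v.lower()]


def make_string(key: str, value: str) -> bytes:
    """Build one constructed String structure (sample data only)."""
    k = key.encode("utf-16-le") + b"\x00\x00"
    v = value.encode("utf-16-le") + b"\x00\x00"
    body = k + b"\x00" * (-(6 + len(k)) % 4) + v
    blob = struct.pack("<HHH", 6 + len(body), len(v) // 2, 1) + body
    return blob + b"\x00" * (-len(blob) % 4)


# Constructed sample: MZ stub followed by four String structures.
SAMPLE = b"MZ" + b"\x00" * 62 + b"".join(
    make_string(f, "KrakenStub.exe" if f == "OriginalFilename" else "KrakenStub")
    for f in FIELDS
)

if __name__ == "__main__":
    print("fields naming the stub:", kraken_fields(SAMPLE))
```

A sample whose vendor label says one family while all four fields name the stub is a candidate for relabelling and a closer look.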

RareCommodityHelper.exe

Going with the same approach as before, I took a look at the reports of the different vendors on the MalwareBazaar page and again found 3 different families:

image-6.png

I once again checked whether our suspicious Kraken string can be found in either the JoeSandbox or UnpackMe reports, and guess what?

image-7.png

image-8.png

Kraken was found in both of them once again.
At this point I felt comfortable with my findings from the C2 IOC.
Let’s move to the second domain we have.

masherofmasters.cyou Analysis

Typically when I encounter a domain I will investigate it in 3 main sources:

  1. VirusTotal
  2. URLscan
  3. URLhaus

Those 3 are my go-to sources for initial domain information gathering.

VirusTotal

Looking at the domain on VirusTotal can give us a lot of data, such as DNS records, JARM fingerprints, SSL certs, WHOIS lookup and much more, but the interesting part that I look at when doing a proactive hunt is the Relations tab. This tab can tell us which IPs this domain was assigned to, whether it has subdomains and which associated files this domain had a connection with:

image.png

Based on the given list, we can see that 5 files were .lnk files, which correlates with the execution flow explained in part 1. (From here you can take the files, see the execution flow when they’re detonated and compare it to your findings.)

URLscan

Unfortunately, at the time of investigation the domain was already terminated and no previous scans had been made on URLscan, so I couldn’t find anything about it here…

URLhaus

When I searched the domain in URLhaus I found about 12 hits:

image-2.png

Some of the files were flagged as MassLogger, others as SnakeKeylogger and also AgentTesla. I investigated all the files: the ones that were marked as AgentTesla were indeed that malware, but the samples flagged as MassLogger and SnakeKeylogger were actually our beloved Kraken.

UnpackMe Yara Hunt

UnpackMe provides a unique service: a proactive lookback over samples analyzed by the platform, based on a given Yara rule.
The rule I created was simply based on unique strings that I found in the sample:

rule Win_KrakenStealer {
    meta:
        description = "Win_KrakenStealer rules"
    strings:
        $s1 = "KrakenStub" ascii wide
        $s2 = "KrakenStub.exe" ascii wide
        $s3 = "Kraken_Keylogs_" ascii wide
        $s4 = "Kraken_Password_" ascii wide
        $s5 = "Kraken_Screenshot_" ascii wide
        $s6 = "Kraken_Clipboard_" ascii wide
        $s7 = "KrakenClipboardLog.txt" ascii wide

    condition:
        // PE file (MZ magic at offset 0) containing at least 5 of the 7 strings
        uint16(0) == 0x5a4d and 5 of ($s*)
}

And here is the result of the hunt:

image.png

In a 12-week lookback there were 11 samples that matched the given Yara rule; 8 of them were marked as MassLogger, so I took a look at one of them:

image-2.png

By simply looking at the File Version Information we can see that it’s 99% our Kraken. I downloaded the sample and opened it in DnSpy, and guess what?

image-3.png

It was our Kraken! So we found about 11 samples that were flagged falsely.
And with that our hunt for samples is done. From here you can pretty much correlate some IOCs to see whether or not it’s the same threat actor.
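To triage already-downloaded samples where YARA is not installed, the condition of the Win_KrakenStealer rule can be re-implemented directly. This is an added example, not code from the original post; the function names and the sample buffers are constructed for illustration. It also shows that because "KrakenStub" is a prefix of "KrakenStub.exe", a file embedding only four of the literals already reaches the threshold of 5.

```python
# Added example: the rule's condition re-implemented in plain Python.
# Strings are copied from the rule; make_sample() builds constructed test data.
KRAKEN_STRINGS = [
    "KrakenStub",
    "KrakenStub.exe",
    "Kraken_Keylogs_",
    "Kraken_Password_",
    "Kraken_Screenshot_",
    "Kraken_Clipboard_",
    "KrakenClipboardLog.txt",
]
THRESHOLD = 5  # "5 of ($s*)"


def matched_strings(data: bytes) -> list:
    """Rule strings found in data as ascii or as wide (UTF-16LE) bytes."""
    return [
        s for s in KRAKEN_STRINGS
        if s.encode("ascii") in data or s.encode("utf-16-le") in data
    ]


def is_kraken(data: bytes) -> bool:
    """uint16(0) == 0x5a4d (the bytes 'MZ') and at least 5 strings present."""
    return data[:2] == b"MZ" and len(matched_strings(data)) >= THRESHOLD


def make_sample(strings, wide=True, magic=b"MZ") -> bytes:
    """Constructed buffer: magic, filler, then the given strings."""
    enc = "utf-16-le" if wide else "ascii"
    return magic + b"\x90" * 64 + b"\x00\x00".join(s.encode(enc) for s in strings)


if __name__ == "__main__":
    four = ["KrakenStub.exe", "Kraken_Keylogs_", "Kraken_Password_", "Kraken_Screenshot_"]
    for name, buf in [
        ("all strings, wide", make_sample(KRAKEN_STRINGS)),
        ("four literals embedded", make_sample(four)),
        ("filename only", make_sample(["KrakenStub.exe"])),
        ("not a PE", make_sample(KRAKEN_STRINGS, magic=b"PK")),
    ]:
        print(f"{name}: hits={len(matched_strings(buf))} match={is_kraken(buf)}")
```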

OSINT Research

In this part I wanted to try and find the origin of the malware, so I tried two things:

  1. Search engine dorking
  2. Underground forums

Search Engine Dorking

I tried searching for the term "KrakenStub" malware in both Google and DuckDuckGo. Besides giving me 2 analyses, one from JoeSandbox and the second from Vmray, I couldn’t find anything useful, but it’s always good to try search engines because you never really know what you might find…

Underground Forums

There are several underground/hacking forums that you can find on the clear web without needing to go to TOR and pivot around the darknet.
One of the best-known hacking forums out there is HackForums, so I tried my luck and searched through the marketplace forum for “Kraken” keywords, and after quite some time I found this thread: #1 KrakenKeylogger | 3 Senders | E-Mail Client & Browser Recovery | Perfect Features, sold by a user named Krakenz:

image.png

What a perfect hit!
That particular finding made my day. I knew that this was it: I had closed the circle and could consider this case fully resolved.

Extra Findings

After I published part 1 of analyzing the Kraken, @jw4lsec and I had a small conversation, and he shared with me that Windows Defender was flagging the sample I’d shared during the investigation as a different malware upon each execution attempt:

image.png

image-2.png

Summary

In the 2nd part of analyzing the Kraken I’ve shown you my way of thinking and my approach to the process of threat hunting, especially when your gut tells you that something is not right. I hope that during those 2 parts of the analysis you’ve learned new things. Feel free to PM me via any social media.