The programmable keylogger APT-4

Keylogger/Keystroke

Every key pressed on a telephone keypad emits a pair of tones, and that scheme is called DTMF (Dual Tone Multi Frequency); such tones can be decoded with common apps on the Play Store/App Store. A computer keyboard does not emit DTMF, but each key does make a faint, slightly different sound, and researchers have shown that a recording of typing can be used to recover the keys pressed. Doing this by ear is impractical: it needs near-perfect silence and at least two or three years of practice.

 

Keylogger

 

But keystrokes can also be captured with software. Yes, you read that right. Using frameworks that were available between 2010 and 2013, attackers built keyloggers aimed at the defense, aerospace and commercial sectors, and the group behind them was later named APT-4. Curious about APT-1, APT-2 and APT-3? Check out our other blog posts.

 


APT-4 (Advanced Persistent Threat)

Like APT-2 and APT-3, this group is suspected to operate from China, and its main aim is to steal information from compromised computers, typically by planting backdoors. It is also tracked under the names Maverick Panda, Sykipot Group and Wisp Team. Very little about the group itself has surfaced publicly, which suggests a disciplined, state-backed operation that keeps quiet once a job is done. Its main objective was to plant a keystroke logger inside the targeted agencies without their knowledge.

 

Adware

 

To get there, the group sent waves of phishing e-mails, but it did not stop at e-mail: it also used malicious advertisements and booby-trapped image files on websites to spread the malware. A user who opens the e-mail, clicks the advertisement or views the image becomes a victim.


The Behavior Model of APT-4

  • Temp directory and the Microsoft Apps
  • The stealthy actor
  • Remote Code Execution
  • The worst malware design

 

 

Temp directory and the Microsoft Apps

Temp Directory

The Temp directory holds scratch files that Windows and applications write while they run (installer payloads, caches, partially downloaded content); it was never meant to hold programs. There are two such locations: a system one at "C:\Windows\Temp" and a per-user one at "%USERPROFILE%\AppData\Local\Temp" (on Windows XP and earlier versions, "%USERPROFILE%\Local Settings\Temp"). Because the per-user folder is writable by any logged-in user, fills up with junk and is rarely inspected, the authors of APT-4 used it as stealthy storage.


The Microsoft Apps

The malware drops two files, one with an .exe extension and one with a .dll extension. Users are usually afraid of touching files that look system-related: some delete the .exe, others run it, and either way the infection proceeds. Once active, the malware creates a folder under %TEMP% and writes everything the user types into it. It then searches the files of Outlook, Firefox and Internet Explorer, the versions used on Windows XP and 2000. The same log is uploaded to the group's command-and-control (C2) servers at regular intervals. The operators' tooling is Chinese: for example, when a German user is infected, the keylogger output is handled through Google Pinyin and stored in the operators' own language (Chinese).
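The regular upload to the C2 servers described above is something a defender can look for in proxy logs, because scheduled uploads keep a near-constant interval while ordinary browsing does not. The following Python script is an added example, not code from the original post or from the APT-4 tooling: it groups requests by client and destination and flags pairs whose inter-request gaps barely vary. The log lines, hostnames and the simplified log format are constructed for illustration; a real proxy log needs its own parser.

```python
"""Flag destinations that a client contacts at a near-constant interval.

Added example; the log format is a constructed, simplified proxy log and the
hostnames are placeholders, not indicators from the APT-4 campaign.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one client, a suspected C2 host contacted every ~5 min
# with small POST uploads, plus ordinary browsing noise.
# Format: "<ISO timestamp> <client> <method> <destination host> <bytes>"
SAMPLE_LOG = """\
2013-03-04T09:00:00 10.0.0.7 POST update.example-c2.test 2048
2013-03-04T09:00:12 10.0.0.7 GET www.example-news.test 512
2013-03-04T09:05:01 10.0.0.7 POST update.example-c2.test 2112
2013-03-04T09:07:40 10.0.0.7 GET www.example-news.test 480
2013-03-04T09:10:00 10.0.0.7 POST update.example-c2.test 1980
2013-03-04T09:15:02 10.0.0.7 POST update.example-c2.test 2050
2013-03-04T09:16:30 10.0.0.7 GET cdn.example-news.test 9000
2013-03-04T09:20:01 10.0.0.7 POST update.example-c2.test 2201
2013-03-04T09:25:00 10.0.0.7 POST update.example-c2.test 2007
"""


def parse_line(line):
    """Split one log line into (timestamp, client, method, host, bytes)."""
    ts, client, method, host, nbytes = line.split()
    return datetime.fromisoformat(ts), client, method, host, int(nbytes)


def gaps_by_destination(log_text):
    """Map (client, host) -> seconds between successive requests, in time order."""
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, client, _method, host, _nbytes = parse_line(line)
            stamps[(client, host)].append(ts)
    gaps = {}
    for key, times in stamps.items():
        times.sort()
        gaps[key] = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return gaps


def find_beacons(log_text, min_connections=4, max_jitter=0.10):
    """Return [(client, host, mean_interval_s)] for destinations whose
    inter-request gaps vary by at most max_jitter (standard deviation divided
    by the mean). Pairs with fewer than min_connections requests are skipped:
    two requests always look "perfectly periodic", so they prove nothing."""
    hits = []
    for (client, host), gaps in gaps_by_destination(log_text).items():
        if len(gaps) + 1 < min_connections:
            continue  # too few requests to judge periodicity
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_jitter:
            hits.append((client, host, round(avg)))
    return sorted(hits)


if __name__ == "__main__":
    for client, host, interval in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: every ~{interval}s")
```

With the sample above only the C2 host is reported (about every 300 seconds). Lowering min_connections to 2 also reports the news site, which was visited twice: that is the false positive the threshold exists to suppress. Malware that adds random jitter to its sleep will need a looser max_jitter, at the cost of more such false positives.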

 


The stealthy actor

Another notable feature of this malware: if a user suspects there is malware on the machine and shuts it down, the malware first backs up everything in %TEMP% and keeps a local copy. It disguises itself as an ordinary executable and changes its file name on every reboot, so a blue-team analyst looking for a fixed name finds it hard to confirm the malware is present.

An inexperienced analyst doing forensics on the machine may therefore fail to recognise the malware's behaviour and report to the client that all is well while the malware is still there. Similar attacks occurred in 2016 with an advanced version of Sykipot. The initial version was discovered by Symantec and the updated version by FireEye. The malware also copies and stores whatever is on the clipboard.
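Both behaviours described above, stashing files in the temp folders and renaming the binary on every reboot, can be hunted for by matching on file content rather than on file names. The following Python script is an added example, not code from the original post: it walks the three temp locations named earlier, identifies PE executables by their MZ/PE headers regardless of extension, hashes them, and reports the same hash appearing under several names. The "known bad" hash set and the files created by demo() are constructed for illustration, and the temp-folder list is an assumption based on the paths given in the text.

```python
"""Hunt for executables hiding in Windows temp folders by content, not name.

Added example, not code from the original post. Assumptions: the temp
locations are the three named in the text; the "known bad" hash set is
supplied by the reader (the one used in demo() is constructed).
"""
import hashlib
import os
import tempfile
from pathlib import Path


def default_temp_dirs():
    """The temp folders discussed above, whichever exist on this host."""
    layout = [
        ("SystemRoot", ("Temp",)),                      # C:\Windows\Temp
        ("LOCALAPPDATA", ("Temp",)),                    # Vista and later
        ("USERPROFILE", ("Local Settings", "Temp")),    # XP / 2000
    ]
    dirs = []
    for var, parts in layout:
        base = os.environ.get(var)
        if base:
            dirs.append(Path(base).joinpath(*parts))
    return [p for p in dirs if p.is_dir()]


def is_pe_file(path):
    """True if the file has an MZ DOS header whose e_lfanew points at 'PE\\0\\0'.

    Checking the header instead of the extension catches binaries renamed to
    look like .tmp or .dat files."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
            f.seek(e_lfanew)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(dirs, known_bad_hashes=frozenset()):
    """Return one finding per PE file under dirs, with the reasons it stood out.

    A file renamed on every reboot keeps its hash, so one hash showing up
    under several names is itself a signal."""
    records = []
    for d in dirs:
        for path in Path(d).rglob("*"):
            if path.is_file() and is_pe_file(path):
                records.append((path, sha256_of(path)))
    names_per_hash = {}
    for path, digest in records:
        names_per_hash.setdefault(digest, set()).add(path.name)
    findings = []
    for path, digest in records:
        reasons = []
        if path.suffix.lower() not in (".exe", ".dll", ".sys"):
            reasons.append("pe_with_non_executable_extension")
        if digest in known_bad_hashes:
            reasons.append("known_bad_hash")
        if len(names_per_hash[digest]) > 1:
            reasons.append("same_content_under_multiple_names")
        findings.append({"path": str(path), "sha256": digest, "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def minimal_pe_bytes():
    """Smallest byte string is_pe_file() accepts: MZ header, e_lfanew=0x40,
    PE signature. Constructed for the demo; it is not a runnable program."""
    buf = bytearray(0x44)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x40).to_bytes(4, "little")
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


def demo():
    """Constructed scenario in a throwaway folder: a dropped 'svc.exe', the
    same binary backed up as 'report.tmp', and an innocent text file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        pe = minimal_pe_bytes()
        (root / "svc.exe").write_bytes(pe)
        (root / "backup").mkdir()
        (root / "backup" / "report.tmp").write_bytes(pe)
        (root / "notes.txt").write_text("not a binary")
        return hunt([root], known_bad_hashes={hashlib.sha256(pe).hexdigest()})


if __name__ == "__main__":
    # Scan the real temp folders; fall back to the constructed demo when
    # there is nothing to report (or when not running on Windows).
    for f in hunt(default_temp_dirs()) or demo():
        print(f["path"], f["sha256"][:12], ",".join(f["reasons"]))
```

In the demo both copies are reported with the same hash, and the backup copy is additionally flagged for carrying a PE header under a non-executable extension. On a live system the interesting output is any PE file in these folders at all, plus any hash that recurs under different names across reboots.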

 

 

Remote Code Execution

At this point the attacker has gathered a great deal of information about the computer but still has no remote access. That is obtained through CVE-2010-0806, a use-after-free vulnerability in Internet Explorer 6 and 7 (the Peer Objects component, iepeers.dll) that is triggered from script on a web page. Exploiting it lets the attacker run arbitrary code and take control of the entire system without the user's knowledge.

 

   

 

The worst malware design

The major weakness of this malware is that it is easily detected by Windows Defender. Whether these Chinese groups are still active today is not known. Always use an ad-blocking extension and keep your antivirus updated.
