The programmable keylogger APT-4

By -

Keylogger/Keystroke

Every key we press on an electronic device emits certain frequency and this is termed as DTMF(Dual Tone Multi Frequency). This tone can be easily detected using some common apps available on play store/App Store today. But, it can also be heard and find the exact key not by only practice but in a perfect silence condition. This consumes time and at least requires 2-3 years of patience. 

 

Keylogger

 

But this can also be achieved through scripting. Yes!! You read that right. By using some advanced frameworks that were available between 2010-2013, hackers developed some keylogger for the systems targeting defense, aerospace and commercial industries and this was later named as APT-4.  Curious to know how APT-1, APT-2 and APT-3. Check out our blogs for cool stuffs. 

 


APT-4(Advanced Persistent Threat)

Unlike APT-2 and APT-3, this was suspected from China and its main target to steal information from computer, possible by creating backdoors. Suspected groups are Maverick Panda, Sykiplt Group, Wisp. No information had been leaked online about this group. This seems like the national actors pretends to keep the secret by silencing the people once the job is done from their end. Their main target was to inject the keystroke/keylogger into the targeted agencies without their knowledge. 

 

Adware

 

To do this they sent multiple phishing e-mails, but they didn't stop here. They also used some adware and  photo malwares to spread this APT. Once the user clicks the e-mail/advertisement, photos in websites they are turned into victims.


The Behavior Model of APT-4

  • Temp directory and the Microsoft Apps
  • The stealthy actor
  • Remote Code Execution
  • The worst malware design

 

 

Temp directory and the Microsoft Apps

Temp Directory

The Temp directory is used to store the recently executed instructions. This was purposely made by the developers to speed up the CPU process. Temp file is stored in two different directories one in "C:\Windows\" and the other in "%USERPROFILE%\AppData\Local\" and for Windows XP their previous versions the directory would be "%USERPROFILE%\Local Settings\". This was somehow sniffed and the creators of APT-4 used this as a stealthy storage.

Temp

The Microsoft Apps

This malware installs two different files with .exe and .dll extensions. Users are always scared about deleting system oriented files. Some users delete the .exe files and some execute it. Anyhow, there is no difference between them. Once the users install/deleted the files this creates a folder on top of the "%temp folder" and stored all the user keylogger there. This then searches for the system files in outlook, Firefox and Internet Explorer used in Windows XP and 2000. The same file is also shared with their CNC servers at periodic time stamps. For example if a German user, is affected with this APT-4 the Chinese use Google pinyin to store the keylogger into local language(Chinese).

 


The stealthy actor

Another main feature of this virus is, if a user somehow manages to find there is a malware in his machine he/she then turns off the machine and this time the malware backs up all the files in %temp and store a copy of it locally. This virus also pretends to project itself as an executable file. This malware also has an ability to change its application name whenever the system reboots. Blueteamer finds difficult to find the exact malware presence.

So if a no voice/starter person is actually forensic the machine he can't figure out the exact behavior of the malware thereby confirms to the client saying all is good even if the malware is present in the machine. Similar attacks were happened in 2016 but with an advanced version of sykipot. The initial version was discovered by Symantec and the updated version was discovered by FireEye. This malware even copies and stored information available on clipboard. 

 

 

Remote Code Execution

Hacker achieves all sort of information about the computer but still he doesn't have remote access. This is achieved by using vulnerabilities present in JavaScript CVE-2010-0806. Using this, an attacker can inject arbitrary code injection and take control of the entire system without the knowledge of the user. 

 

   

 

 The worst malware design

The major drawback of this malware is that it can be easily detected by Windows defender. We can't still find that these Chinese groups stay alive till date. Always use AdBlock extensions and update your antivirus periodically.

Comments

Post a Comment

Popular posts from this blog

Banning that paved the road to success for The Indian Apps

By -
Image
We all know about the Chinese apps ban done in India which created a tornado among the digital life not only destroyed the income of China apps but created new fields for the Indian Apps to blossom among us. Before I explain about various Indian apps that rose to our attention, we all need to know a little details about the security clearances an app posses. Every apps we install asks for permissions and we simple press accept all without giving a second thought why it asks and what's the requirements. Let me tell a real scenario to you which it took place on Aug '19. When my cousin and I were talking about ghosts incident, are they real or not! and during our conversation we were transferring a movie to one of our mobiles via ShareIt. Before our session, ShareIt showed some travel related contents as we were traveling, post this conversation, ShareIt app showed us the ghost related prank videos. We were shocked so I did a research about t...
Read more

The Millionaire: ProFun into A ProFession

By -
Image
The world stuck by thunder and everything stood still . During this pandemic situation people started to realize the worth of their life and the precious time they hold. This made everyone to value their loved ones and they utilize their time worthwhile. Among them, the gamer’s started to think productively and the perspectives have been changed about How to earn money!  Have you ever heard about the word   streamers?   Well, no sweat, you're gonna be Insinuated. Gaming started to bloom around the world in the late 2000 ’s . Children  used to play video games by  using the various electronic console-like brick game, video games using the game chip.  A s an up-gradation,   play station reached the  gaming market for  the graphics and the gameplay . The experience was immeasurable   when compared with previous gaming . When the play station was donning the gaming market, PC games came with a price tag, that is far more affordable ...
Read more

How UK invented biscuits and established globally

By -
Hello and welcome to my first post of our blog!!! Here we're gonna see some interesting facts(a product that we consume daily) in my first post.                         Origin of Biscuits   In my country, elders usually carry biscuits whenever they visit their relatives. Even diabetes patients consult themselves towards biscuit, which is enriched in high-fibre. It shows that biscuits have made a major impact on our daily life. Regardless of age, biscuits are favoured by everyone. Have you ever imagined how it was originated? Okay, before we get deeper into it, I wanna share some interesting facts that I found while doing my research. Prepare to be baked! The biscuit was invented before World War I The inventor of the biscuit served under Queen Victoria, though he owns his factory. Biscuits were found to be one of the favorite consumables for sailors. The UK nearly had about 30% of exports share in biscu...
Read more