The Oracle of Delphi Will Steal Your Credentials

/in  / by

It was one of those warm summer nights, no clouds, just a bright full moon lighting the way. Someone had unknowingly stumbled upon our honeypot, completely unaware of the fact that her every move was recorded and fully analyzed. Thanks to our deception technology, we could easily reroute the attacker, making her believe she reached her real target. Something about this attack was different, though. All originating from the same source, the attacks repeatedly used brute force passwords for RDP credentials to connect to the victim machine, download and execute a previously undetected malware, which we named Trojan.sysscan. This is a new malware capable of running on every Windows version from XP through Server 2012 R2.

Attack Description

Trojan.sysscan, written in Delphi, has extensive capabilities to search and extract cookies and other credentials containing authentication details such as usernames and passwords targeted at banking, gambling and tax websites as well as information saved by Point of Sale (PoS) software. By stealing connection details, our attackers can easily steal identities and large quantities of money.  

The attacker at work

Persistence

The malware can function both automatically and manually, depending on the configuration. If the malware runs as administrator, it will establish a persistent backdoor by adding a hidden user to the list of administrators with a known password using a known technique.  It will then  make sure RDP is accessible, on both desktop and server versions of Windows using the known RDP wrapper library which is packaged inside Trojan.sysscan.

Collection and Exfiltration

In addition to collecting credentials, Trojan.sysscan collects vast amounts of computer metadata. Borrowing a technique from Trojan.Barys, it recognizes when it’s being investigated by a security tool or run under a virtualized environment which allows the attacker to realize if they had been caught in a honeypot or sandbox. This information is collected and not directly acted upon, showing that at this point, attackers are not worried at all about being caught in endpoints or by scanning tools.

Guardicore - The Oracle of Delphi Will Steal Your Credentials

The malware thoroughly checks it’s not running in a researchers sandbox

To collect the credentials, the malware exhaustively scans the entire C: drive of the victim and the registry, searching for cookie files, SQLite databases and registry keys that match an internal database. Once found, the data is copied and exfiltrated. If the victim does not keep personal data on the drive, the malware won’t find it.

The primary method of exfiltrating data is by communicating with an exfiltration server (85.93.5.43) using a HTTP POST message over a non standard port (12421). This server is known to be the destination of many different malwares. If the Trojan is run interactively and fails to communicate, the attacker can copy the results to the Windows clipboard and then over RDP, copy it locally to their computer.

Detection and Prevention

During our investigation, we discovered that the sole attacking source known to us is the IP 144.76.137.166, which belongs to a Spanish hosting company, okITup, and has been observed performing a series of identical attacks. In none of the attacks did we observe this Trojan being dropped using an exploit, nor have we seen it packaged with any known droppers. This means that at this stage, prevention involves the use of strong password authentication to prevent brute force attacks.

Guardicore - The Oracle of Delphi Will Steal Your Credentials

The series of attacks

At this point, Trojan.sysscan is undetected by the vast majority of antivirus engines as a malicious software. Malware that requires command line parameters or other user input is hard to investigate in a sandbox and Trojan.Sysscan does not use any possibly malicious system calls. This makes it hard on the antivirus to conclusively decide whether the executable is malware. Detection therefore is limited to checking for hidden accounts and whether the RDP wrapper library is installed. Detection of this malware requires modern security software built for defense in depth, assuming a breach, detecting and mitigating it, for example one that can detect the search and exfiltration of sensitive data.

Conclusion

Trojan.sysscan is an example of a credential stealing Trojan, backdooring machines and exfiltrating large amounts of credentials. Unlike other types of Trojans that have a specific goal like currency mining, the purpose of this malware is stealing credentials, making it particularly dangerous to large organisations. Trojan.sysscan evades detection easily which unfortunately is not unique. The usage of Delphi, while not a popular language, provides the coders with versatile frameworks that simplify their code as it allows them to use 3rd party libraries that perform many tasks for them, such as communication, computer scanning and metadata extraction.

Modern data centers and corporate networks provide fruitful ground for malware to flourish. Newer techniques are required to provide effective security in those environments, such as the kind of deception and honeypot technology we develop. Don’t believe us, try us.

Indicators of Compromise

Files

Filenames: csrss.exe, sysscan.exe

MD5 4f b7 ac 01 3b 7c ff ff 3c 78 2d 15 03 30 eb 32

SHA256 31 83 3c 4b 17 9c 4e 4d e4 49 32 c5 7d eb fb 65 62 bb 6e 83 3d 9f d1 41 5f ee 64 11 aa ce a4 5b

IP Addresses

  • 144.76.137.166
  • 85.93.5.43

1 reply
  1. Bookworm
    Bookworm says:

    Additional information, with a different twist: One of my customers received a hack attack from the 144.76.137.166 IP address, so apparently the hosting provider in Germany is an active supporter of this behaviour. The RDP port was NOT a standard port, the username was not standard, but the password was apparently too short. At 6:41 CDT, November 15th, a login was successfully made. This login then downloaded and installed Google Chrome, and created a second administrative account called ‘admin2’ – not hidden – and TeamViewer. Nothing else seemed to occur until November 19th. At that point, it appears that a manual login was made, and using Google Chrome, a visit was made to simple.com (Simple Bank), then two downloads were accessed. One being Desktop Locker Express, which was run in Trial mode, and NiceHashMiner. Neither program was installed, they were simply unpacked to, and run from the desktop. I would venture that the original creator of the RDP cracking service is now selling access to hacked machines without the additional trojan installers.

    Reply

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

CAPTCHA ImageChange Image

‹ Back to Guardicore Labs