Introduction
Earlier this year, we published a white paper detailing the VIP keylogger, a sophisticated malware strain leveraging spear-phishing and steganography to infiltrate victims’ systems. The keylogger is known for its data theft capabilities, particularly targeting web browsers and user credentials.
In a recently identified campaign, the threat actors have once again employed spear-phishing tactics to distribute the malware. However, unlike the previous iteration, this campaign uses an Auto-It-based injector to deploy the final payload VIP keylogger.
The malware is typically delivered through phishing emails containing malicious attachments or embedded links. Once executed, it installs the VIP keylogger, which is specifically designed to steal sensitive information by logging keystrokes, capturing credentials from widely used web browsers like Chrome, MS Edge, and Mozilla, and monitoring clipboard activity.
In this campaign, the AutoIt script is utilized to deliver and execute the malicious payload. Threat actors often leverage AutoIt due to its ease of obfuscation and ability to compile scripts into executables, which evade traditional AV solutions.
Infection chain and Process tree:
The campaign begins with a spear-phishing email carrying a ZIP file named “payment receipt_USD 86,780.00.pdf.pdf.z.”. This archive contains a malicious executable disguised as “payment receipt_USD 86,780.00 pdf.exe”, tricking users into believing it’s a harmless document. Once executed, the executable runs an embedded AutoIt script and drops two encrypted files leucoryx and avenes into the temp folder. These files are decrypted at runtime, and the final payload, VIP Keylogger, is injected into RegSvcs.exe using process hollowing techniques, as shown in the figures below.
Infiltration:
The campaign begins with a spear-phishing email carrying a ZIP file named “payment receipt_USD 86,780.00 pdf.pdf.z.” This archive contains a malicious executable disguised as “payment receipt_USD 86,780.00 pdf.exe,” tricking users into thinking it’s a harmless document. Once executed, the embedded AutoIt script runs and drops the VIP Keylogger onto the system, as shown in the images below.
Zip Attachments which further contains the executable.
During execution, two files named leucorynx and aveness are dropped in the system’s Temp directory, as shown in the figure below.
AutoIt Script:
This AutoIt script decrypts and executes the dropped payload in memory. It first checks the encrypted file leucoryx in the temp directory, reads its content, and decrypts it using a custom XOR function (KHIXTKVLO). The decrypted data is stored in a memory structure.
It retrieves the pointer to the decrypted payload and uses DllCall to allocate executable memory and copy the payload into the allocated memory. A second DllCall triggers the execution and runs the payload in the memory.
The leucorynx contains the key to the decode file, as shown in the figure below.
The malware drops a .vbs script in the Startup folder to maintain persistence. This script executes the primary payload located in the “AppData\Local” directory.
The VB script ensures that the payload (definitiveness.exe) located in the “AppData\Local\Dunlop” directory is executed every time the user logs in, it to operate silently in the background after each reboot.
The dropped file avness is loaded into memory, as shown in the figures below. Once loaded, its contents are passed to a custom decryption routine, which is responsible for unpacking or decoding the embedded payload.
The figure below Shows the decryption function, which is takes the address of the encrypted payload and the XOR key as arguments.
The figure below highlights the decryption loop, where the payload is iteratively decoded. The memory dump shows the decrypted content of the payload.
Decrypted payload is .NET VIP keylogger;
Process Hollowing:
The figure below demonstrates the use of process hollowing, where RegSvcs.exe is spawned in a suspended state using CreateProcess. This enables the malware to unmap the original code and inject its own payload into the process memory before resuming execution.
As shown in the figures below, the decrypted payload is mapped into the address space of regsvc.exe. The memory dump has strings associated with the payload.
Payload: VIP Keylogger
The final payload delivered in this campaign is VIP Keylogger, for which we have already provided a comprehensive analysis of its functionality, capabilities, and behaviour in our technical paper on VIP Keylogger.
IOCs:
| MD5 | Filename |
| F0AD3189FE9076DDD632D304E6BEE9E8 | payment receipt_USD 86,780.00 pdf.exe |
| 0B0AE173FABFCE0C5FBA521D71895726 | VIP Keylogger |
| Domain/IP | |
| hxxp[:]//51.38.247.67:8081 |
Protection:
Trojan.AgentCiR
Trojan.YakbeexMSIL.ZZ4
MITRE ATT&CK:
| Tactic | Technique ID | Name |
| Obfuscation | T1027 | Obfuscated Files or Information |
| Execution | T1204.002 | |
| Execution | T1059.006 | Command and Scripting Interpreter: Python |
| Screen Capture | T1113 | Screen Capture |
| Gather Victim Host Information | T1592 | Collects system info |
| Input Capture | T1056 | Keylogging |
| Defense Evasion | T1055.002 | Process Injection: Portable Executable Injection |
| Content Injection | T1659 | Injecting malicious code into systems |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols |
Author:
Vaibhav Billade
Rumana Siddiqui