Cyphort Labs has discovered an extensive data theft campaign that we have named NightHunter. The campaign, active since 2009, is designed to steal users' login credentials. Targeted services include Google, Yahoo, Facebook, Dropbox and Skype. Attackers have many options for leveraging the stolen credentials, and the potential for analyzing and correlating the stolen data could enable highly targeted, damaging attacks.
3. Agenda
o What is NightHunter
o NightHunter timeline
o Dissecting the malware
o Wrap-up and Q&A
4. About Cyphort Labs
We work with the security ecosystem
o Contribute to and learn from malware KB
o Best of 3rd party threat data
We enhance malware detection accuracy
o False positives/negatives
o Deep-dive research
Threat Monitoring & Research team
o 24x7 monitoring for malware events
o Assist customers with their forensics and incident response
5. NightHunter – Name explained
We called it NightHunter, because of its use of SMTP (email) for
data exfiltration. Email is often overlooked, so it can be a more
stealthy way of data theft, akin to hunting at night.
6. What is NightHunter?
o Campaign began in 2009, still ongoing
o Malware coded in .NET
o Extensive data theft campaign using SMTP and more than 3,000 unique keylogger binaries
o Steals login credentials of users for Google, Facebook, Dropbox, Skype and other services
o At least 1,800 infections
7. NightHunter C&C protocol: poll question
What do you think is the
Command and Control
protocol for updating of
NightHunter?
A HTTP
B HTTPS
C FTP
D IRC
E None of the above
8. NightHunter C&C protocol
None!
NightHunter does not use a command and control protocol.
Instead each variant simply sends stolen data to a hard-coded email server.
By using email, it hides in plain sight while organizations beef up web anomaly detection.
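Because every variant posts stolen data to a hard-coded external mail server rather than to a C&C channel, the detection opportunity is on the network side: in most enterprises only the corporate relay should be opening SMTP connections to the outside, so any workstation doing so is worth a look. The script below is an added example written for this page (not Cyphort's code or a NightHunter artifact); it scans a constructed connection log in an assumed four-field format (timestamp, source IP, destination host, destination port) and reports internal hosts other than an assumed relay address that speak SMTP to external servers. The server names in the sample lines are taken from the deck; the log lines themselves are made up.

```python
"""Flag internal hosts that speak SMTP directly to external mail servers.

Added example for this page, not Cyphort code. Assumes a connection log with
whitespace-separated fields: timestamp src_ip dst_host dst_port (a constructed
format, not any vendor's). NightHunter variants delivered stolen data to a
hard-coded mail server (smtp.gmail.com, Comcast, mx1.3owl.com, ...), so in a
network where only the mail relay may talk SMTP outbound, any other host
opening port 25/465/587 to an external destination is a lead.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SMTP_PORTS = {25, 465, 587}
# Hypothetical corporate mail relay that is allowed to speak SMTP outbound.
ALLOWED_SMTP_SOURCES = {"10.0.0.25"}
# Hypothetical internal address space; SMTP to these is normal relay submission.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed log lines for illustration (server names from the deck).
SAMPLE_LOG = """\
2014-06-02T09:12:01 10.0.5.17 smtp.gmail.com 587
2014-06-02T09:12:03 10.0.5.17 www.example.com 443
2014-06-02T09:15:44 10.0.0.25 mx.partner.example 25
2014-06-02T09:20:10 10.0.7.3 mx1.3owl.com 25
2014-06-02T09:21:00 10.0.7.3 mx1.3owl.com 25
2014-06-02T09:30:31 10.0.9.9 10.0.0.25 25
malformed line here
"""


def parse_line(line):
    """Return (timestamp, src, dst, port) or None for lines that do not parse."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, dst, port = parts
    try:
        return ts, src, dst, int(port)
    except ValueError:
        return None


def is_internal(host):
    """True if host is an IP literal inside INTERNAL_NETS; hostnames count as external."""
    try:
        addr = ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_smtp_exfil(log_text):
    """Return {src_ip: {dst_host: connection_count}} for unauthorized external SMTP."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed records rather than abort the sweep
        _, src, dst, port = rec
        if port not in SMTP_PORTS:
            continue
        if src in ALLOWED_SMTP_SOURCES:
            continue  # the relay is expected to do this
        if is_internal(dst):
            continue  # client submitting to the internal relay, expected
        hits[src][dst] += 1
    return {src: dict(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, dsts in sorted(find_smtp_exfil(SAMPLE_LOG).items()):
        for dst, n in sorted(dsts.items()):
            print(f"{src} -> {dst}: {n} SMTP connection(s) bypassing the relay")
```

On the sample data this reports 10.0.5.17 talking to smtp.gmail.com once and 10.0.7.3 talking to mx1.3owl.com twice, while the relay's own traffic and the client submitting to the relay are ignored. It is a coarse heuristic: a user running a personal mail client would trip it too, so treat hits as triage input, and remember that a policy which blocks direct outbound SMTP from workstations removes this exfiltration path entirely.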
9. NightHunter History
2009: First variants of NightHunter appear
2010: Malware starts using AOL and Microsoft email servers
2012: Malware starts using mx1.3owl.com
2013: Starts using Comcast and Yahoo email servers
2014: Cyphort discovers NightHunter
10. NightHunter Infections To Date
There are at least 1,800 unique infections.
Number of unique infections per email server:
3OWL      1000
Ieindia    350
Drmike     200
Hanco      150
Gmail      100*
Comcast     60
11. NightHunter Infections To Date
Chart: samples using Gmail servers (smtp.gmail.com), count per month from 2013-07 to 2014-06 (y-axis: count, 0 to 500; x-axis: time).
12. Malware Architecture
User: receives a phishing email with a DOC/ZIP attachment.
Stage 1 (EXE): decrypts the DLL from a resource section and loads it from memory.
Stage 2 (DLL)*: runs from the EXE's process memory and sends out credentials via SMTP.
Attacker: receives the stolen credentials on the email server.
* Some samples did not use Stage 2.
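The stage-1 loader keeps the stage-2 DLL encrypted in a resource and only materializes it in memory, so the DLL never sits on disk for a scanner to see. The deck does not name the cipher, and the example below is added here for illustration, not Cyphort's tooling or NightHunter's actual scheme: it assumes a single-byte XOR as a stand-in and shows the analyst's shortcut of brute-forcing the key against the fixed PE header bytes ("MZ" at offset 0 and "PE\0\0" at e_lfanew) instead of reversing the decryption routine. The "resource" it operates on is a constructed minimal PE-like stub, not a real sample.

```python
"""Recover an embedded PE from a resource blob encrypted with single-byte XOR.

Added example for this page, not Cyphort's code or NightHunter's real
scheme. Slide 12 says stage 1 decrypts the stage-2 DLL from a resource and
loads it from memory but does not name the cipher; a single-byte XOR is
assumed here. The technique shown is key recovery by known plaintext: a
PE always starts with 'MZ' and carries 'PE\\0\\0' at the offset stored in
the DOS header field e_lfanew (offset 0x3C), so every candidate key can be
checked against those bytes.
"""
import struct


def looks_like_pe(data):
    """Check the two PE landmarks: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False  # header points outside the blob; not a usable PE
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def xor_bytes(data, key):
    """XOR every byte with a single-byte key (symmetric, so also decrypts)."""
    return bytes(b ^ key for b in data)


def recover_pe(blob):
    """Try all 256 single-byte keys; return (key, decrypted_pe) or None."""
    for key in range(256):
        candidate = xor_bytes(blob, key)
        if looks_like_pe(candidate):
            return key, candidate
    return None


def make_fake_pe():
    """Constructed minimal PE-like stub: DOS header with e_lfanew=0x40, then 'PE\\0\\0'."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> directly after DOS header
    # 0x014C is IMAGE_FILE_MACHINE_I386; the rest is padding, not a real COFF header.
    return bytes(header) + b"PE\0\0" + b"\x4c\x01" + b"\x00" * 30


# Constructed stand-in for the encrypted resource (key 0x5A chosen arbitrarily).
FAKE_RESOURCE = xor_bytes(make_fake_pe(), 0x5A)


if __name__ == "__main__":
    found = recover_pe(FAKE_RESOURCE)
    if found is None:
        print("no single-byte XOR key yields a PE header")
    else:
        key, pe = found
        print(f"key 0x{key:02x} recovers a PE of {len(pe)} bytes")
```

The same known-plaintext idea extends to longer repeating keys (XOR the first bytes of the blob with the expected header to read the key off directly), and a blob that defeats every key while still showing high entropy is a hint that a real cipher or compression is in use and the decryption routine itself has to be reversed.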
13. NightHunter Delivery
o Delivered mostly through phishing emails with DOC/ZIP/RAR
attachments.
o User gets infected by opening a malicious document with scripting
enabled.
o Emails were targeted towards personnel in finance/sales/HR
departments
15. NightHunter Data Theft
NightHunter steals credentials for many services, for example:
o Google
o Facebook
o Dropbox
In addition, the loggers target:
o Bitcoin Stealing
o Password managers
o Firefox/Google Chrome/IE/Safari/Opera
o Outlook
o Pidgin/Trillian/Paltalk/AIM/IMVU
o Various Games and Game Bots
o Filezilla/Flashfxp/CoreFTP/SmartFTP/FTP Commander
o Yahoo
o Hotmail
o Amazon
o Skype
o LinkedIn
o Banks, and others
16. NightHunter Malware Components
NightHunter is the name of the campaign. It includes more than 3,000 unique
malware binaries, keylogger trojans including the following families:
o Predator Pain
o Limitless logger lite
o Keylogger Logları (SlloTBan)
o Spyrex
o FEDERIKOs Logger
o Unknown Logger Public
o Aux Logger
o Neptune
o Mr. Clyde Logger
o Ultimate Logger
o MY Ultimate Jobe
o Syslogger
o Syndicate Logger
23. Poll question #2
What is the purpose of string
obfuscation in malware?
A: Make malware run more efficiently
B: For copyright reasons
C: Deter reverse engineering
D: Prevent static signature detection
E: C and D
24. NightHunter binary analysis
- .NET class names use non-printable characters.
- Two of the ten different string obfuscation techniques observed are shown here.
26. Conclusions
1. NightHunter is a major data exfiltration campaign that went undetected for 5 years.
2. Enterprises should monitor SMTP and other protocols for data theft.
3. The intent of the data collection is unknown; the campaign appears to be building up a heap of stolen credentials to enable new damaging cyber threats.
4. Change your passwords frequently.
27. Q and A
o Information sharing
and advanced
threats resources
o Blogs on latest
threats and findings
o Tools for identifying
malware