KBDRU-Stealer
Introduction:
In 2021, security analysts first identified KBDRU, an infostealer and clipper written in AutoIt. The malware is built to compromise user data, with a particular focus on stealing login credentials and other sensitive information.
Malware Characteristics:
- File name: KBDRU.exe
- Other names: WWAHost.exe, Build.exe
- Company name: Поставщик пространства имен PNRP
- Type: Win32 EXE
- Compiler stamp: Fri Jun 12 07:52:28 2020 UTC
- SHA-256 hash: E2115A42E4EF267A4484CBB5CD342EA5D12B26F93FB76F6BA92EED12129DD272
Static Analysis:
VirusTotal:
When the sample is scanned on the VirusTotal website, 48 of 71 security vendors detect it as KBDRU malware; the results are shown in the next figure.
Detect it easy (DIE) :
I open the sample in Detect It Easy to gather basic information about KBDRU: the compiler, the packer (if the author used a commercial packer), the linker, and more. The results are shown in the next figure.
Entropy:
The (.text), (.rsrc) and (.reloc) sections are packed: their entropy is high.
PEstudio:
Examining the sample with pestudio, the sections view shows 5 sections; the (.text) section is not marked executable, and the high entropy of the packed sections is visible there as well.
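The entropy judgement made above by DIE and pestudio is a simple calculation that is worth being able to reproduce, for example when triaging a sample on a box without those tools. The following is an added example, not code from the original write-up: it computes per-section Shannon entropy and applies the usual "above 7.0 bits per byte looks packed or encrypted" rule of thumb. The section bodies are constructed stand-ins (pseudo-random bytes for the packed sections, repetitive import names for a normal one), not bytes from the KBDRU sample.

```python
import math
import random
from collections import Counter

# Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for
# uniformly distributed bytes. Packed or encrypted data sits near the top.
def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

# Rule-of-thumb threshold, the same heuristic DIE/pestudio visualise: ordinary
# x86 code usually lands around 6.0-6.8, compressed or encrypted data above 7.0.
PACKED_THRESHOLD = 7.0

def classify_sections(sections: dict, threshold: float = PACKED_THRESHOLD) -> dict:
    """Return {section_name: (entropy_rounded, looks_packed)} for each section body."""
    report = {}
    for name, body in sections.items():
        h = shannon_entropy(body)
        report[name] = (round(h, 3), h >= threshold)
    return report

# Constructed stand-ins for section bodies (NOT bytes taken from the real sample):
# .text and .rsrc are pseudo-random to mimic a packed payload, .rdata is the kind
# of repetitive import-name data a normal read-only section holds.
_rng = random.Random(1337)
SAMPLE_SECTIONS = {
    ".text": bytes(_rng.getrandbits(8) for _ in range(4096)),
    ".rdata": b"KERNEL32.dll\x00GetProcAddress\x00LoadLibraryA\x00" * 100,
    ".rsrc": bytes(_rng.getrandbits(8) for _ in range(4096)),
}

if __name__ == "__main__":
    for name, (h, packed) in classify_sections(SAMPLE_SECTIONS).items():
        print(f"{name:8s} entropy={h:.3f}  {'likely packed' if packed else 'normal'}")
```

To run this against a real PE, build the `sections` dictionary with the pefile library, e.g. `{s.Name.rstrip(b"\0").decode(): s.get_data() for s in pefile.PE(path).sections}`; a high-entropy `.text` together with a non-executable `.text` flag, as seen here, is a strong hint that the real code is unpacked at runtime.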
Imports:
pestudio flags 161 imports as suspicious APIs. These APIs are associated with process injection, capture of keyboard input, and manipulation of access tokens, activity aimed at circumventing the operating system's access controls.
Strings:
The strings also reveal APIs that write data to files, delete files, manipulate access tokens, and perform process injection.
Resource Section:
Using Resource Hacker, we found that KBDRU stealer carries a packed AutoIt script in its resource section.
Behavioral Analysis:
I run the malware and monitor its behaviour, focusing on four areas: the file system, processes, registry keys, and network traffic.
ProcMon & ProcDot :
The core operation is the primary process relocating the directory file (changing its location) and spawning additional processes, notably ones labeled KBDRU. This lets the malware establish a foothold and carry out its activities on the target system.
The malware conducts a comprehensive search for sensitive data, including (.pdf) files, captures window screenshots, and extracts OS details and running processes. It then compresses the information and transmits it covertly to a Command and Control server.
Registry Keys:
It steals website cookies and manipulates browser Internet Settings (the zone-map and cache keys listed under IOCs below) to evade detection and bypass security policies.
AutoRuns:
The malware ensures its persistence by configuring itself to run automatically during Windows startup.
Task Scheduler:
The malware adds a second persistence mechanism by creating a scheduled task that re-triggers its execution every minute.
WireShark:
The malware attempts to connect to Command and Control (C2) servers to upload the stolen information described above. Transferring the data to attacker-controlled servers opens the way to unauthorized access and further exploitation of the compromised information.
IOCs:
Host Indicators:
Folders:
- C:\Users\<user>\AppData\Roaming\amd64_c\
- C:\Windows\System32\Tasks\M-4-6-52-1092775626-1349697749-1275881323-6984
Registry Keys:
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
Network Indicators:
DNS:
- ipapi.co
- api.telegram.org
IPs:
- 104.26.8.44
- 172.67.69.226
- 104.26.9.44
- 149.154.167.220
Summary:
KBDRU-Stealer is a sophisticated piece of malware that specializes in extracting sensitive information from the operating system. Notably, it also steals website cookies and manipulates browser settings to evade detection and circumvent security policies. The stolen information is then transmitted covertly to attacker-controlled servers through a Command and Control (C2) channel. This multifaceted approach underscores the malware’s advanced capabilities and the risk it poses to system security and user privacy.