Predator Pain and Hawkeye; Still at It

From July 2017 to July 2018, there were 242,806 Predator Pain Key Recorder detections seen in Wapack Labs proprietary data. In the past month alone, from June 2018 to July 2018, there were 33,423 Predator Pain detections. This indicates continued Predator Pain attacks and demonstrates the ongoing use of this old malware and/or its derivatives. The Hawkeye keylogger has also been detected.

Background

In 2015, researchers discovered the Predator Pain (PP) malware. For years, bad actors have employed a range of tools to achieve malicious objectives. The most damaging activity a bad actor conducts against businesses or individuals is the theft of authentication information, which enables these actors to impersonate individuals and target unsuspecting victims for a variety of reasons. Predator Pain was developed back then and is still in use today.

Both PP and a similar product called HawkEye are keyloggers. They include additional features, such as web browser and e-mail client credential dumping, screen capture, and exfiltration of the captured information. These keyloggers are mainly used to steal financial personally identifiable information (PII), which is then exploited or sold for financial gain. HawkEye is sold openly on commercial websites, whereas PP is typically found in underground forums. The venue a tool comes from often reveals the sophistication of the attacker.

Methods

Wapack Labs has recently observed a high level of Predator Pain malware attacks against a specific client, indicating continued use of this keylogger. Analysis has shown that once activated through a phishing attack, Predator Pain drops a copy of itself into %APPDATA%, using filenames such as “WindowsUpdate.exe” and “Windows Update.exe.” To keep running even after an infected computer is rebooted, it creates a registry value named “Windows Update” under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. It also creates the files pid.txt and pidloc.txt in %APPDATA% to record the process ID and path of the running keylogger. It then installs a low-level keyboard hook to intercept and log the keystrokes of unsuspecting targets, and the captured information is sent back to the bad actor.[1]

Predator Pain collects the following system information: computer name; installed antivirus and firewall products; and internal and external IP addresses of the operating system (OS). This information is sent back to the attackers to notify them that PP has successfully executed on a target computer. PP can additionally collect users’ passwords by executing NirSoft applications. Once this information has been gathered by the malware and through keystroke capture, the fraud begins. PP has been tied to Nigerian 419 fraud scammers, but in reality it is used by bad actors of many skill levels. There are current variations of PP up to version 15; Wapack Labs has observed v13 in our collection.
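As an added host triage check (not code from the original write-up or from either referenced analysis), the following Python flags the persistence artifacts described above, given a dump of the HKCU Run values and a listing of %APPDATA%. The sample Run entries and file listing are constructed; the indicator names come from the text.

```python
"""Triage the Predator Pain persistence artifacts described in the write-up."""
import os
import re
from typing import Iterable

# Indicators from the write-up: Run value name, dropped filenames, PID marker files.
RUN_VALUE_NAME = "windows update"
DROPPED_NAMES = {"windowsupdate.exe", "windows update.exe"}
PID_FILES = {"pid.txt", "pidloc.txt"}


def strip_quotes(value: str) -> str:
    """Return the executable path from a Run value (handles a quoted command line)."""
    v = value.strip()
    if v.startswith('"'):
        return v[1:].split('"', 1)[0]
    return v


def is_appdata_path(path: str) -> bool:
    """True if the path is under %APPDATA% (literal variable or AppData\\Roaming)."""
    p = path.replace("/", "\\").lower()
    return p.startswith("%appdata%") or re.search(r"\\appdata\\roaming\\", p) is not None


def check_run_entries(entries: dict) -> list:
    """Flag Run values that launch the dropped filenames or use the known value name."""
    findings = []
    for name, value in entries.items():
        exe = strip_quotes(value)
        base = os.path.basename(exe.replace("\\", "/")).lower()
        if (name.strip().lower() == RUN_VALUE_NAME or base in DROPPED_NAMES) and is_appdata_path(exe):
            findings.append(f"Run value '{name}' launches {exe} from %APPDATA%")
    return findings


def check_pid_files(appdata_listing: Iterable) -> list:
    """Flag the pid.txt / pidloc.txt marker files the keylogger writes to %APPDATA%."""
    present = {os.path.basename(p.replace("\\", "/")).lower() for p in appdata_listing}
    return [f"PID marker file present in %APPDATA%: {f}" for f in sorted(PID_FILES & present)]


def triage(run_entries: dict, appdata_listing: Iterable) -> list:
    return check_run_entries(run_entries) + check_pid_files(appdata_listing)


# Constructed sample data (not from a real host): one benign entry, one matching the write-up.
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Windows Update": r'"C:\Users\alice\AppData\Roaming\Windows Update.exe"',
}
SAMPLE_APPDATA = [r"C:\Users\alice\AppData\Roaming\pid.txt",
                  r"C:\Users\alice\AppData\Roaming\pidloc.txt",
                  r"C:\Users\alice\AppData\Roaming\Windows Update.exe"]

if __name__ == "__main__":
    for line in triage(SAMPLE_RUN, SAMPLE_APPDATA):
        print("[!]", line)
```

On a live Windows host the same functions can be fed with values read from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run via the standard winreg module and an os.listdir() of %APPDATA%.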

Mitigation

Prevention is always a wise strategy in guarding against keyloggers. System hardening, integrity assurance, software version and patch management, and user training and awareness are standard mitigation principles. Sound steps to protect against keyloggers include using multi-factor authentication, which limits the impact of stolen credentials. Never share credentials across accounts, and change credentials periodically. Bad actors often engage in activities such as credential stuffing in an attempt to maximize the benefit of stolen credentials. Inbound, outbound, and internal network traffic should always be controlled and monitored. Implement network segmentation: it is a best practice for exposing only as much as is required for specific organizational processes, moving toward a “zero trust” model.

Conclusion  

Wapack Labs has recently discovered a high level of Predator Pain keylogger use in our proprietary data collection, while other analysts of ours have observed Hawkeye version 8 being used by APT groups.[2] This strongly indicates that these two keyloggers, though dated, continue to be popular malicious tools and may have evolved into higher versions.

[1] https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/

[2] https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/