Decrypt LOL
New Keylogger Linked to North Korean Group Targets U.S. Organizations


Quick take - A newly disclosed keylogger attributed to the North Korean group Andariel targets U.S. organizations. It logs keystrokes and mouse activity, persists across reboots, stores what it captures in an encrypted archive, and uses several anti-analysis measures.

Fast Facts

  • A new keylogger attributed to North Korean group Andariel (APT45) targets U.S. organizations, designed to log keystrokes and mouse activity.
  • The malware employs anti-analysis techniques, including junk code, and sets a global Windows hook to intercept input events.
  • Captured data is stored in a password-protected, encrypted archive named “DT_0004.tmp” in the “%TEMP%” directory, using the password “Pass@w0rd#384.”
  • The keylogger modifies the Run registry key for persistence, allowing it to remain operational after system reboots.
  • A report from Hybrid Analysis details the keylogger’s API calls and persistence mechanisms and provides resources for further examination by cybersecurity professionals.

New Keylogger Disclosed Attributed to North Korean Group Andariel

A new keylogger attributed to the North Korean group Andariel, also known as APT45, Silent Chollima, or Onyx Sleet, has been disclosed. This sophisticated malware is targeting U.S. organizations.

Keylogger Functionality

The keylogger is designed to log keystrokes and mouse activity. Captured data is stored in a password-protected, encrypted archive. The keylogger employs various anti-analysis techniques, including the incorporation of junk code to hinder detection and analysis efforts.

Upon installation, the malware sets a global Windows hook that intercepts keystrokes and mouse events. It utilizes two specific hook procedures to monitor low-level keyboard (WH_KEYBOARD_LL) and mouse (WH_MOUSE_LL) input events. Additionally, the malware modifies the “(Default)” value under the Run registry key, ensuring persistence on infected machines and allowing it to remain operational even after system reboots.
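The persistence location described above is one a defender can hunt for in a registry export. The following is an added example, not code from the article or from the Hybrid Analysis report it cites: it parses a Windows `.reg` export (where a key's "(Default)" value is written as `@=...`) and flags any Run or RunOnce key whose default value carries data, since those keys normally have no default value set. The export text below is constructed for the example, and the path it contains is a placeholder.

```python
"""
Added example (not from the Decrypt article or the analysis it cites).

Triage a Windows registry export (.reg text) for a populated "(Default)" value
under a Run key, the persistence location the article describes. In .reg syntax
the default value of a key is written as `@=...`; the Run keys normally carry no
default value, so one that holds a command deserves a closer look.
"""
import re

# Autostart keys to inspect (compared case-insensitively).
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Constructed sample export: the HKCU Run key has a default value pointing at a
# placeholder executable in %TEMP%, alongside an ordinary named value.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\example_payload.exe"
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"""

_KEY_RE = re.compile(r"\[(.+)\]")
_VALUE_RE = re.compile(r'(@|"((?:[^"\\]|\\.)*)")=(.*)')


def _unescape(s):
    """Undo .reg string escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_data(data):
    """Decode a quoted string value; leave dword:/hex: data as written."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    return data


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; the default value is stored under "@"."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.fullmatch(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.fullmatch(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            keys[current][name] = _decode_data(m.group(3))
    return keys


def find_run_key_default_values(keys):
    """Return [(key_path, data)] for Run/RunOnce keys whose "(Default)" value is set."""
    wanted = {k.lower() for k in RUN_KEYS}
    return [
        (path, values["@"])
        for path, values in keys.items()
        if path.lower() in wanted and values.get("@")
    ]


if __name__ == "__main__":
    for path, data in find_run_key_default_values(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"Run key default value set: {path} -> {data}")
```

On a live host the same check can be run against the output of `reg export` for each of the listed keys; the parser deliberately leaves `dword:` and `hex:` data untouched, since only string data matters for an autostart command.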

Data Storage and Encryption

The keylogger creates a temporary archive named “DT_0004.tmp” in the “%TEMP%” directory, which is used to store logged data. This archive is encrypted and secured with the password “Pass@w0rd#384.” The malware logs activity by writing data incrementally, beginning with the bytes “PK,” the signature that marks a ZIP archive.
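A file with those traits, a ZIP signature and password-protected entries sitting in %TEMP%, can be triaged without knowing the password. The following is an added example, not code from the article or its source report: it walks the ZIP local file headers directly (so it also works on an archive that is still being written and has no central directory yet) and reports whether the entries carry the encryption flag. The sample archive is built in memory and is constructed for the example; the encryption bit is simply forced on in its header, and nothing here decrypts anything.

```python
"""
Added example (not from the Decrypt article or the analysis it cites).

Inspect a suspected log archive for the traits the article describes: data
that begins with the "PK" ZIP signature and entries marked as encrypted
(general-purpose flag bit 0). Local file headers are parsed directly, so a
partially written archive with no central directory is still readable.
"""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_LEN = 30          # fixed part: signature + 26 bytes of fields
FLAG_ENCRYPTED = 0x0001        # entry data is encrypted
FLAG_DATA_DESCRIPTOR = 0x0008  # sizes follow the data; cannot walk past this entry


def iter_local_headers(data):
    """Yield (name, flags, compressed_size) for each local file header, front to back."""
    pos = 0
    while data.startswith(LOCAL_HEADER_SIG, pos) and len(data) >= pos + LOCAL_HEADER_LEN:
        # fields after the 4-byte signature: version, flags, method, mtime, mdate,
        # crc32, compressed size, uncompressed size, name length, extra length
        (_ver, flags, _method, _mtime, _mdate, _crc,
         csize, _usize, nlen, xlen) = struct.unpack_from("<HHHHHIIIHH", data, pos + 4)
        name_start = pos + LOCAL_HEADER_LEN
        name = data[name_start:name_start + nlen].decode("utf-8", "replace")
        yield name, flags, csize
        if flags & FLAG_DATA_DESCRIPTOR:
            break  # size not known from the header; stop walking
        pos = name_start + nlen + xlen + csize


def triage_archive(data):
    """Summarise a byte blob: is it a ZIP, are any entries encrypted, entry names."""
    if not data.startswith(b"PK"):
        return {"zip": False, "encrypted": False, "entries": []}
    entries = list(iter_local_headers(data))
    return {
        "zip": True,
        "encrypted": any(flags & FLAG_ENCRYPTED for _, flags, _ in entries),
        "entries": [name for name, _, _ in entries],
    }


def build_sample(encrypted):
    """Constructed sample: a small stored ZIP; optionally the encryption bit is set
    in its local header (the bytes are not enciphered, only the flag is set)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("keylog.txt", "2024-01-01 10:00:00 window=Notepad keys=hello")
    raw = bytearray(buf.getvalue())
    if encrypted:
        flags = struct.unpack_from("<H", raw, 6)[0]  # flags sit at offset 6
        struct.pack_into("<H", raw, 6, flags | FLAG_ENCRYPTED)
    return bytes(raw)


if __name__ == "__main__":
    for label, blob in (("plain", build_sample(False)), ("encrypted", build_sample(True))):
        print(label, triage_archive(blob))
```

Because the walk stops at the first entry that uses a data descriptor, a partially written archive reports only the entries whose headers are complete, which is exactly the situation for a log file that is appended to incrementally.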

The keylogger retrieves the current local date and time to log the start time of its monitoring activities. When new keystrokes or mouse events are detected, it extracts text from the foreground window and compares virtual-key codes corresponding to keyboard keys or mouse buttons with predefined values. The GetKeyboardLayout API is employed to identify the active input locale identifier, while ToUnicode translates virtual-key codes into the corresponding Unicode characters.

Additional Capabilities and Analysis

Information is relayed through the hook chain using the CallNextHookEx function. Additionally, the malware can access clipboard data using the OpenClipboard and GetClipboardData functions, further expanding its data-gathering capabilities.

A structured report generated by Hybrid Analysis has identified the API calls utilized by the keylogger, detailing its persistence mechanisms and the log storage file. This report serves as a resource for identifying and analyzing various types of malware, with users able to download malware samples for further examination (registration with the Hybrid Analysis platform is required).

For cybersecurity professionals, the SHA-256 hash of the malware serves as a crucial indicator of compromise, enabling the detection and mitigation of this keylogger threat.
