Full Report
Part 2 of analyzing the KrakenKeylogger Malware
Analysis Summary
# Tool/Technique: KrakenKeylogger (Associated Samples/Infrastructure)
## Overview
This document summarizes threat hunting activities focused on samples associated with the "KrakenKeylogger" campaign and its related Command and Control (C2) infrastructure. The analysis pivots on the observed IOCs (the domains and the internal `KrakenStub` binary name) to link detections that vendors classified as other families (AgentTesla, MassLogger) back to KrakenKeylogger activity.
## Technical Details
- Type: Malware Family (Keylogger/Information Stealer infrastructure)
- Platform: Windows (Implied by file types like .exe and registry/OS artifact hunting)
- Capabilities: Information stealing, communication with separate C2 and payload-staging domains, probable use of a staged loader component (`KrakenStub`).
- First Seen: Campaign appears relatively new, associated files dated from May 2023 onwards.
## MITRE ATT&CK Mapping
* **TA0011 - Command and Control**
- T1071 - Application Layer Protocol
* **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File
## Functionality
### Core Capabilities
* Communication with an operational C2 server (`thereccorp[.]com`).
* Fetching secondary payloads from a separate staging domain (`masherofmasters[.]cyou`).
* Use of the internal name `KrakenStub` across samples, apparently a loader or initial-stage component, even though the samples carrying it were classified by sandboxes as different malware families.
### Advanced Features
* **Shared stub across families:** Samples that sandboxes classified as AgentTesla and MassLogger carried the `KrakenStub` internal name, suggesting a common multi-stage dropper/loader whose final payload differs from the stub that delivers it; this also explains why vendor family labels for these samples disagree.
* **Separated infrastructure:** C2 traffic and payload staging use distinct domains, so blocking one does not cover the other and both must be hunted for.
## Indicators of Compromise
- File Hashes:
- SHA256: `8a6bebf08f6c223ed9821ee3b80e420060c66770402687f5c98555f9b0cd02a3` (Associated with AgentTesla similarities)
- SHA256: `413ec94d35627af97c57c6482630e6b2bb299eebf164e187ea7df0a0eb80ecc6` (Associated with MassLogger/Kraken findings)
- File Names: `KrakenStub` (internal name carried in the PE version metadata of multiple samples, not necessarily the name seen on disk). `RareCommodityHelper.exe` (observed execution name).
- Registry Keys: Not explicitly detailed in the provided context.
- Network Indicators:
- C2: `thereccorp[.]com` (defanged)
- Payload Fetching Domain: `masherofmasters[.]cyou` (defanged)
- Behavioral Indicators: Files associated with `masherofmasters[.]cyou` included `.lnk` files, indicating execution likely relies on the user opening a shortcut file (T1204.002).
## Associated Threat Actors
- **Krakenz:** Identified as the seller of "KrakenKeylogger" on HackForums, strongly suggesting this user/group is responsible for this observed infrastructure and malware name.
- The investigation links indicators to malware families like **AgentTesla** and **MassLogger**, suggesting either a reuse of infrastructure/loaders across different malware types or that KrakenKeylogger itself leverages components commonly associated with these stealer families.
## Detection Methods
- Signature-based detection: Some associated samples initially showed 0/87 detections on VirusTotal, while the files linked from the C2 reports were detected by most vendors, so signature coverage alone cannot be relied on for the first-stage components.
- Metadata-based detection: Sandbox reports surfaced the internal "Kraken" string in PE version fields (`ProductName`, `FileDescription`, etc.) even when the vendor family label was something else (e.g. AgentTesla). These fields are stored as UTF-16, so a rule must match the wide form of the string.
- YARA rules: An "UnpackMe" YARA hunt was planned, i.e. rules built from unique strings found in the unpacked binaries during static/dynamic analysis, because the packed first stage hides those strings.
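The metadata hunt above hinges on one detail that is easy to get wrong: PE version-info strings are UTF-16LE, so an ASCII grep for "KrakenStub" finds nothing. The following is an added example, not code from the original report or from the campaign analysis, showing the check a YARA `ascii wide nocase` string performs, run over a constructed buffer, plus a generator for the equivalent rule. The `SAMPLE` bytes, the `SCAN_EXTENSIONS` set and the `hunt_tree` walker are assumptions for illustration.

```python
import os
import re
from typing import Dict, List

# Marker strings the report associates with the campaign: the internal
# "KrakenStub" name and the bare "Kraken" token seen in PE version metadata.
MARKERS = ["KrakenStub", "Kraken"]

# Extensions worth scanning on a Windows host (assumption for the walker below).
SCAN_EXTENSIONS = {".exe", ".dll", ".scr", ".tmp"}


def byte_patterns(marker: str) -> List[tuple]:
    """Byte forms a YARA 'ascii wide' string would match.

    PE version-info strings (ProductName, FileDescription, InternalName, ...)
    are stored as UTF-16LE, so an ASCII-only search misses them.
    """
    return [("ascii", marker.encode("ascii")),
            ("wide", marker.encode("utf-16-le"))]


def scan_bytes(data: bytes, markers: List[str] = MARKERS) -> List[Dict]:
    """Return case-insensitive hits for each marker in either encoding.

    Longer markers are matched first and shorter ones falling inside an
    already reported span are dropped, so "Kraken" is not double counted
    inside "KrakenStub".
    """
    hits: List[Dict] = []
    covered: List[tuple] = []
    for marker in sorted(markers, key=len, reverse=True):
        for encoding, pattern in byte_patterns(marker):
            for m in re.finditer(re.escape(pattern), data, flags=re.IGNORECASE):
                if any(s <= m.start() and m.end() <= e for s, e in covered):
                    continue
                covered.append((m.start(), m.end()))
                hits.append({"marker": marker, "encoding": encoding,
                             "offset": m.start()})
    return sorted(hits, key=lambda h: h["offset"])


def yara_rule(markers: List[str] = MARKERS,
              name: str = "KrakenStub_metadata") -> str:
    """Emit the YARA rule that performs the same match as scan_bytes()."""
    strings = "\n".join(
        f'        $s{i} = "{m}" ascii wide nocase' for i, m in enumerate(markers))
    return (f"rule {name}\n{{\n    strings:\n{strings}\n"
            f"    condition:\n        any of them\n}}\n")


def hunt_tree(root: str) -> Dict[str, List[Dict]]:
    """Walk a directory tree and report every file containing a marker."""
    findings: Dict[str, List[Dict]] = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if os.path.splitext(fn)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    hits = scan_bytes(fh.read())
            except OSError:
                continue  # unreadable or vanished file; move on
            if hits:
                findings[path] = hits
    return findings


# Constructed sample: not a real KrakenKeylogger binary, just a buffer laid out
# like a version-info string table (UTF-16LE key/value) plus an ASCII copy.
SAMPLE = (b"MZ" + b"\x00" * 14
          + "FileDescription".encode("utf-16-le") + b"\x00\x00"
          + "KrakenStub".encode("utf-16-le") + b"\x00\x00"
          + b"\x00" * 8
          + b"plain ascii marker: krakenstub\n")

if __name__ == "__main__":
    for hit in scan_bytes(SAMPLE):
        print(hit)
    print(yara_rule())
```

Only the wide hit at offset 48 corresponds to what a version resource actually looks like; the ASCII hit is there to show that the same scan catches both forms, which is why the generated rule carries `ascii wide nocase` rather than a plain string.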
## Mitigation Strategies
- Blocking the associated C2 and payload fetching domains at the perimeter.
- Monitoring for the execution of common information stealer behaviors.
- Proactive hunting for the internal string "KrakenStub" in PE version metadata (`FileDescription`, `InternalName`, `OriginalFilename`, `ProductName`) across the environment, matching it as both ASCII and UTF-16 because version resources are stored as wide strings.
- Monitoring for the creation of `.lnk` files whose target path or command-line arguments reference suspicious external domains, and for script interpreter or LOLBin execution spawned from a shortcut.
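Checking shortcut files against the IOC list means reading the LNK StringData fields rather than grepping the file, since the strings are length-prefixed UTF-16LE and sit behind variable-size structures. The following is an added example, not code from the original report, of a minimal MS-SHLLINK parser that extracts those fields, refangs the report's defanged domains and flags any field referencing them. The `build_lnk` helper and `SAMPLE_LNK` shortcut are constructed for the demonstration and are not artifacts recovered from the campaign.

```python
import struct
from typing import Dict, List, Tuple

# LinkFlags bits from MS-SHLLINK section 2.1.1 (only the ones used here).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# ShellLinkHeader CLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_FMT = "<I16sIIQQQIiIHHII"  # 76-byte ShellLinkHeader

# Domains from the report's IOC list, kept defanged as written there.
IOC_DOMAINS = ["thereccorp[.]com", "masherofmasters[.]cyou"]

# StringData fields in the order the specification fixes.
STRING_FIELDS: List[Tuple[str, int]] = [
    ("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def parse_lnk_strings(data: bytes) -> Dict[str, str]:
    """Return the StringData fields of a Shell Link.

    Validates the header, skips LinkTargetIDList and LinkInfo using their
    size prefixes, then reads each optional length-prefixed string.
    """
    if (len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize + list
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]      # LinkInfoSize
    unicode = bool(flags & IS_UNICODE)
    fields: Dict[str, str] = {}
    for field, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters
        pos += 2
        size = count * 2 if unicode else count
        raw = data[pos:pos + size]
        pos += size
        fields[field] = raw.decode("utf-16-le" if unicode else "cp1252",
                                   errors="replace")
    return fields


def check_lnk(data: bytes,
              watchlist: List[str] = IOC_DOMAINS) -> List[Tuple[str, str]]:
    """(field, domain) pairs for every watchlisted domain found in the shortcut."""
    domains = [refang(d).lower() for d in watchlist]
    matches: List[Tuple[str, str]] = []
    for field, value in parse_lnk_strings(data).items():
        low = value.lower()
        for d in domains:
            if d in low:
                matches.append((field, d))
    return matches


def build_lnk(relative_path: str, working_dir: str, arguments: str) -> bytes:
    """Constructed test shortcut: Unicode strings, no IDList or LinkInfo."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments))
    return header + body


# Constructed sample whose arguments reference the payload domain; an
# illustration, not a shortcut recovered from the campaign.
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe", r"C:\Users\Public",
                       "/c start http://masherofmasters.cyou/")

if __name__ == "__main__":
    print(parse_lnk_strings(SAMPLE_LNK))
    print(check_lnk(SAMPLE_LNK))
```

For a real hunt, feed `check_lnk` the bytes of every `.lnk` written under user profiles or arriving in mail attachments; the parser deliberately stops after StringData, since the extra data blocks that follow are not needed for this check.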
## Related Tools/Techniques
- **AgentTesla:** Samples labelled AgentTesla by sandboxes carried components bearing the Kraken stub name.
- **MassLogger:** Similar to AgentTesla, observed in sandbox reports associated with Kraken-related hashes.
- **KrakenKeylogger:** The primary malware family under investigation.