Micropsia Malware

Since June 2018, the Radware Threat Research team has monitored an ongoing APT campaign against the Palestinian Authority, featuring an updated version of the Micropsia malware with an advanced surveillance toolkit. The campaign began in March 2017, was first reported by Cisco Talos and Check Point Software Technologies, and has infected hundreds of machines so far.

The latest Micropsia version analyzed in Radware’s research lab is the most sophisticated tool this APT group has used to date. It adds surveillance features such as microphone recording, keylogging and document theft from USB flash drives, and it keeps the older versions’ habit of naming C2 artifacts after well-known TV shows and characters. While the campaign and its victims were selectively targeted, some instances also infected machines in other countries.

Infection Process

The attackers gathered intelligence and used social engineering to select their victims, then sent spear-phishing emails to the addresses of the chosen personas. Each email carried an attachment that looked like a report from a known news agency; opening it downloaded and launched a malicious executable in the background.

Malware Capabilities

Micropsia comes with an impressive arsenal of surveillance features that let it closely track the victim’s activity and control the victim’s operating system. The analyzed binary exposes the following capabilities:

  • Microphone recording
  • Document stealing from connected USB flash drives
  • Screen capturing
  • Keylogging
  • Document stealing from hard drive
  • Scanning all drives – full directory listing without filters
  • Get files by specific path
  • Download and execute an arbitrary executable
  • Update malware executable

Microphone Recording

Microphone recording is an advanced surveillance feature that is rare in commodity malware, though it is far more plausible in a targeted APT operation. Screen capturing and keylogging are on by default, but recording must be enabled by a C&C command, at intervals defined by the operator. Once activated, Micropsia records through the Win32 MCI (Media Control Interface), a generic string-command interface to nearly every kind of multimedia device.

Starting a new recording or stopping a running one is done by calling the Winmm.dll export mciSendString, which drives the multimedia device with text commands. Operators control the recording duration via Delphi timers, which let the malware record periodically. A new recording is started by passing the following command strings to that API.

Stopping the recording and saving it to a file is done the same way, with the following commands.

USB Flash Drives for Document Stealing

When enabled by the operators, the malware registers for the USB volume-insertion event so it can detect newly connected flash drives; the technique is detailed in an older blog post. When the event fires, Micropsia runs the RAR tool to recursively archive files matching a predefined list of extensions (*.xls, *.xlsx, *.csv, *.odt, *.doc, *.docx, *.ppt, *.pptx, *.pdf, *.mdb, *.accdb, *.accde, *.txt).

Screen Capturing and Keylogging

Upon execution, Micropsia takes a screenshot every 90 seconds using the Gdi32 BitBlt API, driven by a Delphi timer that runs indefinitely. Screenshots are saved unencrypted as JPEG files whose name is the current timestamp in Delphi’s yyyy-mm-dd hh-nn-ss format (‘nn’ is minutes in Delphi date masks) with the hardcoded extension .his.

The screen-capture function contains telltale strings which suggest that the code was copied from a snippet posted on the delphimaster.ru forum. The keylogging module also starts automatically, recording every keystroke via the user32 GetKeyState API; when it sees the Ctrl+C combination it also captures the clipboard contents. Its output goes to a log file named with the same timestamp format (yyyy-mm-dd hh-nn-ss) and the extension .slog.

Scan Drive and Fetch Files

Micropsia can perform an on-demand recursive directory listing of every volume on the victim’s machine. It detects volumes by iterating over all drive letters from A to Z and testing whether the root directory exists. Operators can also fetch specific files from the victim’s file system by path.

Storage Management

Most of the capabilities above write their output to the file system for later upload to the C2 server. Each module writes its own format, but, surprisingly, neither compressed nor encrypted. Micropsia’s developers addressed this with an archiver component that runs the WinRAR command-line tool. The malware first looks for an already installed copy of WinRAR on the victim’s machine in a few specific locations.

If WinRAR is not found, Micropsia drops the RAR tool embedded in its PE (Portable Executable) resource section to disk.

An infinite Delphi timer then fires every 15 minutes and creates a RAR archive for each output type using the following command line:

The archives are encrypted with a hardcoded password passed via the -hp switch, which (unlike -p) also encrypts the archive headers, so even the file names inside are hidden without the password. The password is computed during malware initialization as the MD5 of a hardcoded string (‘q5e9lqp’), which may differ from campaign to campaign. The -df switch deletes the source files once they have been added to the archive. The archives are later uploaded to the C2 server and then deleted from disk.

The malware also creates a hidden directory with the hardcoded name “Recovery” under the Common AppData shell folder (C:\ProgramData\Recovery on Windows Vista and later) and stores each component’s output in its own dedicated subfolder there.
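The storage conventions above (timestamped .his/.slog names, the hidden Recovery directory, the MD5-derived -hp password) are enough to triage a mounted victim volume. The script below is an added example written for this page, not Radware’s tooling or anything recovered from the malware: it walks ProgramData/Recovery under a given root, classifies files by the naming scheme described in the text, and derives the candidate archive password. The subfolder names, the archive location inside Recovery and the lowercase-hex rendering of the MD5 digest are assumptions made here; the write-up only says each component gets its own subfolder and that the password is the MD5 of ‘q5e9lqp’.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Artifact conventions reported in the analysis above.
RECOVERY_SUBDIR = Path("ProgramData") / "Recovery"   # hidden dir under Common AppData (Vista+)
HARDCODED_SEED = "q5e9lqp"                           # string fed to MD5; may change per campaign
# Delphi date mask 'yyyy-mm-dd hh-nn-ss' ('nn' is minutes in Delphi), followed by
# .his for screenshots or .slog for keylogger output.
TIMESTAMPED_NAME = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}-\d{2}-\d{2}\.(his|slog)$")


def archive_password(seed=HARDCODED_SEED):
    """Candidate -hp password for the staged RAR archives: MD5 of the hardcoded string.
    The write-up does not say how the digest is rendered, so lowercase hex is an
    assumption here; try the uppercase form as well if an archive will not open."""
    return hashlib.md5(seed.encode("ascii")).hexdigest()


def classify_artifact(name):
    """Map a file name to the Micropsia module that produced it, or None."""
    m = TIMESTAMPED_NAME.match(name)
    if m:
        return {"his": "screenshot", "slog": "keylog"}[m.group(1)]
    if name.lower().endswith(".rar"):
        return "staged archive"
    return None


def scan_volume(root):
    """Walk <root>/ProgramData/Recovery on a mounted image and return
    (path relative to root, artifact kind) for every recognised file."""
    root = Path(root)
    recovery = root / RECOVERY_SUBDIR
    if not recovery.is_dir():
        return []
    hits = []
    for p in sorted(recovery.rglob("*")):
        if p.is_file():
            kind = classify_artifact(p.name)
            if kind:
                hits.append((p.relative_to(root).as_posix(), kind))
    return hits


def build_sample_volume():
    """Constructed stand-in for a mounted victim volume (not real evidence).
    The subfolder names and the archive's location are invented; the text only
    says each component gets its own subfolder under Recovery."""
    root = Path(tempfile.mkdtemp())
    recovery = root / RECOVERY_SUBDIR
    layout = {
        "screens": ["2018-06-11 14-03-27.his", "2018-06-11 14-04-57.his"],
        "keys": ["2018-06-11 14-03-27.slog"],
        "usb": ["notes.txt"],                # a copied document, no timestamped name: not flagged
        "": ["2018-06-11 14-15-00.rar"],     # archive awaiting upload
    }
    for sub, names in layout.items():
        d = recovery / sub if sub else recovery
        d.mkdir(parents=True, exist_ok=True)
        for n in names:
            (d / n).write_bytes(b"x")
    other = root / "ProgramData" / "Other"   # same file name outside Recovery: not reported
    other.mkdir(parents=True)
    (other / "2018-06-11 14-03-27.his").write_bytes(b"x")
    return root


if __name__ == "__main__":
    print("archive password candidate:", archive_password())
    for rel, kind in scan_volume(build_sample_volume()):
        print(f"{kind:15} {rel}")
```

Point `scan_volume` at the mount point of a forensic image (for a live host, `Get-ChildItem -Hidden C:\ProgramData` or `attrib C:\ProgramData\Recovery` confirms the hidden attribute the text describes). Any .rar found should be opened with `archive_password()`; because -hp encrypts headers, a wrong password shows up as a failure to list the archive rather than as garbled content.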

C2 Communication

The C2 servers are hardcoded in the binary and cannot be changed by the operators dynamically, only by shipping an updated executable. The analyzed binary contains three hardcoded HTTPS URLs for C2 communication; none of these addresses appeared in previous versions.

  • https//max-mayfield.com/api/white_walkers/
  • https//young-spencer.com/api/white_walkers/
  • https//192.169.6.59/api/white_walkers/

Beyond the TLS provided by HTTPS, the attackers added no extra layer of encryption. Modern malware tends to encrypt its payloads to evade detection and slow down analysis, so here the traffic can be monitored easily in a lab using a TLS-terminating proxy. The malware sets a hardcoded User-Agent string for all of its communication that mimics Googlebot.

Bot Registration

As noted by the Cisco Talos Intelligence Group, after execution Micropsia registers itself with the C2 server. During bot registration the malware sends a POST request carrying the bot ID (a base64 encoding of the OS hostname and username), the OS version string, the malware version (v4.0.0 in our case) and installed anti-virus information gathered through WMI queries. The C2 server replies with a JSON document that confirms the registration and may instruct the malware to take additional steps. The JSON response contains the following keys:

Supported C2 Commands

Micropsia periodically sends GET requests to /api/white_walkers//requests (note the doubled slash, which is worth matching literally in detection rules). The C2 server replies with JSON whose keys instruct the malware on what to do next.

Not every key name in the JSON response has corresponding logic in the analyzed binary. The supported C2 command names found in the binary, and their meaning, are listed below.

Upload Stolen Information

Every two minutes the malware collects all RAR files of stolen information and uploads them to the C2 server by POST, to a URL that depends on the storage type.
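Three network traits described in this section are easy to turn into detections: the fixed /api/white_walkers/ path, a Googlebot User-Agent leaving the network (Googlebot only ever crawls you; a workstation sending requests with that UA through the egress proxy is an anomaly on its own), and the timer-driven polling and two-minute upload cadence. The script below is an added example written for this page, not Radware’s code, and runs over a constructed proxy log. The log format, the hosts and client addresses, the upload/ sub-path and the 120-second polling interval are assumptions made here; only the /api/white_walkers/ prefix, the //requests endpoint, the Googlebot User-Agent and the two-minute upload period come from the analysis.

```python
import statistics
from collections import defaultdict

# Indicators taken from the analysis above.
C2_PATH_MARKER = "/api/white_walkers/"   # hardcoded C2 URL path
GOOGLEBOT_MARKER = "Googlebot"            # hardcoded, spoofed User-Agent

# Constructed sample egress-proxy log (not real traffic), one request per line:
# epoch_seconds,client_ip,method,host,path,user_agent
# Only the "/api/white_walkers/" prefix and "//requests" come from the analysis;
# the "upload/" sub-path, hosts, IPs and timings are invented for illustration.
GB = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
CH = "Mozilla/5.0 (Windows NT 10.0) Chrome/66.0"
SAMPLE_LOG = f"""\
1528718400,10.0.0.12,GET,max-mayfield.com,/api/white_walkers//requests,{GB}
1528718410,10.0.0.12,GET,example.org,/index.html,{CH}
1528718455,10.0.0.12,GET,example.org,/style.css,{CH}
1528718520,10.0.0.12,GET,max-mayfield.com,/api/white_walkers//requests,{GB}
1528718638,10.0.0.12,GET,max-mayfield.com,/api/white_walkers//requests,{GB}
1528718700,10.0.0.12,POST,max-mayfield.com,/api/white_walkers/upload/,{GB}
1528718761,10.0.0.12,GET,max-mayfield.com,/api/white_walkers//requests,{GB}
1528718820,10.0.0.12,POST,max-mayfield.com,/api/white_walkers/upload/,{GB}
1528718882,10.0.0.12,GET,max-mayfield.com,/api/white_walkers//requests,{GB}
1528718900,10.0.0.12,GET,example.org,/news.html,{CH}
1528718905,10.0.0.7,GET,example.org,/index.html,{CH}
1528718950,10.0.0.7,GET,intranet.example,/healthz,{GB}
"""


def parse_log(text):
    """Split the constructed log into dicts; the UA is the last field and may contain commas."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, ua = line.split(",", 5)
        records.append({"ts": int(ts), "client": client, "method": method,
                        "host": host, "path": path, "ua": ua})
    return records


def c2_path_hits(records):
    """Requests whose URL path carries the hardcoded C2 prefix."""
    return [r for r in records if C2_PATH_MARKER in r["path"]]


def outbound_googlebot_hits(records):
    """Outbound requests claiming to be Googlebot; legitimate Googlebot traffic is inbound only."""
    return [r for r in records if GOOGLEBOT_MARKER in r["ua"]]


def find_beacons(records, min_requests=4, max_cv=0.1):
    """Flag (client, host, method) series whose inter-request gaps are nearly constant,
    which is what a timer-driven poll or upload loop looks like. The coefficient of
    variation threshold tolerates small scheduling jitter."""
    series = defaultdict(list)
    for r in records:
        series[(r["client"], r["host"], r["method"])].append(r["ts"])
    beacons = []
    for key, stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < 2:
            continue
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons.append((key, round(mean, 1)))
    return beacons


def detect(text=SAMPLE_LOG):
    records = parse_log(text)
    return {"c2_path": c2_path_hits(records),
            "outbound_googlebot": outbound_googlebot_hits(records),
            "beacons": find_beacons(records)}


if __name__ == "__main__":
    for name, hits in detect().items():
        print(f"{name}: {hits if name == 'beacons' else len(hits)}")
```

The path and User-Agent rules are exact-match indicators and will break as soon as the operators rebuild the binary; the beacon rule is the durable one, because the timers that drive polling and the two-minute upload loop are visible in timing alone, even after the hostnames and UA change. Since the C2 traffic is plain HTTPS with no inner encryption, a TLS-terminating egress proxy also exposes the JSON command exchange itself.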

Malware Protection

Attacking groups continuously create new malware and mutations with additional capabilities. Radware’s Malware Research Group will keep monitoring and analyzing new threats to provide protection to Radware customers.
