Micropsia Malware


Since June 2018, the Radware Threat Research team has monitored an ongoing APT against the Palestinian authority, featuring an updated version of the Micropsia malware with an advanced surveillance toolkit. This advanced persistent threat began in March 2017 and was reported by Cisco Talos and Check Point Software Technologies, infecting hundreds of machines thus far.

The latest Micropsia malware version analyzed in Radware’s research lab is the most sophisticated tool used by this APT group. It includes advanced surveillance features such as microphone recording, keylogging and document stealing from USB flash drives. It also resembles the old versions’ C2 communication behavior by including references to famous TV shows and characters. While the campaign and victims were selectively targeted, some instances contaminated machines in other countries as well (see below).

Infection Process

The attackers gathered intelligence and used social engineering to select their victims, sending spear-phishing emails to the addresses of selected personas. Each email carried an attachment that looked like a report from a known news agency; opening it downloaded and launched a malicious executable in the background.

Malware Capabilities

Micropsia comes with an impressive arsenal of advanced surveillance features, allowing it to closely track the victim’s activity and control the victim’s operating system. Currently, the following capabilities exist in the analyzed binary:

  • Microphone recording
  • Document stealing from connected USB flash drives
  • Screen capturing
  • Keylogging
  • Document stealing from hard drive
  • Scanning all drives – full directory listing without filters
  • Get files by specific path
  • Download and execute an arbitrary executable
  • Update malware executable

Microphone Recording

The microphone recording capability is considered an advanced surveillance feature and is rare among widespread malware, although it is more likely to appear in targeted APT operations. While the malware’s screen capturing and keylogging capabilities are set to ‘on’ by default, the recording feature requires an activation command from the C&C, at intervals defined by the operator. Once activated, Micropsia begins recording using Win32 MCI (Media Control Interface), which provides a generic interface to nearly every kind of multimedia device.

Initiating a new recording or stopping a running one is accomplished by calling the Winmm.mciSendString API, which controls the multimedia device. Micropsia operators control the recording duration via Delphi timers, which allow the malware to record periodically. A new recording is initiated by executing the above API with the following string commands.

In the same way, stopping the recording and saving it to a file is achieved by executing the following.

USB Flash Drives for Document Stealing

When instructed by its operators, the malware registers for USB volume insertion events in order to detect newly connected USB flash drives. This functionality is detailed in an old blog post. Once an event is triggered, Micropsia executes a RAR tool to recursively archive files matching a predefined list of file extensions (*.xls, *.xlsx, *.csv, *.odt, *.doc, *.docx, *.ppt, *.pptx, *.pdf, *.mdb, *.accdb, *.accde, *.txt).


Screen Capturing and Keylogging

Upon execution, the Micropsia malware takes a screenshot every 90 seconds by calling the Gdi32.BitBlt API. This functionality is implemented by a Delphi timer that runs indefinitely. Screenshots are saved as unencrypted JPEG files whose file name contains the current timestamp (yyyy-mm-dd hh-nn-ss) and the hardcoded extension .his.

The screen capturing function contains telltale strings that lead us to assume this code was copied from a snippet published on the delphimaster.ru forum. The keylogging module also starts automatically, recording every keystroke using the user32.GetKeyState API. It also captures clipboard data when the malware detects the Ctrl+C key combination. This module writes its output to a log file whose name also contains the current timestamp (yyyy-mm-dd hh-nn-ss), with the extension .slog.

Scan Drive and Fetch Files

Micropsia is able to perform an on-demand recursive directory listing of all volume drives available on the victim’s machine. It checks whether a volume drive exists by simply iterating over all possible drive letters (A to Z) and testing whether the corresponding directory exists. Malware operators are also able to fetch specific files from the victim’s file system by path.

Storage Management

Most of the malware capabilities mentioned above write their output to the file system, to be uploaded later to the C2 server. Each module writes its output in a different format, but surprisingly in a non-compressed and non-encrypted fashion. Micropsia’s developers solved this by implementing an archiver component that executes the WinRAR tool. The malware first looks for an already installed WinRAR tool on the victim’s machine, searching in specific locations.

In the event a WinRAR tool is not found, Micropsia drops the RAR tool found in its Windows Portable Executable (PE) resource section to the file system.

Later, driven by another infinite Delphi timer, the malware creates RAR archives for each output type every 15 minutes using the following command line:

RAR archives are encrypted using a hardcoded password (-hp switch) calculated during the malware’s initialization stage as the MD5 of a hardcoded string (‘q5e9lqp’), which may differ in each malware campaign. In addition, the program uses the -df command line switch, which deletes files after they are moved to the archive. The RAR archives are later uploaded to the C2 server and then deleted from the disk.

Next, the malware creates a new hidden directory with a hardcoded name “Recovery” under the Common AppData shell folder (C:\ProgramData\Recovery in Windows Vista and above). This directory is used to store all components’ outputs in a dedicated sub folder for each.
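The archiving behaviour described above (an encrypted RAR archive with delete-after-add, staged under ProgramData\Recovery, covering .his and .slog output) gives a defender several host-level indicators. The following is an added example, not code from the original post or from the malware: it scores constructed process-creation records against those indicators; the record layout, the placeholder password and the sample paths are assumptions.

```python
import re

# Constructed sample process-creation records (hypothetical; not taken from the page or a real host).
# The first two mirror the archiving behaviour described above; the last two are benign RAR use.
EVENTS = [
    {"image": r"C:\ProgramData\Recovery\rar.exe",
     "cmdline": r"rar.exe a -r -hp<md5-placeholder> -df C:\ProgramData\Recovery\scr\1.rar C:\ProgramData\Recovery\scr\*.his"},
    {"image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r"Rar.exe a -hp<md5-placeholder> -df C:\ProgramData\Recovery\key\1.rar *.slog"},
    {"image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r"Rar.exe a C:\Users\alice\Documents\report.rar C:\Users\alice\Documents\*.docx"},
    {"image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r"Rar.exe a -hpSecret -r backup.rar D:\photos"},
]

STAGING_DIR = re.compile(r"\\programdata\\recovery\\", re.IGNORECASE)   # hidden staging directory
STOLEN_EXT = re.compile(r"\.(his|slog)\b", re.IGNORECASE)               # screenshot / keylog output


def score_event(event):
    """Return (score, reasons) for one process-creation record.

    Each indicator is one trait the analysis attributes to Micropsia's archiver.
    RAR switches are matched case-insensitively; -hp carries the password
    directly after the switch, so only its prefix is compared.
    """
    tokens = event["cmdline"].split()
    switches = {t.lower() for t in tokens if t.startswith("-")}
    reasons = []
    if any(s.startswith("-hp") for s in switches) and "-df" in switches:
        reasons.append("encrypted archive with delete-after-add (-hp + -df)")
    if STAGING_DIR.search(event["cmdline"]):
        reasons.append("archive staged under ProgramData\\Recovery")
    if STOLEN_EXT.search(event["cmdline"]):
        reasons.append("archives .his/.slog surveillance output")
    if STAGING_DIR.search(event["image"]):
        reasons.append("RAR binary runs from the staging directory")
    return len(reasons), reasons


def find_suspicious(events, threshold=2):
    """Return (record, reasons) pairs whose indicator count reaches the threshold."""
    return [(e, score_event(e)[1]) for e in events if score_event(e)[0] >= threshold]


if __name__ == "__main__":
    for event, reasons in find_suspicious(EVENTS):
        print(event["cmdline"])
        for reason in reasons:
            print("  -", reason)
```

A single -hp archive is ordinary user behaviour, which is why the benign records score below the threshold; the combination with -df, the staging path and the output extensions is what separates the malware's use of RAR.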


C2 Communication

The malware’s C2 servers are hardcoded in the binary and cannot be changed dynamically by the operators unless the malware’s executable is updated. In our binary, there are three hardcoded HTTPS URLs used for C2 communication. These C2 server addresses were not seen in previous versions.

  • https//max-mayfield.com/api/white_walkers/
  • https//young-spencer.com/api/white_walkers/
  • https//192.169.6.59/api/white_walkers/

Besides the encryption supplied by SSL, the attackers did not add an extra layer of encryption. Modern malware tends to encrypt its data to evade detection and make binary research harder. As a result, the communication can be monitored easily in a research environment using an SSL-terminating proxy. The malware sets a hardcoded User-Agent string for all of its communication that mimics Googlebot.

Bot Registration

As mentioned by the Cisco Talos Intelligence Group, after execution Micropsia registers itself with the C2 server. As part of the bot registration phase, the malware creates a POST request containing the bot ID (base64-encoded, containing the OS hostname and username), the OS version string, the malware version (v4.0.0 in our case) and installed anti-virus information extracted using WMI queries. The C2 server responds with a JSON document that confirms the bot registration and may instruct the malware to take additional steps. The JSON response contains the following keys:

Supported C2 Commands

Micropsia performs periodic GET requests to /api/white_walkers//requests. The C2 server responds with a JSON that contains keys instructing the malware to execute the next steps.

Not all key names that appear in the JSON response have corresponding logic in the analyzed binary. The supported C2 command names and their meaning, as found in the analyzed binary, are listed below.

Upload Stolen Information

Every two minutes the malware collects all RAR files of stolen information and uploads them to the C2 server using the POST method to the relevant URL based on the storage type.
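Because the C2 traffic carries no extra encryption, a Googlebot-style User-Agent from a workstation, the /api/white_walkers/ path and fixed-interval polling are all visible to an SSL-terminating proxy, which is what the C2 Communication and Supported C2 Commands sections describe. The following is an added example, not code from the original post: it runs those three checks over constructed proxy log lines; the log format, the placeholder C2 host name, the exact User-Agent string and the 60-second polling interval are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log lines (hypothetical; not captured from the campaign). The C2 host name,
# the Googlebot-style User-Agent and the polling interval are placeholders modelled on the text.
# Format per line: "<ISO time> <client ip> <method> <url> <user agent>".
LOG = """\
2018-06-01T10:00:00 10.0.0.5 GET https://c2-placeholder.invalid/api/white_walkers//requests Googlebot/2.1 (+http://www.google.com/bot.html)
2018-06-01T10:01:00 10.0.0.5 GET https://c2-placeholder.invalid/api/white_walkers//requests Googlebot/2.1 (+http://www.google.com/bot.html)
2018-06-01T10:02:00 10.0.0.5 GET https://c2-placeholder.invalid/api/white_walkers//requests Googlebot/2.1 (+http://www.google.com/bot.html)
2018-06-01T10:03:00 10.0.0.5 GET https://c2-placeholder.invalid/api/white_walkers//requests Googlebot/2.1 (+http://www.google.com/bot.html)
2018-06-01T10:00:30 10.0.0.7 GET https://news.example/index.html Mozilla/5.0 (Windows NT 10.0) Firefox/60.0
2018-06-01T10:07:12 10.0.0.7 GET https://news.example/story Mozilla/5.0 (Windows NT 10.0) Firefox/60.0
2018-06-01T10:09:45 10.0.0.7 GET https://news.example/other Mozilla/5.0 (Windows NT 10.0) Firefox/60.0
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")


def parse(log_text):
    """Yield (time, client, method, url, user_agent) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            t, client, method, url, ua = m.groups()
            yield datetime.fromisoformat(t), client, method, url, ua


def analyze(log_text, min_hits=3, max_jitter=0.2):
    """Return {client: sorted reasons} for clients showing Micropsia-like C2 traffic."""
    reasons = defaultdict(set)
    series = defaultdict(list)  # (client, host) -> request times, for beacon detection
    for t, client, method, url, ua in parse(log_text):
        if "googlebot" in ua.lower():  # a crawler UA never originates from an internal client
            reasons[client].add("crawler User-Agent (Googlebot) sent by an internal client")
        if "/api/white_walkers/" in urlsplit(url).path:
            reasons[client].add("request to the /api/white_walkers/ C2 path")
        series[(client, urlsplit(url).hostname)].append(t)
    for (client, host), times in series.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Fixed-interval polling: enough requests and little variance between them.
        if len(gaps) >= min_hits - 1 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            reasons[client].add(f"fixed-interval polling of {host} (~{mean(gaps):.0f}s)")
    return {c: sorted(r) for c, r in reasons.items()}


if __name__ == "__main__":
    for client, why in analyze(LOG).items():
        print(client, "->", "; ".join(why))
```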

Malware Protection

Attacking groups continuously create new malware and mutations with additional capabilities. Radware’s Malware Research Group will keep monitoring and analyzing new threats to provide protection to Radware customers.

Read “Five Ways Modern Malware Defeats Your Defenses And What You Can Do About It” to learn more.

