DuckLogs – New Malware Strain Spotted In The Wild

Originally published by Cyble.

Malware-As-A-Service Provides Sophisticated Features To Threat Actors

Cyble Research and Intelligence Labs (CRIL) has been continuously monitoring malware families that are new and active in the wild. Recently, CRIL observed a new malware strain named DuckLogs, which performs multiple malicious activities such as Stealer, Keylogger, Clipper, Remote access, etc. The CRIL also observed multiple active instances of DuckLogs C&C servers in the wild, indicating that the malware is emerging now.

DuckLogs is MaaS (Malware-as-a-Service). It steals users’ sensitive information, such as passwords, cookies, login data, histories, crypto wallet details, etc., and exfiltrates the stolen data from the victim’s machine to its C&C server. The below figure shows the Threat Actors (TAs) advertisement in the cybercrime forum about DuckLogs.

Figure 1 – DuckLogs Stealer Advertisement in CyberCrime Forum

The TA has also claimed in the post that the malware has several features, as mentioned in the figure below.

Figure 2 – DuckLogs features

The TA sells DuckLogs malware with three different plans, as listed below.

Figure 3 – Price details of DuckLogs malware

Web Panel:

The DuckLogs provides a sophisticated web panel that allows TAs to perform several operations, such as building the malware binary, monitoring, and downloading victims’ stolen logs, etc. The login page of the DuckLogs web panel is shown below.

Figure 4 – DuckLogs web panel login page

The image below shows the dashboard page of the DuckLogs web panel, which displays overall global statistics of the victims infected by DuckLogs malware.

Figure 5 – DuckLogs web panel dashboard

The TA can also build the malware binary by customizing the options provided on the Settings page of the web panel, as shown below.

Figure 6 – DuckLogs web panel Settings page

The below image shows the Builder page of the stealer & dropper, allowing the TAs to build the required payload after enabling the necessary features on the Settings page. The dropper builder is an add-on feature in the web panel that builds another binary that acts as a dropper for delivering the customized DuckLogs malware to the users’ machine.

Figure 7 – Web panel Builder page

Technical Analysis

We have taken the sample hash (SHA256), e9bec9d4e28171c1a71acad17b20c32d503afa4f0ccfe5737171854b59344396, for our analysis. It is a 32-bit, .NET executable file named “BkfFB.exe”.

Upon execution of the BkfFB.exe, the Main() function decodes the hardcoded base64 encoded module named “Bunifu.UI.dll,” which is present in the binary and loads it in the memory using Invoke method as shown in Figure 8.

Figure 8 – Parent file loading Bunifu.UI.dll (stage 1 payload)

Stage 1

The new module “Bunifu.UI.dll” is an obfuscated .NET file that further executes the Bunifu_TextBox() function to retrieve the embedded bitmap image “Gmtpo” present in the resource of the parent malware file BkfFB.exe.

The malware uses the steganography technique to hide malicious content in the compressed bitmap image. The successful decompression of the bitmap image retrieves another .NET file in memory which is “MajorRevision.exe”, as shown in Figure 9. The “Bunifu.UI.dll” module now loads “MajorRevision.exe” using the Assembly.Load method passes the decompressed bitmap content as an argument and then invokes it.

Figure 9 – Bunifu.UI.dll loading MajorRevision (Stage 2 payload)

Stage 2

Upon execution of the “MajorRevision.exe” module, it initially converts the larger array of bytes present in the module into HEX values which contains multiple Anti-Analysis, and Anti-Detection checks to prevent the execution of the malware in a controlled environment, as shown below.

Figure 10 – Anti-analysis Strings in the memory of MajorRevision.exe

In the next phase, the malware retrieves the final payload (“DuckLogs.exe”) in memory by converting another larger array of bytes which is also present in the “MajorRevision.exe.”

Finally, it injects the payload by creating a new process with the parent file name (“BkfFB.exe”) using the process hollowing technique shown below.

Figure 11 – Process hollowing to inject the final payload

The below figure shows the file information of the final malware payload, “DuckLogs.exe”. Our static analysis indicates that the malware payload is a 32-bit, .NET compiled executable file protected by Obfuscator(1.0).

Figure 12 – Final payload static details

Final Payload Analysis

The DuckLogs final payload has code to perform malicious activities such as stealer, keylogger, and clipper functionalities. Additionally, the malware has the features such as persistence, UAC bypass, windows defender bypass, disabler, remote access, file grabber, etc.

Persistence And UAC Bypass

Upon execution, the malware creates a copy of itself into the Startup folder to establish persistence. Copying files into the Startup folder enables the TAs to execute the malicious file automatically when users log into infected systems.

The malware also bypasses the UAC (User Access Control) and automatically executes itself using admin privileges. After gaining elevated privileges, the attacker can steal sensitive data, change security settings, install additional malware, etc., on the victim’s system. The figure below shows the functions used by DuckLogs to perform persistence and UAC bypass.

Figure 13 – Functions used for Persistence and UAC Bypass

Windows Defender Bypass

The malware executes the below PowerShell command to disable Windows Defender features in the Victims’ system.

• “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” Uninstall-WindowsFeature -Name Windows-Defender

Stealer

The “Stealer” module steals information such as bookmarks, history, cookies, downloads, and passwords from installed browsers and steals sensitive information from the applications such as email clients, messenger, VPN, etc.

The stealer also targets crypto wallets installed in the victim’s machine and sends all the stolen information to the TA. The figure below shows the functions used by the stealer module.

Figure 14 – Function of Stealer

Clipper

The “Clipper” module hijacks cryptocurrency transactions by swapping the victim’s wallet address with the TA’s wallet address. The malware gets the victim’s clipboard data using the Clipboard.GetText() method, identifies the victim’s cryptocurrency wallet address by matching the regex pattern, and then the clipper replaces it with the TAs wallet address using the Clipboard.SetText() method.

It supports crypto wallets such as BCH (Bitcoin Cash), BTC (Bitcoin), DOGE (Dogecoin), ETH (Ethereum), LTC (Litecoin), XLR (Solaris), XMR (Monero), and XRP (Ripple). The below figure shows the code snippet used to perform the clipper activity.

Figure 15 – Code for Clipper

Keylogger

The “Logger” module monitors and stores the keystrokes in the victim’s machine. The captured keystrokes are saved in the %temp% folder for exfiltration. The below image shows the code snippet used by the malware for keylogging purposes.

Figure 16 – Code for Keylogger

Disablers

The “Disablers” module can disable the features such as Task manager, Run, CMD, and RegEdit on the victim’s machine by using the function shown in the figure below.

Figure 17 – Disablers functions

File Grabber

The “Grabber” module grabs browser-related files such as Bookmark, History, LoginData, LocalState, and Cookies from the victim’s system and sends them to the attacker. The figure below shows the browser names targeted by the File Grabber Module.

Figure 18 – File grabber functions

Remote Control

The TAs can take control of the victim’s machine by using the “Control” module and perform activities such as:

• Transfer and execute other files in the Victims machine.
• Open any URL in the browsers
• Shut down, Restart, Logoff, and Lock the machine.
• Uninstall malware from the system
• Send message
• Perform a DoS (Denial-of-Service)attack
• Show BSOD (Blue Screen Of Death)
• Disable mouse and keyboard inputs etc.

The below figure shows the functions used by the malware for performing remote control activities.

Figure 19 – Code for Remote access control

Command And Control

Finally, the malware exfiltrates all sensitive data from the victims’ machine to its Command and Control (C&C) server ducklogs[.]com. CRIL has also observed the following DuckLogs C&C domains active in the wild:

• hxxps[:]//lovableduck[.]ru
• hxxp[:]//ilovetheducks[.]ru
• hxxp[:]//quackquack[.]ru
• hxxps[:]//smallduck[.]ru

Conclusion

DuckLogs is a unique combination of Stealer, Keylogger, and Clipper malware bundled into one malicious software package available in cybercrime forums for a relatively low price, making this threat dangerous to a wider set of potential victims.

Our Recommendations

• The initial infection may happen via spam email, so enterprises should use email-based security to detect phishing emails. One should also refrain from opening untrusted links and email attachments without verifying their authenticity.
• The compiled DuckLogs binary is packed and protected by multiple layers. Using a reputed antivirus is thus recommended on connected devices, including PCs and laptops. The security software should have the latest security updates to detect new malware families such as DuckLogs.
• DuckLogs is capable of performing Clipper activity. Users should carefully check their wallet addresses before making any cryptocurrency transaction to ensure there is no change when copying and pasting the actual wallet addresses.
• Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
• Block URLs that could spread the malware, e.g., Torrent/Warez.