Recent Keylogger Attributed to North Korean Group Andariel Analyzed Through A Hybrid Analysis Perspective

  • A technical deep dive into the new North Korean keylogger from a Hybrid Analysis perspective
  • The keylogger incorporates junk code to hinder analysis and logs keystrokes and mouse activity, storing the data in a password-protected, encrypted archive
  • The malware has been associated with a North Korean group targeting U.S. organizations

A new keylogger attributed to the North Korean group Andariel (also known as APT45, Silent Chollima, or Onyx Sleet) has recently been disclosed and linked to targeted attacks against U.S. organizations. Using Hybrid Analysis we reveal some of the malware’s capabilities, including its ability to capture sensitive information by logging keystrokes and mouse activity. We then take a deeper look at the keylogger’s anti-analysis techniques, such as obfuscating the code with junk instructions in an effort to hinder analysis.

A Hybrid Analysis Perspective

Right at the top of the Hybrid Analysis report, the “Risk Assessment” section reveals that the malware sets global Windows hooks to intercept keystrokes and mouse events:

Figure 1 – Keylogger sets global hooks to intercept keystrokes and mouse events

Another important finding in the Malicious Indicators section is that the keylogger installs a hook procedure that monitors low-level mouse input events (WH_MOUSE_LL), as highlighted in the figure below.

Figure 2 – API call with the WH_MOUSE_LL parameter

Expanding the “Spyware/Information Retrieval” malicious indicator reveals that a hook procedure monitoring low-level keyboard input events (WH_KEYBOARD_LL) is also installed (Figure 3).

Figure 3 – API call with the WH_KEYBOARD_LL parameter

Moving forward to the Suspicious Indicators section and expanding the “Tries to save executable or command in registry” indicator, we notice the malicious process modifies the “(Default)” value found under the Run registry key in order to achieve persistence on the machine:

Figure 4 – Registry value modification detected by Hybrid Analysis

Expanding the “Found strings related to keylogger” indicator, listed in the Spyware/Information Retrieval category of the Informative Indicators section, reveals multiple strings indicative of keylogger activity:

Figure 5 – Strings related to a potential keylogger were identified

Finally, the Extracted Files section of the Hybrid Analysis report reveals that the malware creates an archive called “DT_0004.tmp” in the “%TEMP%” directory, which is a likely location for the keylogger’s logs:

Figure 6 – A new file is created in the TEMP folder

A Deeper Dive into the Keylogger

Additional manual analysis of the sample reveals an anti-analysis technique used to obscure the program’s execution flow and make the malware harder to analyze: large amounts of junk code are interleaved with the real instructions, as shown in Figure 7.

Figure 7 – Junk code seen in x64dbg

Payload Decryption

The binary stores a custom-encrypted payload at a fixed location, found after a run of 84 NULL bytes, and reads that buffer with the ReadFile function:

Figure 8 – ReadFile API used to read the encrypted payload

The content is decrypted, revealing an executable (see Figure 9). The PE file header is stripped and the remaining content is copied to a newly allocated memory region, so the in-memory image does not start with the usual “MZ”/“PE” signatures a dumping tool looks for.

Figure 9 – New executable is decrypted in memory
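The carve-then-validate step just described, as an added example in Python (it is not the sample’s own routine and not code from the Hybrid Analysis report): locate the data that follows the run of 84 NULL bytes, and check a candidate decryption for a valid PE header before trusting it. The page does not describe the custom cipher, so single-byte XOR stands in for it here; the input file is a constructed stand-in, not bytes from the real sample. The validation function is also why a region dumped after the header has been stripped will not parse as a PE until the header is restored.

```python
import re
import struct

NULL_RUN = 84  # length of the NUL run the payload follows, per the analysis above


def find_payload_offset(data, null_run=NULL_RUN):
    """Offset of the first byte after the first run of at least null_run NULs."""
    m = re.search(rb"\x00{%d,}" % null_run, data)
    if m is None:
        raise ValueError("no run of %d NUL bytes found" % null_run)
    return m.end()


def looks_like_pe(buf):
    """Validate a candidate decryption: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew.
    A region dumped after the malware strips the PE header fails this check."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def xor1(buf, key):
    """Single-byte XOR, used here as a stand-in for the sample's custom cipher."""
    return bytes(b ^ key for b in buf)


def recover_pe(data):
    """Carve the blob after the NUL run and try every single-byte XOR key,
    returning (key, image) for the first candidate that validates as a PE,
    or None. Swap in the real routine and keep the validation."""
    blob = data[find_payload_offset(data):]
    for key in range(256):
        cand = xor1(blob, key)
        if looks_like_pe(cand):
            return key, cand
    return None


# Constructed test input (not from the real sample): a few stub bytes, 90 NULs,
# then a minimal fake PE image (DOS header with e_lfanew = 0x40, PE signature,
# empty file header) XORed with the hypothetical key 0x5A.
FAKE_PE = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\x00\x00" + bytes(20)
SAMPLE_KEY = 0x5A
SAMPLE_FILE = b"stub" + bytes(90) + xor1(FAKE_PE, SAMPLE_KEY)

if __name__ == "__main__":
    key, image = recover_pe(SAMPLE_FILE)
    print("payload at +%d, key 0x%02x, %d-byte image"
          % (find_payload_offset(SAMPLE_FILE), key, len(image)))
```

The search is anchored on the NUL run rather than on a hard-coded file offset because the offset shifts between builds of the same loader, while the padding pattern tends to survive.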

We used PE-sieve to dump the decrypted executable. Execution is then redirected into the newly decrypted code by the CALL instruction shown below, whose target address (read from RSP+60) points to an executable address inside the decrypted payload range.

Figure 10 – Redirect the execution flow to the decrypted payload

The SetErrorMode API is called to suppress the error message boxes Windows would otherwise display when certain errors occur, so a failing access or a crash leaves no visible dialog (0x8007 = SEM_FAILCRITICALERRORS (0x0001) | SEM_NOGPFAULTERRORBOX (0x0002) | SEM_NOALIGNMENTFAULTEXCEPT (0x0004) | SEM_NOOPENFILEERRORBOX (0x8000)):

Figure 11 – SetErrorMode API call

Persistence

As part of its persistence mechanism, the process opens the “Software\Microsoft\Windows\CurrentVersion\Run” registry key by calling RegCreateKeyExW, which opens the key if it already exists and creates it otherwise:

Figure 12 – RegCreateKeyExW API call

It then writes the key’s “(Default)” value using the RegSetValueExW function to establish persistence on the machine. Note that the payload is placed in the unnamed default value rather than in a named value, which is the entry most autorun tooling and analysts look at first.

Figure 13 – Persistence is achieved by modifying the registry value
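A check for the persistence pattern just described, as an added example that is not code from the Hybrid Analysis report: scan a .reg export of the Run keys (for example the output of reg export on HKCU\Software\Microsoft\Windows\CurrentVersion\Run) for a populated (Default) value, which in .reg syntax is written as @=... rather than "name"=.... Working from an export keeps the check offline and usable on a triage image. The export text below is constructed, including the hypothetical command path; the key and the (Default) value name come from the analysis above.

```python
import re

# Any Run / RunOnce key, under HKCU, HKLM or a Wow6432Node branch.
RUN_KEY_RE = re.compile(r"^\[(?P<key>.*\\CurrentVersion\\(?:Run|RunOnce))\]\s*$",
                        re.IGNORECASE)
# A value line: either @ (the (Default) value) or a quoted name, then '='.
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')


def _unescape(s):
    """Undo .reg string escaping (backslashes and quotes are doubled/escaped)."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def run_key_entries(reg_text):
    """Yield (key, value_name, data) for every value under a Run/RunOnce key.
    The (Default) value appears as '@=' in .reg syntax."""
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = RUN_KEY_RE.match(line)
            key = m.group("key") if m else None  # leave non-Run keys out
            continue
        if key is None or not line:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue  # continuation lines of hex values etc.
        name = "(Default)" if m.group("name") == "@" else _unescape(m.group("name")[1:-1])
        data = m.group("data")
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        yield key, name, data


def find_default_value_persistence(reg_text):
    """Return (key, command) for every Run key whose (Default) value is set,
    the pattern described above; named values are reported by run_key_entries."""
    return [(k, d) for k, n, d in run_key_entries(reg_text) if n == "(Default)" and d]


# Constructed .reg export (hypothetical paths; not from the real sample).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
@="C:\\Users\\victim\\AppData\\Local\\Temp\\example.exe"
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
@=""
'''

if __name__ == "__main__":
    for key, cmd in find_default_value_persistence(SAMPLE_REG):
        print("Run key with (Default) value set:", key, "->", cmd)
```

On a live host the same condition can be read directly with PowerShell, (Get-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\Run).GetValue(''), which returns the default value; the .reg form is what you usually have from a collected image.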

Keylogging Installation

The binary installs two hook procedures that monitor low-level keyboard and mouse input events, as in the following pseudocode (line numbers are kept because the description below refers to them):

// Keyboard hooking
1. HHOOK KeyboardHook = SetWindowsHookExW(WH_KEYBOARD_LL, HookProcedure, NULL, 0);
2. MSG Msg;
3. while (GetMessageW(&Msg, NULL, 0, 0) > 0) { /* message pump; the hook procedure runs from inside this loop */ }

At line 1, the sample calls the SetWindowsHookExW API with the following parameters:

  • RCX: WH_KEYBOARD_LL (0xD), to monitor low-level keyboard input events
  • RDX: the pointer to the hook procedure (described below in “Keylogging Routine”)
  • R8: NULL, since the hook procedure lives in the code of the current process
  • R9: 0 (NULL), so the hook applies to all existing threads running on the same desktop as the calling thread

At line 3, the binary uses the GetMessageW API to retrieve messages from the calling thread’s message queue into the MSG structure passed as the first parameter (RCX: &Msg). The remaining parameters are NULL/0, so messages for any window belonging to the current thread, as well as thread messages, are retrieved. This loop is essential: a low-level hook is called in the context of the thread that installed it, by a message sent to that thread, so without a message pump the hook procedure would never run.

The installation of the hook procedure for mouse input events is very similar, with the first parameter being WH_MOUSE_LL (0xE).

Interestingly, a similar implementation of the keylogger mechanisms can also be found on GitHub.

A separate thread creates a file called “DT_0004.tmp” in the temporary folder. The file is a password-protected archive containing a single file, “a04.log”; the password is “Pass@w0rd#384”.

Figure 14 – A new file is created and will store the keylogger logs

In that thread, the sample first retrieves the current local date and time with the GetLocalTime API, to record when the keylogger started, and converts the result to FILETIME format with SystemTimeToFileTime. The timestamp is written to the log file before any new keystrokes or mouse events.

Figure 15 – Local date and time will be written to the file when new events occur

The malware writes the archive one byte at a time. The first two bytes written are “PK”, the start of the ZIP local file header signature, which confirms the file is a ZIP archive:

Figure 16 – New file is populated
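The archive handling described in the last three paragraphs (a password-protected archive in %TEMP% holding a04.log, written starting with the “PK” signature), as an added example in Python; this is not code from the Hybrid Analysis report or from the sample. The real DT_0004.tmp is not reproduced on the page, so the block constructs a stand-in with the same properties: a STORED entry named a04.log, protected with the reported password Pass@w0rd#384, whose log text is invented. It assumes the protection is traditional ZipCrypto (the page says only “password-protected, encrypted”; an AES-protected ZIP would need 7-Zip or pyzipper instead). It then does what an analyst would do with a recovered copy: read the local file header by hand to confirm the encryption flag, and extract with the known password, reporting a wrong password rather than crashing.

```python
import struct
import zipfile
import zlib
from io import BytesIO

PASSWORD = b"Pass@w0rd#384"  # password reported in the analysis above
LOG_NAME = "a04.log"         # entry name reported in the analysis above

# ZipCrypto (traditional PKWARE) CRC table, as used by the key schedule.
_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


class ZipCryptoEncrypter:
    """Three-key ZipCrypto stream; the scheme zipfile decrypts when pwd= is given.
    Only needed to build the stand-in archive (Python cannot write encrypted ZIPs)."""

    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    @staticmethod
    def _crc(crc, b):
        return (crc >> 8) ^ _CRC_TABLE[(crc ^ b) & 0xFF]

    def _update(self, b):
        self.k0 = self._crc(self.k0, b)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = self._crc(self.k2, self.k1 >> 24)

    def encrypt(self, plain):
        out = bytearray()
        for p in plain:
            t = self.k2 | 2
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # the key state advances on the plaintext byte
        return bytes(out)


def build_encrypted_zip(name, data, password):
    """Single-entry STORED ZIP with a ZipCrypto-protected entry."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 filler bytes plus a check byte (CRC high
    # byte) that lets a reader reject a wrong password before decrypting data.
    body = ZipCryptoEncrypter(password).encrypt(bytes(11) + bytes([crc >> 24]) + data)
    fname = name.encode("ascii")
    flags = 0x0001  # general purpose bit 0: entry is encrypted
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                        crc, len(body), len(data), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0,
                          crc, len(body), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local) + len(body), 0)
    return local + body + central + eocd


def inspect_local_header(blob):
    """Parse the first local file header by hand: the 'PK' bytes the sample
    writes first, and the flag word that says whether the entry is encrypted."""
    if blob[:2] != b"PK":
        raise ValueError("not a PK archive")
    (sig, _ver, flags, method, _t, _d, crc, csize, usize, nlen,
     _xlen) = struct.unpack_from("<IHHHHHIIIHH", blob, 0)
    if sig != 0x04034B50:
        raise ValueError("not a ZIP local file header")
    return {"name": blob[30:30 + nlen].decode("cp437"), "encrypted": bool(flags & 0x1),
            "stored": method == 0, "compressed_size": csize,
            "uncompressed_size": usize, "crc32": crc}


def extract_with_password(blob, password):
    """Return {entry name: plaintext}, or None when the password is wrong."""
    try:
        with zipfile.ZipFile(BytesIO(blob)) as zf:
            return {i.filename: zf.read(i.filename, pwd=password) for i in zf.infolist()}
    except (RuntimeError, zipfile.BadZipFile):
        return None


# Constructed stand-in for a recovered DT_0004.tmp; the log text is invented,
# the real layout is only visible in Figure 24 of the report.
SAMPLE_LOG = b"[Untitled - Notepad]\r\nhello[Lm] world[Rm]\r\n"
SAMPLE_ARCHIVE = build_encrypted_zip(LOG_NAME, SAMPLE_LOG, PASSWORD)

if __name__ == "__main__":
    print(inspect_local_header(SAMPLE_ARCHIVE))
    print(extract_with_password(SAMPLE_ARCHIVE, PASSWORD))
```

Note that the compressed size in the header is 12 bytes larger than the log itself; that difference, together with general purpose bit 0, is a quick way to recognise a ZipCrypto-protected entry in a hex dump of a partially written archive.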

Keylogging Routine

When a new keystroke or mouse event arrives (see Figure 17), the hook procedure (the one passed as the second parameter of SetWindowsHookEx) retrieves the title of the foreground window, which lets the log attribute each event to the application that had focus:

Figure 17 – Foreground window’s title is obtained using multiple APIs

The virtual-key code corresponding to keyboard keys or mouse buttons is compared with multiple values, as highlighted below:

Figure 18 – Virtual-key codes are compared with specific values

A partial list of virtual-key codes corresponding to special keys is displayed in the figure below.

Figure 19 – Special keys are recorded by the keylogger

The malicious process obtains the active input locale identifier (the keyboard layout handle) by calling the GetKeyboardLayout API:

Figure 20 – GetKeyboardLayout API call

ToUnicode is then used to translate the virtual-key code and the current keyboard state into the corresponding Unicode character for that layout. For example, virtual-key code 0x50 is translated to the “P” character:

Figure 21 – Virtual-key codes translation

When the hook routine finishes, it passes the hook information to the next procedure in the hook chain using CallNextHookEx (Figure 22). Returning the result of that call rather than a non-zero value keeps the input flowing to the application, so the victim notices nothing.

Figure 22 – Pass the hook information to the next hook procedure

The keylogger also steals data from the clipboard, using the OpenClipboard and GetClipboardData APIs:

Figure 23 – OpenClipboard and GetClipboardData API calls

An example log file is shown below. The strings “[Lm]” and “[Rm]” are recorded when the left and right mouse buttons are pressed, respectively.

Figure 24 – Example of a log file created by the keylogger

Through the Eyes of Hybrid Analysis

Hybrid Analysis identified the API calls used to install the hook procedures and the strings indicative of keylogger activity, presenting that information in a rich, detailed, and structured report. The keylogger’s persistence mechanism and the file created to store its logs are both revealed in the report, enabling threat hunters, analysts and researchers to quickly assess the impact and capabilities of the threat.

Hybrid Analysis is an ideal platform for identifying and analyzing malware, both sophisticated and mundane. It provides detailed context and information that can be investigated further during dynamic analysis of the malware. To perform a more in-depth analysis of malware samples, you can download them by registering for a Hybrid Analysis account and becoming a vetted user.

Indicators of Compromise

SHA-256

d71f478b1d5b8e489f5daafda99ad203de356095278c216a421694517826b79a

File created

%TEMP%\DT_0004.tmp

Originally published by hybrid-analysis: Recent Keylogger Attributed to North Korean Group Andariel Analyzed Through A Hybrid Analysis Perspective