Malware-as-a-Service Provides Sophisticated Features To Threat Actors
Cyble Research and Intelligence Labs (CRIL) continuously monitors malware families that are new and active in the wild. Recently, CRIL observed a new malware strain named DuckLogs, which performs multiple malicious activities, including information stealing, keylogging, clipboard hijacking (clipping), and remote access. CRIL also observed multiple active DuckLogs C&C servers in the wild, indicating that the malware is currently emerging.
DuckLogs is a MaaS (Malware-as-a-Service) offering. It steals users’ sensitive information, such as passwords, cookies, login data, browsing histories, and crypto wallet details, and exfiltrates the stolen data from the victim’s machine to its C&C server. The figure below shows the Threat Actors’ (TAs’) advertisement for DuckLogs on a cybercrime forum.
The TA also claims in the post that the malware has several features, as shown in the figure below.
The TA sells DuckLogs malware with three different plans, as listed below.
DuckLogs provides a sophisticated web panel that allows TAs to perform several operations, such as building the malware binary, monitoring victims, and downloading victims’ stolen logs. The login page of the DuckLogs web panel is shown below.
The image below shows the dashboard page of the DuckLogs web panel, which displays overall global statistics of the victims infected by DuckLogs malware.
The TA can also build the malware binary by customizing the options provided on the Settings page of the web panel, as shown below.
The image below shows the Builder page for the stealer and dropper, which allows TAs to build the required payload after enabling the necessary features on the Settings page. The dropper builder is an add-on feature of the web panel that builds a separate binary acting as a dropper, which delivers the customized DuckLogs malware to the victim’s machine.
For our analysis, we took the sample with SHA256 hash e9bec9d4e28171c1a71acad17b20c32d503afa4f0ccfe5737171854b59344396, a 32-bit .NET executable named “BkfFB.exe”.
Upon execution of BkfFB.exe, the Main() function decodes a hardcoded base64-encoded module named “Bunifu.UI.dll” that is embedded in the binary, loads it into memory, and runs it via the Invoke method, as shown in Figure 8.
The new module, “Bunifu.UI.dll”, is an obfuscated .NET file that executes the Bunifu_TextBox() function to retrieve the bitmap image “Gmtpo” embedded in the resources of the parent malware file, BkfFB.exe.
The malware uses steganography to hide malicious content inside the compressed bitmap image. Decompressing the bitmap yields another .NET file in memory, “MajorRevision.exe”, as shown in Figure 9. The “Bunifu.UI.dll” module then loads “MajorRevision.exe” by passing the decompressed bitmap content to the Assembly.Load method and invokes it.
Upon execution, the “MajorRevision.exe” module first converts a large byte array present in the module into hex values; the resulting code contains multiple anti-analysis and anti-detection checks intended to prevent the malware from running in a controlled environment, as shown below.
In the next phase, the malware retrieves the final payload (“DuckLogs.exe”) in memory by converting another large byte array that is also present in “MajorRevision.exe”.
Finally, it injects the payload into a new process created with the parent file’s name (“BkfFB.exe”) using the process hollowing technique, as shown below.
The figure below shows the file information of the final malware payload, “DuckLogs.exe”. Our static analysis indicates that the payload is a 32-bit .NET executable protected by Obfuscator (1.0).
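As an added example (not code from the CRIL write-up or from the malware), the following Python triage helper shows how an analyst can carve the kind of compressed, embedded PE that the bitmap-resource stage above hides: it scans a blob for zlib stream headers, decompresses each candidate, and keeps those that decompress to an MZ/PE image. It assumes zlib compression and uses a constructed stand-in bitmap; the page does not state which compression DuckLogs actually uses.

```python
import struct
import zlib

def _build_fake_pe():
    """Constructed stand-in for an embedded .NET payload: an MZ header whose
    e_lfanew field points at a PE signature, followed by padding."""
    e_lfanew = 0x80
    hdr = bytearray(b"MZ" + b"\x00" * (0x3C - 2))
    hdr += struct.pack("<I", e_lfanew)            # e_lfanew lives at offset 0x3C
    hdr += b"\x00" * (e_lfanew - len(hdr))
    hdr += b"PE\x00\x00" + b"\x00" * 0x100
    return bytes(hdr)

# Constructed carrier: a bitmap-like blob ("BM" header, pixel filler) with the
# zlib-compressed stand-in payload appended. It stands in for the "Gmtpo" resource;
# the page does not state which compression DuckLogs really uses (zlib assumed).
CONSTRUCTED_BITMAP = (b"BM" + b"\x00" * 52 + b"\xff" * 300
                      + zlib.compress(_build_fake_pe()) + b"\x00" * 64)

def looks_like_pe(buf):
    """True if buf starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def carve_compressed_pe(data):
    """Return (offset, payload) pairs for every zlib stream in data that
    decompresses to a PE image."""
    found = []
    for off in range(len(data) - 1):
        # zlib header check: CMF 0x78 and (CMF << 8 | FLG) divisible by 31
        if data[off] != 0x78 or ((0x78 << 8) | data[off + 1]) % 31:
            continue
        try:
            out = zlib.decompressobj().decompress(data[off:])  # trailing bytes ignored
        except zlib.error:
            continue
        if looks_like_pe(out):
            found.append((off, out))
    return found

if __name__ == "__main__":
    for off, pe in carve_compressed_pe(CONSTRUCTED_BITMAP):
        print(f"embedded PE at offset {off:#x}, {len(pe)} bytes after decompression")
```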
Final Payload Analysis
The DuckLogs final payload contains code for stealer, keylogger, and clipper functionality. Additionally, the malware has features such as persistence, UAC bypass, Windows Defender bypass, disablers, remote access, and a file grabber.
Persistence and UAC Bypass
Upon execution, the malware creates a copy of itself in the Startup folder to establish persistence. Copying files into the Startup folder enables the TAs to execute the malicious file automatically whenever users log into infected systems.
The malware also bypasses UAC (User Account Control) and automatically re-executes itself with admin privileges. After gaining elevated privileges, the attacker can steal sensitive data, change security settings, install additional malware, etc., on the victim’s system. The figure below shows the functions used by DuckLogs to perform persistence and UAC bypass.
Windows Defender Bypass
The malware executes the PowerShell command below to disable Windows Defender features on the victim’s system.
- “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” Uninstall-WindowsFeature -Name Windows-Defender
The “Stealer” module steals information such as bookmarks, history, cookies, downloads, and passwords from installed browsers, as well as sensitive information from applications such as email clients, messengers, and VPN clients.
The stealer also targets crypto wallets installed in the victim’s machine and sends all the stolen information to the TA. The figure below shows the functions used by the stealer module.
The “Clipper” module hijacks cryptocurrency transactions by swapping the victim’s wallet address with the TA’s wallet address. The malware reads the victim’s clipboard data using the Clipboard.GetText() method, identifies a cryptocurrency wallet address by matching a regex pattern, and then replaces it with the TA’s wallet address using the Clipboard.SetText() method.
It supports crypto wallets such as BCH (Bitcoin Cash), BTC (Bitcoin), DOGE (Dogecoin), ETH (Ethereum), LTC (Litecoin), XLR (Solaris), XMR (Monero), and XRP (Ripple). The below figure shows the code snippet used to perform the clipper activity.
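As an added example that is not part of the original write-up, the following Python snippet shows the defensive counterpart of the clipper logic described above: it classifies clipboard text by wallet-address shape for the listed coins and flags a paste whose address differs from the address most recently copied. The address patterns are approximate format checks (XLR is omitted because its format is not given on the page) and the clipboard events are constructed.

```python
import re

# Approximate address-shape checks (prefix and length only, no checksum validation)
# for the coins the page lists as clipper targets. XLR (Solaris) is omitted because
# its address format is not given on the page.
WALLET_PATTERNS = {
    "BTC":  re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "BCH":  re.compile(r"^(?:bitcoincash:)?[qp][a-z0-9]{41}$"),
    "ETH":  re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "LTC":  re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{39,59})$"),
    "DOGE": re.compile(r"^D[5-9A-HJ-NP-U][a-km-zA-HJ-NP-Z1-9]{32}$"),
    "XMR":  re.compile(r"^4[0-9AB][a-km-zA-HJ-NP-Z1-9]{93}$"),
    "XRP":  re.compile(r"^r[a-km-zA-HJ-NP-Z1-9]{24,34}$"),
}

def classify_wallet(text):
    """Return the set of coin tickers whose address shape matches text (empty if none)."""
    s = text.strip()
    return {coin for coin, rx in WALLET_PATTERNS.items() if rx.match(s)}

def detect_clipper_swap(copied, pasted):
    """Return a finding dict when a wallet-shaped string that was copied comes back
    as a different wallet-shaped string on paste, otherwise None."""
    src, dst = classify_wallet(copied), classify_wallet(pasted)
    if not src or not dst or copied.strip() == pasted.strip():
        return None
    return {"coin": sorted(src & dst) or sorted(dst),
            "copied": copied.strip(), "pasted": pasted.strip()}

# Constructed clipboard event log: (action, text) pairs as a clipboard monitor might record them.
CONSTRUCTED_EVENTS = [
    ("copy",  "0x1111111111111111111111111111111111111111"),
    ("paste", "0x1111111111111111111111111111111111111111"),  # benign: unchanged
    ("copy",  "0x2222222222222222222222222222222222222222"),
    ("paste", "0x3333333333333333333333333333333333333333"),  # address replaced in flight
    ("copy",  "meeting at 10:00"),
    ("paste", "meeting at 10:00"),                            # not a wallet, ignored
]

def audit_clipboard_log(events):
    """Pair every paste with the most recent copy and collect clipper-style swaps."""
    findings, last_copy = [], None
    for action, text in events:
        if action == "copy":
            last_copy = text
        elif action == "paste" and last_copy is not None:
            hit = detect_clipper_swap(last_copy, text)
            if hit:
                findings.append(hit)
    return findings

if __name__ == "__main__":
    for f in audit_clipboard_log(CONSTRUCTED_EVENTS):
        print(f"possible clipper swap ({','.join(f['coin'])}): {f['copied']} -> {f['pasted']}")
```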
The “Logger” module monitors and stores the keystrokes in the victim’s machine. The captured keystrokes are saved in the %temp% folder for exfiltration. The below image shows the code snippet used by the malware for keylogging purposes.
The “Disablers” module can disable features such as Task Manager, Run, CMD, and RegEdit on the victim’s machine using the function shown in the figure below.
The “Grabber” module grabs browser-related files such as Bookmark, History, LoginData, LocalState, and Cookies from the victim’s system and sends them to the attacker. The figure below shows the browser names targeted by the File Grabber Module.
The TAs can take control of the victim’s machine by using the “Control” module and perform activities such as:
- Transfer and execute other files on the victim’s machine
- Open any URL in the browser
- Shut down, restart, log off, and lock the machine
- Uninstall the malware from the system
- Send a message
- Perform a DoS (Denial-of-Service) attack
- Show a BSOD (Blue Screen of Death)
- Disable mouse and keyboard input, etc.
The below figure shows the functions used by the malware for performing remote control activities.
Command and Control
Finally, the malware exfiltrates all sensitive data from the victim’s machine to its Command and Control (C&C) server, ducklogs[.]com. CRIL has also observed other DuckLogs C&C domains active in the wild; they are listed in the Indicators of Compromise table below.
DuckLogs is a unique combination of Stealer, Keylogger, and Clipper malware bundled into one malicious software package available in cybercrime forums for a relatively low price, making this threat dangerous to a wider set of potential victims.
Cyble Research and Intelligence Labs will continue monitoring the new malware strains in the wild and update blogs with actionable intelligence to protect users from such notorious attacks.
- The initial infection may happen via spam email, so enterprises should use email-based security to detect phishing emails. One should also refrain from opening untrusted links and email attachments without verifying their authenticity.
- The compiled DuckLogs binary is packed and protected by multiple layers. Using a reputable antivirus product is therefore recommended on connected devices, including PCs and laptops. The security software should have the latest security updates to detect new malware families such as DuckLogs.
- DuckLogs is capable of performing Clipper activity. Users should carefully check their wallet addresses before making any cryptocurrency transaction to ensure there is no change when copying and pasting the actual wallet addresses.
- Educate employees on protecting themselves from threats such as phishing and untrusted URLs.
- Block URLs that could spread the malware, e.g., Torrent/Warez.
MITRE ATT&CK® Techniques
|Tactic|Technique ID|Technique Name|
|---|---|---|
|Execution||User Execution|
|Execution||PowerShell|
|Execution||Windows Management Instrumentation|
|Persistence|T1547|Registry Run Keys / Startup Folder|
|Privilege Escalation|T1055|Process Injection|
|Defense Evasion|T1562|Disable or Modify Tools|
|Defense Evasion||Virtualization/Sandbox Evasion|
|Discovery||Process Discovery|
|Discovery||System Information Discovery|
|Discovery||Security Software Discovery|
|Command and Control|T1071|Application Layer Protocol|
|Command and Control||Ingress Tool Transfer|
Indicators of Compromise (IOCs)
|Indicator|Indicator Type|Description|
|---|---|---|
|e9bec9d4e28171c1a71acad17b20c32d503afa4f0ccfe5737171854b59344396|SHA256|BkfFB.exe (Main file)|
|lovableduck[.]ru|Domain|Similar C&C|
|ilovetheducks[.]ru|Domain|Similar C&C|
|quackquack[.]ru|Domain|Similar C&C|
|smallduck[.]ru|Domain|Similar C&C|