Attackers Use Keyloggers, Email to Steal Data in “NightHunter” Attacks

Researchers have been monitoring the activities of a cybercriminal group that has been harvesting login credentials from the computers of various organizations across the world.

According to security firm Cyphort, which has dubbed the campaign “NightHunter” because of the stealthy methods used to exfiltrate data, the operation has been active since 2009, but it wasn’t detected until recently.

The attackers have been stealing Google, Yahoo, Facebook, Skype, Dropbox, Amazon, Yahoo, Hotmail, LinkedIn, Rediff and banking credentials from a wide range of organizations, including in sectors like energy, health, insurance, education and even charities, Cyphort said.

The security firm has not been able to determine what the attackers are doing with the stolen information, but believes that they could be using it to prepare for targeted attacks, including extortion, espionage or bank fraud.

The cybercriminals distribute the malware they’re using with the aid of phishing emails that appear to be related to purchase orders, payments, jobs and inquiries. The malicious notifications are usually sent to the finance, sales and human resources departments of trading companies, broadcasters, insurance firms, auditors, retailers, educational institutions, charities, hospitals, import/export companies and organizations in the oil industry, Cyphort said.

Cyphort told SecurityWeek that victims have been spotted in various countries, including the United States, Saudi Arabia, the United Kingdom, India and Malaysia.

The phishing emails contain an archive file that in most cases hides a keylogger.  Several such threats have been identified in this campaign, including Limitless Logger Lite, Predator Pain, Spyrex, Aux Logger,  Neptune, Mr. Clyde Logger, Ultimate Logger, Syslogger and Syndicate Logger.

Once installed on a system, keyloggers enable the attackers to steal data from Web browsers, FTP applications, games, instant messaging apps, password managers, email clients and even Bitcoin programs. Additional threats include features like obfuscation, extension spoofing, screenshot capturing, website blocking, self-removal, fake error messages, file downloaders, application disabling and Web browser data removal.

Furthermore, the malware enables users to upload information via FTP, PHP or email. The cybercriminals first used PHP, but according to Cyphort, they’ve moved to email, as using the Simple Mail Transfer Protocol (SMTP) to exfiltrate data from infected computers is stealthier than using command and control (C&C) systems because such traffic is often overlooked by security systems, researchers said.

A large number of email servers have been used to upload stolen data, but the most popular appears to be Google’s Gmail.

 

“The reason for larger number of samples using Gmail is probably (or likely) due to the popularity of Gmail and because most security products somehow ‘whitelist’ Google/Gmail traffic/activity making it easy to hide this email in the volume of emails sent out to Gmail,” Cyphort researcher McEnroe Navaraj wrote in a blog post. “Another possible reason is that Gmail imposes a lot of restrictions, such as how many emails a particular account can send on a particular day requiring actors to keep sending new malware with new accounts.”

“NightHunter is one the more unique campaigns we have researched at Cyphort due to the footprint and complex data collection models it exhibits, furthermore the use of low-signal evasion it is leveraging such as webmail for data exfiltration points to much larger end-goal,” Navaraj explaiend. “This points to the shifting ‘Tradecraft’ being adopted by actors leveraging BigData models to mine more interesting and strategically suitable data, whether it being for direct and targeted attacks or providing highly actionable content to other actors for economic benefits.”