Skip to main content

Credential Stealers

Malware trying to steal credentials

  • MFA makes them less useful (but still exploitable)
  • Also other things that can act as a credential
  • Particularly for cloud/web based services
  • Often done by storing a session identifier in a cookie. Cookies are key-value pairs stored in your browser
  • Can steal the file, and then impersonate the user

Three general approaches

  1. Programs that wait for a user to login
  2. Programs that dump information stored in Windows
  3. Programs that log keystrokes

Keyloggers

  • Intercepting Windows login or hash duping will provide details of the username and password to log into the computer
  • Potentially other computers on the network
  • Will not provide details of logins for other resources
  • Keylogging will capture all keys pressed
  • This will capture any password typed into the system (and a lot more)
  • Need to find the passwords
  • Can be implemented in both kernel and user space
  • Kernel-based keyloggers are difficult to detect with user-mode applications

User-Space Keyloggers

Windows API provides two ways to implement in user-space

  • Hooking - get Windows to notify the malware every time a key is pressed
  • Polling - Malware interrogates windows to see if a specific key is pressed

Hooking Keyloggers

  • Typically make use of SetWindowsHookEx() - Allows you to monitor for various events
  • Typically will include a .exe which will initiate the hook function
  • .dll to handle the logging
  • Injected into other processes on the system

Implementing

  • Create a DLL that exports a KeyboardProc or LowLevelKeyboardProc call-back function
  • Should call CallNextHookEx() to ensure that the program still works as expected
  • Load the library with LoadLibraryA()
  • Get the address of the function (GetProcAddress())
  • Call SetWindowsHookEx() to hook the function in
  • A dwThreadID of zero will hook into all threads on the current desktop

Implementing a polling keylogger

  • Polling keyloggers are conceptually much simpler
  • Make use of the GetAsyncKeyState() API function
  • Can also tell you if key was pressed last time GetAsyncKeyState() was called
  • Tests whether a specific key is pressed
  • Can iterate through every key on the keyboard to test all of them to find which are pressed
  • Check the state of Shift/Caps lock as well
  • Test each key on keyboard to see if pressed, sleep for a bit, repeat

Identifying Keyloggers

  • Polling keyloggers will often leave tell-tale signs in the strings of the program
  • If the malware wants to log all keys, then it will need to have names for keys
  • Follow the strings back to the code that implements it

Windows Login

  • Allows you to extend the login mechanism
  • In XP done by Graphical Identification and Authentication (GINA)
  • Later uses Credential Providers
  • Possible to use these to install credential stealers by pretending to be a provider

Gina Interception

  • fsgina.dll exports the same function that msgina.dll exported
  • Most functions get called directly, apart from WlxLoggedOutSAS() - password would be copied

Hash Dumping

  • Aim to copy the password hashes off the system
  • Often get the equivalent
  • Source code for several tools available, often used by malware authors
  • Recognised by antivirus software