London: 020 0200 8142

Shakti Trojan – latest malware revealed

New Trojan found – Shakti modifies Windows settings to steal files

Perspective Risk’s Cyber Security expert Sasha Raljic explores Shakti – a Trojan threat, in this blog post.

Shakti is a data exfiltration Trojan. It emerged a few days ago when it was sent to Bleepingcomputer.com by one of their readers. On closer inspection, it was discovered that this type of Trojan searches for particular file types on the victim’s computer and uploads them to a central server.

Trojan Horse

There are many indications that this Trojan was developed for industrial espionage; however, according to Malwarebytes (who performed deep technical analysis on Shakti), it is not sophisticated enough to be state sponsored. Instead, it seems to be developed by either an individual or a group of people who understand the basic concepts of malware development.

This article aims to provide a high-level overview of the malicious file and the actions it takes to remain invisible while harvesting potentially sensitive data and sending them to a command & control server.

Malware Infection and Persistence

Upon initial infection, the malware will configure itself to start automatically, by modifying Windows settings to allow such actions to take place. It will either install itself as a Windows service or by adding a special registry key that enables auto run every time an infected computer starts.

In order to disguise itself, it injects itself into a running process. The technical analysis shows that it tends to inject itself into one of the browser processes, such as Firefox or Google Chrome, thus remaining undetected from a windows process list.

One interesting behavior is that it does not attempt to move the original files to a new location, instead the original executable is left in its default location. This further indicates that the malware is either unsophisticated or was released prematurely.

Malware Network activity

Once the initial stage has been completed, the malicious executable begins basic operating system detection. This information is then transmitted to the command & control server (C&C) alongside the list of installed programs on the infected operating system.

The C&C server resolves to web4solution.net. This address did host a website which it was loading using an Iframe, making it appear like a trusted website; however, at the time of writing, no content is hosted at this address.

Malware Data exfiltration

The information that the malware transmits is as follows:

  • User name
  • Version of Windows
  • Service Pack
  • Computer name

Windows version detection is rather detailed and individual versions are hard-coded into the malware. The following screenshot demonstrates some of the Windows versions capable of being detected.

Screenshot

Windows versions capable of detection

The full list lacks version detection for Windows 8, 8.1 and 10. This could confirm the initial assumption that the malware was designed back in 2012, as Windows 8 was not released until October 2012. Furthermore, the compilation stamps on several DLL files point back to February 2012.

The C&C server is registered in India, as seen from the screenshot below:

C&C server registered in India

C&C server registered in India

Once the initial host information is sent to the server, the malicious code will start uploading files that have specific extensions:

  Extension   Description

doc

   Up to Microsoft Office 2007 (Word)

docx

   Microsoft Office 2007 and later (Word)

ppt

   Up to Microsoft Office 2007 (Powerpoint)

pptx

   Microsoft Office 2007 and later (Powerpoint)

xls

   Up to Microsoft Office 2007 (Excel)

xlsx

   Microsoft Office 2007 and later (Excel)

txt

   Plain Text files

rtf

   Rich Text Format

sql

   Database Dumps

inp

   Inpage Word processor for Arabic and Urdu languages

pdf

   Portable Document Format

If and when one of these file types are detected, they are uploaded to the C&C server located on the web4solution.net.

A full log of uploaded files along with file paths is stored in C:\Users\[username]\uninst.dll. File permissions have been changed to prevent users from opening this file; however, it is possible to mount the Windows partition and inspect this file using an operating system booted from a flash drive.

Anti-virus Detection

At the time of writing, 37 out of 53 antivirus products successfully detect this malware; however, only 4 products successfully identify it as Shakti.

AV Product Detection Result
ALYac Trojan.GenericKD.3441125
AVG Generic37.CLGV
AVware Trojan.Win32.Generic!BT
Ad-Aware Trojan.GenericKD.3441125
AegisLab Troj.W32.Generic!c
AhnLab-V3 Trojan/Win32.Agent.N81
Antiy-AVL Trojan[:HEUR]/Win32.AGeneric
Arcabit Trojan.Generic.D3481E5
Baidu Win32.Trojan.WisdomEyes.151026.9950.9999
BitDefender Trojan.GenericKD.3441125
CAT-QuickHeal Trojan.Shakti
Cyren W32/Trojan.JSUY-8015
DrWeb Trojan.DownLoad3.43078
ESET-NOD32 Win32/Spy.Agent.OYE
Emsisoft Trojan-Spy.Win32.Infostealer (A)
F-Secure Trojan.GenericKD.3441125
Fortinet PossibleThreat
GData Trojan.GenericKD.3441125
Ikarus Trojan-Dropper.Win32.Dorifel
Jiangmin Trojan.Generic.agmkl
K7AntiVirus Riskware ( 0040eff71 )
K7GW Riskware ( 0040eff71 )
Kaspersky HEUR:Trojan.Win32.Generic
Malwarebytes Trojan.Downloader
McAfee RDN/Generic.grp
McAfee-GW-Edition BehavesLike.Win32.MultiPlug.cc
eScan Trojan.GenericKD.3441125
Microsoft TrojanSpy:Win32/Skeeyah.A!rfn
NANO-Antivirus Trojan.Win32.DownLoad3.efbfni
Panda Trj/CI.A
Sophos Troj/Agent-ASZJ
Symantec Trojan.Gen
TrendMicro TROJ_SHAKTI.A
TrendMicro-HouseCall TROJ_SHAKTI.A
VIPRE Trojan.Win32.Generic!BT
ViRobot Trojan.Win32.Shakti.164698[h]
Zillya Trojan.GenericKD.Win32.17311
Alibaba Trojan.GenericKD.3441125
Avast NO DETECTION
Avira (no cloud) NO DETECTION
Bkav NO DETECTION
CMC NO DETECTION
ClamAV NO DETECTION
Comodo NO DETECTION
F-Prot NO DETECTION
Kingsoft NO DETECTION
Qihoo-360 NO DETECTION
Rising NO DETECTION
SUPERAntiSpyware NO DETECTION
Tencent NO DETECTION
TheHacker NO DETECTION
VBA32 NO DETECTION
Zoner NO DETECTION
nProtect NO DETECTION

Checking for Malware Presence

If you suspect that you have been infected with this malware, there are a couple of things you can do to confirm your suspicions. Having up-to-date antivirus signatures is crucial, as the detection rate is improving on a daily basis.

The malicious executable has a number of files associated with it. If these files, registry keys and network connections are present on your computer, there is a high probability that you have been infected; however, further investigation and professional advice would be required to rule out false positives.

The following table summarises files, registry keys, network connection and executable hash sums associated with this malware:

Description   Value
Malware Executable Name   Aug_1st_java.exe (this can be changed easily)
File associated   %UserProfile%\uninst.dll (contains logs of uploaded files)
Registry Key   HKCU\Software\Microsoft\Windows\CurrentVersion\Run\igfxtray [\path\to\trojan.exe]
Network Connections   http://web4solution.net/external/update
Hash Sum (SHA25)   d6d64c61dada8b5ccfa970356057a6c2c7697f084922744c5a2e29aff079647b

Malware Detection Delay

If this malware was designed back in 2012, then why has it remained undetected for over 4 years, especially as this malware is not sophisticated? In 2014, a generic Trojan Downloader was described that performs similar functionalities. It communicates with the domain name that is registered to the same person as the one used for the Shakti C&C (web4solution.net). It is also using http://domain_name/external/update URL to download and upload relevant files.

Apart from this information, no other useful information is revealed about this malware. While this does not prove that Shakti was detected back in 2014, this is certainly a strong indicator.

It is possible that Shakti was created for small operations and corporate espionage, meaning that it consistently remained under the radar.

Shakti Trojan Malware Conclusion

The risk of infection is no greater or lower than being infected with any other malware. Apart from stealing certain documents, this malware does not perform any other actions. For example, it does not contain any cryptolocker properties, where it would hold files at ransom, nor does it record key strokes.

Deep technical analysis has been performed by Malwarebytes Labs explaining the individual components that make up Shakti. Disassembled code snippets are also available further describing actions that Shakti undertakes during and after the infection phase.

The best way to mitigate the risk of infection is to have an up-to-date anti-virus solution. Being cautious when opening and running files originating from external sources is still applicable.

References – Shakti Trojan

New Information Stealing Trojan Steals and Uploads Corporate Files (Bleeping Computer) – http://www.bleepingcomputer.com/news/security/new-information-stealing-trojan-steals-and-uploads-corporate-files/

Shakti Trojan: Document Thief (Malwarebytes Labs)

https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-documents/

Shakti Trojan: Technical Analysis (Malwarebytes Labs)

https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-technical-analysis/

Shakti Deepviz Analysis (Deepviz)

https://sandbox.deepviz.com/report/hash/b1380af637b4011e674644e0a1a53a64/

Virus Total Anti-virus detection (Virus Total)

https://www.virustotal.com/en/file/d6d64c61dada8b5ccfa970356057a6c2c7697f084922744c5a2e29aff079647b/analysis/

 

Category: Blog, Malware

We are Perspective Risk

  • Information security is crucial to every aspect of your business – operational efficiency, profitability, business continuity, customer confidence, brand loyalty, protection against fraud and meeting regulatory requirements.

    Our penetration testing, pen testing, pen tests and cyber security testing has proven time and time again to be an effective security assessment of business IT infrastructure.

    Perspective Risk provides in-depth security assessments, risk management and compliance solutions to help you keep your confidential information safe and your critical systems secure. We’re innovative, flexible and supportive, helping you through any information security issues to deliver real business benefits and excellent value.

  • Call Me

    Pop your details in below and we’ll be in touch soon!

    • This field is for validation purposes and should be left unchanged.

    ×
    Get Quote
    • This field is for validation purposes and should be left unchanged.
    ×