New Trojan found – Shakti modifies Windows settings to steal files
Perspective Risk's Cyber Security expert Sasha Raljic explores Shakti, a Trojan threat, in this blog post.
Shakti is a data exfiltration Trojan. It emerged a few days ago when it was sent to Bleepingcomputer.com by one of their readers. On closer inspection, it was discovered that this type of Trojan searches for particular file types on the victim’s computer and uploads them to a central server.
There are many indications that this Trojan was developed for industrial espionage; however, according to Malwarebytes (who performed deep technical analysis on Shakti), it is not sophisticated enough to be state sponsored. Instead, it seems to be developed by either an individual or a group of people who understand the basic concepts of malware development.
This article aims to provide a high-level overview of the malicious file and the actions it takes to remain invisible while harvesting potentially sensitive data and sending it to a command & control server.
Malware Infection and Persistence
Upon initial infection, the malware configures itself to start automatically by modifying Windows settings. It either installs itself as a Windows service or adds a registry key under the Run hive so that it is launched every time the infected computer starts.
In order to disguise itself, it injects itself into a running process. The technical analysis shows that it tends to inject into one of the browser processes, such as Firefox or Google Chrome, so that it does not appear as a separate entry in the Windows process list.
One interesting behaviour is that it does not attempt to move the original file to a new location; the original executable is simply left where it was first run. This further indicates that the malware is either unsophisticated or was released prematurely.
Malware Network activity
Once the initial stage has been completed, the malicious executable begins basic operating system detection. This information is then transmitted to the command & control server (C&C) alongside the list of installed programs on the infected operating system.
The C&C server resolves to web4solution.net. This address previously hosted a page that loaded another site inside an iframe, making it appear to be a trusted website; however, at the time of writing, no content is hosted at this address.
Malware Data exfiltration
The information that the malware transmits is as follows:
- User name
- Version of Windows
- Service Pack
- Computer name
Windows version detection is rather detailed and individual versions are hard-coded into the malware. The following screenshot demonstrates some of the Windows versions capable of being detected.
The full list lacks version detection for Windows 8, 8.1 and 10. This could confirm the initial assumption that the malware was designed back in 2012, as Windows 8 was not released until October 2012. Furthermore, the compilation stamps on several DLL files point back to February 2012.
The C&C server is registered in India, as seen from the screenshot below:
Once the initial host information is sent to the server, the malicious code will start uploading files that have specific extensions:
- Up to Microsoft Office 2007 (Word)
- Microsoft Office 2007 and later (Word)
- Up to Microsoft Office 2007 (PowerPoint)
- Microsoft Office 2007 and later (PowerPoint)
- Up to Microsoft Office 2007 (Excel)
- Microsoft Office 2007 and later (Excel)
- Plain text files
- Rich Text Format
- Inpage word processor for Arabic and Urdu languages
- Portable Document Format
If and when a file of one of these types is found, it is uploaded to the C&C server at web4solution.net.
A full log of uploaded files, along with their paths, is stored in C:\Users\[username]\uninst.dll. The file's permissions have been changed to prevent the user from opening it; however, it is possible to mount the Windows partition and inspect the file from an operating system booted from a flash drive.
At the time of writing, 37 out of 53 antivirus products successfully detect this malware; however, only 4 products successfully identify it as Shakti.
| AV Product | Detection Result |
|---|---|
| K7AntiVirus | Riskware ( 0040eff71 ) |
| K7GW | Riskware ( 0040eff71 ) |
| Avira (no cloud) | NO DETECTION |
Checking for Malware Presence
If you suspect that you have been infected with this malware, there are a couple of things you can do to confirm your suspicions. Having up-to-date antivirus signatures is crucial, as the detection rate is improving on a daily basis.
The malicious executable has a number of artefacts associated with it. If the files, registry keys and network connections below are present on your computer, there is a high probability that you have been infected; however, further investigation and professional advice would be required to rule out false positives.
The following table summarises the files, registry key, network connection and executable hash associated with this malware:
| Indicator | Value |
|---|---|
| Malware executable name | Aug_1st_java.exe (this can be changed easily) |
| Associated file | %UserProfile%\uninst.dll (contains the log of uploaded files) |
| Registry key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\igfxtray = [path\to\trojan.exe] |
| Network connection | web4solution.net (C&C server) |
| Hash sum (SHA256) | d6d64c61dada8b5ccfa970356057a6c2c7697f084922744c5a2e29aff079647b |
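The checks described in this section, and the C&C and exfiltration-log details from the earlier sections, can be scripted. The following PowerShell script is an added example written for this post, not code from Perspective Risk, Malwarebytes or the Bleeping Computer write-up. The indicator values (Run value name, log file name, C&C domain, SHA256, and the /external/update path mentioned below) are taken from the post; the cmdlets used are standard Windows PowerShell (Get-FileHash needs PowerShell 4.0 or later, Get-DnsClientCache needs Windows 8 / Server 2012 or later), and the optional proxy-log search is an assumption about what log a reader might have available. Run it as the user whose profile you want to check, or point it at an offline-mounted profile with -ProfilePath.

```powershell
param(
    # Profile to inspect; defaults to the current user's. Use a mounted volume
    # (e.g. E:\Users\victim) when examining a disk booted from a flash drive.
    [string]$ProfilePath = $env:UserProfile,
    # Optional exported proxy / web log to search for C&C traffic (assumed input).
    [string]$ProxyLog
)

# Indicator values as published in the post.
$ShaktiSha256 = 'd6d64c61dada8b5ccfa970356057a6c2c7697f084922744c5a2e29aff079647b'
$ShaktiDomain = 'web4solution.net'
$RunKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue     = 'igfxtray'
$LogFile      = Join-Path $ProfilePath 'uninst.dll'

$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence: a Run value named igfxtray pointing at the dropped executable.
#    (Only meaningful on the live host; HKCU of an offline disk is not loaded.)
$run = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
if ($run) {
    $exePath = ([string]$run.$RunValue).Trim('"')
    $findings.Add("Run value '$RunValue' present -> $exePath")

    # 2. Hash the referenced executable and compare with the published sample hash.
    #    A mismatch does not clear the host: the post notes the file name is easily
    #    changed, and a repacked build would hash differently.
    if ($exePath -and (Test-Path -LiteralPath $exePath)) {
        $hash = (Get-FileHash -LiteralPath $exePath -Algorithm SHA256).Hash.ToLower()
        if ($hash -eq $ShaktiSha256) {
            $findings.Add("Executable hash matches the known Shakti sample: $exePath")
        } else {
            $findings.Add("Executable hash $hash differs from the published sample (possible repack)")
        }
    }
}

# 3. Exfiltration log. Its ACL is altered so the owner cannot read it, so the file's
#    existence is itself an indicator; reading is attempted separately and works
#    normally when the partition is mounted from another operating system.
if (Test-Path -LiteralPath $LogFile) {
    $findings.Add("Exfiltration log present: $LogFile")
    try {
        $lines = @(Get-Content -LiteralPath $LogFile -ErrorAction Stop)
        $preview = ($lines | Select-Object -First 3) -join ' | '
        $findings.Add("Log readable, $($lines.Count) line(s); first entries: $preview")
    } catch {
        $findings.Add("Log exists but is not readable by this account (consistent with the altered permissions)")
    }
}

# 4. Network: cached DNS answers or live TCP connections involving the C&C domain.
$dns = Get-DnsClientCache -ErrorAction SilentlyContinue |
       Where-Object { $_.Entry -like "*$ShaktiDomain*" }
foreach ($e in $dns) {
    $findings.Add("DNS cache entry for C&C domain: $($e.Entry) -> $($e.Data)")
}
$addrs = @(Resolve-DnsName $ShaktiDomain -ErrorAction SilentlyContinue |
           Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress)
if ($addrs.Count -gt 0) {
    $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
             Where-Object { $addrs -contains $_.RemoteAddress }
    foreach ($c in $conns) {
        $findings.Add("Live connection to $($c.RemoteAddress):$($c.RemotePort) from PID $($c.OwningProcess)")
    }
}

# 5. Optional: search an exported proxy/web log for the domain or the
#    /external/update path that the related 2014 downloader used.
if ($ProxyLog -and (Test-Path -LiteralPath $ProxyLog)) {
    $pattern = [regex]::Escape($ShaktiDomain) + '|/external/update'
    $hits = Select-String -LiteralPath $ProxyLog -Pattern $pattern
    foreach ($h in $hits) {
        $findings.Add("Proxy log line $($h.LineNumber): $($h.Line.Trim())")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Shakti indicators found (this does not rule out a modified build).'
} else {
    Write-Output 'Possible Shakti indicators:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Any hit on the log file, the Run value or the C&C domain warrants a fuller investigation rather than a clean-up on the spot, since the same artefact names could be reused by unrelated software and the log file may contain the only record of what was taken.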
Malware Detection Delay
If this malware was designed back in 2012, then why has it remained undetected for over 4 years, especially as it is not sophisticated? In 2014, a generic Trojan downloader was described that performs similar functions. It communicates with a domain name registered to the same person as the Shakti C&C domain (web4solution.net), and it uses the URL http://domain_name/external/update to download and upload files.
Apart from this, nothing else useful has been published about that earlier sample. While this does not prove that Shakti was detected back in 2014, it is certainly a strong indicator.
It is possible that Shakti was created for small operations and corporate espionage, meaning that it consistently remained under the radar.
Shakti Trojan Malware Conclusion
The risk of infection is no greater or lower than with any other malware. Apart from stealing certain documents, this malware does not perform any other actions. For example, it does not contain any CryptoLocker-style ransomware functionality that would hold files to ransom, nor does it record keystrokes.
Deep technical analysis has been performed by Malwarebytes Labs explaining the individual components that make up Shakti. Disassembled code snippets are also available further describing actions that Shakti undertakes during and after the infection phase.
The best way to mitigate the risk of infection is to have an up-to-date anti-virus solution. Being cautious when opening and running files from external sources still applies.
References – Shakti Trojan
- New Information Stealing Trojan Steals and Uploads Corporate Files (Bleeping Computer) – http://www.bleepingcomputer.com/news/security/new-information-stealing-trojan-steals-and-uploads-corporate-files/
- Shakti Trojan: Document Thief (Malwarebytes Labs)
- Shakti Trojan: Technical Analysis (Malwarebytes Labs)
- Shakti Deepviz Analysis (Deepviz)
- Virus Total Anti-virus detection (VirusTotal)