PWS:Win32/Kheagol.D

PWS:Win32/Kheagol.D is a trojan that hooks APIs used by certain web browsers to capture logon credentials for online financial institutions. The captured data is sent to a remote server to benefit a remote attacker.

Installation

PWS:Win32/Kheagol.D is installed by other malware, such as TrojanDropper:Win32/Kheagol.A, and is present as a DLL component in the Windows system folder as a randomly named file. The randomly named file is in the following formats:

• ms<random>.dll (such as msofqsb.dll, msgrmif.dll, msvctvrl.dll and so on)
• net<random>.dll (such as netqlwlmorf.dll, netftu.dll, netbdr.dll and so on)

The DLL contains a single dummy exported function with a random name. If the DLL file name exists, the trojan dropper generates new files. The trojan modifies a copy of "<system folder>\imm32.dll" by adding an imported function that references the dropped malicious DLL.

The system file 'imm32.dll' is commonly loaded by various programs including Internet Explorer and Mozilla Firefox. Upon loading the modified 'imm32.dll', the dropped trojan DLL is then loaded as well.

PWS:Win32/Kheagol.D checks if it is loaded by any of the following web browsers:

• iexplore.exe
• myie.exe
• maxthon.exe
• avant.exe
• aexplore.exe

If none of the applications above are discovered, the trojan 'assumes' that the default browser is Mozilla Firefox. The trojan hooks certain APIs based on the installed web browser. It hooks the APIs "PR_Write" and "PR_Close" found in "nspr4.dll", a DLL loaded via Mozilla Firefox.

Payload

Connects to a remote server
PWS:Win32/Kheagol.D may download program updates from and communicate with a remote server. In the wild, we observed PWS:Win32/Kheagol.D to communicate with the following servers:

• flickeroo.com
• pharma-capitalgroup.com
• sichuans.cn

Steals sensitive data

PWS:Win32/Kheagol.D steals confidential data when a user logs on to certain financial websites. The trojan steals additional credentials including the following:

• certificates
• user name and passwords from Windows credential manager
• credentials entered by a user while browsing

All captured data is sent to an attacker remotely via HTTP POST.

The trojan hooks additional APIs contained in various DLLs to aid in capturing sensitive data:

• Hooks the following APIs found within the DLL "WININET.dll":
  InternetCloseHandle
  InternetReadFile
  HttpSendRequestA
  HttpSendRequestW
  HttpOpenRequestA
  InternetConnectA
  InternetQueryDataAvailable
  InternetReadFileExA
• Hooks the following APIs found within the DLL "CREDUI.dll"
  CredUIPromptForCredentialsA
  CredUIPromptForCredentialsW
• Hooks the following APIs found within the DLL "KERNEL32.dll"
  ExitProcess
  CreateFileW
• Hooks the following APIs found within the DLL "CRYPT32.dll"
  PFXImportCertStore
• Hooks the following APIs found within the DLL "USER32.DLL"
  GetWindowTextA
  GetWindowTextW

Shuts down Windows
PWS:Win32/Kheagol.D may shut down the computer.

Analysis by Rodel Finones