PWS:Win32/Kheagol.D is a trojan that hooks APIs used by certain web browsers to capture logon credentials for online financial institutions. The captured data is sent to a remote server to benefit a remote attacker.
Installation
PWS:Win32/Kheagol.D is installed by other malware, such as TrojanDropper:Win32/Kheagol.A, and is present as a DLL component in the Windows system folder under a randomly generated name. The file name takes one of the following forms:
- ms<random>.dll (such as msofqsb.dll, msgrmif.dll, msvctvrl.dll and so on)
- net<random>.dll (such as netqlwlmorf.dll, netftu.dll, netbdr.dll and so on)
The DLL contains a single dummy exported function with a random name. If a file with the chosen name already exists, the trojan dropper generates a new one. The trojan then modifies a copy of "<system folder>\imm32.dll" by adding an import entry that references the dropped malicious DLL.
The system file 'imm32.dll' is commonly loaded by various programs, including Internet Explorer and Mozilla Firefox. When a program loads the modified 'imm32.dll', the dropped trojan DLL is loaded along with it.
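The persistence step above relies on an extra entry in the import directory of the patched imm32.dll. A defender can check for that by parsing the PE import table of the file on disk and comparing the imported DLL names against a known-good baseline. The following script is an added example written for this page, not code from the original entry or from Microsoft: it contains a small PE32/PE32+ import-directory parser, an audit function that flags imports outside the baseline (and notes when a flagged name fits the ms<random>.dll / net<random>.dll scheme), and a builder that constructs a minimal synthetic PE so the check can be exercised offline. The baseline set and all addresses, names and offsets in the synthetic image are constructed for the example; derive the real baseline from a known-good copy of imm32.dll for the Windows build in question.

```python
import re
import struct

# Illustrative baseline of DLLs a clean imm32.dll is expected to import (constructed
# for this example; derive the real baseline from a known-good copy of the file).
IMM32_BASELINE = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "gdi32.dll"}

# Loose match for the ms<random>.dll / net<random>.dll naming scheme described above.
DROPPED_NAME = re.compile(r"^(ms|net)[a-z]{3,}\.dll$", re.IGNORECASE)


def imported_dlls(pe):
    """Return the DLL names listed in a PE file's import directory, in table order."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]           # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, pe_off + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]  # SizeOfOptionalHeader
    opt = pe_off + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at optional header + 96
        dirs = opt + 96
    elif magic == 0x20B:      # PE32+: data directories start at optional header + 112
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    if struct.unpack_from("<I", pe, dirs - 4)[0] < 2:        # NumberOfRvaAndSizes
        return []
    imp_rva = struct.unpack_from("<I", pe, dirs + 8)[0]      # directory entry 1 = imports
    if imp_rva == 0:
        return []

    # Section table: (VirtualAddress, SizeOfRawData, PointerToRawData) per section.
    shdr = opt + opt_size
    sections = [struct.unpack_from("<III", pe, shdr + i * 40 + 12) for i in range(nsec)]

    def rva_to_off(rva):
        for va, raw_size, raw_ptr in sections:
            if va <= rva < va + raw_size:
                return raw_ptr + (rva - va)
        raise ValueError("RVA %#x is not backed by any section" % rva)

    names = []
    off = rva_to_off(imp_rva)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", pe, off)
        if oft == 0 and name_rva == 0 and ft == 0:
            break                                            # all-zero terminator
        noff = rva_to_off(name_rva)
        names.append(pe[noff:pe.index(b"\0", noff)].decode("ascii", "replace"))
        off += 20
    return names


def audit_imm32(pe, baseline=IMM32_BASELINE):
    """List (dll, reason) for every import that is not in the known-good baseline."""
    findings = []
    for dll in imported_dlls(pe):
        if dll.lower() not in baseline:
            reason = "matches ms<random>/net<random> naming" if DROPPED_NAME.match(dll) else "not in baseline"
            findings.append((dll, reason))
    return findings


def build_test_pe(dll_names):
    """Build a minimal PE32 image whose only content is an import directory (constructed test input)."""
    sec_rva, sec_off = 0x1000, 0x200
    desc_size = 20 * (len(dll_names) + 1)
    name_blob, name_rvas = b"", []
    for n in dll_names:
        name_rvas.append(sec_rva + desc_size + len(name_blob))
        name_blob += n.encode() + b"\0"
    descs = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, 0) for rva in name_rvas) + b"\0" * 20
    sec_data = descs + name_blob
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, sec_rva, desc_size)        # import directory entry
    sec = struct.pack("<8sIIIIIIHHI", b".idata", len(sec_data), sec_rva, len(sec_data), sec_off,
                      0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(sec_off, b"\0") + sec_data


if __name__ == "__main__":
    tampered = build_test_pe(["KERNEL32.dll", "ntdll.dll", "msofqsb.dll"])
    print(audit_imm32(tampered))   # [('msofqsb.dll', 'matches ms<random>/net<random> naming')]
```

The baseline comparison is the check that matters; the name pattern only annotates a finding, because genuine Windows DLLs such as msvcrt.dll also start with "ms". Delay-load and bound imports live in other data directories and are not covered by this parser, and an Authenticode or file-hash check of imm32.dll against a trusted copy is a simpler first test on a live host.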
PWS:Win32/Kheagol.D checks if it is loaded by any of the following web browsers:
- iexplore.exe
- myie.exe
- maxthon.exe
- avant.exe
- aexplore.exe
If none of the applications above is found, the trojan 'assumes' that the host browser is Mozilla Firefox. Which APIs it hooks depends on the browser it has identified; in the Firefox case it hooks the APIs "PR_Write" and "PR_Close" in "nspr4.dll", a DLL loaded by Mozilla Firefox.
Payload
Connects to a remote server
PWS:Win32/Kheagol.D may download program updates from and communicate with a remote server. In the wild, we observed PWS:Win32/Kheagol.D to communicate with the following servers:
- flickeroo.com
- pharma-capitalgroup.com
- sichuans.cn
Steals sensitive data
PWS:Win32/Kheagol.D steals confidential data when a user logs on to certain financial websites. The trojan also steals additional credentials, including the following:
- certificates
- user names and passwords from Windows Credential Manager
- credentials entered by a user while browsing
All captured data is sent to the remote attacker via HTTP POST.
The trojan hooks additional APIs in various DLLs to aid in capturing sensitive data:
- Hooks the following APIs found within the DLL "WININET.dll":
  - InternetCloseHandle
  - InternetReadFile
  - HttpSendRequestA
  - HttpSendRequestW
  - HttpOpenRequestA
  - InternetConnectA
  - InternetQueryDataAvailable
  - InternetReadFileExA
- Hooks the following APIs found within the DLL "CREDUI.dll":
  - CredUIPromptForCredentialsA
  - CredUIPromptForCredentialsW
- Hooks the following APIs found within the DLL "KERNEL32.dll":
  - ExitProcess
  - CreateFileW
- Hooks the following APIs found within the DLL "CRYPT32.dll":
  - PFXImportCertStore
- Hooks the following APIs found within the DLL "USER32.DLL":
  - GetWindowTextA
  - GetWindowTextW
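Both the nspr4.dll hooks mentioned under Installation and the WININET/CREDUI/KERNEL32/CRYPT32/USER32 hooks listed above are inline (detour) hooks: the first bytes of the exported function are overwritten with a transfer of control into the trojan's DLL. A memory-forensics check therefore reads the entry bytes of each export of interest and looks for a jump that leaves the owning module. The script below is an added example written for this page, not part of the original entry or of any Microsoft tooling. It classifies the three common detour shapes (relative jmp, indirect jmp through a pointer, push/ret) and treats a relative jmp that stays inside the module as benign. The module range, addresses and entry bytes for PR_Close and PR_Write are constructed sample values; in practice they would be read from the live process with a debugger or a memory dump.

```python
import struct


def detect_detour(code, func_addr, module_range):
    """Classify the first bytes of a function as a detour, or return None.

    code: bytes at the function's entry point (as read from process memory).
    func_addr: the virtual address those bytes were read from.
    module_range: (base, end) of the module that owns the function; a relative
    jmp that lands inside it is treated as an ordinary thunk rather than a hook.
    """
    base, end = module_range
    if len(code) >= 5 and code[0] == 0xE9:                        # jmp rel32
        target = func_addr + 5 + struct.unpack_from("<i", code, 1)[0]
        return None if base <= target < end else ("jmp rel32", target)
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:    # jmp dword ptr [ptr]
        return ("jmp indirect", struct.unpack_from("<I", code, 2)[0])
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:    # push imm32 ; ret
        return ("push/ret", struct.unpack_from("<I", code, 1)[0])
    return None


def scan_exports(exports, module_range):
    """exports: {name: (addr, entry_bytes)} -> {name: (kind, target)} for hooked exports only."""
    hits = {}
    for name, (addr, code) in exports.items():
        verdict = detect_detour(code, addr, module_range)
        if verdict:
            hits[name] = verdict
    return hits


# Constructed sample: nspr4.dll pretended to be mapped at 0x10000000-0x10100000.
# PR_Close keeps an ordinary prologue; PR_Write starts with a jmp to an address
# outside the module (a constructed address standing in for the dropped DLL).
NSPR4_RANGE = (0x10000000, 0x10100000)
PR_WRITE_ADDR = 0x10012340
HOOK_TARGET = 0x00402000
SAMPLE_EXPORTS = {
    "PR_Close": (0x10012000, bytes.fromhex("8bff558bec")),       # mov edi,edi; push ebp; mov ebp,esp
    "PR_Write": (PR_WRITE_ADDR,
                 b"\xE9" + struct.pack("<i", HOOK_TARGET - (PR_WRITE_ADDR + 5))),
}


if __name__ == "__main__":
    for name, (kind, target) in scan_exports(SAMPLE_EXPORTS, NSPR4_RANGE).items():
        print("%s hooked via %s -> %#010x" % (name, kind, target))
```

The indirect-jmp case reports the pointer slot rather than the final destination, since resolving it needs another memory read; on a live system, mapping the reported target back to its owning module (or to unbacked memory) is what turns a hit into a finding worth acting on. Comparing the in-memory entry bytes with the same bytes in the on-disk copy of the DLL is a complementary check that also catches detours using other instruction sequences.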
Shuts down Windows
PWS:Win32/Kheagol.D may shut down the computer.
Analysis by Rodel Finones