Trojan:Win32/EyeStye is a trojan that captures keystrokes and steals login credentials through a method known as "form grabbing". Trojan:Win32/EyeStye sends captured data to a remote attacker, may download additional malicious components, and may use a rootkit component to hide malicious activity.
Installation
The trojan may be installed by other malware such as TrojanDropper:Win32/EyeStye. In the wild, we have observed the trojan dropping files in the directory in which it's executed, using the following file name format:
%CurrentDirectory%\<filename>.exe\<filename>.exe
Where <filename> varies from sample to sample.
When executed, the trojan creates a mutex to ensure that only one instance of the trojan runs.
In the wild, we have observed the trojan using many different mutex names.
If any older copies of itself are found on the affected computer, the trojan deletes them.
The trojan makes the following registry modification to ensure its copy executes at each system start:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<filename>.exe"
With data: "%CurrentDirectory%\<filename>.exe\<filename>.exe"
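As an added example (not part of the original analysis), the following Python checks Run-key entries for the <filename>.exe\<filename>.exe launch path described above. The sample entries are constructed; on Windows the helper reads the live HKCU Run key instead.

```python
import re
from typing import Iterable

# Constructed sample of HKCU\...\Run entries (value name, data) for this example only;
# the first two mimic the EyeStye layout described above, the rest are benign.
SAMPLE_RUN_ENTRIES = [
    ("cleansweep.exe", r"C:\Users\alice\Downloads\cleansweep.exe\cleansweep.exe"),
    ("systemhost.exe", r"C:\Temp\systemhost.exe\systemhost.exe"),
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("Updater", r"C:\Program Files\Vendor\updater.exe"),
]

# Matches ...\<name>.exe\<name>.exe: a directory that itself carries an .exe name and
# holds an executable of exactly the same name (the layout the analysis attributes to EyeStye).
_NESTED_EXE = re.compile(r"\\(?P<name>[^\\]+\.exe)\\(?P=name)(?:\s|$)", re.IGNORECASE)


def eyestye_style_entries(entries: Iterable[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return the Run entries whose data path follows the <filename>.exe\<filename>.exe layout."""
    hits = []
    for value_name, data in entries:
        path = data.strip().strip('"')
        if _NESTED_EXE.search(path):
            hits.append((value_name, path))
    return hits


def read_hkcu_run() -> list[tuple[str, str]]:
    """Read the live HKCU Run key on Windows; elsewhere fall back to the constructed sample."""
    try:
        import winreg
    except ImportError:
        return SAMPLE_RUN_ENTRIES
    entries = []
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    index = 0
    while True:
        try:
            name, data, _ = winreg.EnumValue(key, index)
        except OSError:  # raised once there are no more values
            break
        entries.append((name, str(data)))
        index += 1
    return entries


if __name__ == "__main__":
    for name, path in eyestye_style_entries(read_hkcu_run()):
        print(f"suspicious Run entry {name!r} -> {path}")
```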
The trojan injects malicious code into running processes and newly created processes; however, it avoids injecting code into the following system processes:
- system
- smss.exe
- csrss.exe
- <malware executable>
Payload
Hides files and registry data
Win32/EyeStye employs a user-mode rootkit that hooks the following low-level APIs to hide its malicious files, directory and registry data:
- NtQueryDirectoryFile
- NtVdmControl
- NtEnumerateValueKey
Captures sensitive data
The trojan hooks several system APIs to capture login information, such as form data and keystrokes. Win32/EyeStye hooks the following APIs:
- TranslateMessage
- NtResumeThread
- LdrLoadDll
- InternetCloseHandle
- HttpSendRequestA
- HttpSendRequestW
- PR_Write
- send
By hooking the APIs mentioned above, the trojan can also inject malicious code into existing and new processes and monitor the loading of DLLs.
Sends captured data to a remote server
The trojan attempts to send captured data via HTTP POST to a remote server. In the wild, we have observed this trojan connecting to a number of different remote servers.
Along with the captured data, it may send the following information:
- Bot GUID (a unique identifier associated with the trojan)
- User name
- Computer name
- Volume serial number
- Process name associated with the captured data
- Name of the hooked API function (for example, PR_Write)
- Captured raw data
- Keys (logged keystrokes)
- Other information specific to the computer's locale, such as:
  - Local time
  - Time zone
  - Operating system version
  - Language
Download updates and arbitrary files
Once connected to the attacker's website, and depending on the command received, Trojan:Win32/EyeStye may update itself and execute the updated copy as the following:
%CurrentDirectory%\<filename>.exe\<filename>upd.exe
It may also update its configuration file, which is in ZIP archive format, as the following:
%CurrentDirectory%\<filename>.exe\config.bin
The trojan communicates via mutexes named "__<MUTEX NAME>_UNINSTALL__" and "__<MUTEX NAME>_RELOADCFG__" to instruct existing instances of the malicious code in memory to reload data from the new configuration file, uninstall, and so on. This allows the trojan and its associated components to change the target server.
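As an added example (not from the analysis or the malware itself), the following Python derives the control mutex names described above and flags them in a list of named-object paths such as a handle enumeration would produce. It assumes that <MUTEX NAME> is the text between the double underscores of the instance mutex (so __SPYNET__ pairs with __SPYNET_UNINSTALL__); the sample names are constructed.

```python
import re

# Constructed sample of named-object paths as a handle enumeration might list them;
# hypothetical, not taken from the analysis. Two are EyeStye-style control mutexes.
SAMPLE_MUTEX_NAMES = [
    r"\Sessions\1\BaseNamedObjects\__SPYNET__",
    r"\Sessions\1\BaseNamedObjects\__SPYNET_RELOADCFG__",
    r"\Sessions\1\BaseNamedObjects\ShellDesktopSwitchEvent",
    r"\BaseNamedObjects\__GOLNET_UNINSTALL__",
    r"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex",
]

# Assumption: <MUTEX NAME> is the text between the double underscores of the
# instance mutex, so "__SPYNET__" pairs with "__SPYNET_UNINSTALL__".
_INSTANCE = re.compile(r"^__(?P<name>[^_].*?)__$")
_CONTROL = re.compile(r"^__(?P<name>[^_].*?)_(?P<cmd>UNINSTALL|RELOADCFG)__$")


def control_mutex_names(instance_mutex: str) -> tuple[str, str]:
    """Derive the UNINSTALL and RELOADCFG control mutex names from an instance mutex."""
    m = _INSTANCE.match(instance_mutex)
    if not m:
        raise ValueError(f"{instance_mutex!r} is not of the form __NAME__")
    name = m.group("name")
    return f"__{name}_UNINSTALL__", f"__{name}_RELOADCFG__"


def find_control_mutexes(handle_names) -> dict[str, dict]:
    """Map each implied instance mutex to the control mutexes seen, and record whether
    the instance mutex itself is present (absence can mean a stale or partial infection)."""
    leaves = {path.rsplit("\\", 1)[-1] for path in handle_names}
    found: dict[str, dict] = {}
    for leaf in sorted(leaves):
        m = _CONTROL.match(leaf)
        if not m:
            continue
        instance = f"__{m.group('name')}__"
        entry = found.setdefault(instance, {"controls": [], "instance_present": instance in leaves})
        entry["controls"].append(leaf)
    return found


if __name__ == "__main__":
    for instance, info in find_control_mutexes(SAMPLE_MUTEX_NAMES).items():
        print(instance, info)
```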
Analysis by Rodel Finones and Matt McCormack