Adventures in Security

MiKey - A Linux keylogger

Summary:

Linux malware is slowly becoming more popular. Within the past couple years there were several major incidents that cited the use of Windows backdoors being ported to Linux. Through our research on the Windows KLRD keylogger from the Odinaff report, we were able to discover several new keyloggers. The focus of this blog post is MiKey, a little-known and poorly detected keylogger.

At the time of this writing, the malware wasn’t detected by a single engine on Virustotal.

Analysis

The malware is a 64 bit Linux executable:

9c07ed03f5bf56495e1d365552f5c9e74bb586ec45dffced2a8368490da4c829: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=550c58e6a9bc88b8724fd8ab7fd79a6c58c12d28, not stripped

And depends on the following libraries:

       linux-vdso.so.1 (0x00007ffd25123000)
       libX11.so.6 => /usr/lib/x86_64-linux-gnu/libX11.so.6 (0x00007f7f56420000)
       libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f7f5621c000)
       libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f7f55e7e000)
       libxcb.so.1 => /usr/lib/x86_64-linux-gnu/libxcb.so.1 (0x00007f7f55c56000)
       /lib64/ld-linux-x86-64.so.2 (0x00005597839c6000)
       libXau.so.6 => /usr/lib/x86_64-linux-gnu/libXau.so.6 (0x00007f7f55a52000)
       libXdmcp.so.6 => /usr/lib/x86_64-linux-gnu/libXdmcp.so.6 (0x00007f7f5584a000)

Analyzing the symbol table for this binary yielded some interesting function names. (Full output omitted for readability):

    63: 00000000004014b2    79 FUNC    GLOBAL DEFAULT   14 createProccess
    64: 0000000000400ed6   128 FUNC    GLOBAL DEFAULT   14 initPlugins
    67: 0000000000400f56   105 FUNC    GLOBAL DEFAULT   14 moduleFeed
    68: 000000000040102d  1157 FUNC    GLOBAL DEFAULT   14 keylogger
    75: 0000000000400dc6   159 FUNC    GLOBAL DEFAULT   14 handleArgs
    83: 0000000000400e65   113 FUNC    GLOBAL DEFAULT   14 moduleHandleArgs
    85: 00000000004015fc   209 FUNC    GLOBAL DEFAULT   14 addData
    87: 0000000000400cd0    42 FUNC    GLOBAL DEFAULT   14 _start
    88: 0000000000400fbf   110 FUNC    GLOBAL DEFAULT   14 addParentheses
    92: 0000000000401501   126 FUNC    GLOBAL DEFAULT   14 main
   103: 0000000000400b00     0 FUNC    GLOBAL DEFAULT   11 _init

Comments left by the compiler provide evidence it was compiled on Ubuntu 16.04.2:

9c07ed03f5bf56495e1d365552f5c9e74bb586ec45dffced2a8368490da4c829:     file format elf64-x86-64

Contents of section .comment:

 0000 4743433a 20285562 756e7475 20352e34  GCC: (Ubuntu 5.4
 0010 2e302d36 7562756e 7475317e 31362e30  .0-6ubuntu1~16.0
 0020 342e3229 20352e34 2e302032 30313630  4.2) 5.4.0 20160
 0030 36303900                             609.  

This is further evidenced by the build path in the binary:

/home/ubuntu/MiKey-64-ubuntu

The strace tool was used to quickly identify high-level function workflows and identify potential focus areas. One anomaly identified was a failed file opening, “mikey-text.so.” So we began there.

open("./tls/x86_64/mikey-text.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("./tls/mikey-text.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("./x86_64/mikey-text.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("./mikey-text.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

The malware isn’t explicitly searching these directories for mikey-text.so. This is a side effect of dlopen. From the man page:

“If, at the time that the program was started, the environment variable LD_LIBRARY_PATH was defined to contain a colon-separated list of directories, then these are searched. (As a security measure this variable is ignored for set-user-ID and set-group-ID programs.)”

After a little searching we located a second binary (SHA-256 bc6d25dff00dfb68b19b362c409d2cf497e5dd97d9d6e5ce2bde2ba706f2bdb3) which contained the string “mikey-text.c.” From this, we assessed that mickey-text.so is the compiled version of this binary.

Using this assertion, we renamed the second binary to mikey-text.so and placed it in the load path identified using strace. This caused the successful execution of the malware. The output file (out.log) contained the logged keystrokes with associated timestamps.

Through static analysis, we were able to identify that when the keylogger starts up, it loaded plugins, handle arguments, and then forked its process.

When loading the plugins, the keylogger looked for a single hardcoded plugin name “mikey-text.so” and called dlopen to obtain a handle to it.

Once everything was loaded, the main functionality of the program was handled through the “keylogger” function.

To better understand Linux keyloggers and associated function calls, basic X function knowledge is critical. As a quick primer, here are some routines used by the “keylogger” function to query information about keystrokes or simply harvest raw keystroke data.

Function Purpose
XOpenDisplay Returns a display structure that serves as the connection to the X server. Communication is then carried out through TCP or IPC.
XQueryKeymap Uses the structure from the display to gather information about the state of the keyboard. Information about which keys are currently pressed can be gathered using this call.
XkbKeycodeToKeysym Uses the structure from the display to return the keysym for a particular key.
XKeysymToString Converts the previously obtained keysym.
XGetInputFocus Controls focus on the desktop.

Once the keycode is retrieved, it’s compared against a large switch table to convert each keycode into a string. This is no different than most keyloggers.

Non-printable keystrokes are then identified and substituted with human-readable outputs.

If there is a non-printable character returned, a small method to format the string in parentheses is called to make for nice output into the log.

Once completed, the data is stored into a buffer and passed to a loadable module. The Linux dlsym method provides similar functionality as “LoadLibrary” on Windows. The previous handle from dlopen is being passed to dlsym, which we can now use to call the method “getFeed” from mikey-text.so.

Peering into the “getFeed” function on mikey-text.so it simply calls the _log function.

The _log function will call _time and _localtime (to harvest the timestamps) and build these into a format string.

At this point, the output file is opened for writing with the appended (“a+”) flag and the file is written to using the _fputs method. If no option for –output was provided to mikey-text.so then the default name of “out.log” is provided. The screenshot below identifies the contents of cs:outputfile_ptr as a pointer to the name of the output file.

Outside of a small method to parse arguments, there isn’t much more functionality to mikey-text.so. It’s a simple logging plugin for the main MiKey keylogger. Booz Allen assesses that additional plugins may exist (for C2 communication, or to hook to other files), but is unable to confirm at this time.

To run the keylogger and give a custom argument for an output file named keylogged.txt, the following command can be used. In addition, providing the “-b” option will “background” the process.

Checking processes on the host, the command “ps aux” was issued.

And checking the output of the keylogged file:

Conclusion

Small utilities that are built for a specific purpose often bypass AV with ease. Attackers are able to write a functional keylogger that will dump the contents to a local file. By having modular code, the authors could build plugins that achieve whatever task they need. The plugin nature of this code also puts the reverse engineer at a disadvantage. Without access to each module, only specific known functions of the tool can be documented.

One unnerving aspect of this keylogger is that, without an active command and control capability, the attacker would need to be confident in their ability to repeatedly gain remote access to the victim computer to retrieve the keylogged information.

All it takes to catch this is basic process and file monitoring, but if our Linux field experience is any indicator, there aren’t many shops with this level of visibility on non-Windows workstations.

This project is maintained by securitykitten