Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
Pique Analysis Report
20150814-259-Eset Liberpy
Raytheon Blackbird Technologies, Inc.
14 Aug 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
1.0 (U) Analysis Summary
(S//NF) The following report discusses Operation Liberpy, a botnet campaign in Latin America that lasted eight months. The operation used a very simple keylogger that was delivered as an email attachment and propagated through USB memory sticks.
(S//NF) The Liberpy keylogger is a Python script compiled with PyInstaller. This packing method allowed straightforward unpacking of the executable, yielding the fully readable Python script. The keylogger gains persistence by writing a key to the registry. It periodically calls out to a hard-coded update URL, either to obtain a new command and control (C2) URL or to send information to the C2 server. Liberpy creates an HTML-based log file and transmits it over port 80 using HTTP; because the traffic is plain HTTP, analysts can readily read the data being sent. The second version of the keylogger added the ability to download and install other malware on the infected system.
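The unpacking step mentioned above is mechanical, and the following is an added example of it (not code from the report or from Liberpy): PyInstaller appends a CArchive to the executable and finishes it with a fixed "cookie" that records where the archive's table of contents (TOC) lives. Locating the cookie and walking the TOC is how an analyst finds the embedded script. The struct layouts are PyInstaller's CArchive cookie and TOC entry formats; the sample binary at the bottom is constructed here for testing, and its entry names are made up.

```python
"""List and extract the entries of a PyInstaller-packed executable (added example)."""
import struct
import zlib
from dataclasses import dataclass

MAGIC = b"MEI\014\013\012\013\016"   # cookie magic written at the end of every PyInstaller build
COOKIE_FMT = "!8siiii"              # magic, package length, TOC offset, TOC length, python version
COOKIE_SIZE_20 = 24                 # PyInstaller 2.0 cookie
COOKIE_SIZE_21 = 88                 # PyInstaller 2.1+: same fields plus a 64-byte NUL-padded python lib name
TOC_ENTRY_FMT = "!iIIIBc"           # entry len, data offset, compressed len, raw len, compressed flag, type code
TOC_ENTRY_HDR = struct.calcsize(TOC_ENTRY_FMT)   # 18 bytes, followed by the NUL-padded entry name


@dataclass
class TocEntry:
    name: str
    type_code: str          # 's' script, 'z'/'Z' PYZ archive, 'b' binary, 'x' data, 'm'/'M' module/package
    offset: int             # absolute offset of the payload within the file
    compressed_len: int
    raw_len: int
    compressed: bool


def locate_archive(data: bytes):
    """Return (pkg_start, toc_pos, toc_len, pyver) if data ends in a PyInstaller cookie, else None.

    Assumes the cookie is the last thing in the file, which is how PyInstaller writes it.
    """
    idx = data.rfind(MAGIC)
    if idx == -1 or len(data) - idx < COOKIE_SIZE_20:
        return None
    _, pkg_len, toc_pos, toc_len, pyver = struct.unpack_from(COOKIE_FMT, data, idx)
    cookie_size = COOKIE_SIZE_21 if len(data) - idx >= COOKIE_SIZE_21 else COOKIE_SIZE_20
    pkg_start = idx + cookie_size - pkg_len      # the package length counts the cookie itself
    if pkg_start < 0 or pkg_start + toc_pos + toc_len > idx:
        return None                              # magic present but the offsets do not add up
    return pkg_start, toc_pos, toc_len, pyver


def list_entries(data: bytes):
    """Walk the TOC and return one TocEntry per packed item (empty list if not PyInstaller)."""
    info = locate_archive(data)
    if info is None:
        return []
    pkg_start, toc_pos, toc_len, _ = info
    entries, off, end = [], pkg_start + toc_pos, pkg_start + toc_pos + toc_len
    while off + TOC_ENTRY_HDR <= end:
        entry_len, pos, clen, ulen, flag, code = struct.unpack_from(TOC_ENTRY_FMT, data, off)
        if entry_len < TOC_ENTRY_HDR:
            break                                # malformed TOC: do not loop forever
        name = data[off + TOC_ENTRY_HDR:off + entry_len].rstrip(b"\0").decode("utf-8", "replace")
        entries.append(TocEntry(name, code.decode("ascii", "replace"), pkg_start + pos, clen, ulen, bool(flag)))
        off += entry_len
    return entries


def extract_entry(data: bytes, entry: TocEntry) -> bytes:
    """Return an entry's payload, inflating it when the TOC flags it as zlib-compressed."""
    blob = data[entry.offset:entry.offset + entry.compressed_len]
    return zlib.decompress(blob) if entry.compressed else blob


def build_sample_overlay(items, pyver=27) -> bytes:
    """Construct a PyInstaller-style overlay for testing; not taken from any real binary."""
    body, toc = b"", b""
    for name, code, payload, compress in items:
        blob = zlib.compress(payload) if compress else payload
        name_b = name.encode() + b"\0"
        name_b += b"\0" * (-(TOC_ENTRY_HDR + len(name_b)) % 16)   # pad each entry to a 16-byte boundary
        entry_len = TOC_ENTRY_HDR + len(name_b)
        toc += struct.pack(TOC_ENTRY_FMT, entry_len, len(body), len(blob), len(payload), int(compress), code.encode())
        toc += name_b
        body += blob
    toc_pos = len(body)
    pkg_len = toc_pos + len(toc) + COOKIE_SIZE_21
    cookie = struct.pack(COOKIE_FMT + "64s", MAGIC, pkg_len, toc_pos, len(toc), pyver, b"python27.dll")
    return body + toc + cookie


# Constructed sample: a fake 512-byte PE stub followed by a two-entry overlay.
SAMPLE_SCRIPT = b"import os\nprint('script placeholder')\n"
SAMPLE_EXE = b"MZ" + b"\0" * 510 + build_sample_overlay([
    ("main_script", "s", SAMPLE_SCRIPT, True),
    ("out00-PYZ.pyz", "z", b"PYZ\0" + b"\x01" * 32, False),
])

if __name__ == "__main__":
    for e in list_entries(SAMPLE_EXE):
        print(f"{e.type_code} {e.name:16s} offset={e.offset} {e.compressed_len}->{e.raw_len} bytes")
    script = next(e for e in list_entries(SAMPLE_EXE) if e.type_code == "s")
    print(extract_entry(SAMPLE_EXE, script).decode())
```

In a real build the 's' entries hold marshalled bytecode rather than source text, so recovering readable Python from them is a further decompilation step; this script only gets you to the right bytes.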
(S//NF) Liberpy propagated through spam email campaigns and through USB memory sticks. The keylogger copied all files on a USB drive into a hidden folder on that drive and then created links in place of the original files. When the user clicked on one of those links, the machine became infected.
(S//NF) In conclusion, this report detailed a very simple keylogger that propagates via known USB memory stick methods. As such, no PoC is recommended.
2.0 (U) Description of the Technique
(S//NF) No techniques are recommended for PoC development.
3.0 (U) Identification of Affected Applications
(U) Windows
4.0 (U) Related Techniques
(S//NF) Keylogger
5.0 (U) Configurable Parameters
(U) None
6.0 (U) Exploitation Method and Vectors
(S//NF) No exploitation methods were discussed in this report.
