So a little introduction. Kpot Stealer is a piece of malware designed to steal credentials and other sensitive information (such as licence keys) from Windows machines. Kpot was initially discovered on Russian-language hacking forums.
Throughout the last few days, with the help of individuals in the security community, I was able to access the database files and web interface of a successful malware campaign. These databases contained over 200,000 credentials, along with other information about the victims.
In this post, I am going to cover how the command and control server was discovered, how I found the databases, and how a vulnerability led to the destruction of the data on the web server. I will also cover how the malware spread and other bits of information I have learnt.
Discovering the C&C Server
Shodan is a fantastic search engine made for finding devices connected to the internet. Dorking on Shodan can give a security researcher a massive insight into vulnerable devices, open ports, and so on. Even more powerful are the filtering options. Just like in the Google search engine, you can apply filters to discover devices or services of your choice more accurately.
In this instance, a simple search was applied that returned results of the Kpot command and control servers open to the internet.
So after finding a page or so of results, I thought, why not see if any directories are open on these command and control servers? I added the common directory /img onto the end of the URL, and directory listing was enabled: I had access to view all the content of that folder on the web server.
Finding the Databases
Knowing that I had access to view the web server's folders, I thought it would be best to brute force some directories. I opened up DirBuster and ran a scan.
Within thirty minutes I had found some exciting directories and PHP files. Points of note include: info, files, delete.php and global.php (not seen in the screenshot).
So, armed with this new information, I decided to check out /info first. Within the directory there were .db files, and one of these had a pretty interesting name.
Knowing I had stumbled across victim credentials and possibly their system information, I downloaded these files. I ran the Linux command “file” against them to figure out what type of database they were, then opened them up in an SQLite reader. The results were pretty impressive.
Over 200,000 records, all recent, and still being updated daily. Due to the number of credentials, and the fact they are public facing, I couldn’t just leave them. I messaged a contact on twitter to try and figure out what to do with all this data. We set up a spreadsheet to try and sort the credentials into large organisations, to start disclosing the data.
After a few hours, we managed to sort everything into big companies and removed any duplicates. The list below shows the number of accounts after sorting.
| Category | Accounts |
| --- | --- |
| Total after removing duplicates | 105,442 |
As you can see, a lot of data. We decided it was best to contact some of the larger companies. I spent the rest of the night on chats and talking to contacts about where and how to send the data. By the end of the night, I had successfully given a number of companies a heads up.
It became apparent that there were a large number of emails associated with government bodies and large organisations. With password reuse becoming such a prevalent issue, it gave me an idea for a project to start in my spare time. I will update when I have the ball rolling.
So after poking around with the password database, I moved on to the files directory. I opened it up and boy, were there a lot of files. I ran wget against the directory, and once it finished there were 2.84 GB of ZIP folders.
These ZIP folders contained a treasure trove of information for an attacker, but they also gave me insight into how the malware spread and how it worked. Each ZIP file name starts with the victim's country code. There were a lot of countries, with the most infections in the USA (surprise surprise).
Within every ZIP folder, a fixed set of files could be present. A full folder, produced by the successful execution of every module in the malware, would look like this:
| File or folder | Contents |
| --- | --- |
| Battle.net | Login information and login files for the Battle.net client. |
| Cookies | Cookie text files for all installed browsers. |
| Discord | Discord's local storage file. |
| Steam | Configuration and login user files. |
| Autofill.txt | Chrome's autofill data. |
| cc.txt | Any stored credit card information. |
| credentials.txt | Any stored credentials. |
| passwords.txt | Browser-stored credentials. |
| screen.png | Screenshot of the victim's desktop at the time of execution. |
| sysInfo.txt | The victim's system information. |
| Grabber | Output of a module that grabbed interesting documents from the victim's machine. |
| Skype | Any Skype conversations. |
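As an added illustration (not code from the post, and nothing to do with Kpot's own code), the following Python script triages a directory of archives laid out like the ones described above: it counts infections per country and how often each module produced output. It assumes a "CC_<id>.zip" naming layout for the country-code prefix, which the post does not spell out, and it builds constructed sample archives in memory instead of reading real victim data.

```python
import io
import zipfile
from collections import Counter

# Module artefacts listed in the post's table of a "full" archive. Folders are
# recorded with a trailing slash so they cannot collide with file names.
KNOWN_MODULES = {
    "Battle.net/", "Cookies/", "Discord/", "Steam/", "Grabber/", "Skype/",
    "Autofill.txt", "cc.txt", "credentials.txt", "passwords.txt",
    "screen.png", "sysInfo.txt",
}

def country_code(archive_name):
    """Country code from the archive name; the 'CC_<id>.zip' layout is assumed."""
    return archive_name.split("_", 1)[0].upper()

def modules_present(zip_bytes):
    """Set of known module artefacts found at the top level of one archive."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            top, sep, _ = member.partition("/")
            key = top + sep  # 'Steam/' for folders, 'cc.txt' for files
            if key in KNOWN_MODULES:
                found.add(key)
    return found

def triage(archives):
    """archives maps name -> ZIP bytes. Returns (infections per country, hits per module)."""
    per_country, per_module = Counter(), Counter()
    for name, data in archives.items():
        per_country[country_code(name)] += 1
        per_module.update(modules_present(data))
    return per_country, per_module

def build_sample():
    """Constructed stand-in for the real dump; every member is a placeholder string."""
    def make(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for m in members:
                zf.writestr(m, "placeholder")
        return buf.getvalue()
    return {
        "US_0001.zip": make(["sysInfo.txt", "passwords.txt", "screen.png", "Steam/config.vdf"]),
        "US_0002.zip": make(["sysInfo.txt", "passwords.txt", "Battle.net/login"]),
        "DE_0003.zip": make(["sysInfo.txt", "cc.txt", "Cookies/chrome.txt"]),
    }
```

Running `triage(build_sample())` on the constructed archives reports two US infections and one DE infection, with sysInfo.txt present in all three and each gaming module in exactly one.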
Most of the files contain private information that is irrelevant to the investigation, unless the attacker pwned himself, testing the malware. After some time of searching, I had no luck. However, after taking a look at several screenshots taken at the time of infection, the method of spreading became apparent.
Most infections originated from a pirated version of a game named “Man of the House”. The game comes from a designer on Patreon named Faerin. Victims download a torrent that contains the game along with an executable named “Crack.exe”. The crack executable appears to contain the malware. Once executed, the malware modules collect data and then send it to the command and control server.
The malware is also distributed with a game called “Witch Trainer”, another adult-themed game, designed by another Patreon user called Akabur. It would appear that the attacker is attempting to target adult males who are avid gamers. The pirated adult games, along with the specific Steam and Battle.net modules, suggest that gaming accounts may be a prime target. There are other adult-themed games thrown into the mix. However, I don’t fancy working through 2,025 screenshots to find them all.
At this point, I went to bed. Thinking I had done all I could for the night, I messaged Oliver with my progress.
The next morning, I woke up and checked Twitter. I had a message from Oliver telling me there was an LFI vulnerability within the web portal. Apparently, the attacker was running an older version of Kpot that allowed us to find the credentials to the login page. I exploited the vulnerability, and just like that, I had the credentials to log in.
The web interface did not contain anything in particular that I had not found already. However, it did give me an understanding of how it was constructed. One feature that I took advantage of was the “delete all” feature on the reports list page. It was a very satisfying moment to remove all the records from this C&C server.
To ensure the attacker was unable to use the C&C server, to prevent other individuals from downloading the password dump, and to stop the bots calling back to the C&C server, we utilised the LFI vulnerability to remove most of the PHP files from the web server. We also contacted the hosting provider, who shut down the web server the same day.
At this point in time, I am just contacting companies in an attempt to responsibly disclose the information. Several companies are now aware and have received the information they need to combat this data dump.