FortiGuard Labs Threat Research Report
Back in the 90’s, the Internet was not too wild in terms of malicious software, hacking attacks, etc. Viruses and some Worms had started to emerge, and while some were really dangerous, a great majority were not. Different categories like Joke programs or other similar programs with non-destructive payloads were part of that era. Many developers were not really malware writers, but skilled developers that wanted to have a good time scaring people or simply making a joke by developing small pieces of software that performed behaviors such as opening the CD-ROM or displaying different characters walking across a screen. Unfortunately, one of these innocent categories turned into something more serious: the well-known PUAs. In this FortiGuard Labs article, we will define what a PUA is, describe its inherent risks, and how malware makes use of them by showcasing a malware sample.
Potentially unwanted applications (PUAs) refer to a general category used by all vendors to tag are particular applications that can be misused by malicious people. These tools are not really malicious and the program itself does not necessarily represent a risk. Instead, it is the usage of such tools and the related outcomes that are the real problem.
System Administration tools and other tools with similar functionalities can fall into the PUA category. These tools are useful when the user makes use of all the program functionalities and advantages provided by the software. There are a lot of tool categories, ranging from System Administration to Password Recovery. These can be very useful when someone with limited knowledge in program development has a specific requirement. These tools can then save the day.
But that is actually rare. Most of the time, users only leverage a small subset of the available functionality these programs provide. Instead, they are often used to provide greater capabilities for malicious actors when they attack or compromise a machine. In addition, instead of creating their own tools, attackers sometimes use 3rd party tools downloaded from the Internet and embed them as an integrated component to their framework, increasing its malicious payload. Some attackers are clever enough to modify the original content in the form of compression (Packers), encryption (Crypters / Protectors), or Obfuscators, with the objective of concealing the logic, code, and actions. These tactics make the PUAs strong enough to evade detection and therefore increase their dwell time in a targeted network, which is one of the main purposes of such “evasion” tactics, along with their true objective, since the longer an attack remains undetected, the more profit for them.
NirSoft is a website that offers easy access to System Administration tools, including a sub-set of tools focused on Password Recovery in different forms (e.g. Browsers, Mail Clients, Remote Access Clients, Wireless Networks, Routers, etc.). Such tools are often tagged as PUA by Anti-Virus (AV) vendors. Another popular website with similar tool sets is Security Xploded.
In the case of the NirSoft website, as of 2018, there are a total of 28 tools that are related to the “Password Recovery Utilities” category.
For people not familiar with these tools, the following is a description of one of them, called “Network Password Recovery.” The tool’s official description contains the following text:
“Windows allows you to save your password in order to use it in each time that you connect the remote server. This utility recovers all network passwords stored on your system for the current logged-on user. It can also recover the passwords stored in Credentials file of external drive, as long as you know the last log-on password.”
Below is an image that was taken from the official website that shows the results of running this particular tool after collecting credential information from the local machine.
In 2015, a blog post appeared on the NirBlog’s website (the official blog of nirsoft.net) where the tool’s author shared his concerns regarding how AV vendors detected his tools as malicious, and not properly notifying their customers that those tools, especially the password-recovery, should not be marked as such. In the same blog post, he shared a table that shows how many vendors detect his tools as malicious. Despite the fact that the assumptions in this blog post may seem valid from a Developer’s perspective, the argument does not fully apply from the perspective of an AV vendor. It is clear that an AV vendor must warn at all times of any artifact that is known - or behaves - in a suspicious manner. According to NirSoft’s False-Positive report, AV vendors began marking the password-recovery tools as PUA in 2004.
Imagine a hypothetical scenario in which a machine is compromised and the attacker uploads to the affected machine “netcat”, a tool not only known for Network testing and troubleshooting purposes, but one that is also commonly leveraged by attackers to backdoor systems for later access. This tool is commonly marked as a PUA, since the nature of its functionalities can easily be misused. If the owner of the compromised system had an AV installed, and it did not notice and warn the user about the presence of the tool on his system, then that user would have a legitimate right to blame the AV vendor for not properly noticing/blocking the program. After all, if the context of the use of the PUA is known by the user, most AV software has the ability to “white-list” any program of the user’s election, but if it is not specifically identified as authorized, the program must be treated as a PUA.
In 2018, an active campaign was spotted in the well-known Emotet Banking Trojan, which makes use of Freeware system tools but with an obscure purpose. The US-CERT released an alert for this particular version of Emotet, mentioning the use of some NirSoft “Password-Recovery” tools.
Regular malware has been doing this for years, but as time passes, more threat actors and groups are emerging and the usage of such tools is increasing. For instance, BitDefender spotted a targeted attack launched by Netrepser, a Cyberespionage group, which is one of many groups that are well-known for using 3rd party components (some from the aforementioned NirSoft tool-set) in their launched attacks.
From time to time in our FortiGuard Research Lab, we see the existence of these tools during malware sandboxed executions, usually as the 2nd stage, along with dropped files controlled by an external component of the main (launcher) malware. Each AV vendor uses its own naming convention, and for the NirSoft’s password-recovery category we use the following: Riskware/ChromePass, Riskware/PstPassword, Riskware/NetPass, and Riskware/Dialupass, among others.
The following pie chart shows all the occurrences of samples and the related detection categories, without being Packed or Protected, related to the Password-recovery tools downloaded in November 2018.
Based on this data, one can see the high prevalence of the “Riskware/NetPass” category, which encompasses three tools: “Network Password Recovery”, “IE PassView”, and “Opera PassView”.
By leveraging our Malware Analysis System, we have also identified different malware samples that use the aforementioned tools, but their content was modified to evade detection. Finding relationships between samples is not trivial, although, there are a number of methods for using certain information to get them, either by its file name, original file name (by parsing the contents of the VERSIONINFO resource of the executable file), off-line URLs inside the launcher/dropped binaries, and Common AV signature matching, etc.
During one sample hunting session, we found that one of the samples is an independent one (MD5: 0fd18e3cc8887dc821a9f8c4e481a416), which is a .NET program sample that apparently is not tied to an active campaign or group. However, it is a good example to talk about since it makes use of the NirSoft tools for malicious purposes. As mentioned earlier, attackers don’t always download external tools and implement them into their own attack frameworks just as they were downloaded. Instead, they attempt to conceal them by obscuring their codes, making them difficult to detect or analyze by malware analysts.
According to RDG Packer Detector, this particular sample was protected by a commercial tool called “Enigma Protector”, which protects executable files mainly for licensing purposes and preventing Software Piracy. However, malware writers also use it to protect their creations as well.
Once the malware is executed, it drops the tools and executes them by providing command-line arguments to save the collected data (e.g. mspass.exe /stext <destination_file.txt>) for later use.
In the following Figure, it can be seen how the “WebBrowserPassView.exe”, “mspass.exe” and “ProduKey.exe” were executed during the malware execution.
If we are on the same machine where the malware is executing, and run the “WebBrowserPassView” only, the tool will display the stored credentials in the browser, which is the expected behavior.
As soon as the collection activities are done, however, the malware exfiltrates the information to the C&C server. Figure 6, one can see the parameters and their related values used in the HTTP request, where “u=” is the URL, “p=” is the password, and “l” is the login.
To confirm how many credential stealing routines this malware has, how many are based on the password-recovery tool, and which ones were developed by the malware author, we unpacked the sample to examine the real code inside it in order to identify them and confirm what other actions this malware is capable of performing. We found that the malware used only three NirSoft tools, but the malware author had also developed additional routines to steal credentials from other popular network and instant messaging clients such as: CoreFTP, FileZilla, and SmartFTP, among others.
The main use of the NirSoft tools by this malware falls in the password-related category. But this particular sample also uses an additional System tool called “ProductKey”, with the description: “Recover lost Windows product key (CD-Key) and Office 2003/2007 product key.”.
This tool has been detected as “Riskware/ProductKey” by Fortinet Antivirus, and the collected data was used to exfiltrate serial-keys to the attacker’s C&C, presumably for user-identification. This is a clear example of how a powerful application can be used to perhaps recover serials directly from a computer because of a lost Software license, but which, in the hands of a malicious person can be used for a completely different purpose.
This malware sample exfiltrates the data collected by the previously mentioned tools. The user’s collected data not only combines information collected by the malware itself but also from the ProductKey output, including Current User, Windows Version, and the Windows Serial Number, as can be seen in Figure 9. It shows the network capture of the HTTP request sent to the C&C server, confirming that attackers can bundle different tool categories for the same target, in this case combining password-recovery with other system-related tools.
Using stand-alone System tools has been the default option for many people in the IT industry, especially IT Support. These tools provide an easy way to get quick results when dealing with automation, recovery, or simply making life easier when working with a computer.
NirSoft and similar tools are in fact not malicious in their native forms, but it is good practice to be aware of them once they have been installed on computers. This is especially true in Corporate environments where their presence may represent a potential risk, depending on the context of the computer owner and its day-to-day activities when using the system, as they can be easily manipulated for illegitimate purposes.
The reason why PUAs are so easily adapted by malware is because of their own built-in flexibility, especially in terms of automation, which allows attackers to easily develop a complex threat with minimum operational logic, but powerful implementation - and danger - when these tools are integrated within their attacker toolkits and then used maliciously afterward.
Advanced malware threats, such as Emotet, and a growing number of cyber criminal groups take advantage of these tools, and related threats will certainly continue to emerge. Additiionally, it is almost certain that malware developers and criminal organizations will continue to incorporate tools like these in their attack frameworks for a long time to come.
Learn more about Fortinet’s free cybersecurity training, an initiative of Fortinet’s Training Advancement Agenda (TAA), or about the Fortinet Network Security Expert program, Security Academy program, and Veterans program.Learn more about FortiGuard Labs global threat intelligence and research and the FortiGuard Security Subscriptions and Services portfolio.