
Cyber criminals are constantly looking for new ways to get past the protection installed on computers, so that they can avoid detection and steal user data. To that end, black hat hackers have always relied on malware (phishing, network worms or, as the scariest example, encrypting Trojans, i.e. ransomware) to achieve their goals: breaking into companies to steal accounts or huge amounts of data and holding them for ransom. At least, that has been the case so far.
The PandaLabs anti-virus laboratory recently discovered a rather clever attack on a company in Hungary. What made this attack so special? It does not use any malware at all: instead it uses scripts and other tools belonging to the operating system itself to bypass security scanners. This is yet another example of the growing confidence and professionalism we have seen among cyber criminals in recent months.
Malware Attack Analysis
First, as has become the norm in the latest security incidents analyzed in our laboratory, the attack begins with the hackers launching a brute-force attack (password guessing) against a server with Remote Desktop Protocol (RDP) enabled. Once the criminals have obtained credentials to log in to the system, they have full access to it.
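Password guessing against an exposed RDP server leaves a dense trail of failed-logon events in the Security log. The following PowerShell script is an added example, not code from the Panda post, that summarizes those failures per source address so an administrator can spot a guessing run like the one described above. It assumes the script runs elevated on the RDP server, that logon auditing is enabled, and that the failure threshold (20 in one hour by default) suits the environment; the threshold and time window are assumptions to tune.

```powershell
# Added example (not from the Panda post): summarize failed logons per source
# address from the Security log to surface an RDP password-guessing run.
# Assumptions: runs elevated on the target server, logon auditing is on,
# and the default threshold of 20 failures per hour fits this environment.
function Get-FailedLogonSummary {
    param(
        [int]$Hours = 1,
        [int]$Threshold = 20
    )
    $since = (Get-Date).AddHours(-$Hours)

    # Event ID 4625 = "An account failed to log on". With Network Level
    # Authentication, RDP failures are logged with LogonType 3 (Network);
    # without NLA they appear as LogonType 10 (RemoteInteractive). Keep both.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                           -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['LogonType'] -in @('3', '10')) {
            [pscustomobject]@{
                Source    = $d['IpAddress']
                User      = $d['TargetUserName']
                LogonType = $d['LogonType']
                Time      = $e.TimeCreated
            }
        }
    }

    # One row per source address that crossed the threshold, with the set of
    # account names it tried; many distinct names from one address is the
    # classic brute-force / password-spray pattern.
    $rows | Group-Object Source | Where-Object Count -ge $Threshold |
        ForEach-Object {
            [pscustomobject]@{
                Source   = $_.Name
                Failures = $_.Count
                Accounts = ($_.Group.User | Sort-Object -Unique) -join ','
                First    = ($_.Group.Time | Measure-Object -Minimum).Minimum
                Last     = ($_.Group.Time | Measure-Object -Maximum).Maximum
            }
        } | Sort-Object Failures -Descending
}

Get-FailedLogonSummary -Hours 24 -Threshold 20 | Format-Table -AutoSize
```

A source address with hundreds of failures against many account names within a short window is the signature of the password guessing the post describes. The practical mitigations are the usual ones for exposed RDP: do not expose it directly to the internet, require NLA, enforce account lockout, and feed these events to a central log so the alert fires before the attacker finds a valid password.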
The first thing the hackers then did was run sethc.exe with parameter 211 from a command prompt (CMD). This enables Sticky Keys in the system. You have surely seen this message before:

Next, they downloaded and ran the “Traffic Spirit” program. This application is a traffic generator, used in this case to earn extra money with the help of the compromised computers.
Traffic Spirit website
A self-extracting archive is then run, which unpacks the following files into the %Windows%\cmdacoBin folder:
• registery.reg
• SCracker.bat
• sys.bat
After that, the hackers ran the Windows Registry Editor (Regedit.exe) to add the following key, contained in the registery.reg file:

This key is designed so that every time the Sticky Keys function (sethc.exe) is invoked, a file called SCracker.bat is launched as well. This is a batch file that implements a very simple authentication system. When the file is run, the following window is displayed:

The username and password are read from two variables set in the sys.bat file:

In this way the hacker installs a backdoor on the infected machine. With it, the hacker can connect to the computer without having to enter any credentials, enable Sticky Keys (for example, by pressing the SHIFT key five times), and enter the appropriate username and password to open a command prompt:

Hot keys in that command prompt let the hacker access certain folders, change the console color, and run other standard command-line commands.

However, the attack did not stop there. In an attempt to squeeze the maximum profit out of this company, the hackers installed a bitcoin miner on each compromised computer to earn “free” money. Bitcoin mining software is designed to use the computer's resources to generate virtual currency without the victim's knowledge: a cheap and very effective way to monetize infections.
How does Sticky Keys help cyber crooks?
If a hacker can already access the target computer over an RDP connection, why do they need a backdoor? The answer is very simple. With a backdoor installed on the affected machine, even if the victim realizes the system is compromised and changes the Remote Desktop credentials, all the hacker needs to do is press the SHIFT key five times to enable Sticky Keys and launch the backdoor, and they are back in the system. And remember, all of this is done without a single malicious program on the affected computer.
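Because nothing here is malware, the persistence survives a credential reset and is invisible to a signature scanner; what a defender can check instead is the configuration that ties sethc.exe to SCracker.bat and the artifacts the post names. The PowerShell audit below is an added example, not code from the Panda post. The post does not show the contents of registery.reg, so the script assumes the usual mechanism for making Windows run another program whenever sethc.exe starts, an Image File Execution Options “Debugger” value; it also goes beyond the post by checking the other accessibility binaries that can be hijacked the same way and the older variant in which the binary is simply overwritten with a copy of cmd.exe, and it looks for the %Windir%\cmdacoBin drop folder the post names.

```powershell
# Added example (not from the Panda post): audit a Windows host for the
# Sticky Keys backdoor described above. Assumption: the registry key the
# post refers to is an IFEO "Debugger" value for sethc.exe; the other
# accessibility binaries and the cmd.exe-overwrite check are a
# generalization beyond the post. Run elevated.
function Test-StickyKeysBackdoor {
    $ifeo    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $targets = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
               'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
    $cmdHash  = (Get-FileHash (Join-Path $env:WINDIR 'System32\cmd.exe')).Hash
    $findings = @()

    foreach ($bin in $targets) {
        # (1) IFEO Debugger: Windows starts the named Debugger program in
        #     place of $bin whenever $bin is launched, including from the
        #     logon screen, which is exactly the pre-authentication shell
        #     the post describes.
        $key = Join-Path $ifeo $bin
        if (Test-Path $key) {
            $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                $findings += [pscustomobject]@{ Check = 'IFEO Debugger set'; Item = $bin; Detail = $dbg }
            }
        }

        # (2) Older variant (not in the post): the accessibility binary has
        #     been replaced by a copy of cmd.exe, so the two hashes match.
        $path = Join-Path $env:WINDIR "System32\$bin"
        if ((Test-Path $path) -and ((Get-FileHash $path).Hash -eq $cmdHash)) {
            $findings += [pscustomobject]@{ Check = 'Binary replaced by cmd.exe'; Item = $bin; Detail = $path }
        }
    }

    # (3) The drop folder and files named in the post.
    $drop = Join-Path $env:WINDIR 'cmdacoBin'
    if (Test-Path $drop) {
        $files = (Get-ChildItem -Path $drop -Force | Select-Object -ExpandProperty Name) -join ', '
        $findings += [pscustomobject]@{ Check = 'Drop folder present'; Item = $drop; Detail = $files }
    }

    return $findings
}

$result = Test-StickyKeysBackdoor
if ($result) { $result | Format-Table -AutoSize } else { 'No Sticky Keys backdoor indicators found.' }
```

A Debugger value on any accessibility binary is almost never legitimate, so a single finding is enough to treat the host as compromised. Remediation is the reverse of the installation: delete the Debugger value, remove the drop folder after preserving it for the investigation, reset every credential that was usable over RDP, and review the failed-logon history that preceded the install. The same checks can be fed into an EDR or configuration-baseline job so that the key being created, rather than a later SHIFT-key press, is what raises the alert.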
Panda Security’s Adaptive Defense 360 advanced information security solution was able to stop this targeted attack by continuously monitoring the company's IT network, protecting it from serious financial and reputational damage.