
Win32/Gamker


First posted on 21 November 2013.
Source: Microsoft

Aliases :

There are no other names known for Win32/Gamker.

Explanation :

Threat behavior

Installation

Win32/Gamker installs itself on your PC using one of these file names:

  • %ALLUSERSPROFILE%\Application Data\<random lowercase letters>.exe
  • %ALLUSERSPROFILE%\Application Data\<random lowercase letters>32.exe
  • %ALLUSERSPROFILE%\Application Data\<random lowercase letters>64.exe
  • %ALLUSERSPROFILE%\Application Data\explorer.exe.exe
  • %TEMP%\cryptbase.dll
  • %USERPROFILE%\winsat.exe


<random lowercase letters> varies depending on the version of Gamker that you have, but is typically 5 or 7 lowercase letters. For example, some names Win32/Gamker has used include:

  • pyzidyb.exe
  • pijulis32.exe
  • mezyfil64.exe


To make sure it automatically runs every time you start your PC, it creates a scheduled job:

  • %windir%\Tasks\nVidiaBootAgent32.job


It also changes this registry entry so that it runs every time you log onto Windows:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Sets value: "Userinit"
With data: "<original value>,<malware path>"

Payload

Records your keystrokes

Gamker records your keystrokes for all applications. Keystrokes are recorded in a randomly-named file in %AppData%.

An example of recorded keystroke information is shown below:



Takes screenshots

If Gamker detects that one of the programs in its watch list (the table below) is running, it records ten screenshots of that program, taken one second apart.

An example of screenshot captures is shown below:



Records command-line arguments

Gamker records command-line arguments run by your programs. It then saves these commands to the file:

  • %APPDATA%\<random lowercase letters>\cmdline.txt


An example of command-line arguments saved is shown below:



Sends stolen information to a hacker

The screenshots, keylogs, and command-line arguments are sent to a command-and-control (C&C) server controlled by a hacker.

The programs and applications that Gamker tries to steal information from include those that fall under these categories:

  • Online banking apps
  • Internal banking tools
  • SAP programs
  • Bitcoin wallets
  • Cryptography tools
  • Signing keys
  • FTP, POP3, and Squirrel apps


The complete list of applications that it takes screenshots of is below (note that this list is current as of publication date, and can be changed by the malware authors at any time):

Executable name | Category assigned by malware author | Description
AdClient.exe | Etc | Unknown
ARM\\ARM.exe | Etc | Unknown
ASBANK_LITE.exe | Etc | Unknown
avn_cc.exe | Etc | Unknown
BANK32.exe | Etc | Unknown
bankcl.exe | Etc | Unknown
bb.exe | Etc | Unknown
bb24.exe | PSHEK | Unknown
BBCLIENT.exe | Etc | Unknown
BBMS.exe | Etc | Unknown
BC_Loader.exe | Etc | Unknown
BCLIENT.exe | Etc | Unknown
bcmain.exe | BANKATCASH | Unknown
bestcrypt.exe | CRYPT | Tool used to manage BestCrypt protected filesystems
bit4pin.exe | IT | Unknown
bitcoin-qt.exe | Etc | Unknown
bk.exe | Etc | Unknown
Bk_kw32.exe | Etc | Unknown
BUDGET.exe | Etc | Unknown
cb193w.exe | Etc | Unknown
Ceedo.exe | IT | Unknown
CeedoRT.exe | IT | Unknown
CLB.exe | Etc | Unknown
CLBank.exe | Etc | Unknown
clcard.exe | Etc | Unknown
CliBank.exe | Etc | Unknown
Client2.exe | Etc | Unknown
Client32.exe | Etc | Unknown
client6.exe | Etc | Unknown
ClientBK.exe | Etc | Unknown
ClntW32.exe | Etc | Unknown
CNCCLIENT.exe | Etc | Unknown
ContactNG.exe | Etc | Unknown
contoc.exe | IT | Unknown
CSHELL.exe | Etc | Unknown
CyberTerm.exe | CTERM | Unknown Russian payment-related tool
Dealer.exe | Etc | Unknown
dikeutil.exe | IT | Unknown
DTPayDesk.exe | Etc | Unknown
ebmain.exe | BANKATLOCAL | Application by UniCredit Bank Australia
eclnt.exe | Etc | Unknown
Edealer.exe | Etc | Unknown
EELCLNT.exe | Etc | Unknown
EffectOffice.Client.exe | Etc | Unknown
el_cli.exe | Etc | Unknown
ELBA5.exe | ELBALOCAL | Unknown
ELBA5STANDBY.exe | ELBALOCAL | Unknown
elbank.exe | Etc | Unknown
ETSRV.exe | Etc | Unknown
EximClient.exe | Etc | Unknown
fcClient.exe | Etc | Unknown
FileProtector.exe | IT | Unknown
hbp.exe | HPB | Might be Deutsche Bundesbank Eurosystem
Hob.exe | HPB | Might be Deutsche Bundesbank Eurosystem
ibcremote31.exe | Etc | Unknown
Ibwn8.exe | Etc | Unknown
IDProtect Monitor.exe | IT | Unknown
IMBLink32.exe | Etc | Unknown
info.exe | Etc | Unknown
iquote32.exe | Etc | Unknown
iscc.exe | Etc | Unknown
iWallet.exe | Etc | Unknown
JSCASHMAIN.exe | Etc | Unknown
kb_cli.exe | Etc | Unknown
KB_PCB.exe | PSHEK | Profibanka by Komercní banka
KBADMIN.exe | Etc | Unknown
KLBS.exe | Etc | Unknown
LBank.exe | Etc | Unknown
legalSign.exe | IT | Unknown
LFCPaymentAIS.exe | Etc | Unknown
litecoin-qt.exe | Etc | Unknown
LPBOS.exe | Etc | Unknown
MMBANK.exe | Etc | Unknown
MWCLIENT32.exe | Etc | Unknown
NURITSmartLoader.exe | Etc | Unknown
OEBMCC32.exe | MCLOCAL | Application by Omikron related to electronic banking
OEBMCL32.exe | MCLOCAL | Application by Omikron Systemhaus GmbH related to electronic banking
OKMain.exe | Etc | Unknown
Omeg\\M7.exe | Etc | Unknown
OnCBCli.exe | Etc | Unknown
openvpn-gui | CRYPT | Client for VPN remote access to PCs
oseTokenServer.exe | MCSIGN | Application by Omikron related to electronic banking
payment_processor.exe | Etc | Unknown
Payments.exe | Etc | Unknown
PaymMaster.exe | Etc | Unknown
Payroll.exe | Etc | Unknown
PinPayR.exe | Etc | Unknown
Pkkb.exe | PSHEK | Banking application, Komercní banka
plat.exe | Etc | Unknown
Pmodule.exe | Etc | Unknown
PostMove.exe | POST | Unknown, likely a tool used to do HTTP POST operations
PRCLIENT.exe | Etc | Unknown
ProductPrototype.exe | Etc | Unknown
Qiwicashier.exe | Etc | Unknown
QIWIGUARD.exe | Etc | Unknown
QUICKPAY.exe | Etc | Unknown
rclient.exe | CFT | Client for Remote Administration
RETAIL.exe | Etc | Unknown
RETAIL32.exe | Etc | Unknown
rmclient.exe | Etc | Unknown
rpay.exe | Etc | Unknown
RTADMIN.exe | Etc | Unknown
RTCERT.exe | Etc | Unknown
SAADM.exe | Etc | Unknown
SACLIENT.exe | Etc | Unknown
saplogon.exe | SAP | SAP Logon for Windows
sapphire.exe | Etc | Unknown
SecureStoreMgr.exe | PSHEK | Unknown
selva_copy.exe | Etc | Unknown
SGBClient.exe | Etc | Unknown
SIManager.exe | IT | Unknown
srclbclient.exee | Etc | Unknown
StartCeedo.exe | IT | Unknown
startclient7.exe | Etc | Unknown
Sunflow.exe | Etc | Unknown
SXDOC.exe | Etc | Unknown
Telemaco.exe | IT | Unknown
TelemacoBusinessManager.exe | IT | Unknown
terminal.exe | Etc | Unknown
TERMW.exe | Etc | Unknown
Transact.exe | Etc | Unknown
Translink.exe | WU | Tool by Western Union Inc
truecrypt.exe | CRYPT | Tool used to manage TrueCrypt protected filesystems
UARM.exe | Etc | Unknown
ubs_net.exe | Etc | Unknown
UNISTREAM.exe | Etc | Unknown
UpOfCards.exe | Etc | Unknown
URALPROM.exe | Etc | Unknown
visa.exe | Etc | Unknown
W32MKDE.exe | Etc | Unknown
WClient.exe | Etc | Unknown
WebLogin.exe | Etc | Unknown
webmoney.exe | WM | Unknown
WFINIST.exe | Etc | Unknown
WinPost.exe | POST | Unknown, likely a tool used to do HTTP POST operations
WinVal.exe | Etc | Unknown
WUPostAgent.exe | Etc | Unknown
xplat_client.exe | Etc | Unknown

Lets a hacker gain access to your PC

Gamker can implement a hidden VNC (Virtual Network Computing) server, which lets a hacker remotely control your PC to do malicious activities like these:

  • Transport stolen data out of your PC
  • Install or update Gamker
  • Spread to other PCs in your network


Steals keys from your PC

Gamker steals both private and public keys found in your PC.

Additional information

To carry out its payload, Gamker hooks these functions in the processes it targets (the nspr4.dll entries are Firefox's NSPR I/O layer and ssleay32.dll is OpenSSL's libssl, so the hooks see data before it is encrypted):

  • advapi32.dll::CryptEncrypt
  • chrome.dll::somefunction
  • kernel32.dll::CreateFileW
  • nspr4.dll::PR_Close
  • nspr4.dll::PR_Connect
  • nspr4.dll::PR_GetNameForIdentity
  • nspr4.dll::PR_Read
  • nspr4.dll::PR_SetError
  • nspr4.dll::PR_Write
  • ssleay32.dll::SSL_get_fd
  • ssleay32.dll::SSL_write
  • urlmon.dll::URLDownloadToCacheFileW
  • urlmon.dll::URLDownloadToFileW
  • user32.dll::CreateDialogParamW
  • user32.dll::GetMessageA
  • user32.dll::GetMessageW
  • user32.dll::GetWindowTextA
  • user32.dll::SendInput
  • user32.dll::TranslateMessage
  • wininet.dll::HttpSendRequestA
  • wininet.dll::HttpSendRequestExA
  • wininet.dll::HttpSendRequestExW
  • wininet.dll::HttpSendRequestW
  • wininet.dll::InternetCloseHandle
  • wininet.dll::InternetQueryDataAvailable
  • wininet.dll::InternetReadFile
  • wininet.dll::InternetReadFileExA
  • wininet.dll::InternetReadFileExW
  • ws2_32.dll::getaddrinfo
  • ws2_32.dll::gethostbyname
  • ws2_32.dll::recv
  • ws2_32.dll::send
  • ws2_32.dll::WSARecv
  • ws2_32.dll::WSASend
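
As an added example (not code from the Microsoft write-up), the following Python checks whether the exports above still begin with their normal prologue inside a given process. The page names the hooked functions but not the hooking technique, so the byte patterns it looks for are the generic inline-hook shapes (JMP rel32, JMP [ptr], PUSH/RET, MOV EAX/JMP EAX and the hot-patch layout); that choice is an assumption. The module bases, export addresses and injected-payload region in the demo are constructed. On a live host you would supply `read` built on ReadProcessMemory for the target process (a browser, an FTP client) and `resolve` from that process's export tables, and `module_bases` should list every loaded module so that a jump into a legitimately forwarded export (kernel32 stubs into kernelbase, for example) is attributed to that module rather than reported as a hook.

```python
"""Inline-hook check for the user-mode exports listed above.

Added example, not code from the Microsoft write-up. The page names the hooked
exports but not how the hooks are placed, so the patterns below are the usual
inline-hook prologues (an assumption, not a Gamker-specific signature)."""
import struct
from typing import Callable

# Subset of the hook list on this page; extend with the remaining entries.
HOOKED_EXPORTS = [
    ("kernel32.dll", "CreateFileW"), ("advapi32.dll", "CryptEncrypt"),
    ("ws2_32.dll", "send"), ("ws2_32.dll", "recv"), ("ws2_32.dll", "WSASend"),
    ("wininet.dll", "HttpSendRequestW"), ("wininet.dll", "InternetReadFile"),
    ("nspr4.dll", "PR_Write"), ("nspr4.dll", "PR_Read"), ("user32.dll", "GetMessageW"),
]

Reader = Callable[[int, int], bytes]          # read(addr, n) -> bytes


def classify_prologue(code: bytes, addr: int, ptr_size: int):
    """Return (pattern, value) if the first bytes of a function look like a hook,
    else None. For direct jumps the value is the target; for JMP [ptr] it is the
    pointer slot (x86: absolute disp32, x64: RIP-relative) to be dereferenced."""
    if len(code) < 7:
        raise ValueError("need at least 7 bytes of prologue")
    mask = (1 << (8 * ptr_size)) - 1
    if code[0] == 0xE9:                                   # JMP rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp_rel32", (addr + 5 + rel) & mask
    if code[:2] == b"\xFF\x25":                           # JMP [ptr]
        disp = struct.unpack_from("<i", code, 2)[0]
        return "jmp_indirect_slot", (disp & 0xFFFFFFFF) if ptr_size == 4 else (addr + 6 + disp) & mask
    if code[0] == 0x68 and code[5] == 0xC3:               # PUSH imm32 / RET
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    if code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":      # MOV EAX, imm32 / JMP EAX
        return "mov_jmp_eax", struct.unpack_from("<I", code, 1)[0]
    return None


def classify_hotpatch(before: bytes, entry: bytes, addr: int, ptr_size: int):
    """Hot-patch layout: 'mov edi, edi' at entry overwritten with 'jmp -5' (EB F9)
    and a JMP rel32 written into the 5 padding bytes before the function."""
    if entry[:2] == b"\xEB\xF9" and len(before) >= 5 and before[0] == 0xE9:
        rel = struct.unpack_from("<i", before, 1)[0]      # jmp sits at addr-5, so target = (addr-5)+5+rel
        return "hotpatch", (addr + rel) & ((1 << (8 * ptr_size)) - 1)
    return None


def module_range(read: Reader, base: int):
    """Module bounds from the in-memory PE header; OptionalHeader.SizeOfImage is
    at e_lfanew + 0x50 for both PE32 and PE32+."""
    e_lfanew = struct.unpack("<I", read(base + 0x3C, 4))[0]
    size = struct.unpack("<I", read(base + e_lfanew + 0x50, 4))[0]
    return base, base + size


def scan(read: Reader, resolve, module_bases: dict, ptr_size: int = 4, exports=HOOKED_EXPORTS):
    """resolve(module, export) -> address or None when the module is not loaded.
    A hook whose target lies in no loaded module (target_module None) is the
    strong signal; a jump into another loaded DLL may be export forwarding."""
    ranges = {m: module_range(read, b) for m, b in module_bases.items()}
    findings = []
    for mod, name in exports:
        addr = resolve(mod, name)
        if addr is None:
            continue
        hit = (classify_prologue(read(addr, 7), addr, ptr_size)
               or classify_hotpatch(read(addr - 5, 5), read(addr, 2), addr, ptr_size))
        if hit is None:
            continue
        kind, target = hit
        if kind == "jmp_indirect_slot":
            target = int.from_bytes(read(target, ptr_size), "little")
        owner = next((m for m, (lo, hi) in ranges.items() if lo <= target < hi), None)
        findings.append({"export": f"{mod}!{name}", "pattern": kind,
                         "target": target, "target_module": owner})
    return findings


def demo_scan():
    """Constructed 32-bit process (invented addresses): ws2_32.dll with a clean
    send(), a JMP rel32 hook on recv() and a JMP [ptr] hook on WSASend();
    kernel32.dll with a hot-patched CreateFileW(). All hooks land at 0x00A0xxxx,
    where no module is mapped, i.e. injected payload code."""
    WS2, K32, PAYLOAD = 0x71A00000, 0x76D00000, 0x00A00000
    mem = {WS2: bytearray(0x30000), K32: bytearray(0x100000)}
    for buf in mem.values():                              # minimal PE header
        buf[0x3C:0x40] = struct.pack("<I", 0x80)
        buf[0x80:0x84] = b"PE\0\0"
        buf[0xD0:0xD4] = struct.pack("<I", len(buf))      # 0x80 + 0x50: SizeOfImage

    def poke(addr, data):
        base = WS2 if WS2 <= addr < WS2 + len(mem[WS2]) else K32
        mem[base][addr - base:addr - base + len(data)] = data

    def read(addr, n):
        for base, buf in mem.items():
            if base <= addr < base + len(buf):
                return bytes(buf[addr - base:addr - base + n])
        raise ValueError(f"unmapped address {addr:#x}")

    exports = {("ws2_32.dll", "send"): WS2 + 0x1000, ("ws2_32.dll", "recv"): WS2 + 0x2000,
               ("ws2_32.dll", "WSASend"): WS2 + 0x3000, ("kernel32.dll", "CreateFileW"): K32 + 0x4000}
    poke(WS2 + 0x1000, b"\x8B\xFF\x55\x8B\xEC\x83\xEC\x10")                       # intact prologue
    poke(WS2 + 0x2000, b"\xE9" + struct.pack("<i", PAYLOAD - (WS2 + 0x2000 + 5)) + b"\x90\x90")
    poke(WS2 + 0x3000, b"\xFF\x25" + struct.pack("<I", WS2 + 0x2F000) + b"\x90")
    poke(WS2 + 0x2F000, struct.pack("<I", PAYLOAD + 0x200))                        # pointer slot
    poke(K32 + 0x4000 - 5, b"\xE9" + struct.pack("<i", (PAYLOAD + 0x100) - (K32 + 0x4000)))
    poke(K32 + 0x4000, b"\xEB\xF9\x55\x8B\xEC\x83\xEC\x10")
    return scan(read, lambda m, n: exports.get((m, n)), {"ws2_32.dll": WS2, "kernel32.dll": K32})


if __name__ == "__main__":
    for finding in demo_scan():
        print(finding)
```

The prologue check reads only seven bytes per export and five bytes of padding before it, so it is cheap enough to run across every process that loads the target DLLs; what it cannot see is a hook placed deeper than the first instruction or one implemented through the import table, which would need a separate IAT comparison.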




Analysis by Geoff McDonald

Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:
    • %TEMP%\cryptbase.dll
    • %USERPROFILE%\winsat.exe
    • %windir%\Tasks\nVidiaBootAgent32.job
  • You have this registry entry:
    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
    Value: "Userinit"
    Data: "<original value>,<malware path>"

    where by default:

    Data: "<system folder>\userinit.exe"
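
The artifacts in the Installation section and the Symptoms checklist above can be checked with a short script. The following Python is an added example, not part of the Microsoft write-up: it parses the Userinit value (allowing for the trailing comma the stock value carries), matches paths against the drop locations and scheduled job listed on this page, and on Windows reads the live registry value and file system (assumed wiring through the standard winreg and glob modules). The sample environment, Userinit value and path list at the bottom are constructed.

```python
"""Triage of the Gamker persistence artifacts from the Installation and Symptoms
sections: the Userinit logon hook, the scheduled job and the drop locations.
Added example, not code from the Microsoft write-up. The checks are pure
functions over a registry value string, a list of paths and an environment
map, so they run offline; collect_windows() (assumed wiring) feeds them live
data on a Windows host."""
import ntpath
import os
import re
import sys

# Dropper names seen on this page: 5 or 7 lowercase letters, optional 32/64 suffix.
GAMKER_NAME_RE = re.compile(r"^(?:[a-z]{5}|[a-z]{7})(?:32|64)?\.exe$")


def parse_userinit(data):
    """Split the comma-separated Userinit value. The stock value ends in a
    trailing comma ('...\\userinit.exe,'), so empty entries are dropped."""
    return [p.strip().strip('"') for p in data.split(",") if p.strip()]


def userinit_extras(data, system_dir):
    """Every entry other than <system folder>\\userinit.exe. Anything else listed
    here is launched by Winlogon at each interactive logon."""
    expected = ntpath.join(system_dir, "userinit.exe").lower()
    return [p for p in parse_userinit(data) if p.lower() != expected]


def classify_path(path, env):
    """Return why `path` matches one of the install locations on this page, or
    None. Locations are resolved from `env` (ALLUSERSPROFILE, TEMP, USERPROFILE,
    WINDIR), so the legitimate winsat.exe in the system folder is not flagged."""
    norm = lambda p: ntpath.normpath(p).lower()
    target = norm(path)
    directory, name = ntpath.split(target)
    if directory == norm(ntpath.join(env["ALLUSERSPROFILE"], "Application Data")):
        if name == "explorer.exe.exe" or GAMKER_NAME_RE.match(name):
            return "dropper name under %ALLUSERSPROFILE%\\Application Data"
    if target == norm(ntpath.join(env["TEMP"], "cryptbase.dll")):
        return "cryptbase.dll in %TEMP%"
    if target == norm(ntpath.join(env["USERPROFILE"], "winsat.exe")):
        return "winsat.exe in %USERPROFILE%"
    if target == norm(ntpath.join(env["WINDIR"], "Tasks", "nVidiaBootAgent32.job")):
        return "nVidiaBootAgent32.job scheduled job"
    return None


def triage(userinit_data, paths, env):
    """Combine the checks. An extra Userinit entry that also sits in a Gamker
    drop location is the strongest finding; a lone 5/7-letter .exe under
    Application Data is only a candidate and needs the other indicators."""
    findings = []
    for p in userinit_extras(userinit_data, ntpath.join(env["WINDIR"], "system32")):
        findings.append(f"Userinit runs extra program ({classify_path(p, env) or 'unexpected entry'}): {p}")
    for p in paths:
        why = classify_path(p, env)
        if why:
            findings.append(f"{why}: {p}")
    return findings


def collect_windows(env=os.environ):
    """Live collection on Windows (assumed wiring): read the Userinit value and
    test the page's paths plus every .exe in All Users\\Application Data."""
    import glob
    import winreg
    key = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
        userinit, _ = winreg.QueryValueEx(k, "Userinit")
    candidates = [ntpath.join(env["TEMP"], "cryptbase.dll"),
                  ntpath.join(env["USERPROFILE"], "winsat.exe"),
                  ntpath.join(env["WINDIR"], "Tasks", "nVidiaBootAgent32.job")]
    candidates += glob.glob(ntpath.join(env["ALLUSERSPROFILE"], "Application Data", "*.exe"))
    return userinit, [p for p in candidates if os.path.exists(p)]


# Constructed sample host (not real data): one dropper registered in Userinit.
SAMPLE_ENV = {"ALLUSERSPROFILE": r"C:\ProgramData", "TEMP": r"C:\Users\alice\AppData\Local\Temp",
              "USERPROFILE": r"C:\Users\alice", "WINDIR": r"C:\Windows"}
SAMPLE_USERINIT = r"C:\Windows\system32\userinit.exe,C:\ProgramData\Application Data\pijulis32.exe"
SAMPLE_PATHS = [r"C:\ProgramData\Application Data\pijulis32.exe",
                r"C:\Users\alice\AppData\Local\Temp\cryptbase.dll",
                r"C:\Windows\Tasks\nVidiaBootAgent32.job",
                r"C:\Windows\system32\winsat.exe"]      # legitimate location, must not be flagged


def demo():
    return triage(SAMPLE_USERINIT, SAMPLE_PATHS, SAMPLE_ENV)


if __name__ == "__main__":
    live = sys.platform == "win32"
    userinit, paths = collect_windows() if live else (SAMPLE_USERINIT, SAMPLE_PATHS)
    for line in triage(userinit, paths, os.environ if live else SAMPLE_ENV) or ["no Gamker indicators found"]:
        print(line)
```

The Userinit comparison is the check worth automating across a fleet: the value is a plain REG_SZ that should contain exactly one program, so any second entry is worth a look regardless of whether it matches the name pattern. The name pattern alone is weak (a legitimate five-letter setup.exe in that folder would match), which is why the script reports it as a candidate and corroborates with the registry and job file.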

Last update 21 November 2013
