The Growing Threat of Information Stealers in the Cybercrime Landscape

The Growing Threat of Information Stealers in the Cybercrime Landscape

Introduction

The rise of malicious software designed to steal sensitive information has become a significant problem in the cybercrime landscape. They are specifically created to infiltrate computer systems and extract valuable data, including personal information, login credentials, financial details, and intellectual property. Known as information stealers or data stealers, these malware programs pose a prevalent threat.

Cybercriminals use various tactics to distribute information stealers, and once installed on a victim’s device, these malware programs operate discreetly, often evading detection by security software. Information stealers target a wide range of applications, including web browsers, email clients, instant messaging platforms, and financial software.

The stolen data is usually sold on underground marketplaces or used for illegal activities like identity theft, financial fraud, corporate espionage, or blackmail. The financial motivation behind information stealers, combined with their ability to collect sensitive data from numerous victims, makes them appealing to cybercriminals.

In February 2023, a new information stealer called White Snake emerged, joining the list of threats in this category. In this blog we have delved into the technical aspects of the updated White snake stealer version 1.6, to provide insights into its behaviour and shed light on its latest capabilities.

The White Snake Stealer

​​Focused on infiltrating diverse applications such as cryptocurrency wallets, FTP clients, and email clients among others, White Snake exhibits a range of capabilities. These include  execution of commands on the victim’s system enabling activities like taking screenshots and capturing webcam. Having undergone continuous development since its initial arrival, it has prompted Telegram announcements that suggest the addition of new capabilities.

Samples showcasing these enhanced features on public repositories strongly suggests the active distribution of new versions of the White Snake stealer in the Cybercrime scene.

White Snake Stealer offers versions for both Windows and Linux systems. However, we have not been able to find any samples specifically targeting Linux systems while others aimed at Windows platforms were identified, demonstrating advanced features.

Posts announcing White Snake Stealer Updates

Changes to Note in the Updated Version of White Snake Stealer

White Snake Stealer has undergone significant improvements, introducing the following key features:

  • Expanded Browser Support:Now compatible with a wider range of browsers, including Opera, CocCoc, CentBrowser, and Yandex, allowing it to extract sensitive data from a broader user base.
  • Extended Email Client Compatibility:It can now support popular email clients like Outlook, Foxmail, and ‘The BAT!,’ enabling the collection of data from these applications and expanding its reach.
  • 2FA App and VPN Targeting:It is capable of targeting and extracting information from 2FA (Two-Factor Authentication) apps and VPN (Virtual Private Network) applications, posing a threat to user security and privacy.
  • Enhanced Capabilities:Advanced features such as keylogging, webcam capture, and document grabbing have been incorporated, which allows it to easily compromise user data by recording keystrokes, capturing webcam footage, and collecting specific document types.
  • Beacon Functionality:It can now establish communication with the command and control (C2) server allowing the receipt of instructions, transmission of stolen data, and potential downloading of additional malicious payloads.
  • Document Grabber: Can now collect and exfiltrate files of interest from the victim’s machine.
  • USB Spread:Is able to spread through USB devices by making copies on removable drives such as USB flash drives and external hard drives.
  • Local User Spread:Is also able to propagate among local users by copying itself to their startup folders, ensuring automatic execution upon user login or system restart and facilitating its spread within the compromised system.

These noteworthy enhancements in White Snake Stealer highlights its dynamic evolution and adaptability, posing a significant threat to user privacy and security. 

Technical Analysis of the White Snake Stealer

The malware incorporates advanced string of obfuscation techniques which is used to deliberately obscure the code. This results in increased complexity and makes it challenging to decipher the underlying strings.

String Obfuscation Detected

The figure above shows the method responsible for deobfuscating strings within the stealer’s codebase. Its widespread usage adds complexity to the analysis process. Additionally, the deliberate incorporation of redundant codes within the stealer adds further layers of complexity. These intentional obfuscation techniques make the analysis of the stealer even more intricate.

Garbage Code

Anti Virtual Machines (VM) Checks

During the execution of the stealer’s main () method, the Anti VM method is invoked to prevent the malware from running in a virtual environment. This function employs Windows Management Instrumentation (WMI) queries to retrieve the system’s “Manufacturer” and “Model” information. Subsequently, it compares these details with predefined strings associated with VMs. If a match is detected, the malware terminates without proceeding with any further execution.

WMI Queries to Extract the Environment Information

Hardcoded Strings

Establishing Persistence

The stealer achieves persistence by duplicating itself in the Appdata directory and creating a scheduled task. Subsequently, it removes the original file to cover its tracks. Different versions are observed to be creating different directories.

Fig. Below shows the stealer creating a directory under the name “EsetSecurity.” Directory names may vary across different variants. It copies itself in this newly created directory.

Observed to be creating a director with “EsetSecurity” name

Stealer code for persistence, creating schedule task and deleting itself

         Creating a Scheduled Task

New Beacon Functionality

The latest version of the stealer introduces a new beacon feature that leverages The Onion Routing Project (TOR) for its implementation. This enhanced functionality enhances the capabilities of the stealer and involves the following key components:

  • TOR Download and Installation:The stealer now has the ability to download and install TOR, a network tool that enables anonymous communication on the internet.
  • Tailored TOR Service Configuration:The malware utilizes the “HiddenServicePort 80 127.0.0.1:2392” configuration directive in the TOR configuration file to set up a hidden TOR service. This directive specifies that incoming requests to the hidden service on port 80 will be redirected to a randomly generated port (2392) on the local machine. The malware specifically utilizes this redirected port to run an HTTPListener service responsible for handling the incoming requests.
  • Connection Establishment: The beacon functionality is implemented by establishing a connection between TOR and an open port on the victim’s system. The onion address, which serves as the unique identifier for the hidden service, is generated and stored in a file within the directory specified by the “HiddenServiceDir” configuration directive in the TOR configuration file. The attacker or Threat Actor (TA) connects to the hidden service using this onion address through the TOR network.

Through this communication channel facilitated by the HTTPListener(), the attacker can issue commands or exfiltrate stolen data from the victim’s machine. The attacker’s commands or requests are sent through the TOR network, reaching the hidden service configured on port 80, and subsequently forwarded to the local machine’s port 2392. The HTTPListener service of the stealer processes and responds to these requests.

Tailored TOR configuration in the malware code

TORRC (TOR configuration) file created by stealer

Onion address

Once a connection request is received from the TA, the stealer enters the processing phase. During this phase, it actively scans for incoming HTTP requests that utilize the POST method. The POST method is commonly used to send data to a web server, including commands or instructions in the payload of the request.

Upon detecting an incoming POST request, the stealer extracts and isolates the payload, which contains the commands encapsulated within the request. These commands may include instructions for various actions the stealer is designed to perform, such as collecting sensitive data, executing specific operations on the victim’s machine, or initiating further malicious activities.

By identifying and extracting the commands from the POST requests, the stealer gains access to the TA’s instructions and can proceed to execute them accordingly. This allows the TA to remotely control the stealer’s behaviour and carry out specific actions on the compromised system.

Processing the incoming request

Extracting the commands

Subsequently, once the TA’s commands have been extracted from the incoming HTTP requests, the stealer proceeds with its processing. The processing phase involves interpreting and executing the commands as instructed by the TA.

Further Processing of Commands

The updated version of the stealer includes an expanded set of command capabilities, allowing it to perform the following actions:

  • REFRESH: Transmits the stolen data back to the attacker.
  • COMPRESS: Compresses a file with TAR.
  • PING: Performs a ‘ping’ like operation and responds with a ‘pong’.
  • UNINSTALL: Terminates and removes itself from the system.
  • WEBCAM: Captures webcam footage
  • LIST_PROCESSES: Retrieves a list of all running processes.
  • GET_FILE: Retrieves the contents of a specific file.
  • SCREENSHOT: Captures a screenshot of the victim’s screen.
  • LIST_FILES: Lists files in the current directory.
  • TRANSFER: Transfers a file to the attacker’s server.
  • LOADEXEC: Downloads a file from remote location and executes it.
  • DECOMPRESS: Decompresses a file with TAR for transfer.
  • DPAPI: Decrypts the encryption protection applied to sensitive data stored on the victim’s system.
  • Keylogger: Capture keystroke

Keylogging using ‘hookCallback’ for monitoring of keystrokes

Screenshot Capability

USB Spread

The stealer has incorporated a USB spread capability, enabling it to propagate itself to removable disks. It achieves this by querying the system for removable disks and subsequently copying itself onto the identified media.

Queries removable media

Copies itself on removable media

Local Users Spread

The updated stealer now includes a Local User Spread capability, allowing it to propagate among local users. The malware achieves this by iterating over user profiles and copying itself to the startup folder of each user. This ensures that the malware is automatically executed when users log in or the system restarts. By leveraging this persistence mechanism, the malware can effectively spread among local users, resulting in its widespread presence throughout the compromised system.

Iterating over management objects

Copies itself to startup folder

Application Data Collection

The malware exhibits the capability to extract sensitive information from various types of applications:

 

 

 

 

 

Stealer configuration with reference to various application for information stealing

Furthermore, the malware possesses the capability to gather additional information from the victim’s system. This includes retrieving the username, computer name, public IP address, screen size, CPU, GPU, RAM, Disk, Model, OS information, running process and execution timestamp. These data points provide the attacker with valuable insights into the victim’s system and can be used for further analysis or exploitation.

Extracting username

Extracting computer name

Exfiltration

Once the data is gathered, the malware employs the XmlSerializer to transform it into a serialized format. Subsequently, the serialized data undergoes compression and encryption using the RSA encryption algorithm. This multi-step process ensures the secure protection of the data, preserving its integrity and maintaining confidentiality. It is worth noting that the malware embeds the RSA key necessary for encryption within its own code.

Captured data being serialized into XML format

RSA Key

Encryption using RSA Key

Now, the stealer will proceed to affix tags, including the filename (e.g., Username@Computername_report.wsr), to the gathered information. Subsequently, the malware establishes a connection to a predetermined server controlled by the attacker using the WebClient class’s ‘uploadData’ method with the PUT HTTP method. The malware code includes hardcoded IP addresses that specify the destination server for transmitting the encrypted data. This allows the attacker to receive the stolen information from infected systems.

WebClient Class instantiation

Obfuscated code used to send the PUT request for data exfil

Hardcoded IP addresses of the attacker’s server

PUT request issued for data exfil

To notify attacker about the data exfiltration, the malware sends a notification through a Telegram chat by executing an HTTP GET request to the Telegram BOT API.

The contents of the URL are encoded with URL encoding. Decoding the Telegram message reveals valuable resources for the attacker: the stolen data’s URL and victim details. This allows the attacker to directly access and exploit the information for malicious purposes, increasing their effectiveness in carrying out harmful activities.

URL decoded contents

Quick Heal Protection

All Quick Heal customers are protected against this threat through the following signature:

  • Trojan.WhiteSnake.S30222827

To know more about Quick Heal’s range of digital protection visit – 

https://www.quickheal.com/

Conclusion

The White Snake Stealer is an evolving threat that is being actively developed and distributed through the Malware-as-a-Service (MaaS) model. The threat actors responsible for this stealer is dedicated to improving the code and implementing techniques to bypass detection measures. This ongoing development highlights the persistent and evolving nature of the threat landscape, re-emphasizing the criticality for individuals and organizations to stay updated on the latest security practices, implement robust Défense mechanisms, and maintain strong cybersecurity hygiene to protect themselves against such threats.

Indicators of Compromise (IOCs)

b133fccfd54e62681e3549c6947ca1521417745cc7f376c362ba118bcc0de39b
b133fccfd54e62681e3549c6947ca1521417745cc7f376c362ba118bcc0de39b
e76e206e8ae24f95a329b4f6ecdf1f22b76b07a8c628c0619b781bdba2d85732
fdc83f58a30b80240c5887c6646324600f3896421059b80caddacfdb196287ea
c24938a87190df896986a22f9f66fb84401da04cda2a535856b0ce9eacb2bd0d
446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89
bc7536cb39c4dc0ef7522b46efbc97b87edd958248267932c46cdda2d571a72b
18b27eb6ec1898c6a8422e43e386f901eca8f09949eb63229d53f5041e5d2910
0d5996e68d654bb1ab31c89ae0a5b3c810f9f761f20df825d4ab5bba3d510bde
c219beaecc91df9265574eea6e9d866c224549b7f41cdda7e85015f4ae99b7c7
b133fccfd54e62681e3549c6947ca1521417745cc7f376c362ba118bcc0de39b
e76e206e8ae24f95a329b4f6ecdf1f22b76b07a8c628c0619b781bdba2d85732
fdc83f58a30b80240c5887c6646324600f3896421059b80caddacfdb196287ea
138a262303b34cf0da63a5a8d32217db66f97ef5873dbac0f51ada3659c8cb3f
fdc83f58a30b80240c5887c6646324600f3896421059b80caddacfdb196287ea
0000028f80066ad99544cc7a79caa649ee72eca2711b1b1128df61ffd13b0657
f8fd7b7eabb7b70e3f5a13bf8526eb620522a3c0aac6caf05b4db83d13e1e625
0c6705665e94b4d7184fe34185d0ea2706c745ddb71bb45bb194c96ebe2d7869
df78f7993dc9aaee7666a06a6dae52ba0fc6e63e01376474fa96af360cf566de
a4191e00cd9dfeda78901ef9dae317e23c73408e7b4c1eeef8de6a8c70fe9db7
b4c9d3abd4fe5b4be84884c933e8d9a6a80ce326e05432a7ecb8a7c28f393941

Vinay Kumar

The post “The Growing Threat of Information Stealers in the Cybercrime Landscape” appeared first on Quick Heal Antivirus Blog

Source:Quick Heal Antivirus Blog – Vinay Kumar