Stealer (3).exe
The PowerShell script will connect to hxxp://45.93.201[.]114/docs/fzLJerifqJwFtnjbrlnJPNrfnupnYg[.]txt to get another MSIL file named Ferriteswarmed.exe, which will then be AES-decrypted, GZIP-decompressed, and loaded in PowerShell via .NET reflective loading. It has a debugger check that will exit once a debugger is found.
Stealer (3).exe
Undoubtedly used to configure and create Windows executables that contain the Raccoon stealer payload, the JavaScript resource provides an indication of the functionality present in the Builds and Configs sections of the control panel.
Given the file loader capability provided by Raccoon, it is possible for a threat actor to initiate the download and execution of additional payloads once the stealer has completed its data exfiltration.
While other info-stealers threat groups look to put their focus on one product, this new, fairly ambitious, group comes with the sole purpose of creating a real game-changer and setting a new standard and introducing a whole ecosystem for threat actors looking to get into the game.
It seems that most of the early adopters of this stealer are looking for personal gain and are targeting more crypto-related assets such as wallets, tokens and NFTs rather than Redline or Raccoon threat actors who mostly look to resell the findings.
Although malspam is a fairly popular technique, we have seen several cases where threat actors spread Jester Stealer in forums, and mostly Discord channels with gaming or cryptocurrency content. Currently, spreading the stealer in Discord channels is the most common technique we have observed.
As the vast majority of the modern info stealers often look to exfiltrate the stolen data to fairly classic C2 infrastructures, Jester offers better anonymity and several extraction channels that the threat actor can use.
The onion page is a node in the chain that receives the stolen data from the stealer and sends it to a Telegram bot (Figure 16) the threat actor has provided. This additional hop assures the threat actor even more anonymity.
In addition to this infrastructure, Jester Stealer is also capable of having a fallback data exfiltration technique. Each threat actor can config an anonfile, an anonymous file-sharing platform, account that the stealer will send the stolen data to in case the first option did not work properly.
MetaStealer is a new information stealer variant designed to fill the void following Racoon stealer suspending operations in March of this year. Analysts at Israeli dark web intelligence firm Kela first identified its emergence on underground marketplaces [1] and later as being used in a spam campaign by SANS Internet Storm Centre Handler Brad Duncan [2], where the initial stages and traffic were detailed. This analysis further describes the final MetaStealer payload detailing its functionality.
With the Microsoft Defender exclusion in place another PowerShell command is issued that proceeds to rename the original file to a hardcoded value with an .exe extension. In this case Original filename.xyz to hyper-v.exe
We have seen SYS01 stealer attacking critical government infrastructure employees, manufacturing companies, and other industries. The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure victims into downloading a malicious file. The attack is designed to steal sensitive information, including login data, cookies, and Facebook ad and business account information.
The campaign was first seen in May 2022 and was initially attributed to the Ducktail operation by Zscaler. (This attribution was later discovered to be incorrect.) In this blog we explore the various methods used to distribute SYS01 stealer.
Option d checks if the file %localappdata%\m.txt exists. If it does, the program exits because it means the info stealer is already running on the machine. If the file does not exist, the executable decodes and drops the next stage Inno-Setup executable to %temp%\\ and executes it with /VERYSILENT /SUPPRESSMSGBOXES /NORESTART as arguments. As before, when the execution finishes the file is deleted to remove evidence from the machine.
Once the Inno-Setup installer executes, it drops a PHP application with additional files, usually to %localappdata\[A-Z]4\. Between different variants of this information stealer, we saw the following files used to execute the malicious logic:
But humans are fallible, and limiting device functionality is not always possible when you need to ensure effective business functions. This is why the best protection is all-of-the-above plus a Defense-in-Depth approach. Security tools like next generation anti-virus (NGAV), endpoint protection platforms (EPP), and endpoint detection and response (EDR, XDR, and MDR) are necessary, but not sufficient to stop stealers like SYS01 stealer.
WebBrowserPassView.exe is a password recovery utility from Nirsoft that reveals the passwords saved in web browsers. This utility has a history of being used by threat actors to steal the stored passwords and send them back to their C2. TroubleGrabber uses WebBrowserPassView.exe to do the same.
TroubleGrabber, a new credential stealer, serves as yet another example of a trend of attackers using cloud apps to abuse the trust users place in those apps and evade detection. The malware uses Discord and Github to deliver the next stage payloads and uses Discord webhooks as a C2 to send the victims credentials. Such attacks require security solutions with application-layer detections, multiple threat detection solutions, DLP, and machine learning techniques that understand the language and nature of the cloud and web. Customers using Netskope Threat protection are protected from this threat.
The basic stealer is capable of extracting device data and information from installed applications. It can obtain data from browsers, at the time of writing, from Microsoft Edge and Gecko specifically. From these apps, stealers usually target: browsing and search engine histories, Internet cookies, personally identifiable details, stored log-in credentials (usernames/passwords), saved credit card numbers, etc.
Additionally, this stealer can have clipper functions that are used to replace content copied into the clipboard (copy/paste buffer). This variant of Cinoshi can detect and replace nine different cryptocurrency wallet addresses.
Hancitor uses a specific domain to send Ficker Stealer and Cobalt Strike as followup malware. This domain changes each day Hancitor is active, but you should see three HTTP GET requests to the same domain for followup malware. One of the URLs ends with .exe, which is for Ficker Stealer. Two of the URLs end with .bin, which are for Cobalt Strike.
The result is another HTTP GET request to backupez[.]com, which is the domain used by Hancitor to push followup malware in part one of this example. The URL ends with 47.exe. See the result below in Figure 33.
An unusual malicious bundle (a collection of malicious programs distributed in the form of a single installation file, self-extracting archive or other file with installer-type functionality) recently caught our eye. Its main payload is the widespread RedLine stealer. Discovered in March 2020, RedLine is currently one of the most common Trojans used to steal passwords and credentials from browsers, FTP clients and desktop messengers. It is openly available on underground hacker forums for just a few hundred dollars, a relatively small price tag for malware.
The stealer can pinch usernames, passwords, cookies, bank card details and autofill data from Chromium- and Gecko-based browsers, data from cryptowallets, instant messengers and FTP/SSH/VPN clients, as well as files with particular extensions from devices. In addition, RedLine can download and run third-party programs, execute commands in cmd.exe and open links in the default browser. The stealer spreads in various ways, including through malicious spam e-mails and third-party loaders.
The last malicious file in the bundle is upload.exe, which uploads the video previously downloaded using download.exe, to YouTube. This file is also written in NodeJS. It uses the Puppeteer Node library, which provides a high-level API for managing Chrome and Microsoft Edge using the DevTools protocol. When the video is successfully uploaded to YouTube, upload.exe sends a message to Discord with a link to the uploaded video.
Cybercriminals actively hunt for gaming accounts and gaming computer resources. As we noted in our overview of gaming-related cyberthreats, stealer-type malware is often distributed under the guise of game hacks, cheats and cracks. The self-spreading bundle with RedLine is a prime example of this: cybercriminals lure victims with ads for cracks and cheats, as well as instructions on how to hack games. At the same time, the self-propagation functionality is implemented using relatively unsophisticated software, such as a customized open-source stealer. All this is further proof, if any were needed, that illegal software should be treated with extreme caution.
As Formbook is injected in a normal process that is in the directory of explorer.exe and system32, the malicious behaviors are performed by the normal process. Besides user credentials in the web browser, the malware can steal various information through keylogging, clipboard grabbing, and web browser form grabbing. Below is the list of confirmed C&C server URLs of Formbook.
Predator the Thief is an information stealer type malware, which attackers use to collect information from infected machines. Predator trojan can steal passwords, information from crypto wallets, access the camera to collect visuals of a machine owner and more.
However, despite these functions, and although Predator can steal data from many sources the same as ransomware, it is still considered a relatively primitive malware compared to some other stealers. Not surprisingly for its well affordable price. However, while the punch that it packs may not be enough to shatter the defense of most modern large-scale corporations, small businesses and individuals can still suffer serious damage from Predator attacks. 041b061a72