The world of cybercrime is changing, and more and more malware variants have spread every day. To keep your system safe, one of the things you can do is following a cyber doctrine focused on the threats that lunk on the web.
One of the most recent threats is the info stealer TroyStealer, first shared by Abuse.ch on Twitter, and targeting Portuguese users.
An information stealer (or info stealer) is a Trojan that is designed to gather information from a system. The malware gathers login information, like usernames and passwords stored on web-browsers, which it sends to another system via email. Another common form this malware is to log user keystrokes which may reveal sensitive information.
Figure 1: Email template TroyStealer (in the Portuguese language).
The message sent in the email template is related to problems with the victim’s bank account. When the problems are overcome, the victim will receive payment in your account.
Threat name: TroyStealer.exe
Created: Thu Jun 11 19:53:24 2020
At first glance, the info stealer malware is packed (entropy 7.177), and it was compiled on Thu Jun 11 19:53:24 2020 via a .NET compiler (Microsoft Visual C# v7.0).
Figure 2: Compilation and packing details of TroyStealer malware.
Before executing the PE file, some details can be observed such as specific call references used to decrypt/unpacking the binary and execute another instance in memory via Process Injection technique.
Figure 3: Process of unpacking the binary.
Figure 4: Smart Assembly 220.127.116.11 – used to obfuscate the binary.
After unpacking it, we observed the binary was also obfuscated in a second-round with .NET Reactor(4.8-4.9).
Figure 5 depicts the high flow diagram of TroyStealer malware.
Figure 5: TroyStealer malware high flow diagram.
In detail, the malware detects if it is running inside a VM and stops the execution. In contrast, the malware is executed and a new process is created and executed using the process injection technique. After that, the harvesting process is initiated. Some modules of collecting details from the browser are started as well as another module to collect mail credentials from outlook.
In sum, the following steps are performed during the malware execution:
C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniC:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataC:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniC:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0i8ia8vs.default\logins.json
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0i8ia8vs.default\cookies.sqliteC:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0i8ia8vs.default\places.sqliteC:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesC:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataC:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
IWbemServices::ExecQuery – root\cimv2 : SELECT Caption FROM Win32_OperatingSystemIWbemServices::ExecQuery – root\SecurityCenter2 : SELECT * FROM AntivirusProductKey opened: HKEY_CURRENT_USER\Software\PaltalkKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Finally, the malware validates there is a valid Internet connection through a speed test website. If so, it establishes SMTP communication with the authenticated email server and sends the victim’s details via email.
Figure 6: Snippet of code with the email sent to the attacker inbox with the victim’s details.
Figure 7: Details sent to the attacker’s email addressed.
Malware is nowadays one of the major cyber weapons to destroy a business, market reputation, and even infect a wide number of users. The next list presents some tips on how you can prevent a malware infection. It is not a complete list, just a few steps to protect yourself and your devices.
Technical details about the malware, including Mitre Att&ck Matrix and Indicators of Compromise (IoCs) are available in the original post published here:
About the author Pedro Tavares
Pedro Tavares is a professional in the field of information security, working as an Ethical Hacker, Malware Analyst, Cybersecurity Analyst and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
(SecurityAffairs – TroyStealer, malware)