The world of cybercrime is changing, and more and more malware variants have spread every day. To keep your system safe, one of the things you can do is following a cyber doctrine focused on the threats that lunk on the web.
One of the most recent threats is the info stealer TroyStealer, first shared by Abuse.ch on Twitter, and targeting Portuguese users.
There seems to be a new stealer in town called #TroyStealer, targeting Portuguese internet users 🇵🇹
Exfil email address:
Has anyone seen this threat before?
— abuse.ch (@abuse_ch) June 12, 2020
An information stealer (or info stealer) is a Trojan that is designed to gather information from a system. The malware gathers login information, like usernames and passwords stored on web-browsers, which it sends to another system via email. Another common form this malware is to log user keystrokes which may reveal sensitive information.
Figure 1: Email template TroyStealer (in the Portuguese language).
The message sent in the email template is related to problems with the victim’s bank account. When the problems are overcome, the victim will receive payment in your account.
The binary file
Threat name: TroyStealer.exe
Created: Thu Jun 11 19:53:24 2020
At first glance, the info stealer malware is packed (entropy 7.177), and it was compiled on Thu Jun 11 19:53:24 2020 via a .NET compiler (Microsoft Visual C# v7.0).
Figure 2: Compilation and packing details of TroyStealer malware.
Before executing the PE file, some details can be observed such as specific call references used to decrypt/unpacking the binary and execute another instance in memory via Process Injection technique.
Figure 3: Process of unpacking the binary.
Figure 4: Smart Assembly 22.214.171.124 – used to obfuscate the binary.
After unpacking it, we observed the binary was also obfuscated in a second-round with .NET Reactor(4.8-4.9).
Figure 5 depicts the high flow diagram of TroyStealer malware.
Figure 5: TroyStealer malware high flow diagram.
In detail, the malware detects if it is running inside a VM and stops the execution. In contrast, the malware is executed and a new process is created and executed using the process injection technique. After that, the harvesting process is initiated. Some modules of collecting details from the browser are started as well as another module to collect mail credentials from outlook.
In sum, the following steps are performed during the malware execution:
- Obtaining victim’s details (credentials info from browser and email)
- Getting HKEY_CURRENT_USER\Software\Paltalk passwords
- Deleting browser specific files
- Getting Security products installed on the device
- Obtaining Operating system version
- Getting Keystrokes
- Sent information via email to the attacker
Filles accessed during the malware execution
C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0i8ia8vs.default\logins.json
Deleted files during the malware execution
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0i8ia8vs.default\cookies.sqlite C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0i8ia8vs.default\places.sqlite C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Getting security products, OS version, and Reg Keys
IWbemServices::ExecQuery - root\cimv2 : SELECT Caption FROM Win32_OperatingSystem IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct Key opened: HKEY_CURRENT_USER\Software\Paltalk Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Finally, the malware validates there is a valid Internet connection through a speed test website. If so, it establishes SMTP communication with the authenticated email server and sends the victim’s details via email.
Figure 6: Snippet of code with the email sent to the attacker inbox with the victim’s details.
Figure 7: Details sent to the attacker’s email addressed.
Malware is nowadays one of the major cyber weapons to destroy a business, market reputation, and even infect a wide number of users. The next list presents some tips on how you can prevent a malware infection. It is not a complete list, just a few steps to protect yourself and your devices.
- Get outdated software of your system
- Get email savvy; take several minutes looking at the new email and not a few seconds
- Beware of fake tech support, emails related do bank transactions, invoices, COVID19, everything you think be strange
- Keep Internet activity relevant
- Log out at the end of the day
- Only access secured and trusted sites (not only websites with green lock – please think you are doing, as many phishing campaigns are abusing of free CA to create valid HTTPS certificates and to distribute malicious campaigns over it)
- Keep your operating system up to date
- Make sure you are using an antivírus
- Beware of malvertising
Be proactive and start taking malware protection seriously!
Mitre Att&ck Matrix
Indicators of Compromise (IOCs)
Threat name: TroyStealer.exe MD5: DAB6194F16CEFDB400E3FB6C11A76861 SHA1: C76A9FB1A2AE927BF9C950338BE5B391FED29CD7 Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744 Created: Thu Jun 11 19:53:24 2020 smtp.]ionos.]es - 126.96.36.199 [email protected] Subject: TROY STEALER --/---/---/--/--/--/--/--/--/--/--/--/--/--/--/--/--/--/--/--/---/ https://bazaar.abuse.ch/sample/9bc17db7e037caa4b6f176fdfc89a132dc63445bf66cf51050bb77cac0e09e75/ Malspam distributing TroyStealer: HELO: miranda.wv.]pt Sending IP: 188.8.131.52 From: domingos.borges@feppv.]pt Subject: Pagamento Recusado Attachment: FA.202005.0069771.DOC.img (contains "FA.202005.0069771.DOC.exe") TroyStealer SMTP exfil email address: [email protected]
– Email template, Abuse.ch
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also Freelance Writer (Infosec. Resources Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that compiles phishing and malware campaigns targeting Portuguese citizens.
Read more here.