The world of cybercrime is changing, and more and more malware variants have spread every day. To keep your system safe, one of the things you can do is following a cyber doctrine focused on the threats that lunk on the web.

One of the most recent threats is the info stealer TroyStealer, first shared by Abuse.ch on Twitter, and targeting Portuguese users.

An information stealer (or info stealer) is a Trojan that is designed to gather information from a system. The malware gathers login information, like usernames and passwords stored on web-browsers, which it sends to another system via email. Another common form this malware is to log user keystrokes which may reveal sensitive information.

h/t: abuse.ch

Figure 1: Email template TroyStealer (in the Portuguese language).

The message sent in the email template is related to problems with the victim’s bank account. When the problems are overcome, the victim will receive payment in your account.

The binary file

Threat name: TroyStealer.exe
MD5: DAB6194F16CEFDB400E3FB6C11A76861
SHA1: C76A9FB1A2AE927BF9C950338BE5B391FED29CD7
Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
Created: Thu Jun 11 19:53:24 2020

At first glance, the info stealer malware is packed (entropy 7.177), and it was compiled on Thu Jun 11 19:53:24 2020 via a .NET compiler (Microsoft Visual C# v7.0).

Figure 2: Compilation and packing details of TroyStealer malware.

Before executing the PE file, some details can be observed such as specific call references used to decrypt/unpacking the binary and execute another instance in memory via Process Injection technique.

Figure 3: Process of unpacking the binary. 

Figure 4: Smart Assembly 6.9.0.114 – used to obfuscate the binary.

After unpacking it, we observed the binary was also obfuscated in a second-round with .NET Reactor(4.8-4.9). 

Figure 5 depicts the high flow diagram of TroyStealer malware.

Figure 5: TroyStealer malware high flow diagram.

In detail, the malware detects if it is running inside a VM and stops the execution. In contrast, the malware is executed and a new process is created and executed using the process injection technique. After that, the harvesting process is initiated. Some modules of collecting details from the browser are started as well as another module to collect mail credentials from outlook.

In sum, the following steps are performed during the malware execution:

• Obtaining victim’s details (credentials info from browser and email)
• Getting HKEY_CURRENT_USER\Software\Paltalk passwords
• Deleting browser specific files
• Getting Security products installed on the device
• Obtaining Operating system version
• Getting Keystrokes
• Sent information via email to the attacker

Filles accessed during the malware execution

C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0i8ia8vs.default\logins.json

Deleted files during the malware execution

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0i8ia8vs.default\cookies.sqlite
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0i8ia8vs.default\places.sqlite
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History

Getting security products, OS version, and Reg Keys

IWbemServices::ExecQuery - root\cimv2 : SELECT Caption FROM Win32_OperatingSystem
IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Key opened: HKEY_CURRENT_USER\Software\Paltalk
Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Finally, the malware validates there is a valid Internet connection through a speed test website. If so, it establishes SMTP communication with the authenticated email server and sends the victim’s details via email.

Figure 6: Snippet of code with the email sent to the attacker inbox with the victim’s details.

Figure 7: Details sent to the attacker’s email addressed.

Final Thoughts

Malware is nowadays one of the major cyber weapons to destroy a business, market reputation, and even infect a wide number of users. The next list presents some tips on how you can prevent a malware infection. It is not a complete list, just a few steps to protect yourself and your devices.

• Get outdated software of your system
• Get email savvy; take several minutes looking at the new email and not a few seconds
• Beware of fake tech support, emails related do bank transactions, invoices, COVID19, everything you think be strange
• Keep Internet activity relevant
• Log out at the end of the day
• Only access secured  and trusted sites (not only websites with green lock – please think you are doing, as many phishing campaigns are abusing of free CA to create valid HTTPS certificates and to distribute malicious campaigns over it)
• Keep your operating system up to date
• Make sure you are using an antivírus
• Beware of malvertising

Take-home message
Be proactive and start taking malware protection seriously!

Mitre Att&ck Matrix

Indicators of Compromise (IOCs)

Threat name: TroyStealer.exe
MD5: DAB6194F16CEFDB400E3FB6C11A76861
SHA1: C76A9FB1A2AE927BF9C950338BE5B391FED29CD7
Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
Created: Thu Jun 11 19:53:24 2020

smtp.]ionos.]es - 213.165.67.102
domionhuby@gmail.com
Subject: TROY STEALER

--/---/---/--/--/--/--/--/--/--/--/--/--/--/--/--/--/--/--/--/---/
https://bazaar.abuse.ch/sample/9bc17db7e037caa4b6f176fdfc89a132dc63445bf66cf51050bb77cac0e09e75/
Malspam distributing TroyStealer:

HELO: miranda.wv.]pt
Sending IP: 195.22.19.123
From: domingos.borges@feppv.]pt
Subject: Pagamento Recusado
Attachment: FA.202005.0069771.DOC.img (contains "FA.202005.0069771.DOC.exe")

TroyStealer SMTP exfil email address:
domionhuby@gmail.com

References

– Email template, Abuse.ch