Malware analysis report: Stealc stealer – part 2

We continue to publish our analysis report of Stealc, an information stealer promoted by its supposed developer Plymouth on Russian-language underground forums and sold as malware as a service since January 9, 2023.

In this part we analyse the stealer's exfiltration of system information and its downloader logic.

Download Browsers Configurations:

Inside sub_0x403D5F() (renamed to mw_Download_1()), Stealc again asks the C2 for configuration to be used in its stealth behavior. It repeats the steps of the first connection but this time requests different data, which is visible in the TCP stream.

Before that, recall that the last decoded data in the first stream looked like this:

“aa36b6d1c34621ab9876080e89e62c526f27572fa74ad766587fc1e832822fbc85b96f8f”

This stream of hex values is used in all communication channels and acts as a reference for the victim ID obtained earlier: the C2 receives the victim ID, which was calculated from the “C” drive serial number, performs some computation on it, and sends the new ID in the first packet the victim receives. That ID is then reused in every connection.

Manually decoding the above stream yields more configuration data: the browser paths where application user data is saved.

Google Chrome|\Google\Chrome\User Data |chrome|  
Google Chrome Canary|\Google\Chrome SxS\User Data|chrome|  
Chromium|\Chromium\User Data|chrome|  
Amigo|\Amigo\User Data|chrome|  
Torch|\Torch\User Data|chrome|  
Vivaldi|\Vivaldi\User Data|chrome|  
Comodo Dragon|\Comodo\Dragon\User Data|chrome|  
EpicPrivacyBrowser|\Epic Privacy Browser\User Data|chrome|  
CocCoc|\CocCoc\Browser\User Data|chrome|  
Brave|\BraveSoftware\Brave-Browser\User Data|chrome|  
Cent Browser|\CentBrowser\User Data|chrome|  
7Star|\7Star\7Star\User Data|chrome|  
Chedot Browser|\Chedot\User Data|chrome|  
Microsoft Edge|\Microsoft\Edge\UserData|chrome|  
360 Browser|\360Browser\Browser\User Data|chrome|  
QQBrowser|\Tencent\QQBrowser\User Data|chrome|  
CryptoTab|\CryptoTab Browser\User Data|chrome|  
Opera Stable|\Opera Software|opera|  
Opera GX Stable|\Opera Software|opera|  
Mozilla Firefox|\Mozilla\Firefox\Profiles|firefox|  
Pale Moon|\Moonchild Productions\Pale Moon\Profiles|firefox|  
Opera Crypto Stable|\Opera Software|opera|  
Thunderbird|\Thunderbird\Profiles|firefox|

As you can see, this config is used to steal the browsers' databases. It covers all Chromium-based browsers, which share the same database structure, as well as Mozilla-based web engines and the “Thunderbird” mail client, which is also based on Mozilla; finally, the Opera web engine is also considered. Notice that for every web engine, |chrome| or |firefox| is appended at the end of the path: as I have said, every engine is treated differently in the exfiltration process, so Stealc calls mw_parse_configuration after decoding the stream so that it can separate the entries.

Here is the format into which this configuration is parsed so that it can be used later:

00000000 00000000 00000000  
    |        |        |--> BrowserName length  
    |        |--> 4 null bytes  
    |--> pointer to BrowserName or path  

Download Browsers Extensions

Then the agent asks the C2 to feed it the plugins that will be used, and I observed that it appends a string to the communication request that specifies which content will be retrieved from the C2.

Looking again at the request and response in our sniffer confirms the previous analysis: the agent asks for plugins as the configuration request type.

The response is also a base64 stream. I will decode it as before to reveal its contents, which also gives us an indication of what will be done next.

Extension Name | Extension ID | flags or something  
  
MetaMask						|djclckkglechooblngghdinmeemkbgci|1|0|0|  
MetaMask						|ejbalbakoplchlghecdalmeeeajnimhm|1|0|0|  
MetaMask						|nkbihfbeogaeaoehlefnkodbefgpgknn|1|0|0|  
TronLink						|ibnejdfjmmkpcnlpebklmnkoeoihofec|1|0|0|  
Binance Wallet					|fhbohimaelbohpjbbldcngcnapndodjp|1|0|0|  
Yoroi							|ffnbelfdoeiohenkjibnmadjiehjhajb|1|0|0|  
Coinbase Wallet extension		|hnfanknocfeofbddgcijnmhnfnkdnaad|1|0|1|  
Guarda							|hpglfhgfnhbgpjdenjgmdgoeiappafln|1|0|0|  
Jaxx Liberty					|cjelfplplebdjjenllpjcblmjkfcffne|1|0|0|  
iWallet							|kncchdigobghenbbaddojjnnaogfppfj|1|0|0|  
MEW CX							|nlbmnnijcnlegkjjpcfjclmcfggfefdm|1|0|0|  
GuildWallet						|nanjmdknhkinifnkgdcggcfnhdaammmj|1|0|0|  
Ronin Wallet					|fnjhmkhhmkbjkkabndcnnogagogbneec|1|0|0|  
NeoLine							|cphhlgmgameodnhkjdmkpanlelnlohao|1|0|0|  
CLV Wallet						|nhnkbkgjikgcigadomkphalanndcapjk|1|0|0|  
Liquality Wallet				|kpfopkelmapcoipemfendmdcghnegimn|1|0|0|  
Terra Station Wallet			|aiifbnbfobpmeekipheeijimdpnlpgpp|1|0|0|  
Keplr							|dmkamcknogkgcdfhhbddcghachkejeap|1|0|0|  
Sollet							|fhmfendgdocmcbmfikdcogofphimnkno|1|0|0|  
Auro Wallet(Mina Protocol)		|cnmamaachppnkjgnildpdmkaakejnhae|1|0|0|  
Polymesh Wallet					|jojhfeoedkpkglbfimdfabpdfjaoolaf|1|0|0|  
ICONex							|flpiciilemghbmfalicajoolhkkenfel|1|0|0|  
Coin98 Wallet					|aeachknmefphepccionboohckonoeemg|1|0|0|  
EVER Wallet						|cgeeodpfagjceefieflmdfphplkenlfk|1|0|0|  
KardiaChain Wallet				|pdadjkfkgcafgbceimcpbkalnfnepbnk|1|0|0|  
Rabby							|acmacodkjbdgmoleebolmdjonilkdbch|1|0|0|  
Phantom							|bfnaelmomeimhlpmgjnjophhpkkoljpa|1|0|0|  
Brave Wallet					|odbfpeeihdkbihmopkbjmoonfanlbfcl|1|0|0|  
Oxygen							|fhilaheimglignddkjgofkcbgekhenbh|1|0|0|  
Pali Wallet						|mgffkfbidihjpoaomajlbgchddlicgpn|1|0|0|  
BOLT X							|aodkkagnadcbobfpggfnjeongemjbjca|1|0|0|  
XDEFI Wallet					|hmeobnfnfcmdkdcmlblgagmfpfboieaf|1|0|0|  
Nami							|lpfcbjknijpeeillifnkikgncikgfhdo|1|0|0|  
Maiar DeFi Wallet				|dngmlblcodfobpdpecaadgfbcggfjfnm|1|0|0|  
Keeper Wallet					|lpilbniiabackdjcionkobglmddfbcjo|1|0|0|  
Solflare Wallet					|bhhhlbepdkbapadjdnnojkbgioiodbic|1|0|0|  
Cyano Wallet					|dkdedlpgdmmkkfjabffeganieamfklkm|1|0|0|  
KHC								|hcflpincpppdclinealmandijcmnkbgn|1|0|0|  
TezBox							|mnfifefkajgofkcjkemidiaecocnkjeh|1|0|0|  
Temple							|ookjlbkiijinhpmnjffcofjonbfbgaoc|1|0|0|  
Goby							|jnkelfanjkeadonecabehalmbgpfodjm|1|0|0|  
Ronin Wallet					|kjmoohlgokccodicjjfebfomlbljgfhk|1|0|0|  
Byone							|nlgbhdfgdhgbiamfdfmbikcdghidoadd|1|0|0|  
OneKey							|jnmbobjmhlngoefaiojfljckilhhlhcj|1|0|0|  
DAppPlay						|lodccjjbdhfakaekdiahmedfbieldgik|1|0|0|  
SteemKeychain					|jhgnbkkipaallpehbohjmkbjofjdmeid|1|0|0|  
Braavos Wallet					|jnlgamecbpmbajjfhmmmlhejkemejdma|1|0|0|  
Enkrypt							|kkpllkodjeloidieedojogacfhpaihoh|1|1|1|  
OKX Wallet						|mcohilncbfahbmgdjkbpemcciiolgcge|1|0|0|  
Sender Wallet					|epapihdplajcdnnkdeiahlgigofloibg|1|0|0|  
Hashpack						|gjagmgiddbbciopjhllkdnddhcglnemk|1|0|0|  
Eternl							|kmhcihpebfmpgmihbkipmjlmmioameka|1|0|0|  
Pontem Aptos Wallet				|phkbamefinggmakgklpkljjmgibohnba|1|0|0|  
Petra Aptos Wallet				|ejjladinnckdgjemekebdpeokbikhfci|1|0|0|  
Martian Aptos Wallet			|efbglgofoippbgcjepnhiblaibcnclgk|1|0|0|  
Finnie							|cjmkndjhnagcfbpiemnkdpomccnjblmj|1|0|0|  
Leap Terra Wallet				|aijcbedoijmgnlmjeegjaglmepbmpkpi|1|0|0|  
Trezor Password Manager			|imloifkgjagghnncjkhggdhalmcnfklk|1|0|0|  
Authenticator					|bhghoamapcdpbohphigoooaddinpkbai|1|0|0|  
Authy							|gaedmjdfmmahhbjefcbgaolhhanlaolb|1|0|0|  
EOS Authenticator				|oeljdldpnmdbchonielidgobddffflal|1|0|0|  
GAuth Authenticator 			|ilgcnhelpchnceeipipijaljkblbcobl|1|0|0|  
Bitwarden					 	|nngceckbapebfimnlniiiahkandclblb|1|0|0|  
KeePassXC						|oboonakemofpalcgghocfoadofidjkkk|1|0|0|  
Dashlane						|fdjamakpfbbddfjaooikfcpapjohcfmg|1|0|0|  
NordPass						|fooolghllnmhmmndgjiamiiodkpenpbb|1|0|0|  
Keeper							|bfogiafebfohielmmehodmfbbebbbpei|1|0|0|  
RoboForm						|pnlccmojcmeohlpggmfnbbiapkmbliob|1|0|0|  
LastPass						|hdokiejnpimakedhajhdlcegeplioahd|1|0|0|  
BrowserPass						|naepdomgkenhinolocfifgehidddafch|1|0|0|  
MYKI							|bmikpgodpkclnkgmnpphehdgcimmided|1|0|0|  
Splikity  						|jhfjfclepacoldmjmkmdlmganfaalklb|1|0|0|  
CommonKey 						|chgfefjpcobfbnpmiokfjjaglahmnded|1|0|0|  
Zoho Vault    					|igkpcodhieompeloncfnbekccinhapdb|1|0|0|  
Opera Wallet  					|gojhcdgcpbpfigcaejpfhfegekdgiblk|0|0|1|

This is a collection of browser extensions that Stealc searches for in the browser’s DB using the IDs provided, which adds more stealthy capabilities. The configuration for these plugins is stored the same way as it was for the browsers.
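
A parser for the two decoded configurations shown above (browser paths and extension IDs), added here as an example and not taken from the original report or from Stealc itself. It turns a captured response into structured records a defender can use as a watchlist; it assumes the decoded response is one pipe-delimited stream with three fields per browser row and five per extension row, and the sample input is constructed from rows in this report.

```python
import base64
from collections import defaultdict

# Constructed sample: a few rows copied from the decoded configs shown in this
# report, re-encoded here so the example runs offline.
BROWSERS_B64 = base64.b64encode(
    b"Google Chrome|\\Google\\Chrome\\User Data|chrome|"
    b"Opera Stable|\\Opera Software|opera|"
    b"Mozilla Firefox|\\Mozilla\\Firefox\\Profiles|firefox|"
    b"Thunderbird|\\Thunderbird\\Profiles|firefox|"
).decode()
PLUGINS_B64 = base64.b64encode(
    b"MetaMask|nkbihfbeogaeaoehlefnkodbefgpgknn|1|0|0|\r\n"
    b"Enkrypt|kkpllkodjeloidieedojogacfhpaihoh|1|1|1|\r\n"
    b"Opera Wallet|gojhcdgcpbpfigcaejpfhfegekdgiblk|0|0|1|"
).decode()


def parse_records(b64_blob, width):
    """Decode a base64 C2 response and split it into records of `width` fields."""
    text = base64.b64decode(b64_blob, validate=True).decode("utf-8", "replace")
    fields = text.replace("\r", "").replace("\n", "").split("|")
    if fields and fields[-1] == "":      # the trailing '|' leaves one empty field
        fields.pop()
    if len(fields) % width:
        raise ValueError(f"{len(fields)} fields is not a multiple of {width}")
    return [tuple(f.strip() for f in fields[i:i + width])
            for i in range(0, len(fields), width)]


def browsers_by_engine(b64_blob):
    """Group (name, relative path) pairs by the engine tag that ends each row."""
    groups = defaultdict(list)
    for name, path, engine in parse_records(b64_blob, 3):
        groups[engine].append((name, path))
    return dict(groups)


def plugin_watchlist(b64_blob):
    """Map extension ID -> (name, flags); the report does not establish the flag meaning."""
    out = {}
    for name, ext_id, *flags in parse_records(b64_blob, 5):
        if len(ext_id) != 32 or not ext_id.isalpha():
            raise ValueError(f"unexpected extension ID: {ext_id!r}")
        out[ext_id] = (name, tuple(int(f) for f in flags))
    return out


if __name__ == "__main__":
    print(browsers_by_engine(BROWSERS_B64))
    print(plugin_watchlist(PLUGINS_B64))
```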

Exfiltrate System Information

After that, Stealc starts gathering system and hardware information such as:

ip address  
country   
processor name  
operating system  
arch 32 or 64  
PC or laptop  
UserName  
computerName  
Screenshot  
installed apps  
running process  
etc.

After collecting this data, it saves it in a format that the C2 can understand.

The collected data is then base64-encoded before being transferred to the C2.

Here is the stream of the fully collected data:

System Summary:  
 - HWID: 8658E8B4266B114684123  
 - OS: Windows 10 Enterprise  
 - Architecture: x64  
 - UserName:   
 - Computer Name: DESKTOP-2C3IQHO  
 - Local Time: 2023/9/14 18:47:27  
 - UTC: -5  
 - Language: en-US  
 - Keyboards: English (United States)  
 - Laptop: FALSE  
 - CPU: Intel(R) Core(TM) i7-4600M CPU @ 2.90GHz  
 - Cores: 1  
 - Threads: 1  
 - RAM: 4095 MB  
 - Display Resolution: 1536x864  
 - GPU:  
  -VMware SVGA 3D  
  -VMware SVGA 3D  
User Agents:  
Installed Apps:  
All Users:  
 HxD Hex Editor version 1.7.7.0 - 1.7.7.0  
 Npcap - 1.55  
 VB Decompiler Lite  
 WinSCP 5.13 - 5.13  
 Wireshark 3.6.0 64-bit - 3.6.0  
 Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 - 10.0.30319  
 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 - 9.0.30729.4148  
 Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.32.31326 - 14.32.31326.0  
Current User:  
 Progress Telerik Fiddler - 5.0.20173.50948  
 Microsoft OneDrive - 18.025.0204.0009  
 Opera Stable 91.0.4516.77 - 91.0.4516.77  
 Python 3.9.9 (64-bit) - 3.9.9150.0  
  
Process List:  
 System  
 smss.exe  
 csrss.exe  
 wininit.exe  
 csrss.ex  
 SearchIndexer.exe  
 SearchUI.exe  
 RuntimeBroker.exe  
 RuntimeBroker.exe  
 svchost.exe  
 SettingSyncHost.exe  
 svchost.exe  
 svchost.exe  
 vmtoolsd.exe  
 msdsrv.exe  
 svchost.exe  
 svchost.exe  
 svchost.exe  
 ApplicationFrameHost.exe  
 svchost.exe  
 svchost.exe 

Downloader

After exfiltrating system info, Stealc downloads the Sqlite3 DLL, which is used to execute queries that retrieve data from Chrome application data, so I will not skip this and will try to explain it in detail.

First, it asks for Sqlite3.dll.

After downloading the file, it checks that the file is valid by checking magic bytes in the DOS header and PE header. After that, it does not copy the whole file, only the part from the start of the section headers to the end of the file.
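
The same header checks from an analyst's side, useful for validating a DLL carved from captured traffic before feeding it to other tooling; this is an added example, not code from the original report or from the sample. It confirms the MZ and PE signatures and returns where the section header table starts, the point the report says the copy begins from; the sample buffer is constructed and holds headers only.

```python
import struct

SECTION_HEADER_SIZE = 40   # sizeof(IMAGE_SECTION_HEADER)
FILE_HEADER_SIZE = 20      # sizeof(IMAGE_FILE_HEADER)


def section_table_offset(data):
    """Validate DOS and PE signatures; return (offset of first section header, count)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 + FILE_HEADER_SIZE > len(data):
        raise ValueError("e_lfanew points outside the buffer")
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature:
    # NumberOfSections at +2, SizeOfOptionalHeader at +16.
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 4 + 2)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 4 + 16)
    offset = e_lfanew + 4 + FILE_HEADER_SIZE + opt_size
    if offset + SECTION_HEADER_SIZE * num_sections > len(data):
        raise ValueError("section table is truncated")
    return offset, num_sections


def build_sample():
    """Constructed minimal PE-like buffer (headers only, no section data)."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew
    file_header = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0xF0, 0x2022)
    return (bytes(dos) + b"PE\x00\x00" + file_header
            + bytes(0xF0) + bytes(SECTION_HEADER_SIZE * 2))


if __name__ == "__main__":
    off, count = section_table_offset(build_sample())
    print(f"section table at 0x{off:X}, {count} sections")
```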

Stealc does all of this just to get the addresses of some APIs that assist in retrieving data from the Chrome databases, which Chrome itself uses:

sqlite3_open

sqlite3_prepare_v2

sqlite3_step

sqlite3_column_text

sqlite3_finalize

sqlite3_close

sqlite3_column_bytes

sqlite3_column_blob

After that, it checks the browser structure built earlier and the web engine, then iterates over all browsers. If it hits a browser that exists on the victim machine, it gets a handle to the DB files, which I will explain next.

First, it resolves

%USER%AppData\Local\Google\Chrome\User Data\LocalState

which exists in the Chrome folders. Why this file exactly? Because it is used to store more technical information about Chrome:

The user’s preferred language

The user’s theme and font settings

The user’s startup settings (e.g., whether to open Chrome maximized)

The user’s privacy settings (e.g., whether to enable cookies)

The user’s extensions and their settings

The user’s bookmarks and history

After getting a handle to the file, it reads the file data and saves a pointer to it in the first passed argument.

After that, it searches the buffer for the “encrypted_key” string and then tries to retrieve the key from the file buffer, because the key is saved in a format that I will show in the next figure.

It iterates over the buffer until it hits the end of the key, which is marked by the } symbol.

After retrieving the key, it base64-decodes it. The first 5 bytes of the decoded stream are the word “DPAPI”, which indicates a DPAPI-protected stream. It then uses CryptUnprotectData to decrypt the decoded key, and the result is an AES key that will be used to decrypt cookies and credentials. This is because Chrome (v80+) encrypts data using AES, and the AES key is encrypted with DPAPI.

It then uses the decrypted AES key to generate a symmetric key that will be used for the decryption operation. This is done in 3 steps:

1- Call BCryptOpenAlgorithmProvider to get a handle to a cryptographic algorithm provider, which in this case is AES.

2- Call BCryptSetProperty to set the mode to ChainingModeGCM, which specifies that the Galois/Counter Mode (GCM) chaining mode should be used. GCM is a mode of operation for block ciphers that provides both encryption and authentication (with the help of Bard chat).

3- Call BCryptGenerateSymmetricKey, which generates a symmetric key for cryptographic operations, and save a handle to it in the Phkey variable.

After that, it retrieves the browser path that was received from the C2; in our case the first folder path is

%USER%AppData\Local\Google\Chrome\User Data

It then iterates over all folders on this path looking for browser DB files. These files are:

AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

AppData\Local\Google\Chrome\User Data\Default\Login Data

AppData\Local\Google\Chrome\User Data\Default\Web Data

AppData\Local\Google\Chrome\User Data\Default\History

which enables it to steal history and web sessions; autofill data will also be exfiltrated.
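
Detection logic for the access pattern described above (a non-browser process reading the key file and then the profile databases), added here as an example and not part of the original report. The event layout, the allowlist and the sample events are assumptions constructed for illustration; on disk the key file is named `Local State`.

```python
import ntpath
from collections import defaultdict

# Stores named in this report, keyed by the last path component (lower case).
STORES = {"local state", "cookies", "login data", "web data", "history"}
# Assumption: image names allowed to open these files. Production rules should
# match the full signed path, since a bare name is easy to imitate.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe"}

LOCAL = r"C:\Users\bob\AppData\Local"
CHROME = LOCAL + r"\Google\Chrome\User Data"
TMP_EXE = LOCAL + r"\Temp\sample.exe"
# Constructed events as (pid, image, target). The field layout is hypothetical;
# map it to your EDR or object-access audit telemetry.
EVENTS = [
    (4120, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     CHROME + r"\Default\Network\Cookies"),
    (7788, TMP_EXE, CHROME + r"\Local State"),
    (7788, TMP_EXE, CHROME + r"\Default\Network\Cookies"),
    (7788, TMP_EXE, CHROME + r"\Default\Login Data"),
    (7788, TMP_EXE, LOCAL + r"\Microsoft\Edge\User Data\Default\Web Data"),
    (900, r"C:\Tools\notes.exe", CHROME + r"\Default\History"),
]


def classify(target):
    """Return (user_data_root, store) for a Chromium-layout store file, else None."""
    lowered = target.lower()
    marker = "\\user data\\"
    pos = lowered.find(marker)
    store = ntpath.basename(lowered)
    if pos == -1 or store not in STORES:
        return None
    return lowered[:pos + len(marker) - 1], store


def suspicious_readers(events):
    """Flag non-browser processes that read Local State plus at least one database."""
    seen = defaultdict(lambda: {"stores": set(), "roots": set()})
    for pid, image, target in events:
        hit = classify(target)
        if hit is None or ntpath.basename(image).lower() in BROWSER_IMAGES:
            continue
        seen[(pid, image)]["stores"].add(hit[1])
        seen[(pid, image)]["roots"].add(hit[0])
    return [
        {"pid": pid, "image": image, "stores": sorted(e["stores"]),
         "browsers": len(e["roots"])}
        for (pid, image), e in sorted(seen.items())
        if "local state" in e["stores"] and len(e["stores"]) > 1
    ]


if __name__ == "__main__":
    for alert in suspicious_readers(EVENTS):
        print(alert)
```

Backup agents and security products also read these files, so the allowlist needs tuning per environment before alerting on it.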

We hope this post spreads awareness among blue teamers of these interesting malware techniques, and adds a weapon to the red teamers' arsenal.

Big thanks to @farghlymal for this detailed report.

By Cyber Threat Hunters from MSSPLab:

References

https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
https://farghlymal.github.io/Stealc-Stealer-Analysis/
https://twitter.com/farghlymal
Stealc config decryptor

Malware Analysis Stealc – part 1

Thanks for your time, happy hacking and goodbye!

All drawings and screenshots are from farghlymal blog

Originally published by MSSP Lab: Malware analysis report: Stealc stealer – part 2

Copyright notice: posted by admin on December 1, 2023 at 6:09 PM.