JAVA-based Sophisticated Stealer Using Discord Bot as EventListener

Executive Summary:

In mid-November 2023, Trellix Advanced Research Center team members observed a Java-based stealer being spread through cracked software zip files using JDABuilder Classes to create an instance of the EventListener to easily register. The Stealer uses Discord bot channel as an EventListener.

Delivery Mechanism:

Figure 1: Infection Mechanism

Figure 1: Infection Mechanism

Threat Analysis:

The Malicious ZIP File #1:

Let’s inspect the zip file to see what we have:

Figure 2: Inspecting the ZIP

Figure 2: Inspecting the ZIP

The LNK File #2:

While inspecting the LNK file, we learned one of the JAR files has been targeted by the LNK file with cmd.exe.

Figure 3: Inspecting LNK file.

Figure 3: Inspecting LNK file.

The Malicious JAR File #3:

Main class “org.reallyworld.proverka.CheatDetector”.

The first thing the malware does is create a folder named “NS-<11-digit_random_number>” for storing the exfiltrated data. Later zipping it.

Figure 4: Creating NS-11_random_num

Figure 4: Creating NS-<11_random_num>

Exfiltration:

#Screenshot:

The first thing the threat looks for is the screenshot of the active window using the API – “GraphicsEnvironment.getLocalGraphicsEnvironment”.

Figure 5: Taking screenshot

Figure 5: Taking screenshot.

#Cookies:

Stealing cookies from the browsers supported, shown below:

Opera Stable

Torch

Opera GX Stable

Comodo

Microsoft Edge

Slimjet

Google Chrome & Beta

360Browser

Comodo Dragon

Maxthon3

Chromium

K-Melon

Brave-Browser

Sputnik

Epic Privacy Browser

Nichrome

Amigo

CocCoc Browser

Vivaldi

uCozMedia Uran

Orbitum

Chromodo

Mail.Ru Atom

YandexBrowser

Kometa

360Browser

#Cookies & Autofill:

Figure 6: Cookies Export

Figure 6: Cookies Export

The malware supports certain browsers, including chrome, edge, opera, etc. The cookies were queries through JDBC driver “select * from cookies;”, taking the “encrypted_value” having the password in encrypted format has been decrypted using “Crypt32Util.cryptUnprotectData” API by searching the folders

Cookies,

NetworkCookies”

with cookie details.

Figure 7: Querying for cookies

Figure 7: Querying for cookies

The details crawled from the cookies include:

  • host_key (domain)
  • is_httponly
  • path
  • is_secure
  • expires_utc
  • name
  • decrypted_password

It also crawls for Autofill credentials, which users often use to save their passwords to eliminate having to type their credentials every time they visit the site. This has been queried using “select * from autofill;” by searching the folder

Web Data”
with the autofill details. The details crawled from Autofill include “name, value, count”.

Figure 8: Querying for Autofill

Figure 8: Querying for Autofill

#Credentials (username, password):

Usernames & passwords were exfiltrated from the supported browser’s folder “Login Data” and queried with “select * from logins;” where all the usernames & passwords are stored.

Figure 9: Querying for credentials.

Figure 9: Querying for credentials.

#SystemInfo:

The malware fetches various information, such as:

  • OS Name & Arch
  • JAR file path
  • System Username
  • IP Address
  • System Time zone
  • Monitor’s screen size
  • System’s language and located country

Figure 10: System Info.

Figure 10: System Info.

#Installed Programs:

The threat also looks for programs installed in the victim’s machine through the sub-registry path “SOFTWAREMicrosoftWindowsCurrentVersionUninstall**DisplayName” of both HKLM and HKCU,.

Figure 11: Installed Programs

Figure 11: Installed Programs

#Tokens:

The malware looks for tokens specifically from discord with filter “roaming” and “discord” from the DB

User DataDefaultLocal Storageleveldb”
where all the session tokens are stored.

Figure 12: Discord tokens

Figure 12: Discord tokens

#Sessions:

The sessions of Telegram & Steam are hijacked with Registry key path and file path. Telegram sessions are crawled if “%appdata%Telegram DesktopTelegram.exe” exists in the system. Steam sessions will be searched only if the registry path “HKCUSOFTWAREValveSteam” exists.

Figure 12.1: Telegram sessions

Figure 12.1: Telegram sessions

Figure 12.2: Steam sessions

Figure 12.2: Steam sessions

Zipping all the Data #4:

Once all the information is exfiltrated into the folder ““%LOCALAPPDATA%NS-<11-digit_random_number>”, the malware has a zip call where the folder is zipped with the name of “%LOCALAPPDATA%NS-<11-digit_random_number>.zip”, which we found earlier. Once the zip function completes, the folder is deleted from the location.

Figure 13: Zipping the folder

Figure 13: Zipping the folder

Sending data to Discord Bot #5:

The final stage of this malware is to send the zip file containing all the collected data to the Discord bot channel – ID
“1135690821988012052” with the title
“***@here NS-STEALER*** $$$” followed by uploading the zip file.
Figure 14: Sending data to Discord Bot

Figure 14: Sending data to Discord Bot

Conclusion:

Considering the highly sophisticated function of gathering sensitive information and using X509Certificate for supporting authentication, this malware can quickly steal information from the victim systems with JRE. TheDiscord Bot channel as an EventListener for receiving exfiltrated data is also cost-effective. Discord webhook bot’s are more often used by Threat Actors for stealer activities and to form a URL for sending messages. Taking all of this into account, this threat will likely spread more in the wild, with additional users falling victim.

IOC:

f02496f4b9da09ae0fbf1b59fbdc4b2193cc9e03134ee4c5e71141bb618fdd0c

506b40e0f199b32a597bb44aa90343cc14830796f2bf3fd7c3fa281a52ce27c9

6d6c788c928c1408dd19de83b6dd1a12092c96b179fc17a66414886cf8d1daf0

90ba262acdb6fd1ead5167a7347a1d66ee0075c24ed18d5b4cb07933a4c42805

a8be7f50b0554e519a8c98ec39d2ba76e0655da133c8795a41d36dc29d9c7433

d5a528f524401a36a6366619f3b2d83efed740801128f527e9dce80e68060922

ded871d290ad309d228c00107d87e88dfadbc9d682ff3e04d9fb63f2c34aa256

ecb4b09bfd34adc671537c98d1b1cd6f662e66077904db0da9f88e2054ef9edd

85eec9d888d584c33b597d6e40f1a74b4d00db9838d681339b845bb87c14cd10

3dd8439a4fcc880a5cd5df005e15638be298993c141c200e47c769ef2e3ca1f4

3dc895e597d503590ef117dd942709a180392c9522c704901e272113bea8310f

9486f5c47b037e87732c0c7d7d686334d7c3761133735f8b6d65b3aa479ec113

3013ab2c5c8c8a217e9484f6a46fbacacbce92475dbe7f8d5e3f04d23974de83

eb845853386ca89043ac04ec399e5111a906fd2bcde24ab02494eb035fdd1224

89665ab4e6ed00809208a4656bc38da81831fd4b8044d7039e5542fe47b81d0e

bcff5e6d151126f0c3691b8c0fc46fb4e586ee5559068ac3acc2bd478c1c9ca1

Discord Bot Channel’s ID:

  • 1135690821988012052
  • 1157615140024365119
  • 1166717820332159097
  • 1167760743488311387
  • 1146788754883891243
  • 1156247828516061325

JAR Package Name:

org.reallyworld.proverka.CheatDetector

Trellix HX Detections:

Malware.Binary.jar

Protecting Against These Threats:

  • Avoid proxy software as it may contain additional scripts leading to these attacks.
  • Use strong cyber security solutions to ensure you are protected against these types of malicious behaviors.

This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers.

Source: https://www.trellix.com/about/newsroom/stories/research/java-based-sophisticated-stealer-using-discord-bot-as-eventlistener/