New Java-Based Rude Stealer Abuses DirectX Diagnostic Tool – Cyble

Key takeaways

  • Cyble Research and Intelligence Labs (CRIL) recently came across a new stealer named “Rude”. This Java-based malware is specifically crafted to pilfer confidential data from compromised machines discreetly.
  • Rude Stealer specializes in extracting data from various browsers, capturing Discord tokens, Steam IDs, and information about installed games, along with the ability to take screenshots.
  • Additionally, it leverages the post, we unveiled the discovery of a new Remote Access Trojan (RAT) named “Sayler,” encapsulated within a JAR file. This malicious entity incorporates a range of harmful functionalities, encompassing a Keylogger, Information Stealer, Screen Capture tool, Ransomware, and supplementary features.

    On November 6th, CRIL identified a malicious Java Archive (JAR) file named “Stealer.jar” on VirusTotal. Upon further analysis, we were able to determine that the identified JAR file functions as a new information stealer named “Rude” designed to target the Windows Operating System.

    Rude Stealer, System Information
    Figure 1 – Rude Stealer capturing system information

    The primary objective of Rude Stealer is to collect sensitive information, such as passwords, cookies, history, and auto-fills, from various browsers. Furthermore, it targets tokens and IDs from installed applications such as Discord and Steam. Additionally, it is equipped with the capability to capture screenshots. An initial look at the decompiled code of this stealer is shown below.

    Rude Stealer, Decompiled code
    Figure 2 – Rude Stealer’s decompiled code

    Following the successful completion of the data theft process, Rude Stealer proceeds to transmit the pilfered data to the TAs through a designated Telegram channel.

    Initial Infection:

    While Rude Stealer’s initial infection vector is unknown, we were able to determine that it functions in a manner requiring the involvement of the TAs to commence data theft activities. To activate the stealer, the TAs need to execute it using command line arguments, specifying their Telegram channel chat ID and Bot Token. This action enables them to collect information from the compromised system.

    Technical Analysis

    The start function of the Rude Stealer is located in the class file “com.Rude.stealer.main.Start”, which contains a main method. This method takes an array of string arguments. The values of args[1] and args[0] (command line arguments) are assigned to the static fields chat_id and bot_token in the SendFile class.

    These arguments will later contribute to the establishment of a communication channel for TAs via Telegram. The image below shows the content of Start.class file.

    Figure 3 – Contents of Start.class file
    Figure 3 – Contents of Start.class file

    Upon receiving input arguments, Rude Stealer proceeds to initialize instances for various other class files. Each class file is responsible for executing operations related to extracting sensitive information from the system, installed applications, and browsers. The respective class file “NodeManager” is shown below. 

    Rude Stealer
    Figure 4 – Partial content of Nodemanager class file

    Upon the successful initialization of each method, representing distinct stealing operations, the stealer commences its various pilfering activities within the compromised system.

    Stealing Steam user data

    To steal a victim’s Steam user data, Rude Stealer scans the victim’s system for the Steam application directory, located at “Program Files (x86)Steamconfig” by default. If the Steam directory is identified, the stealer proceeds to copy all the files into a newly created folder – “C:Users[username]Steam”.

    Following that, the stealer generates a log file named “Log_Info.txt” in the same directory “C:Users[username]Steam” to log information related to any associated Steam accounts on the victim’s sys.

    Next, Rude Stealer traverses the directory containing the copied Steam files, inspecting each file for a name matching ‘loginusers’. Upon identifying this file, the stealer reads its content and searches for SteamID (typically presented as a 17-character string, for instance, 12345678900000000). If the search pattern identifies the victim’s SteamID, the stealer generates a URL using the SteamID, as shown below, and saves it in the log file:

    http[:]//Steamcommunity[.]com/profiles/12345678900000000

    The stealer also removes files with names that include either “coplay_” or “DialogConfigOverlay” from the copied files directory. This file deletion may indicate that the TAs are not focused on exfiltrating avatars (profile picture) and configuration files from compromised systems.

    The image below shows the code to steal Steam user data.

    Figure 5 Code snippet to steal Steam user data
    Figure 5 – Code snippet to steal Steam user data

    Upon acquisition of user account details associated with Steam, Rude Stealer proceeds to target installed games in the compromised system. To gather information about these games, the stealer retrieves a directory path, namely “C:Program Files (x86)SteamSteamapps“—the default location for Steam to store game manifest files on a Windows Operating System.

    Subsequently, the stealer searches for files within the identified directory containing the substring “appmanifest_”. It then processes the contents of these files, extracts the names of the installed games, and saves this information in the same log file created earlier – “C:Users[username]Steam Log_Info.txt”.

    The code snippet in the image below shows the part of the Steam class responsible for extracting information about installed games.

    Figure 6 Code snippet that steals information about installed games
    Figure 6 – Code snippet that steals information about installed games

    Stealing Discord tokens

    An additional threat that Rude Stealer poses is its ability to extract Discord tokens from the victim’s system by searching for Discord-related directories, such as:

    • C:Users[username]AppdataRoamingdiscordLocal Storageleveldb
    • C:Users[username]AppdataRoamingdiscordcanaryLocal Storageleveldb

    If any of these directories are identified, the stealer copies all the files to a newly created directory at “C:Users[username]Discord”.

    Subsequently, Rude Stealer filters through the files in these directories, employing a regex pattern “dQw4w9WgXcQ:” to identify Discord tokens. Once located, it writes these tokens to a newly created text file at “C:Users[username]DiscordAuth_Keys.txt”. The associated class file for this Discord token theft operation is displayed below.

    Discord, Rude Stealer
    Figure 7 – Class file to steal Discord Tokens

    Capturing Running Process Information

    After successfully pilfering Discord tokens and Steam IDs, Rude Stealer proceeds to retrieve a list of active processes running on targeted systems. It extracts information such as process name and its corresponding Process ID (PID). Subsequently, this extracted information is logged into a text file named “Process.txt” within the user profile directory “C:Users[username]”. The image below displays the class file responsible for extracting information regarding running processes.

    Running processes, Rude Stealer
    Figure 8 – Class file to steal running process details in the system

    Stealing System information

    In addition to stealing the aforementioned Steam, Discord, and process information, Rude Stealer can also retrieve system specifications from a victim’s machine. This is achieved by executing the DirectX Diagnostic Tool (dxdiag), a Windows utility for diagnosing and troubleshooting DirectX, graphics, and sound-related issues. The image below displays dxdiag’s output.

    DirectX, DxDiag,
    Figure 9 – Output of the DirectX Diagnostic Tool

    This collected diagnostic information is then saved to a text file named “Properties.txt” in the “C:Users[username]” directory. The image below displays the content of the Properties class file, which is responsible for retrieving system information.

    Class file, Rude Stealer
    Figure 10 – Content of the Properties class file

    Capturing Screenshots

    Further supplementing these already formidable information-stealing capabilities, Rude Stealer can also capture screenshots from a victim system by utilizing the Java Robot class, an inbuilt class in the Java AWT (Abstract Window Toolkit) package, to capture the current screen. Captured screenshots are saved as PNG files named “Screenshot.png” in the user profile directory “C:Users[username]”. The image below shows the content of the class file responsible for taking screenshots.

    Figure 11 Content of the Screenshot file
    Figure 11 – Contents of the Screenshot class file

    Stealing data from multiple browsers

    Rude Stealer is also designed to collect sensitive information from various web browsers, as outlined in the table below:

    Browser name AutoFill Cookies Credit Cards History Passwords
    Brave  Yes  Yes   Yes   Yes   Yes
    Edge   Yes   Yes   Yes   Yes   Yes
    Chrome   Yes   Yes   Yes   Yes   Yes
    Firefox     Yes      
    Opera   Yes   Yes   Yes   Yes   Yes
    OperaGX   Yes   Yes     Yes   Yes
    Vivaldi   Yes   Yes     Yes   Yes
    Yandex   Yes   Yes     Yes   Yes

    This decrypted data from various web browser databases is stored in log files, with the extracted content and corresponding log file paths outlined in the table below:

    Functions Information extracted Path of log files
    Autofill() Site name and autofill values C:Users[username]GeneralAutoFills.txt
    Creditcard() Credit card number, expiration month, and expiration year C:Users[username]GeneralCreditCards.txt
    Cookies() Path, domain, security attribute, HTTP-only attribute, expiration, decrypted cookie value C:Users[username]General Cookies[Browser-name].txt
    History() URL of the visited site and Title of the site C:Users[username]GeneralHistory.txt  
    Passwords() URL, Login or username, and password C:Users[username]GeneralPasswords[Browser-name].txt

    Stealing System information

    Rude Stealer also steals a variety of system-related details, which are listed below, and stores them in a respective text file located at “C:Users[username]”.

    • System Time
    • IP Address
    • Country
    • Drives
    • Current Username
    • Computer Name
    • Language
    • CPU Architecture
    • Number of CPU Kernels
    • GPU Name
    • RAM (Random Access Memory)
    • Screen Resolution
    • Working Path

    Data Compression, Transmission and Termination

    Once it successfully gathers all required information from the victim’s system, Rude Stealer creates a ZIP archive labeled with the computer name. This archive is located at “C:Users[username]”. This archive includes all the TXT files containing stolen information, as well as subdirectories (such as Discord and Steam) found within the user profile directory created by the stealer.

    Following the creation of the ZIP file, the stealer proceeds to transmit this data to the TA’s Telegram chat ID utilizing the Telegram bot API. The image below shows the content of the sendFile.class responsible for exfiltrating this stolen data.

    Exfiltration, infostealer
    Figure 12 – Code for exfiltrating stolen data

    As a final step, Rude Stealer engages in a cleanup procedure, deleting specific files and directories generated during its operation. This cleanup includes removing both the folder and any ZIP files associated with the computer’s name, after which the program terminates.

    Attribution

    Upon analysis of the discovered evidence, we can assume that Rude Stealer is likely operated by a TA associated with or operating from Turkey. This assessment is supported by the stealer’s action of retrieving the compromised system’s time and then converting it to Turkey’s time zone. The accompanying image shows the function responsible for this time conversion process.

    Turkey, Rude Stealer
    Figure 13 – Function to convert victim’s system time to Turkey time zone

    Conclusion

    Being a relatively straightforward stealer developed using Java, Rude Stealer may not have gained a lot of traction and relevance in the infosec community, unlike some other stealers in the wild that we have observed and analyzed.

    However, as per our findings in this analysis, we believe Rude Stealer still poses a noteworthy threat to both individual users and organizations. Its use of Dxdiag to obtain sensitive information adds yet another layer of significance to its capabilities.

    Rude Stealer’s adeptness in targeting various categories of highly sensitive information from diverse applications and browsers raises concerns in the current cybersecurity threat landscape. This compromised information, once in the hands of attackers, creates potential risks for financial exploitation and can be leveraged to launch additional attacks on individuals or organizations.

    Recommendations

    • To enhance security, we advise that users disable the automatic saving and storage of passwords by web browsers and opt for password managers instead.
    • Establish stringent access controls or policies to regulate the execution of system tools such as dxdiag.
    • Enforce strict rules to block the creation of text files within the user profile folder, particularly in sensitive paths like “C:Users[username]”.
    • Use reputed anti-virus and internet security software packages on your connected devices, including PC, laptop, and mobile.

    MITRE ATT&CK® Techniques

    Tactic  Technique Procedure
    Execution  (TA0002) User Execution (T1204) Manual execution required
    Credential Access (TA0006) OS Credential Dumping (T1003) Tries to harvest and steal browser information
    Credential Access  (TA0006) Steal Application Access Token (T1528) Steal Application Access Token
    Credential Access  (TA0006) Credentials from Web Browsers (T1555) Steals credentials from Web Browsers
    Discovery  (TA0007) System Information Discovery (T1082) The stealer gathers system information through various methods
    Collection (TA0009) Screen capture (T1113) Takes a screenshot of the victim’s screen
    Collection (TA0009) Data from the Local System
    (T1005)
    The malware collects sensitive data from
    victim’s system.
    Exfiltration(TA0010) Exfiltration Over Web Service (T1567) Uses Telegram channel to exfiltrate data

    Indicators Of Compromise

    Indicators Indicator
    Type
    Description
    05b932d3306fb06ee961fd533d2faab92ed01f7f0ee2b7bea5a6a1f521154a94   7fd1fea4f939b5350a5699a69866e7714767a68f   92aa4673f7885c6f6b4ea39cb2f1b643 SHA256   SHA1   MD5   Rude Stealer

    YARA Rules

    rule Rude_Stealer

    {

    meta:

    author = “Cyble”

    description = “Detects Rude Stealer”

    date = “2023-11-20”

    os = “Windows”

    threat_name = “Rude Stealer”

    scan_type = “file”

    severity = 90

    reference_sample = “05b932d3306fb06ee961fd533d2faab92ed01f7f0ee2b7bea5a6a1f521154a94”

    strings:

    $a = “com/Rude/stealer/” ascii wide

    $b = “/decrypt/password/Password.class” ascii wide

    $c = “/nodes/impl/Screenshot.class” ascii wide

    condition:

    uint16(0) == 0x504B and all of them

    }

    Source: https://cyble.com/blog/new-java-based-rude-stealer-abuses-directx-diagnostic-tool/