Unmasking AsukaStealer: The $80 Malware Threatening Your Digital Security – Blogs on Information Technology, Network & Cybersecurity | Seqrite

Estimated reading time: 5 minutes

AsukaStealer, marketed on a Russian-language cybercrime forum by the alias ‘breakcore,’ has been exposed. The perpetrator offers its services for a monthly fee of $80, targeting individuals and organizations seeking to exploit its capabilities for malicious purposes.
Written in C++, AsukaStealer features customizable configurations and an intuitive web-based interface, enhancing its usability for cybercriminals seeking to deploy and manage malware efficiently.
It is a sophisticated malware designed to infiltrate a wide range of browsers, including popular ones like Mozilla Firefox, Google Chrome, and Microsoft Edge. It has the capability to extract valuable information such as extension data, internet cookies, and saved login credentials from these browsers, posing a significant threat to user’s privacy and security. With its ability to target both Gecko and Chromium-based browsers, Asuka ensures a broad reach across various browsing platforms, making it a potent tool for cybercriminals seeking to harvest sensitive data.
In addition to browser data, Asuka is equipped to target other applications and software commonly used by individuals and businesses. It seeks information related to cryptocurrency wallets, FTP clients like FileZilla, messaging platforms like Discord and Telegram, and gaming software like Steam.
Moreover, Asuka’s capabilities extend beyond data extraction to include exfiltrating files from infected systems and taking screenshots.

Technical Details
AsukaStealer r is a C++ custom malware. While analyzing the sample, it initially uses the API hashing technique.

Fig 1: API resolution done by malware

Upon our analysis, we found that Asuka has some base64-encoded and hexadecimal values.

It is utilizing “1d6f6623f5e8555c446dc496567bd86e” as the key and “WRBCFgwZHQZIAVcWAwMbUQEOBVRTBA==” as the base64-encoded C2 address

After decoding the c2c address is hxxp://5.42.66.25:3000/

Fig 2: Decoding c2c base 64 value with key

C2C download of config file

The most interesting fact is that it downloads configuration files from the c2c server hxxp://5.42.66.25:3000/ and tries to utilize them.

Fig 3: Configuration file

From the configuration file, we can see that it is utilizing browser and discord details.

Data Exfiltration

Fig 4: Desktop version and language ID check

It tries to collect desktop version and language ID and checks if they are from Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Ukraine, or Russia.

Fig 5: OS details capture

It also tries to capture CPU details, OS version, RAM, time zone, and other details.

Fig 6: Browser credential details

It also tries to collect login details like cookies, passwords, and web Data of browsers.

Fig 7: Chromium browser details

The above figure shows how it tries to steal data from the chromium browsers.

List of browsers it tries to steal are,

  1. OperaGX
  2. net
  3. Chromium
  4. Google
  5. Google86
  6. Opera
  7. ChromiumPlus
  8. Iridium
  9. 7Star
  10. CentBrowser
  11. Chedot
  12. Vivaldi
  13. Kometa
  14. Elements
  15. EpicPrivacyBrowser
  16. Uran
  17. Sleipnir5
  18. Citrio
  19. Coowon
  20. liebao
  21. QIPSurf
  22. Orbitum
  23. Amigo
  24. Torch
  25. YandexBrowser
  26. Comodo
  27. 360Browser
  28. Maxthon3
  29. K-Melon
  30. Sputnik
  31. Nichrome
  32. CocCoc
  33. Uran2
  34. Chromodo2
  35. Atom
  36. BraveSoftware
  37. Edge
  38. GeForceExperience
  39. Steam
  40. CryptoTabBrowser

It also tries to steal the following Crypto wallet details:

  1. osmwallet
  2. DogeLabsWallet
  3. Safepal
  4. KeplrWallet
  5. Zecrey
  6. LeapCosmosWallet
  7. EthosSuiWallet
  8. Nightly
  9. Z3US
  10. Bitski
  11. ABCWallet
  12. BitPay
  13. AuroxWallet
  14. WalletGuard
  15. EOFinanceWallet
  16. BitKeep-Wallet
  17. CoreWallet
  18. Crypto-Wallet
  19. VenomWallet
  20. BraavosWallet
  21. SolflareWallet

Fig 8: Storing browsing data in database file

Then malware collects and transmits crucial files for decrypting browser data, including cookies.sqlite, logins.json, cert9.db, and key4.db.

Each file is associated with a unique UUID generated using the UuidCreate function, enhancing tracking and organization of the exfiltrated data. Notably, UuidCreate is also employed for other data extracted from the host, spanning cryptocurrency wallets, the Grabber module, Steam, Telegram, and additional sources, showcasing the malware’s comprehensive data exfiltration capabilities.

Downloads Coinminer

It also downloads the Coinminer file, saves it in a temp folder with the name tempik22814838.exe, and executes it.

C2c of Coinminer: hxxp://www.marrem.ee/altushka1488228pudge.exe

Fig 9: Coinminer downloaded and dropped in the temp folder

When we tried to check the c2c, we found the login page of AsukaStealer, where the attacker stored all the user’s details.

Fig 10: Login page of AsukaStealer malware

Mitre attack techniques:

Initial Access TA0001
Execution TA0002
Defense Evasion TA0005
Credential Access TA0006
Discovery TA0007
Collection TA0009
Command and Control
TA0011
Steal Application Token T1528
Steal Web Session Cookie T1539
Screen Capture T1113
Exfiltration Over C2 T1041

Conclusion:

With the increasing number of malware and the prevalence of Malware-as-a-Service, it is becoming easier for threat actors to consume what is readily available without spending much time. Data is the most important commodity for an individual or a business, which threat actors can steal and sell on underground forums, resulting in massive breaches. So, it becomes more crucial to keep your antivirus up to date to avoid such circumstances.

IOCs:

24bb4fc117aa57fd170e878263973a392d094c94d3a5f651fad7528d5d73b58a   AsukaStealer

6b8277813999b908fc38eca68db5249fe0b76a8f652cb1a5a21d073247ed7dc4  Coinminer

Authors:

Soumen Burma

Rumana Siddiqui

Source: https://www.seqrite.com/blog/unmasking-asukastealer-the-80-malware-threatening-your-digital-security/