Venture Wolf Aims to Disrupt Russian Enterprises with MetaStealer

Summary:

Venture Wolf is a cyber threat actor that employs sophisticated loaders to deliver the MetaStealer malware. These loaders utilize various decoy files and obfuscation techniques to inject malicious payloads into compromised systems, primarily targeting sensitive data from browsers and applications.

Keypoints:

  • Venture Wolf disseminates loaders with .com and .exe extensions.
  • Loaders inject malicious payloads into either a dummy .NET file or the RegAsm.exe process.
  • Malicious payloads are encrypted and obfuscated to evade detection.
  • MetaStealer, a fork of RedLine, is used to steal sensitive information from compromised systems.
  • Decoy files include various image and document formats to trick users.
MITRE Techniques:

  • Execution (T1203): Exploits vulnerabilities in applications to execute malicious code.
  • Credential Dumping (T1003): Collects credentials from various sources, including browsers and email clients.
  • Data from Information Repositories (T1213): Retrieves sensitive information from applications like Steam and FileZilla.
  • Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
  • Obfuscated Files or Information (T1027): Employs obfuscation techniques to hide the presence of malicious code.

    Venture Wolf disseminates archives containing a loader with the .com (and occasionally .exe) extension, as well as one or more phishing documents. After the launch, the loader either creates a dummy .NET file where it injects the malicious payload or injects it into the RegAsm.exe process.

    The adversaries use various image (JPG and PNG) and text (PDF, DOC/DOCX, and ODT) files as decoys.

    Decoy file examples: Company record.pdf, Company bank details.jpg, Individual entrepreneur record.png

    The loaders are portable executable (PE) files. Their code is obfuscated, and the names of the WinAPI functions—employed for malicious code injections—are encrypted. Depending on the loader’s type, the malicious payload and the dummy .NET file are RC4‑encrypted and stored in the loader’s body. In most cases, the malicious payload is injected into the suspended process of the running dummy .NET file. It is worth mentioning that some loaders do not have a dummy file and inject the malicious payload into the RegAsm.exe process.

    Depending on the loader’s type, the payload is decrypted and a randomly named dummy .NET file is created in the %TEMP% folder. The name is generated arbitrarily from the alphabet sequence set in the loader. Thus, the dummy .NET file name may contain Chinese characters. Notably, the dummy file does not contain any code in the Main function.

    The names of the WinAPI functions (namely, CreateProcessW, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext/SetThreadContext, ResumeThread) used for injecting the code into the running process are decrypted.

    The MetaStealer malicious payload is also decrypted and injected into the process.

    The injection of the malicious payload code goes as follows:

    • CreateProcessW with dwCreationFlags = 0x00000004 (CREATE_SUSPENDED) creates a suspended process of either the dummy .NET file or RegAsm.exe.
    • VirtualAllocEx allocates memory in the suspended process.
    • WriteProcessMemory writes the malicious payload into the allocated memory section.
    • Wow64SetThreadContext/SetThreadContext changes the thread context to set the entry point for the execution of the injected malicious payload.
    • ResumeThread resumes the suspended process (transfers control over to the malicious payload).
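Detection logic for the call sequence above, as an added example that is not part of the original report: it walks a constructed, sandbox-style API-call trace (one JSON object per line with pid, api, target and optional image/flags fields; the format and the pids are assumptions) and reports every caller that opens a CREATE_SUSPENDED process and then completes the full chain against it.

```python
"""Detect the suspended-process injection chain described above in an API-call trace.

Added example, not code from the original report. The trace format (one JSON object
per line with pid, api, target and optional image/flags fields) is a constructed
sandbox-style log, not the output of any real tool.
"""
import json

CREATE_SUSPENDED = 0x00000004
# The WinAPI calls the loader makes, in order; Wow64SetThreadContext is the 32-bit-on-64 variant.
CHAIN = ["CreateProcessW", "VirtualAllocEx", "WriteProcessMemory", "SetThreadContext", "ResumeThread"]
ALIASES = {"Wow64SetThreadContext": "SetThreadContext"}

# Constructed sample: pid 4100 plays the loader, 4188 its suspended RegAsm.exe child;
# pid 5000 starts notepad normally (no CREATE_SUSPENDED) and must not be flagged.
SAMPLE_TRACE = r"""
{"pid": 4100, "api": "CreateProcessW", "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", "flags": 4, "target": 4188}
{"pid": 4100, "api": "VirtualAllocEx", "target": 4188}
{"pid": 4100, "api": "WriteProcessMemory", "target": 4188}
{"pid": 4100, "api": "Wow64SetThreadContext", "target": 4188}
{"pid": 4100, "api": "ResumeThread", "target": 4188}
{"pid": 5000, "api": "CreateProcessW", "image": "C:\\Windows\\notepad.exe", "flags": 0, "target": 5010}
{"pid": 5000, "api": "ResumeThread", "target": 5010}
"""


def find_injection_chains(trace_text):
    """Return (loader_pid, target_pid, image) for every complete chain in the trace.

    A chain opens with CreateProcessW carrying CREATE_SUSPENDED; the remaining calls
    must then appear in order, from the same caller against the same target process.
    Unrelated calls in between are ignored, since a real loader makes many more.
    """
    progress = {}  # (caller_pid, target_pid) -> (index of next expected call, image)
    hits = []
    for line in trace_text.strip().splitlines():
        ev = json.loads(line)
        api = ALIASES.get(ev["api"], ev["api"])
        key = (ev["pid"], ev["target"])
        if api == CHAIN[0]:
            if ev.get("flags", 0) & CREATE_SUSPENDED:
                progress[key] = (1, ev.get("image", ""))
            continue
        if key not in progress or api != CHAIN[progress[key][0]]:
            continue
        idx, image = progress[key]
        if idx + 1 == len(CHAIN):
            hits.append((ev["pid"], ev["target"], image))
            del progress[key]
        else:
            progress[key] = (idx + 1, image)
    return hits
```

A CreateProcessW without the CREATE_SUSPENDED flag never opens a chain, so the normal notepad launch in the sample is not reported even though it also ends in ResumeThread.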

    We have also discovered multiple loaders with section names typical of various protectors: Enigma (.enigma1, .enigma2), VMProtect (.vmp0, .vmp1), Themida (.themida).

    [Figure: section names in one of the loaders]

    However, such loaders are not actually protected by any of the mentioned protectors. The section names appear to be a decoy, intended to push signature analysis tools or antivirus engines toward a favorable verdict.
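A triage check for the decoy section names just described, as an added example that is not part of the original report: it parses the PE section table of a constructed stub (real section names from the report, invented contents; SizeOfOptionalHeader is 0 to keep the stub short) and flags protector-named sections whose raw data is far less dense than genuinely packed or virtualized code. The 7.0 bits/byte threshold is an assumed heuristic.

```python
"""Flag protector-style section names whose contents do not look protected.

Added example, not code from the original report. The PE is a constructed stub that
borrows the section names the report lists; its bytes and the 7.0 threshold are assumptions.
"""
import math
import struct
from collections import Counter

PROTECTOR_SECTIONS = {".enigma1", ".enigma2", ".vmp0", ".vmp1", ".themida"}


def section_table(pe):
    """Yield (name, raw_bytes) per section, walking the DOS, COFF and section headers."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    first = e_lfanew + 24 + size_opt  # section headers follow the optional header
    for i in range(num_sections):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, first + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), pe[raw_ptr:raw_ptr + raw_size]


def entropy(data):
    """Shannon entropy in bits per byte; packed or virtualized code sits near 8."""
    if not data:
        return 0.0
    return -sum(n / len(data) * math.log2(n / len(data)) for n in Counter(data).values())


def suspicious_sections(pe, threshold=7.0):
    """Protector-named sections that are far less dense than genuinely packed code."""
    return [(name, round(entropy(data), 2)) for name, data in section_table(pe)
            if name in PROTECTOR_SECTIONS and entropy(data) < threshold]


def build_stub():
    """Constructed PE: plain .text, a fake low-entropy .vmp0, and a dense .themida.
    SizeOfOptionalHeader is 0 to keep the stub short; real files carry a full one."""
    sections = [(b".text", b"\x55\x8b\xec" + b"\x90" * 61),
                (b".vmp0", b"\x90" * 200 + b"\xc3" * 56),
                (b".themida", bytes(range(256)) * 2)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, body, ptr = b"", b"", 64 + 24 + 40 * len(sections)
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), ptr, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        ptr += len(data)
    return dos + coff + table + body
```

On real samples, pass the file bytes to suspicious_sections; a hit only says the name does not match the contents, so confirm by checking for the protector's own runtime artifacts rather than relying on the name alone.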

    The adversaries use MetaStealer as the payload. Written in C#, this malware is a fork of RedLine, yet another stealer. The key difference between the two is that MetaStealer’s developers do not prohibit its use in attacks against Russian and other CIS organizations.

    When running, MetaStealer does the following:

    • collects information about the compromised system, including the OS version and hardware specifications (hard disk, processor, and video controller specifications)
    • retrieves data from a wide range of browsers, such as Edge, Chromium, Google Chrome, Opera, CentBrowser, Chedot, Vivaldi, Kometa, Yandex Browser, Sputnik Browser, Mozilla Firefox, etc.
    • steals crypto wallet data from Electrum Bitcoin Wallet, Exodus Crypto Wallet, BTC, Electron, etc.
    • retrieves data from such email clients as Mozilla Thunderbird
    • obtains data from multiple applications, such as Steam and FileZilla

    Notably, Venture Wolf uses the .NET Reactor protector to obfuscate the MetaStealer code.

    Source: Original Post