Beware of information-stealing malicious code disguised as installation file

StealC malware disguised as an installer is being distributed in large quantities.

It has been confirmed to be downloaded from Discord, GitHub, Dropbox, and similar services. Considering previous cases distributed in a similar manner, it is presumed that a malicious page disguised as the download page of a specific program leads to the download URL through several redirects.

StealC is an information-stealing malware that steals a wide range of sensitive information, including system information and data from browsers, cryptocurrency wallets, Discord, Telegram, and mail clients.

Figure 1. Malicious code uploaded to Github

The malware and the techniques it uses are similar to malware previously distributed disguised as cracks, but the distribution site is different. The process of distributing crack-disguised malware has been covered several times on this blog; you can refer to the link below.

This campaign was unusual in that a very large number of users downloaded the file in a short period of time. It was most likely disguised as a program well known in Korea.

The following two samples are the most widely distributed and are still in circulation. Their file names are “setup_2024.008.20534_win64_86.exe” and “Setup_21.4_win64_86”, respectively. If the file name is changed, no malicious behavior occurs; this is intended to evade analysis environments such as sandboxes.

Figure 2. StealC malware sample icon

When the malware runs, it downloads a PNG file from an image hosting site. The PNG is structured so that encoded malicious data is inserted in the middle of the image data. Each sample carried three different site addresses, and the files downloaded from each site were identical.

Figure 3. Malicious PNG file

Decoding the data inside the PNG file yields shellcode and the file binaries needed for the malicious activity. When the shellcode runs, it goes through file creation, execution, and several injection steps, and finally the StealC infostealer is executed.
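A PNG that carries foreign data, as described above, often shows up as a structural anomaly when the file's chunk list is walked. The following is an added example, not code from the original post or from AhnLab: it verifies each chunk CRC and flags unknown chunk types, missing IEND, and bytes trailing after IEND. The sample files are constructed inline; the chunk name `pAYl` and its contents are hypothetical, and the exact layout used by the real samples is not known from the post.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec plus common extensions; anything else is worth a look.
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB",
                b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT",
                b"hIST", b"tIME", b"eXIf"}


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk with a correct CRC (used here only to construct sample input)."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def png_anomalies(blob: bytes) -> list:
    """Walk the chunk list and return human-readable findings; an empty list means nothing odd."""
    findings = []
    if not blob.startswith(PNG_SIG):
        return ["bad PNG signature"]
    pos, seen_iend = len(PNG_SIG), False
    while pos + 12 <= len(blob) and not seen_iend:
        length = struct.unpack(">I", blob[pos:pos + 4])[0]
        ctype = blob[pos + 4:pos + 8]
        data = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc) < 4:
            findings.append(f"truncated chunk {ctype!r} at offset {pos}")
            return findings
        if zlib.crc32(ctype + data) != struct.unpack(">I", crc)[0]:
            findings.append(f"CRC mismatch in chunk {ctype!r} at offset {pos}")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"unknown chunk {ctype!r} ({length} bytes) at offset {pos}")
        seen_iend = ctype == b"IEND"
        pos += 12 + length
    if not seen_iend:
        findings.append("no IEND chunk")
    elif pos < len(blob):
        findings.append(f"{len(blob) - pos} trailing bytes after IEND")
    return findings


# Constructed 1x1 grayscale image used as a benign baseline.
_IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
_IDAT = zlib.compress(b"\x00\x00")  # one filter byte followed by one pixel
CLEAN_PNG = PNG_SIG + make_chunk(b"IHDR", _IHDR) + make_chunk(b"IDAT", _IDAT) + make_chunk(b"IEND", b"")
# Constructed tampered file: a hypothetical 'pAYl' chunk holding an opaque blob in the
# middle of the chunk sequence, plus extra bytes appended after IEND.
TAMPERED_PNG = (PNG_SIG + make_chunk(b"IHDR", _IHDR) + make_chunk(b"pAYl", b"A" * 64)
                + make_chunk(b"IDAT", _IDAT) + make_chunk(b"IEND", b"") + b"B" * 32)
```

A clean file produces no findings; a renderer still displays the tampered file because unknown ancillary chunks and trailing bytes are ignored, which is exactly why the structural check is needed.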

In this process, legitimate SysWOW64 processes (netsh.exe, more.com) and legitimate AutoIt processes (WinAPIHObj.au3, DllCall.au3) created in the Temp path are executed, and StealC is injected into and executed in the AutoIt process. The execution process tree is as follows.

Figure 4. StealC execution process tree

During injection, the ntdll manual mapping technique and the Heaven’s Gate technique are used. The former manually loads ntdll.dll and calls its internal functions; the latter executes x64 instructions from within a WoW64 process. Both are used to evade security products and hinder analysis.

Figure 5. Heaven’s Gate Code

These behavioral characteristics are identical to those of the crack-disguised malware distributed a few weeks ago. The sample distributed at that time was the Vidar infostealer; like this sample, it was disguised as an installer and used file-name checking, PNG file downloading, legitimate process creation and injection, the ntdll manual mapping technique, and the Heaven’s Gate technique. The image hosting site used to download the PNG files is also the same.

Figure 6. Vidar malware sample icon
Figure 7. Vidar execution process tree

At that time, a legitimate file included by default in Windows 11 (imewdbld.exe), which can only run in that OS environment, was created and injected into. As a result, only Windows 11 environments were targeted, whereas the recently distributed StealC sample also operates normally on earlier OS versions.

Vidar is also an information-stealing malware; it is characterized by obtaining its C2 addresses from account pages on platforms such as Steam and Telegram, so the C2 may change continuously.

Figure 8. Vidar malware C2 page

In addition, among the crack-disguised malware distributed around 5 a.m. today, a sample with the same C2 as the StealC sample discussed here was distributed. Different malware with the same operating method, and malware with different operating methods but the same C2, are constantly being generated and distributed.

All of them are presumed to originate from the same attacker or from closely related actors, and they pose a constant threat to users.

  • d58a6009dec024aee176df38d39bc32b (Stealc MD5)
  • 413aa458fb04b7ff1c455cefdb720135 (Stealc MD5)
  • hxxps://mega[.]nz/file/AhEBmaBI#lyluDB_AcC4qphklfyKhGYHyJnwyRCfvX2UC-zi6YA8 (distribution site)
  • hxxps://mega[.]nz/file/VWs2HKSQ#PnyLXgyDKNY1REGwFIG2D_K0Vmw8K0z_KM-aVGVEBWI (distribution site)
  • hxxp://193.143.1[.]226/129edec4272dc2c8.php (Stealc C2)

As malware disguised as installation files is actively distributed, caution is required. When downloading an executable file, verify that the domain is the official website, and do not run files downloaded from untrusted links.

AhnLab diagnoses the malware samples introduced in this post as follows.

[IOC Information]

– StealC

  • MD5
    c935f54929475d06b6d11c746ac64156 (setup_2024.008.20534_win64_86.exe)
    d3bbe6f53dec9b65400f6477fb7ad697 (Setup_21.4_win64_86)
  • Diagnosis
    Infostealer/Win.Stealc.C5598726
    Malware.Win.Generic.R638023

– Vidar

  • Diagnosis
    Infostealer/Win.Vidar.R635589
    Infostealer/Win.LummaC2.R635589