Key Takeaways
- Cyble Research and Intelligence Labs (CRIL) has uncovered a malware campaign that utilizes multiple phishing domains to target users who are downloading Virtual Private Network (VPN) Windows applications.
- In this campaign, the downloaded VPN application is utilized to disseminate an information-stealing malware known as “BbyStealer.”
- BbyStealer malware was first reported in early 2022. Currently, it has resurfaced with a different developer, as the previous developer has been ousted from the project.
- BbyStealer is designed to collect sensitive details from various web browsers and crypto wallet extensions, sending the stolen information to a remote server. Furthermore, it performs a clipper operation on the victim’s system.
Overview
Threat Actors (TAs) employ phishing websites as their primary means of disseminating malware. These TAs often incorporate brand impersonation into their phishing campaigns, skillfully deceiving users by creating a facade of trustworthiness and legitimacy, ultimately luring unsuspecting individuals.
CRIL recently discovered a phishing website with the name “totalvpn[.]tech” that distributes a RAR archive file named “TotalVPN.rar.” After decompressing the downloaded archive file, it contains an executable file named “TotalVPN.exe” – an NSIS installer file. Upon investigation, it was determined that the identified file is actually an information-stealing malware known as “BbyStealer.”
BbyStealer malware was initially reported at the beginning of 2022. BbyStealer was previously associated with the “Try my game” scam and was reported by a Reddit user ‘Beautiful_Ad_4680″. Currently, BbyStealer has made a return with a new developer, as stated in their Telegram channel, shown below.
CRIL has encountered numerous RAR files bearing the names of VPN applications uploaded to VirusTotal since the beginning of October. These files are being used to distribute BbyStealer malware to the users’ systems.
This malware campaign targets VPN applications and employs the following file names:
- TotalVPN.rar
- WolferVPN.rar
- CyberFortressVPN.rar
- FortresVPN.rar
- FlazerVPN.rar
- FlazerVPN-v18.16.0-x64.rar
- ProxtyVPN-v18.16.0-x64.rar
- iTropperVPN.rar
Initial Infection
The initial infection commences with a phishing website that specifically targets individuals seeking a Windows VPN application such as FlazerVPN, TotalVPN, and more.
CRIL has recently identified several VPN phishing websites, and the following figures illustrate the findings. These websites serve as a means to disseminate a malware payload as part of this malware campaign.
The following URLs are employed to download the RAR archive file from the phishing websites mentioned above, which include an executable responsible for distributing the BbyStealer malware payload.
- hxxps://totalvpn[.]tech/download/TotalVPN[.]rar
- hxxps://wolfervpn[.]com/download/WolferVPN[.]rar
- hxxps://vpnfortres[.]online/download/FortresVPN[.]rar
- hxxps://itroppervpn[.]online/download/iTropperVPN[.]rar
- hxxps://cdn.discordapp[.]com/attachments/1160770898966622230/1161087215963738174/CyberFortressVPN.rar?ex=653705bc&is=652490bc&hm=b9417ffe67ed173e46c662f30bd7f0d642770438b07040b99d4bd217c44c7942&
The figure below displays some of the executable files associated with VPN applications in this campaign responsible for disseminating BbyStealer.
During our analysis, we found that none of the Anti-Virus vendors detected the malware executable files extracted from the downloaded RAR archives, as shown below.
Technical Details
BbyStealer
We have taken the “TotalVPN.rar” file for the purpose of this analysis. After extracting the archive, we found an executable file named “TotalVPN.exe” within it, as shown below.
Upon execution of the “TotalVPN.exe” file, it only displays the installation window (shown below) to deceive users. It does not proceed to display any other wizard for continuing and completing the installation.
After that, it drops the installation files within the “%localappdata%ProgramsTotalVPN” directory, as shown below, and initiates the execution of “TotalVPN.exe,” which is actually a BbyStealer executable.
The figure below illustrates the process tree of the malware infection that occurs after the successful execution of the “TotalVPN.exe.”
Persistence
Upon execution, the malware creates a copy of itself and drops it into the startup folder, using the name “Updater.exe” to ensure persistence, as shown in the figure below.
After establishing persistence, the stealer terminates the process of web browsers such as Google Chrome, Microsoft Edge, Opera GX, and BraveSoftware by using the following commands:
- “taskkill /IM chrome.exe /F”
- “taskkill /IM msedge.exe /F”
- “taskkill /IM brave.exe /F”
Typically, Threat Actors (TAs) aim to pilfer valuable information like login credentials, personal details, or financial data from the web browser installed locations. Terminating the browsers facilitates easier access to this data for the malware.
Following the termination of running browser processes, the stealer proceeds to gather sensitive information, including login data, web data, autofill, and cookies from the user data folder of the browser. This is accomplished by making duplicates of these files, created with the “.bby” extension, as shown below.
Subsequently, the malware performs a scan to identify specific browser extensions associated with cryptocurrency wallets, as outlined in the table below.
TAs target cryptocurrency wallet extensions to gain access to sensitive data such as private keys, which are essential for accessing the wallet’s funds, as well as public addresses, transaction histories, wallet balances, and user-specific information.
| Crypto Wallet Name | Crypto Wallet Extension |
| Bitget Wallet | jiidiaalihmmhddjgbnbgdfflelocpak |
| Tippin | knhkeligkfmclgkeedceenpopaleokfh |
| Exodus Web3 | aholpfdialjgjfhomihkjbmgjidlcdno |
| GeroWallet | bgpipimickeadkjlklgciifhnalhdjhe |
| Enkrypt | kkpllkodjeloidieedojogacfhpaihoh |
| MultiversX DeFi | dngmlblcodfobpdpecaadgfbcggfjfnm |
| OKX Wallet | mcohilncbfahbmgdjkbpemcciiolgcge |
| Core | Crypto Wallet | agoakfejjabomempkjlepdflaleeobhb |
| Math Wallet | afbcbjpbpfadlkmhmclhkeeodmamcflc |
| MetaMask | ejbalbakoplchlghecdalmeeeajnimhm |
| SafePal | lgmpcpglpngdoalbgeoldeajfclnhafa |
| Sui Wallet | opcgpfmipidbgpenhmajoajpbobppdil |
| Yoroi | ffnbelfdoeiohenkjibnmadjiehjhajb |
| Trust Wallet | egjidjbpglichdcondbcbdnbeeppgdph |
| Temple – Tezos Wallet | ookjlbkiijinhpmnjffcofjonbfbgaoc |
| TON Wallet | nphplpgoakhhjchkkhmiggakijnkhfnd |
| MetaWallet | bkklifkecemccedpkhcebagjpehhabfb |
| Taho | eajafomhmkipbjmfmhebemolkcicgfmd |
| XDEFI Wallet | hmeobnfnfcmdkdcmlblgagmfpfboieaf |
| Fewcha Move Wallet | ebfidpplhabeedpnhjnobghokpiioolj |
| Vigvam | lccbohhgfkdikahanoclbdmaolidjdfl |
Clipper Functionality
Additionally, the malware performs clipper operation, which actively observes the clipboard activity of the victim system. Whenever it detects an attempt to copy a cryptocurrency wallet address for conducting a transaction, it intervenes by substituting the threat actor’s wallet address obtained from the Command-and-Control (C&C) server. As a result, the transaction is rerouted to the TA’s wallet address.
The malware carries out the clipper activity, where it employs PowerShell’s “Get-Clipboard” command to retrieve the clipboard’s content. It subsequently checks it with the regular expression patterns shown in the table below.
| Crypto Currencies | Regular Expression |
| Bitcoin (BTC) | ^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$ |
| Litecoin (LTC) | (?:^[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}$) |
| Ethereum (ETH) | (?:^0x[a-fA-F0-9]{40}$) |
| Stellar Lumens (XLM) | (?:^G[0-9a-zA-Z]{55}$) |
| Monero (XMR) | (?:^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$) |
| Solana (SOL) | (^[1-9A-HJ-NP-Za-km-z]{44}$) |
| Tezos (XTZ) | T[A-Za-z1-9]{33}Q |
| Ripple (XRP) | (?:^r[0-9a-zA-Z]{24,34}$) |
| Bitcoin Cash (BCH) | ^((bitcoincash:)?(q|p)[a-z0-9]{41}) |
| Dash (DASH) | (?:^X[1-9A-HJ-NP-Za-km-z]{33}$) |
| Ontology (ONT) | (?:^A[0-9a-zA-Z]{33}$) |
| Dogecoin (DOGE) | D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32} |
If a match with the regex pattern is found, it utilizes PowerShell’s “Set-Clipboard” command to substitute the TA’s wallet address accordingly. The figure below illustrates the commands executed by the malware for performing the clipper operation.
The following figure displays the occurrence of the stealer’s name within the memory strings of the TotalVPN.exe process.
Command-and-Control (C&C) Server
Finally, the stealer processes the gathered sensitive data and establishes a connection with the below specified C&C server, sending the collected data to it.
- rufflesrefined[.]com
Cookies Parser
The BbyStealer developer also provides a service for parsing cookies through the upload of a text file, as shown in the figure below. After uploading the file, it proceeds to process the text file and split the cookies according to the respective web browsers.
Conclusion
The growing global popularity of VPN applications is primarily attributed to their ability to provide users with increased control over online privacy, security, and content accessibility. However, this widespread adoption of VPNs has also caught the attention of the TAs, who take advantage of this increased demand by impersonating reputable VPN services, thereby disseminating various forms of malware.
CRIL uncovered a malware campaign that involved several phishing websites designed to mimic VPN services. These malicious sites aim to distribute an information-stealing malware known as “BbyStealer.” BbyStealer malware is created with the express purpose of gathering sensitive data from multiple web browsers and crypto wallet extensions and transmitting this information to a C&C server. Additionally, it carries out a clipper operation within the victim’s system.
Cyble Research and Intelligence Labs will continue monitoring the latest phishing campaigns or malware strains in the wild and update blogs with actionable intelligence to protect users from such notorious attacks.
Our Recommendations
- The initial infiltration is taking place via phishing websites. It is crucial to only download and install software applications from well-known and trusted sources.
- Users should confirm the legitimacy of websites by verifying the presence of a secure connection (https://) and ensuring the accurate spelling of domain names.
- Prior to executing any cryptocurrency transactions, users should diligently review their wallet addresses to confirm the absence of any alterations when copying and pasting the genuine wallet addresses.
- Deploy strong antivirus and anti-malware solutions to detect and remove malicious executables and scripts.
- Enhance the system security by creating strong, distinct passwords for each of the accounts and, whenever feasible, activate two-factor authentication.
- Regularly back up data to guarantee the ability to recover it in case of an infection and keep users informed about the most current phishing and social engineering methods employed by cybercriminals.
MITRE ATT&CK® Techniques
| Tactic | Technique | Procedure |
| Initial Access (TA0001) | Phishing (T1566) | This malware reaches users via VPN phishing sites. |
| Execution (TA0002) | Command and Scripting Interpreter: Windows Command Shell (T1059.003) |
cmd.exe is used to run commands like tasklist, taskkill, etc. |
| Execution (TA0002) | Command and Scripting Interpreter: PowerShell (T1059.001) |
PowerShell commands are used to get & modify the clipboard content. |
| Execution (TA0002) | Windows Management Instrumentation (T1047) |
Queries various information from victim’s system |
| Persistence (TA0003) | Registry Run Keys / Startup Folder (T1547.001) |
Drops malware file to the startup folder. |
| Credential Access (TA0006) |
OS Credential Dumping (T1003) |
Tries to harvest and steal browser information. |
| Discovery (TA0007) | Process Discovery (T1057) | Queries a list of all running processes using the tasklist command. |
| Discovery (TA0007) | Query Registry (T1012) | The malware is examining the registry to extract system details. |
| Collection (TA0009) |
Data from Local System (T1005) |
Tries to harvest and steal browser information. |
| Collection (TA0009) |
Clipboard Data (T1115) | Open/Modify clipboard. |
| C&C (TA0011) |
Application Layer Protocol (T1071) |
Performs DNS lookups. |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type |
Description |
| totalvpn[.]tech wolfervpn[.]com vpncyberfortress[.]com vpnfortres[.]online itroppervpn[.]online | Domains | Phishing domains |
| hxxps://totalvpn[.]tech/download/TotalVPN[.]rar | URL | Phishing site download URL |
| hxxps://wolf-ervpn[.]com/download/WolferVPN[.]rar | URL | Phishing site download URL |
| hxxps://vpnfortres[.]online/download/FortresVPN[.]rar | URL | Phishing site download URL |
| hxxps://itroppervpn[.]online/download/iTropperVPN[.]rar | URL | Phishing site download URL |
| hxxps://cdn.discordapp[.]com/attachments/1160770898966622230/1161087215963738174/CyberFortressVPN.rar?ex=653705bc&is=652490bc&hm=b9417ffe67ed173e46c662f30bd7f0d642770438b07040b99d4bd217c44c7942& | URL | Phishing site download URL |
| 2cf6efb8104b5d4606fb1698ae97e4f5 effb88250fcb89bbab77f46c1022f3c9c0aad37e 55a6a784d4acb7e9761a99fb38eb441519cdcd2943bfdf1a1558fe8513690c97 |
MD5 SHA1 SHA256 |
TotalVPN.exe |
| 3cf9c1d65d59b63d479ec26e9fd98b57 eab9cf1e969b5d9a3fda7714c6ae2796aaf44fd0 e97b03c98056d7c88bad83b7422767d51ac75fe959e7d1582cc645d6a2bae84b |
MD5 SHA1 SHA256 |
CyberFortressVPN.exe |
| f1da9126a48197897644a62135c0df46 8fcbf76cccb573d3007032a2148da458f81ffbb1 7a27aca062c7b4b180190452afbc6ba4026a13ca8c9503372459a5b214b68ff9 |
MD5 SHA1 SHA256 |
FlazerVPN.exe |
| 352ba438532e9a7a9941875f3824c1cd d72c3e3b1fdaa271629676d7d0215cc396a106c4 50ab07bd922546f90d2d62565a3618ba7251459c8aaf007945feb3e7c9f29458 |
MD5 SHA1 SHA256 |
ProxtyVPN-v18.16.0-x64.exe |
| 71e0b2a2372398776297cee13c8efa55 c9fd398ed07a2daeeaf526ab094634adbd851934 f46017c2c5c98d89a1d35510ed8eeae263a3f8f60092df2bb13db6918d691a32 |
MD5 SHA1 SHA256 |
WolferVPN. exe |
| bbc3364d8040296b910cf61280cd6ad7 bdd5dec13109f9cfe992ce325f746c0d3bad6c72 833ba04dfe7c93f397117690bf656bdf1cf2768b216f40f525bb0c7527897b9a | MD5 SHA1 SHA256 |
ProxtyVPN-v18.16.0-x64.exe |
| 0d2071be3f76d4b25f19b54d56ff6cb7 8a7fab41932aa2dbe8da17697926d69b15dc6c63 8b93ed446668642a0d3b8dc45b794d76ce71ebd7552de8437975da2b228df9c7 |
MD5 SHA1 SHA256 |
FlazerVPN.exe |
| 1f8eda53714be873e2280d494c9eacbf aae16faf79be993b27791fb7a6a3663320067876 a26a2a95b6ad1449bf4fe5814533b408cdcc67ad5c234c900b6e0b31300018b0 |
MD5 SHA1 SHA256 |
ProxtyVPN-v18.16.0-x64.exe |
| bcd419817ebb4d2ec7e21fbdaf61dd3b 61fd361edcfaecb87dbf3711ecb1dd448d6a2ab2 ae4ea904741b95f044edf0e16ce244dc5a4015050dd9ecf23f2f831435e1ccbc |
MD5 SHA1 SHA256 |
ProxtyVPN-v18.16.0-x64.exe |
| 4ee5a9ffd40f8c0970e53e832bfb9acd 0ee35e1992b93dbeb7adcd2ccdfcafcb3a1dfdae 058caf0c1750391e8a625ee3310c804e1a0034ce890aef4773ef6cfff3ccced5 |
MD5 SHA1 SHA256 |
FortresVPN.exe |
| rufflesrefined[.]com taffylollipop[.]com |
Domain | C&C server |
Related
Source: https://cyble.com/blog/bbystealer-malware-resurfaces-sets-sights-on-vpn-users/