BbyStealer Malware Resurfaces, Sets Sights On VPN Users – Cyble

Key Takeaways

  • Cyble Research and Intelligence Labs (CRIL) has uncovered a malware campaign that utilizes multiple phishing domains to target users who are downloading Virtual Private Network (VPN) Windows applications.
  • In this campaign, the downloaded VPN application is utilized to disseminate an information-stealing malware known as “BbyStealer.”
  • BbyStealer malware was first reported in early 2022. Currently, it has resurfaced with a different developer, as the previous developer has been ousted from the project.
  • BbyStealer is designed to collect sensitive details from various web browsers and crypto wallet extensions, sending the stolen information to a remote server. Furthermore, it performs a clipper operation on the victim’s system.

Overview

Threat Actors (TAs) employ phishing websites as their primary means of disseminating malware. These TAs often incorporate brand impersonation into their phishing campaigns, skillfully deceiving users by creating a facade of trustworthiness and legitimacy, ultimately luring unsuspecting individuals.

CRIL recently discovered a phishing website with the name “totalvpn[.]tech” that distributes a RAR archive file named “TotalVPN.rar.” After decompressing the downloaded archive file, it contains an executable file named “TotalVPN.exe” – an NSIS installer file. Upon investigation, it was determined that the identified file is actually an information-stealing malware known as “BbyStealer.”

BbyStealer malware was initially reported at the beginning of 2022. BbyStealer was previously associated with the “Try my game” scam and was reported by a Reddit user ‘Beautiful_Ad_4680″. Currently, BbyStealer has made a return with a new developer, as stated in their Telegram channel, shown below.

BbyStealer, Telegram
Figure 1 – BbyStealer Telegram channel

CRIL has encountered numerous RAR files bearing the names of VPN applications uploaded to VirusTotal since the beginning of October. These files are being used to distribute BbyStealer malware to the users’ systems.

This malware campaign targets VPN applications and employs the following file names:

  • TotalVPN.rar
  • WolferVPN.rar
  • CyberFortressVPN.rar
  • FortresVPN.rar
  • FlazerVPN.rar
  • FlazerVPN-v18.16.0-x64.rar
  • ProxtyVPN-v18.16.0-x64.rar
  • iTropperVPN.rar

Initial Infection

The initial infection commences with a phishing website that specifically targets individuals seeking a Windows VPN application such as FlazerVPN, TotalVPN, and more.

CRIL has recently identified several VPN phishing websites, and the following figures illustrate the findings. These websites serve as a means to disseminate a malware payload as part of this malware campaign.

Figure 2 TotalVPN phishing domain
Figure 2 – TotalVPN phishing domain
WolferVPN, Phishing
Figure 3 – WolferVPN phishing domain
FortresVPN, Phishing
Figure 4 –  FortresVPN phishing domain
ITropperVPN, Phishing
Figure 5 – iTropperVPN phishing domain
CyberFortressVPN, Phishing
Figure 6 – CyberFortressVPN phishing domain

The following URLs are employed to download the RAR archive file from the phishing websites mentioned above, which include an executable responsible for distributing the BbyStealer malware payload.

  • hxxps://totalvpn[.]tech/download/TotalVPN[.]rar
  • hxxps://wolfervpn[.]com/download/WolferVPN[.]rar
  • hxxps://vpnfortres[.]online/download/FortresVPN[.]rar
  • hxxps://itroppervpn[.]online/download/iTropperVPN[.]rar
  • hxxps://cdn.discordapp[.]com/attachments/1160770898966622230/1161087215963738174/CyberFortressVPN.rar?ex=653705bc&is=652490bc&hm=b9417ffe67ed173e46c662f30bd7f0d642770438b07040b99d4bd217c44c7942&

The figure below displays some of the executable files associated with VPN applications in this campaign responsible for disseminating BbyStealer.

BbyStealer, Phishing
Figure 7 – Malicious VPN application executables

During our analysis, we found that none of the Anti-Virus vendors detected the malware executable files extracted from the downloaded RAR archives, as shown below.

VirusTotal, BbyStealer
Figure 8 – VirusTotal detection

Technical Details

BbyStealer

We have taken the “TotalVPN.rar” file for the purpose of this analysis. After extracting the archive, we found an executable file named “TotalVPN.exe” within it, as shown below.

RAR, BbyStealer
Figure 9 – Downloaded RAR archive contains an executable file

Upon execution of the “TotalVPN.exe” file, it only displays the installation window (shown below) to deceive users. It does not proceed to display any other wizard for continuing and completing the installation.

TotalVPN, Phishing
Figure 10 – TotalVPN installation

After that, it drops the installation files within the “%localappdata%ProgramsTotalVPN” directory, as shown below, and initiates the execution of “TotalVPN.exe,” which is actually a BbyStealer executable.

TotalVPN, Phishing, Installation
Figure 11 – TotalVPN installation folder

The figure below illustrates the process tree of the malware infection that occurs after the successful execution of the “TotalVPN.exe.”

Figure 12 Process Tree
Figure 12 – Process Tree

Persistence

Upon execution, the malware creates a copy of itself and drops it into the startup folder, using the name “Updater.exe” to ensure persistence, as shown in the figure below.

Figure 13 Persistence
Figure 13 – Persistence

After establishing persistence, the stealer terminates the process of web browsers such as Google Chrome, Microsoft Edge, Opera GX, and BraveSoftware by using the following commands:

  • “taskkill /IM chrome.exe /F”
  • “taskkill /IM msedge.exe /F”
  • “taskkill /IM brave.exe /F”

Typically, Threat Actors (TAs) aim to pilfer valuable information like login credentials, personal details, or financial data from the web browser installed locations. Terminating the browsers facilitates easier access to this data for the malware.

Following the termination of running browser processes, the stealer proceeds to gather sensitive information, including login data, web data, autofill, and cookies from the user data folder of the browser. This is accomplished by making duplicates of these files, created with the “.bby” extension, as shown below.

BbyStealer, Stealer
Figure 14 – Collecting sensitive Information from browser’s directory

Subsequently, the malware performs a scan to identify specific browser extensions associated with cryptocurrency wallets, as outlined in the table below.

TAs target cryptocurrency wallet extensions to gain access to sensitive data such as private keys, which are essential for accessing the wallet’s funds, as well as public addresses, transaction histories, wallet balances, and user-specific information.

Crypto Wallet Name Crypto Wallet Extension
Bitget Wallet jiidiaalihmmhddjgbnbgdfflelocpak
Tippin knhkeligkfmclgkeedceenpopaleokfh
Exodus Web3 aholpfdialjgjfhomihkjbmgjidlcdno
GeroWallet bgpipimickeadkjlklgciifhnalhdjhe
Enkrypt kkpllkodjeloidieedojogacfhpaihoh
MultiversX DeFi dngmlblcodfobpdpecaadgfbcggfjfnm
OKX Wallet mcohilncbfahbmgdjkbpemcciiolgcge
Core | Crypto Wallet agoakfejjabomempkjlepdflaleeobhb
Math Wallet afbcbjpbpfadlkmhmclhkeeodmamcflc
MetaMask ejbalbakoplchlghecdalmeeeajnimhm
SafePal lgmpcpglpngdoalbgeoldeajfclnhafa
Sui Wallet opcgpfmipidbgpenhmajoajpbobppdil
Yoroi ffnbelfdoeiohenkjibnmadjiehjhajb
Trust Wallet egjidjbpglichdcondbcbdnbeeppgdph
Temple – Tezos Wallet ookjlbkiijinhpmnjffcofjonbfbgaoc
TON Wallet nphplpgoakhhjchkkhmiggakijnkhfnd
MetaWallet bkklifkecemccedpkhcebagjpehhabfb
Taho eajafomhmkipbjmfmhebemolkcicgfmd
XDEFI Wallet hmeobnfnfcmdkdcmlblgagmfpfboieaf
Fewcha Move Wallet ebfidpplhabeedpnhjnobghokpiioolj
Vigvam lccbohhgfkdikahanoclbdmaolidjdfl

Clipper Functionality

Additionally, the malware performs clipper operation, which actively observes the clipboard activity of the victim system. Whenever it detects an attempt to copy a cryptocurrency wallet address for conducting a transaction, it intervenes by substituting the threat actor’s wallet address obtained from the Command-and-Control (C&C) server. As a result, the transaction is rerouted to the TA’s wallet address.

The malware carries out the clipper activity, where it employs PowerShell’s “Get-Clipboard” command to retrieve the clipboard’s content. It subsequently checks it with the regular expression patterns shown in the table below.

Crypto Currencies Regular Expression
Bitcoin (BTC) ^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$
Litecoin (LTC) (?:^[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}$)
Ethereum (ETH) (?:^0x[a-fA-F0-9]{40}$)
Stellar Lumens (XLM) (?:^G[0-9a-zA-Z]{55}$)
Monero (XMR) (?:^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$)
Solana (SOL) (^[1-9A-HJ-NP-Za-km-z]{44}$)
Tezos (XTZ) T[A-Za-z1-9]{33}Q
Ripple (XRP) (?:^r[0-9a-zA-Z]{24,34}$)
Bitcoin Cash (BCH) ^((bitcoincash:)?(q|p)[a-z0-9]{41})
Dash (DASH) (?:^X[1-9A-HJ-NP-Za-km-z]{33}$)
Ontology (ONT) (?:^A[0-9a-zA-Z]{33}$)
Dogecoin (DOGE) D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}

If a match with the regex pattern is found, it utilizes PowerShell’s “Set-Clipboard” command to substitute the TA’s wallet address accordingly. The figure below illustrates the commands executed by the malware for performing the clipper operation.

Clipper, BbyStealer
Figure 15 – Clipper operation

The following figure displays the occurrence of the stealer’s name within the memory strings of the TotalVPN.exe process.

Figure 16 Memory strings
Figure 16 – Memory strings

Command-and-Control (C&C) Server

Finally, the stealer processes the gathered sensitive data and establishes a connection with the below specified C&C server, sending the collected data to it.

  • rufflesrefined[.]com

Cookies Parser

The BbyStealer developer also provides a service for parsing cookies through the upload of a text file, as shown in the figure below. After uploading the file, it proceeds to process the text file and split the cookies according to the respective web browsers.

BbyStealer, Cookies
Figure 17 – Online cookie parser of BbyStealer

Conclusion

The growing global popularity of VPN applications is primarily attributed to their ability to provide users with increased control over online privacy, security, and content accessibility. However, this widespread adoption of VPNs has also caught the attention of the TAs, who take advantage of this increased demand by impersonating reputable VPN services, thereby disseminating various forms of malware.

CRIL uncovered a malware campaign that involved several phishing websites designed to mimic VPN services. These malicious sites aim to distribute an information-stealing malware known as “BbyStealer.” BbyStealer malware is created with the express purpose of gathering sensitive data from multiple web browsers and crypto wallet extensions and transmitting this information to a C&C server. Additionally, it carries out a clipper operation within the victim’s system.

Cyble Research and Intelligence Labs will continue monitoring the latest phishing campaigns or malware strains in the wild and update blogs with actionable intelligence to protect users from such notorious attacks.

Our Recommendations

  • The initial infiltration is taking place via phishing websites. It is crucial to only download and install software applications from well-known and trusted sources.
  • Users should confirm the legitimacy of websites by verifying the presence of a secure connection (https://) and ensuring the accurate spelling of domain names.
  • Prior to executing any cryptocurrency transactions, users should diligently review their wallet addresses to confirm the absence of any alterations when copying and pasting the genuine wallet addresses.
  • Deploy strong antivirus and anti-malware solutions to detect and remove malicious executables and scripts.
  • Enhance the system security by creating strong, distinct passwords for each of the accounts and, whenever feasible, activate two-factor authentication.
  • Regularly back up data to guarantee the ability to recover it in case of an infection and keep users informed about the most current phishing and social engineering methods employed by cybercriminals.

MITRE ATT&CK® Techniques

Tactic  Technique Procedure
Initial Access (TA0001) Phishing (T1566) This malware reaches users via VPN phishing sites.
Execution  (TA0002) Command and Scripting
Interpreter: Windows
Command Shell
(T1059.003)
cmd.exe is used to run commands like tasklist,
taskkill, etc.
Execution  (TA0002) Command and Scripting
Interpreter: PowerShell
(T1059.001)
PowerShell commands are used to get & modify
the clipboard content.
Execution  (TA0002) Windows Management Instrumentation
(T1047)
Queries various information from victim’s
system
Persistence (TA0003) Registry Run Keys / Startup
Folder
(T1547.001)
Drops malware file to the startup folder.
Credential
Access (TA0006)
OS Credential Dumping
(T1003)
Tries to harvest and steal browser information.
Discovery (TA0007) Process Discovery (T1057) Queries a list of all running processes using the
tasklist command.
Discovery (TA0007) Query Registry (T1012) The malware is examining the registry to
extract system details.
Collection
(TA0009)
Data from Local System
(T1005)
Tries to harvest and steal browser information.
Collection
(TA0009)
Clipboard Data (T1115) Open/Modify clipboard.
C&C
(TA0011)
Application Layer Protocol
(T1071)
Performs DNS lookups.

Indicators of Compromise (IOCs)

Indicators Indicator
Type
Description
totalvpn[.]tech wolfervpn[.]com vpncyberfortress[.]com vpnfortres[.]online itroppervpn[.]online Domains Phishing domains
hxxps://totalvpn[.]tech/download/TotalVPN[.]rar URL Phishing site
download URL
hxxps://wolf-ervpn[.]com/download/WolferVPN[.]rar URL Phishing site
download URL
hxxps://vpnfortres[.]online/download/FortresVPN[.]rar URL Phishing site
download URL
hxxps://itroppervpn[.]online/download/iTropperVPN[.]rar URL Phishing site
download URL
hxxps://cdn.discordapp[.]com/attachments/1160770898966622230/1161087215963738174/CyberFortressVPN.rar?ex=653705bc&is=652490bc&hm=b9417ffe67ed173e46c662f30bd7f0d642770438b07040b99d4bd217c44c7942& URL Phishing site
download URL
2cf6efb8104b5d4606fb1698ae97e4f5
effb88250fcb89bbab77f46c1022f3c9c0aad37e 55a6a784d4acb7e9761a99fb38eb441519cdcd2943bfdf1a1558fe8513690c97
MD5
SHA1
SHA256
TotalVPN.exe
3cf9c1d65d59b63d479ec26e9fd98b57
eab9cf1e969b5d9a3fda7714c6ae2796aaf44fd0
e97b03c98056d7c88bad83b7422767d51ac75fe959e7d1582cc645d6a2bae84b
MD5
SHA1
SHA256
CyberFortressVPN.exe
f1da9126a48197897644a62135c0df46
8fcbf76cccb573d3007032a2148da458f81ffbb1
7a27aca062c7b4b180190452afbc6ba4026a13ca8c9503372459a5b214b68ff9
MD5
SHA1
SHA256
FlazerVPN.exe
352ba438532e9a7a9941875f3824c1cd
d72c3e3b1fdaa271629676d7d0215cc396a106c4
50ab07bd922546f90d2d62565a3618ba7251459c8aaf007945feb3e7c9f29458
MD5
SHA1
SHA256
ProxtyVPN-v18.16.0-x64.exe
71e0b2a2372398776297cee13c8efa55
c9fd398ed07a2daeeaf526ab094634adbd851934
f46017c2c5c98d89a1d35510ed8eeae263a3f8f60092df2bb13db6918d691a32
MD5
SHA1
SHA256
WolferVPN.
exe
bbc3364d8040296b910cf61280cd6ad7 bdd5dec13109f9cfe992ce325f746c0d3bad6c72 833ba04dfe7c93f397117690bf656bdf1cf2768b216f40f525bb0c7527897b9a MD5
SHA1
SHA256
ProxtyVPN-v18.16.0-x64.exe
0d2071be3f76d4b25f19b54d56ff6cb7
8a7fab41932aa2dbe8da17697926d69b15dc6c63
8b93ed446668642a0d3b8dc45b794d76ce71ebd7552de8437975da2b228df9c7
MD5
SHA1
SHA256
FlazerVPN.exe
1f8eda53714be873e2280d494c9eacbf
aae16faf79be993b27791fb7a6a3663320067876
a26a2a95b6ad1449bf4fe5814533b408cdcc67ad5c234c900b6e0b31300018b0
MD5
SHA1
SHA256
ProxtyVPN-v18.16.0-x64.exe
bcd419817ebb4d2ec7e21fbdaf61dd3b
61fd361edcfaecb87dbf3711ecb1dd448d6a2ab2
ae4ea904741b95f044edf0e16ce244dc5a4015050dd9ecf23f2f831435e1ccbc
MD5
SHA1
SHA256
ProxtyVPN-v18.16.0-x64.exe
4ee5a9ffd40f8c0970e53e832bfb9acd
0ee35e1992b93dbeb7adcd2ccdfcafcb3a1dfdae
058caf0c1750391e8a625ee3310c804e1a0034ce890aef4773ef6cfff3ccced5
MD5
SHA1
SHA256
FortresVPN.exe
rufflesrefined[.]com
taffylollipop[.]com
Domain C&C server

Source: https://cyble.com/blog/bbystealer-malware-resurfaces-sets-sights-on-vpn-users/