New Temp Stealer Spreading Via Free & Cracked Software
While monitoring the Dark web for emerging threats, our researcher at Cyble Research and Intelligence Labs (CRIL) found a post where Threat Actors (TAs) advertising a project named “Temp” and selling a loader and stealer. The TA named them Temp Loader and Temp Stealer, respectively.
The Temp Loader is developed for deploying additional malicious files into the victim system. The Temp Stealer is information stealer malware that can exfiltrate crypto wallets, system information, browser data, and other important system & software information and then send it to the attacker’s remote server.
After searching for the impact of the loader and information stealer on the surface web, we identified multiple active instances of the Temp Stealer in the wild.
The stealer is disguised as cracks, keygens and can also be bundled with other software. The malware developer posted about the capabilities of the stealer and loader in the Dark Web. The figure below shows the post for Temp Loader.
English translation of the Temp Loader post is as follows:
Description:
Native stub without dependencies written in C++
Runs even on a clean computer!
Built-in Anti-VM
Ability to add Fake Error (and its customization)
Ability to use RunPE
You can add any number of links
Price
15$ (900 rub) – 1 Month
49$ (3000 rub) – Lifetime
Malware developers also posted about Temp Stealer and its capabilities. The figure below shows the post for Temp Stealer.
The English translation of the post by malware authors is mentioned below:
Description:
Collection of more than 40 types of crypto wallets.
Recursive search for browsers (even finds custom browsers or browsers with a changed folder name). Collecting information about the PC (IP, Country, City, Zipcode, Timezone, Ram, Processor, GPU, Screenshot).
The stub is written in C++ (native).
Log collection in memory.
Quick build through the bot.
Collection of Telegram, Steam, and FTP sessions.
Collection of Cookies, Autofills, and Passes.
Multifunctional Telegram bot.
Price:
7 days – 5$
30 days – 15$
(lolz +7%, qiwi, crypto)
According to the malware, developers post that the stealer can collect more than forty crypto wallets, search for custom browsers to steal data, steal system information, and track the victim’s geolocation. Additionally, the stealer collects information related to Telegram, Steam, FTP Session, Cookies, Autofill, Passwords, and works as a Telegram bot.
Initial Infection and Persistence:
As per our analysis, the stealer is masquerading using the following names, indicating that this stealer targets users who are interested in downloading free and cracked software.
- azclean3_setup.exe
- CheatLoader.exe
- Shadow Fiend Game.exe
- RainbowCrackV4.8.exe
- spoofer.exe
It’s also observed that the stealer is bundled with other software installers. One example shows that Temp Stealer targets Adobe Photoshop users by bundling the malicious stealer into the Topaz Clean stylization tool installer, which installs a plugin for Adobe Photoshop Software.
The TAs usually upload this Malicious bundled software to a site that provides services to users for downloading various free and Cracked software. The user interested in this software will be redirected to these websites using Google SEO and download the file.
The initial infection initiates when user clicks on the installer that has Temp Stealer bundled to it. The below Figure shows the Topaz Clean installer installation wizard.
The installer drops Temp Stealer in the %temp% location, as shown in the below figure.
After dropping the stealer, the installer then creates an autorun registry entry for Temp Stealer; the figure below shows the registry entry created by the installer for stealer persistence.
Technical Details of Temp Stealer
The Malicious Topaz Clean installer file dropped Temp Stealer with file hash: “SHA256:d5889aac10527ddc7d4b03407a8933a84a1ea0550f61d442493d4f3237203e3c”. The file is a 64-bit GUI executable compiled using Microsoft Visual C/C++. The figure below shows the static file details. The TimeDateStamp indicates that the malware was compiled recently.
After execution, the malware tries to connect to an embedded IP 79[.]137[.]199[.]73. After connecting to the mentioned IP, the stealer then checks for the wallets in the system to steal the file related to the corresponding wallets. The Stealer targets the following crypto wallets in the Victims machine.
| Exodus Web Wallet | BitAppWallet | BinanceChain |
| BraveWallet | EqualWallet | iWallet |
| MathWallet | NiftyWallet | Wombat |
| Coin98Wallet | Phantom | XDCPay |
| BitApp | GuildWallet | ICONex |
| Oxygen | YoroiWallet | GuardaWallet |
| JaxxLiberty | AtomicWallet | SaturnWallet |
| RoninWallet | TerraStation | HarmonyWallet |
| TonCrystal | KardiaChain | PaliWallet |
| LiqualityWallet | XdefiWallet | NamiWallet |
| MaiarDeFiWallet | Authenticator | TempleWallet |
Also, the stealer steals data from the following crypto wallets, which are hard coded in the stealer binary.
| Exodus | Aholpfdialjgjfhomihkjbmgjidlcdno |
| BitApp Wallet | Fihkakfobkmkjojpchpfgcmhfjnmnfpi |
| BinanceChain | Fhbohimaelbohpjbbldcngcnapndodjp |
| Brave wallet | Odbfpeeihdkbihmopkbjmoonfanlbfcl |
| Coinbase Wallet | Hnfanknocfeofbddgcijnmhnfnkdnaad |
| EQUAL Wallet | blnieiiffboillknjnepogjhkgnoapac |
| iWallet | kncchdigobghenbbaddojjnnaogfppfj |
| Math Wallet | afbcbjpbpfadlkmhmclhkeeodmamcflc |
| MetaMask | Nkbihfbeogaeaoehlefnkodbefgpgknn |
| Nifty Wallet | Jbdaocneiiinmjbjlgalhcelgbejmnid |
| TronLink | Ibnejdfjmmkpcnlpebklmnkoeoihofec |
| Wombat | amkmjjmmflddogmhpjloimipbofnfjih |
| Coin98 | aeachknmefphepccionboohckonoeemg |
| Phantom | bfnaelmomeimhlpmgjnjophhpkkoljpa |
| MOBOX Wallet | fcckkdbjnoikooededlapcalpionmalo |
| XDCPay | bocpokimicclpaiekenaeelehdjllofo |
| GuildWallet | nanjmdknhkinifnkgdcggcfnhdaammmj |
| ICONex | flpiciilemghbmfalicajoolhkkenfel |
| Copay | cnidaodnidkbaplmghlelgikaiejfhja |
| Oxygen | fhilaheimglignddkjgofkcbgekhenbh |
| Yori | ffnbelfdoeiohenkjibnmadjiehjhajb |
| Guarda | hpglfhgfnhbgpjdenjgmdgoeiappafln |
| Jaxx Liberty | cjelfplplebdjjenllpjcblmjkfcffne |
| MEW CX | nlbmnnijcnlegkjjpcfjclmcfggfefdm |
| Saturn Wallet | nkddgncdjgjfcddamfgcmfnlhccnimig |
| Ronin Wallet | fnjhmkhhmkbjkkabndcnnogagogbneec |
| Terra Station | aiifbnbfobpmeekipheeijimdpnlpgpp |
| Harmony ONE | fnnegphlobjdpkhecapkijjdkgcjhkib |
| EVER Wallet | cgeeodpfagjceefieflmdfphplkenlfk |
| KardiaChain Wallet | pdadjkfkgcafgbceimcpbkalnfnepbnk |
| Pali Wallet | mgffkfbidihjpoaomajlbgchddlicgpn |
| BOLT X | aodkkagnadcbobfpggfnjeongemjbjca |
| Liquality Wallet | kpfopkelmapcoipemfendmdcghnegimn |
| XDEFI Wallet | hmeobnfnfcmdkdcmlblgagmfpfboieaf |
| Nami | lpfcbjknijpeeillifnkikgncikgfhdo |
| Maiar DeFi Wallet | dngmlblcodfobpdpecaadgfbcggfjfnm |
| Authenticator | bhghoamapcdpbohphigoooaddinpkbai |
The stealer also steals cookies, usernames, passwords, autofills, history from the Chromium and Firefox-based browsers. The Temp Stealer recursively searches for all installed browsers and steals sensitive information from them. The below image shows the code that steals browser data.
The stealer then checks for steam application in the system by checking registry entry HKLMSoftwareClassessteamShellOpenCommand. If the registry entry exists, then the stealer looks for Steam Sentry File (SNF) and Config file to steal data which includes player profiles, passwords, etc. The figure below shows the pseudocode of the stealer checking for steam registry key.
After collecting steam data, the stealer checks for the Telegram application and steals Telegram’s data from the victim’s system. First, the stealer checks If Telegram is installed in the machine by checking the registry- HKUSoftwareClassestdesktop.tgshellopencommand. If the registry entry is present, then the stealer identifies the installation folder of Telegram and then checks for tdata and working folder, which contains Telegram session data, messages, images, etc. The figure below shows that Stealer is looking for Telegram artifacts.
The stealer takes a screenshot of the current Windows and saves it for exfiltration. The Code snippet in the figure below shows the routine to capture the screenshot.
After taking a screenshot, the stealer gets the geolocation details by calling the URL hxxp://ip-api.com/xml/, which response with details in XML format. The stealer then parses the XML and gets the geolocation details of the victim. The figure below shows the routine to get the geolocation details.
The stealer then extracts the IP address, Country, City, Zip code, and Timezone details, as shown in the figure below.
The Stealer also collects details of RAM, Processor, and GPU from the victim’s system, as shown in the figure below.
The stealer steals the FileZillarecentservers.xml file from the victim system, which contains session information of the FileZilla FTP client. The figure below shows the routine to get the FileZilla session file.
Stealer then looks for discord token files and steals them; the figure below shows the location of the discord token files.
After getting all the above information, the stealer then sends the data to the attacker’s remote server. The figure below shows the routine to send stolen information to a remote server.
The Temp stealer identified to be sending the stolen information to IPs 79[.]137[.]199[.]73, 157[.]90[.]126[.]84, which are hosted in Europe. The below figure shows the information of the IPs.
Conclusion
Bundling malware in the software tools is quite common among attackers. Now we are observing the rise of the stealers bundled into the software and utility tools to target potential victims globally. The temp stealer not only targets Crypto wallets but also steals data from Discord, Steam, and Telegram applications. The malware authors are continuously creating new stealers as there is a rise in digital transactions and cryptocurrency usage. The increasing use of digital currency incentivizes cyber criminals to steal funds from cryptocurrency users. This stolen data could then be used to commit financial fraud and other attacks.
Our Recommendations
- Avoid downloading pirated software from Warez/Torrent websites. The “Hack Tool” present on sites such as YouTube, Torrent sites, etc., contains such malware.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and Email attachments without first verifying their authenticity.
- Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Credential Access | T1555 T1528 T1539 |
Credentials from Password Stores Steal Application Access Token Steal Web Session Cookie |
| Discovery | T1087 T1083 |
Account Discovery File and Directory Discovery |
| Collection | T1213 T1005 T1113 |
Data from Information Repositories Data from Local System Screen Capture |
| Command and Control | T1071 | Application Layer Protocol |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
Indicators of Compromise
| Indicators | Indicator Type |
Description |
| 49aefb24f729dbd71cef9cb382692ca6 f025735b2dfffe4ae43c5154881a3f7fcd9f32ea d5889aac10527ddc7d4b03407a8933a84a1ea0550f61d442493d4f3237203e3c | MD5 SHA1 Sha256 |
Temp Stealer Executable |
| bc6bb3430654d410bd9e40292bf32d77 8b54d67c889e9f13f232cd9b4d72253f9e5af99a 38b387b09dee7eefddcf164239be0bda1fb15285aea27e3f5b1008c7c727929a | MD5 SHA1 Sha256 |
Temp Stealer Executable |
| 47dbbc7793152a8cb36cde2da0529684 16dc7205c3931c0f873c8b2e236742720d1e3a55 8619435c6dc202f45919fafdc7538d46220f42cadefccdba2cf094eccb09e436 | MD5 SHA1 Sha256 |
Temp Stealer Executable |
| 9335349810042820689b6d558dff50c1 e98cd5d2e3351d20f348fc983f9e679450c33181 54d6c6372fd8bfb52431986be148d41b021376770ef13a3baf70912488dd3863 | MD5 SHA1 Sha256 |
Temp Stealer Executable |
| ad14fb5c857053d9bdebc4c63ba0a57d 2322090e024942fad77e0250e8cbc7e691663993 3c0856becfc32d59dc0503adb58d111ae56a1625ee99bdef4bcc5907f91dc69f | MD5 SHA1 Sha256 |
Temp Stealer Executable |
| 3c9df1d7f4835810fad268435699f1a7 05e0fc8c5cd5da82e94316afe82e8408fab03974 7b9830bfdd87e47b4e6995b3e88640eb690bdef7642c74775e1f3ab89e71d5ce | MD5 SHA1 Sha256 |
Temp Stealer Executable |
| c84a51c0e598563ff4c5b2e494da0152 9f345c4e7f192380f7b2d098436a392ecf97ff73 f7cd47dc867e19dfdc37a0e6c59f6993155d4ad03f9b06292f6cd21515a8c234 | MD5 SHA1 Sha256 |
Temp Stealer Executable |
| dfbb9e4a30a266ea453637ddfe370e14 ddb20679f08d94e84c5e64d5f2fa00f105ad8204 f642d7450c597b067ad47ee5220c8c028f0c28b4473093028e3371b450fad9e0 | MD5 SHA1 Sha256 |
Temp Stealer Executable |
| 4da571eb595d83a4f3ffe3e0047efd8a 063d687a6a88804000162deeb00244d22cfe3228 6330b32586d7b1f4c09193cff1118aa6e33fbe2fcbf174264fe5793e45f20748 | MD5 SHA1 Sha256 |
Temp Stealer Executable |
| 51a4b9154b05dde9c7e14831fc54c6b3 8db134b83a65293dd675c52de2996e1c618b07ef 55d86d705daefee9c692cd742d83ec670b976261d0c2e28ccb4933d4f6483182 | MD5 SHA1 Sha256 |
Temp Stealer Executable |
| 42febc30a814484455ee8f31ee2f2d88 b71332d1aacc1907cdaeaad0cc987621c893f8e7 30a62745d4c135ee3bec73a1d4903cb42add1b2d846c16e65e73ffca41386cf2 | MD5 SHA1 Sha256 |
Temp Stealer Executable |
| 72f5de4a2f52c098ba5520ebaa022290 196b144cd138ab958ea0c2b5eb1a641d9936abce 3dcaa05c859118dc53752f74df59f74c05e7919bd0df635584c74dc8077d11c1 | MD5 SHA1 Sha256 |
Temp Stealer Executable |
| 18a5458b38dc20ecc4f9c9e50d369563 7187a067b664692344a61eadaf1cd47f580add61 bd95a70300f8cc5bcc0f8d7bdcd269234eff52fa79ecd97c150e58b923b4c51a | MD5 SHA1 Sha256 |
Temp Stealer Executable |
| 2996f780af9b3fdb28971e887ff8436a 294dd0574cc6b953c0bebc1c15b725321073aa82 54f4df7424b205b9931b87bf4b5e5635374165e1ed298642034f2fcc44a7ff70 | MD5 SHA1 Sha256 |
Temp Stealer Executable |
| 1f7a139d3c23ded0904a845b7a2db053 39431e960dae6140e4603bddb890de58370b920e b8ad6a975cec6279208fd7b5073107eefbbfd7ebdb2f674e7bd0578b18484eee | MD5 SHA1 Sha256 |
Temp Stealer Executable |
| 79[.]137[.]199[.]73 | IP | Communicating IP |
| 157[.]90[.]126[.]84 | IP | Communicating IP |
Related
Source: https://blog.cyble.com/2022/10/20/infostealer-distributed-using-bundled-installer/