Doenerium Stealer masquerading as Windows Malicious Software Removal Tool
Cyble Research and Intelligence Labs (CRIL) spotted a malicious domain being used in a spear-phishing email campaign targeting Office365 users to steal credentials. The same domain was observed hosting multiple other malware variants, for example, a new stealer called “Doenerium stealer.”
Case 1:
The spear phishing email contains a link masquerading as a PDF attachment targeting Office365 users, as shown below.
Once the user clicks on the link masquerading as a PDF attachment, it redirects them to the phishing page hxxps://neon[.]page/doc03565.
The attacker is running a phishing campaign to steal Microsoft Office 365 credentials. The following figure shows the phishing website used by the attacker.
During the course of our research, we observed that the domain is malicious and hosting multiple malicious files. One such web page hxxps://neon[.]page/Microsoft-Windows-MSRT hosts a malicious stealer as a Microsoft Windows Malicious Software Removal Tool application.
Case 2:
There are two download links for the application, with both 32-bit and 64-bit versions available. However, both links host the same compressed folder with different names to appear genuine. The figure below shows the downloaded files.
The compressed folder contains a Windows executable and a Readme file. The file is named “Windows-KB890830-x64-V5.104.exe,” and the file’s icon is similar to the icon of Node JavaScript framework.
Further, we identified that the malicious file is an open-source stealer available on GitHub. The stealer is actively updating its capabilities and plans to add additional features such as Discord bot building, keylogging, Firefox stealer, etc. The figure below shows the GitHub page of the stealer.
The malicious file is unusually large and comes equipped with anti-sandbox and anti-analysis features, as well as the capability to establish persistence on the victim.
Technical Analysis
The file is a 64-bit Microsoft Visual C/C++ console-based Windows executable file with an unusually large file size of 102 MB.
The figure below shows the properties of the malicious”Windows-KB890830-x64-V5.104.exe” file.
Upon investigating additional properties of the executable, we observed that the downloaded file is further masquerading as “Node.exe,” which is a Javascript framework, as shown below.
After execution, the malware performs malicious activities such as killing running processes, stealing data, monitoring clipboard data, monitoring system processes, etc. The following image shows the process tree of the Doenerium stealer.
The malware then tries to perform privilege escalation using the RTLAdjustPrivilege() function, as shown below.
After gaining access, the malware drops Node JavaScript Framework-related files in the Temp folder. These files are support files required to run the stealer in the background. The figure below shows the Node JS packages.
Once the Node packages are dropped into the Temp folder, the malware checks for running processes to obstruct and prevent any analysis.
The malware then runs “cmd.exe” and executes the tasklist command to list currently running programs on the victim’s machine. The following command is used to list programs:
- C:Windowssystem32cmd.exe /d /s /c “tasklist”
The stealer contains a list of application names related to virtualization software and malware analysis tools. The malware checks and terminates these processes if they are found actively running on the victim’s machine. These applications are:
| Httpdebuggerui | Wireshark | Fiddler |
| Vboxservice | df5serv | Processhacker |
| Vboxtray | vmtoolsd | Vmwaretray |
| ida64 | ollydbg | Pestudio |
| Vmwareuser | vgauthservice | Vmacthlp |
| x96dbg | vmsrvc | x32dbg |
| Vmusrvc | prl_cc | prl_tools |
| Xenservice | qemu-ga | joeboxcontrol |
| ksdumperclient | ksdumper | joeboxserver |
The malware kills these processes using the following command:
- C:Windowssystem32cmd.exe /d /s /c “taskkill /IM <Application Name> /F”
The figure below shows the malware using tasklist and taskkill commands to terminate any targeted applications.
The stealer also has a list of PC names and hardware IDs to identify whether it is being run in a controlled environment. If the PC name and hardware ID are present in the list, then the stealer will terminate itself. The following are the two tables mentioning the PC names and hardware IDs.
PC Names:
| WDAGUtilityAccount | Abby | Peter Wilson |
| hmarc | patex | JOHN-PC |
| kEecfMwgj | Frank | RDhJ0CNFevzX |
| 8Nl0ColNQ5bq | Lisa | John |
| george | PxmdUOpVyx | 8VizSM |
| w0fjuOVmCcP5A | lmVwjj9b | PqONjHVwexsS |
| 3u2v9m8 | Julia | HEUeRzl |
| BEE7370C-8C0C-4 | DESKTOP-NAKFFMT | WIN-5E07COS9ALR |
| B30F0242-1C6A-4 | DESKTOP-VRSQLAG | Q9IATRKPRH |
| XC64ZB | DESKTOP-D019GDM | DESKTOP-WI8CLET |
| SERVER1 | LISA-PC | JOHN-PC |
| DESKTOP-B0T93D6 | DESKTOP-1PYKP29 | DESKTOP-1Y2433R |
| WILEYPC | WORK | 6C4E733F-C2D9-4 |
| RALPHS-PC | DESKTOP-WG3MYJS | DESKTOP-7XC6GEZ |
| DESKTOP-5OV9S0O | QarZhrdBpj | ORELEEPC |
| ARCHIBALDPC | JULIA-PC | d1bnJkfVlH |
Hardware IDs:
| 7AB5C494-39F5-4941-9163-47F54D6D5016 | 032E02B4-0499-05C3-0806-3C0700080009 |
| 03DE0294-0480-05DE-1A06-350700080009 | 11111111-2222-3333-4444-555555555555 |
| 6F3CA5EC-BEC9-4A4D-8274-11168F640058 | ADEEEE9E-EF0A-6B84-B14B-B83A54AFC548 |
| 4C4C4544-0050-3710-8058-CAC04F59344A | 00000000-0000-0000-0000-AC1F6BD04972 |
| 00000000-0000-0000-0000-000000000000 | 5BD24D56-789F-8468-7CDC-CAA7222CC121 |
| 49434D53-0200-9065-2500-65902500E439 | 49434D53-0200-9036-2500-36902500F022 |
| 777D84B3-88D1-451C-93E4-D235177420A7 | 49434D53-0200-9036-2500-369025000C65 |
| B1112042-52E8-E25B-3655-6A4F54155DBF | 00000000-0000-0000-0000-AC1F6BD048FE |
| EB16924B-FB6D-4FA1-8666-17B91F62FB37 | A15A930C-8251-9645-AF63-E45AD728C20C |
| 67E595EB-54AC-4FF0-B5E3-3DA7C7B547E3 | C7D23342-A5D4-68A1-59AC-CF40F735B363 |
| 63203342-0EB0-AA1A-4DF5-3FB37DBB0670 | 44B94D56-65AB-DC02-86A0-98143A7423BF |
| 6608003F-ECE4-494E-B07E-1C4615D1D93C | D9142042-8F51-5EFF-D5F8-EE9AE3D1602A |
| 49434D53-0200-9036-2500-369025003AF0 | 8B4E8278-525C-7343-B825-280AEBCD3BCB |
| 4D4DDC94-E06C-44F4-95FE-33A1ADA5AC27 | 79AF5279-16CF-4094-9758-F88A616D81B4 |
After terminating the targeted processes, the malware drops itself as “Updater.exe”to the Start-up entry to establish persistence. The figure below shows the malware in the Start-up folder.
The stealer then starts an information-stealing operation in the infected system. The malware steals clipboard data if the data has cryptocurrency wallet addresses and replaces it with the attacker’s wallet address.
The stealer uses regex to find the wallet addresses in the clipboard. The figure below shows the routine to get clipboard data to carry out clipper operations.
After checking for clipboard data, the stealer looks for crypto wallet data in the system and steals it. The below figure shows the routine to find wallet data in the victim’s system.
The stealer looks for Discord tokens in various system locations. Figure 16 shows the routine to find Discord tokens stored across different browsers of the victim’s system.
The malware also collects victims’ sensitive information, such as usernames, passwords, cookies, history, bookmarks, and user profiles from the installed browsers. The stealer targets the following browsers:
- Google Chrome
- Opera Stable
- Brave Browser
- Yandex
- Microsoft Edge
The figure below shows the information targeted by the stealer that is present in the victim’s system.
After stealing browser information, the malware steals system information such as CPU, Wi-Fi connections, RAM, Operating System version, host name, PC name, and processors. It then sends this information to the Command and Control (C&C) server. The figure below shows the routine to steal system information.
Finally, the stolen artifacts are stored at the C:Users<Users>AppDataLocal folder location so that the malware can send it to the C&C server. The figure below shows the information collected by the stealer.
After all the data is collected and stored in a specific “Local” folder, the malware compresses the data in a zip file and sends the zip file to the Discord webhook. The figure below shows the routine to send data to the C&C server.
Conclusion
As a consequence of the rise in digital transactions and cryptocurrency usage, malware authors are continuously creating new stealers. The increasing use of digital currency incentivizes cyber criminals to steal funds from cryptocurrency users. This stolen data could then be used to commit financial fraud and stage other attacks.
There is a recent trend wherein the malware authors create GitHub pages, hosting malware builders. These open-source malware builders are upgraded with new features by TAs and are sold in cybercrime forums and markets.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Execution | T1204.002 | User Execution: Malicious File |
| Persistence | T1547.001 | Boot or Logon AutoStart Execution: Registry Run Keys / Startup Folder |
| Privilege Escalation | T1055 | Process Injection |
| Defense Evasion | T1036 | Masquerading |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
| Discovery | T1057 | Process Discovery |
| Command and Control | T1071 | Application Layer Protocol |
Indicators Of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 9b4864d3de5fd251843d09bec1252bef | MD5 | Malicious node.exe |
| afaffc4c8c314249a0ce8017fcf9a549b2ac8337 | SHA1 | Malicious node.exe |
| 609cccf310e725ba4ff4d74edffa0c33d4640f3c391dbbac4e1d00dd3f9c249e | SHA256 | Malicious node.exe |
| f8ea2163d80aca793eefd7b2797f01e4 | MD5 | Malicious Zip |
| 83ffbd5f4f4c2d1b681741d9f751105c4177fafd | SHA1 | Malicious Zip |
| 1b005dd76abc86ada724297b6698d3cbbe77f0bceb8fee41d9303114d689f609 | SHA256 | Malicious Zip |
| hxxps://neon[.]page/Microsoft-Windows-MSRT | URL | Malicious Domain |
| hxxps://neon[.]page/doc0365 | URL | Malicious Link |
| Jaye8059.myportfolio[.]com | Domain | Phishing Webpage |
Related
Source: https://blog.cyble.com/2022/09/28/new-information-stealer-targeting-crypto-wallets/