Cyble – New Open-Source ‘Trap Stealer’ Pilfers Data In Just 6 Seconds

Key takeaways

  • The blog provides deep insights into a newly identified stealer known as “Trap Stealer” – an open-source Python-based program.
  • The developer of this stealer claims that it is designed to extract a wide range of sensitive data from compromised systems in just 6 seconds.
  • The stealer attempts to entice potential victims through deceptive gift card generators, fraudulent webhook spamming, and fake webhook deletion, all designed to lure users into downloading this tool.
  • This stealer can extract sensitive information, including system details, user data from different web browsers, Discord tokens, files from the WhatsApp desktop application, and more.
  • It uses a Discord webhook to send the stolen files to Threat Actors (TAs).
  • The stealer has the ability to trigger a specific hard error, causing an intentional system crash.

Overview

As per our recent observations, stealers have continued to evolve with increasingly sophisticated features, and the proliferation of open-source code has played a pivotal role in the introduction of numerous stealers. In our recent blog, we highlighted the capabilities of ‘Exela Stealer,’ an open-source tool proficient at extracting diverse data from compromised systems. TAs are effectively leveraging these open-source stealers to meet their specific requirements.

On October 25th, Cyble Research and Intelligence Labs (CRIL) came across a new open-source stealer named “Trap Stealer” through VirusTotal. Moreover, we have determined that the developer of this stealer has openly shared the complete source code on GitHub. The image below displays the GitHub page of the Trap Stealer developer, where the developer explicitly states that this stealer can capture victims’ data within a mere 6 seconds.

Figure 1 – GitHub Page of the Trap Stealer Developer

Trap Stealer, a Python-based tool built through an open-source builder, encompasses various functionalities, ranging from bypassing security measures to pilfering user data and transmitting it to TAs. This stealer is designed for covertly extracting a wide range of sensitive information from the compromised system, encompassing cookies, browsing histories from all web browsers, Tokens from Discord applications, clipboard contents, crypto wallet data, WhatsApp files, and more.

Notably, the developer is continually enhancing the stealer’s code by introducing new features and capabilities. The below image displays the features included in Trap Stealer.

Figure 2 – Features included in Trap Stealer

The collected data is formatted and sent to the TA’s Discord webhook at specific time intervals. The image below demonstrates the view of collected information shared over Discord.

Figure 3 – Exfiltrated Information Displayed in Discord

Furthermore, the stealer includes an optional crasher module, which attempts to initiate a system crash once the exfiltration is completed.

Building the Trap Stealer

The process of building this stealer is triggered when the Python script file “builder.py” is executed within the Trap Stealer setup folder. The image provided below displays the contents of the Trap Stealer setup folder.

Figure 4 – Files present in the Trap Stealer setup folder

The initial action taken by the builder is to create a directory named “Build” in the current working directory, copy a file named “main.py” to the “Build” directory, and rename the copied file to “Trap-Stl-Building.py”. The primary code for the stealer resides within the “main.py” file.

Next, the builder asks the user for a Discord webhook URL and requests it, checking the HTTP response status code. If the status code is 200 (OK) and the entered URL contains either ‘discord.com’ or ‘discordapp.com,’ the build proceeds. If either condition fails, the builder prints an ‘Invalid Webhook’ message and keeps prompting until a working webhook URL is supplied. This is the builder’s only validation of the exfiltration channel: it proves the webhook exists and is reachable, nothing more. The image below shows the builder prompting for a valid webhook URL.

Figure 5 – Builder Prompting for a Valid Webhook URL

This webhook will serve as a remote server for TAs to receive all the stolen data gathered by Trap Stealer from the compromised system.

Once the builder identifies a valid webhook URL, it then proceeds to the other options for constructing the stealer.

The image below shows all the preferences provided by the builder.

Figure 6 – Trap Stealer’s Builder console

Fake Webhook

The builder allows TAs to hide malicious content behind tools like Discord webhook spammer or tools intended to delete Discord webhook for a particular user. With this builder, TAs can host the Stealer executable on third-party websites without the need for additional tools to mask it. The figure below illustrates the compiled Stealer binary, which appears to function as a webhook spam tool by receiving user input. However, in the background, it secretly collects sensitive information from the victim’s computer.

Figure 7 – Trap Stealer Webhook Spamming Activity

If the user selects the delete option, the stealer requests the user to provide the targeted webhook URL for removal, as shown in the figure below.

Figure 8 – Trap Stealer deleting the Targeted Webhook

Fake Generator

This tool includes another deceptive module that enables TAs to camouflage their malicious code behind gift card code generators. This module simulates generating fake Discord gift card codes. The image below displays the fake generator module output.

Figure 9 – Stealer generates fake Discord gift codes

Injection

This module is designed to modify Discord’s core file, particularly the “index.js” file, with the aim of enabling unauthorized monitoring of a user’s actions and the stealthy retrieval of sensitive information from the compromised Discord account.

Startup

The objective of this module is to create a copy of the Trap Stealer with a random filename in a user-specific directory. Additionally, it creates a startup entry in the Windows Registry, ensuring that the stealer runs when the system starts up.

Anti-debugging

This module aims to identify the existence of debuggers or any analysis tools running on the system and also assess whether the system is a physical or virtual machine.

Anti-Spammer

This module enforces a limitation on the frequency of the stealer’s actions, including sensitive file retrieval and data extraction, ensuring that they cannot occur more frequently than every 30 minutes. This approach is designed to reduce the risk of detection or disruption by security systems and monitoring tools.

Melter

This module is designed to remove the Trap Stealer executable from the system after it has completed its data theft operation.

Crasher

This code is designed to modify system privileges and trigger a specific hard error intentionally, leading to a deliberate system crash.

Technical Analysis

Security Evasion Mechanisms

Upon execution, Trap Stealer first verifies whether it is being monitored, using the anti-debug checks listed below. If any check fires, the stealer terminates itself without stealing anything.

Check | Matching criteria
check_windows | Enumerates open windows and looks for the titles of debugging and analysis tools
check_ip | Looks up the system’s external IP address and compares it with a hard-coded blocklist of IP addresses
check_registry | Looks for a specific registry key associated with VMware
check_dll | Looks for DLLs loaded by virtualization software such as VMware or VirtualBox

Data Gathering Functionality

Following these environment checks, the stealer gathers three groups of data: system information (the fields returned by Python’s platform.uname(), plus the home directory), “global” information (user, hardware, and network details, including a geolocation derived from the external IP address), and clipboard contents. The image below shows the function responsible for acquiring this data from the victim’s system.

Figure 10 – Data gathering function code

The information captured by the function above, by group:

  • System information: Operating System, Node Name, Release, Version, Machine, Processor, Home Directory
  • Global information: Username, IP Address, Country, Region, City, Postal Code, Product Name, Windows Key, Computer Name, Number of CPU Cores, GPU Information, Latitude, Longitude, Installed Antivirus
  • Clipboard: All clipboard data

Subsequently, the Stealer sends the gathered information to the TA’s webhook URL specified during the building of the stealer executable. The image below displays the transmitted data in the Discord channel.

Figure 11 – Compromised System information

Persistence

To establish persistence, the stealer copies itself into one of two directories chosen at random, %APPDATA% or %LOCALAPPDATA%. The copy is given a random filename of 8 lowercase letters followed by a randomly chosen extension from a list of non-executable types: .dll, .png, .jpg, .ink, .url, .jar, .tmp, .db, .cfg, and .jpeg.

After copying the file to one of the previously mentioned locations, the stealer adds a Run entry to the Windows Registry, allowing the stealer file to run automatically when the user logs in. The image below shows the newly created Run entry within the Windows Registry.

Figure 12 – Run entry added in Windows registry
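The persistence artifact described above (a Run value pointing at an 8-lowercase-letter file with a data extension under AppData) is specific enough to hunt for. The following is an added example, not code from the report or from the stealer: it triages a list of Run values, constructed here to stand in for the contents of HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and flags the ones matching that shape. The value names, paths and the “WebhookSpammer”-style process names in the sample are invented; the rule also accepts the drop anywhere below AppData\Roaming or AppData\Local rather than only at the root, since the report does not say whether a subfolder is used.

```python
import re
from pathlib import PureWindowsPath

# Filename shape given in the report for the dropped copy: 8 lowercase letters
# plus one of these extensions (".ink" reproduced exactly as listed).
DROP_EXTS = {".dll", ".png", ".jpg", ".ink", ".url", ".jar", ".tmp", ".db", ".cfg", ".jpeg"}
DROP_STEM_RE = re.compile(r"^[a-z]{8}$")
# Both drop roots, in the expanded form they take inside a Run value (assumption:
# matched at any depth below these roots, not only directly inside them).
DROP_ROOTS = ("\\appdata\\roaming\\", "\\appdata\\local\\")


def _image_path(command: str) -> str:
    """Extract the program path from a Run value's command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0]


def is_trap_stealer_drop(command: str) -> bool:
    """True when a Run value launches an 8-lowercase-letter file with a data
    extension from under %APPDATA% or %LOCALAPPDATA%."""
    path = PureWindowsPath(_image_path(command))
    if path.suffix.lower() not in DROP_EXTS:
        return False
    if not DROP_STEM_RE.match(path.stem):
        return False
    full = str(path).lower()
    return any(root in full for root in DROP_ROOTS)


def triage_run_values(entries: list) -> list:
    """Return the value names of Run entries that match the drop pattern."""
    return [name for name, command in entries if is_trap_stealer_drop(command)]


# Constructed sample of Run values (value name, command); not from a real host.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Discord", r"C:\Users\alice\AppData\Local\Discord\Update.exe --processStart Discord.exe"),
    ("xkqwtrna", r"C:\Users\alice\AppData\Roaming\xkqwtrna.png"),
    ("update", r'"C:\Users\alice\AppData\Local\mbvfprtz.db"'),
    ("agentsvc", r"C:\Program Files\Vendor\agentsvc.dll"),  # right shape, wrong location
]

if __name__ == "__main__":
    for name in triage_run_values(SAMPLE_RUN_VALUES):
        print("suspicious Run value:", name)
```

The rule keys on the filename shape rather than on a hash, so it survives rebuilds with a different webhook; expect to review hits rather than auto-quarantine, since eight-letter names are not impossible for legitimate software.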

Passwords, Cookies, and Autofills

After establishing persistence, Trap Stealer collects stored passwords, cookies, and autofill entries from the victim’s browser profile folders and writes the extracted data to separate files in %LOCALAPPDATA%\Temp (AppData\Local\Temp).

The filenames for these files typically start with “wp,” such as “wpautofill.txt,” “wpcook.txt,” and “wppassw.txt.” Subsequently, the stealer sends this captured data along with the “.txt” files to the configured webhook URL. The image below shows the captured data being sent to a Discord channel, allowing the TAs to access the stolen information.

Figure 13 – Sensitive Browser Data Shared in Discord

Stealing Discord tokens from Browser paths

Next, the stealer proceeds to extract and send the user’s Discord token. To accomplish this, it scans for files ending in “.ldb” or “.log” (LevelDB Local Storage files) within the browser directories listed below:

  • AppData\Roaming\Opera Software\Opera GX Stable\Local Storage\leveldb
  • AppData\Roaming\Opera Software\Opera Stable\Local Storage\leveldb
  • AppData\Roaming\Opera Software\Opera Neon\User Data\Default\Local Storage\leveldb
  • AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
  • AppData\Local\Google\Chrome SxS\User Data\Default\Local Storage\leveldb
  • AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Local Storage\leveldb
  • AppData\Local\Yandex\YandexBrowser\User Data\Default\Local Storage\leveldb
  • AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb

It then applies two regular expressions to the contents of the identified “.ldb” and “.log” files:

  • The first regex, `[\w-]{24}\.[\w-]{6}\.[\w-]{25,110}`, matches the three dot-separated segments of a Discord user token.
  • The second regex, `mfa\.[\w-]{80,95}`, matches the older “mfa.”-prefixed form issued to accounts with multi-factor authentication enabled.

A Discord token is a bearer credential: whoever holds it can call the Discord API as that user without a password or MFA prompt, which is how the stealer later retrieves the account details described below.
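To make the two patterns above concrete, here is an added example (not the stealer’s code and not from the report) that runs them over a constructed fragment of a LevelDB .log record. The token-shaped strings in the sample are stand-ins built from repeated letters, not real tokens; the JWT is included to show that another three-segment format does not trip the user-token pattern because its segment lengths differ.

```python
import re

# The two patterns the stealer greps out of LevelDB .ldb/.log files (backslashes restored).
USER_TOKEN_RE = re.compile(rb"[\w-]{24}\.[\w-]{6}\.[\w-]{25,110}")
MFA_TOKEN_RE = re.compile(rb"mfa\.[\w-]{80,95}")


def find_token_candidates(blob: bytes) -> list:
    """Return (kind, value) pairs for every token-shaped string in blob, deduplicated."""
    found = []
    seen = set()
    for kind, pattern in (("mfa", MFA_TOKEN_RE), ("user", USER_TOKEN_RE)):
        for match in pattern.finditer(blob):
            value = match.group(0).decode("ascii")
            if value not in seen:
                seen.add(value)
                found.append((kind, value))
    return found


def redact(token: str) -> str:
    """Show only the ends of a token, as you would in an incident ticket."""
    return f"{token[:6]}...{token[-4:]}"


# Constructed stand-ins with the right shape; neither is a real Discord token.
FAKE_USER_TOKEN = "A" * 24 + "." + "B" * 6 + "." + "C" * 40
FAKE_MFA_TOKEN = "mfa." + "D" * 85
# A JWT is also three dotted segments, but its 36/27-character segments never
# line up with the 24/6 lengths the user-token pattern demands.
FAKE_JWT = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
            ".eyJzdWIiOiIxMjM0NTY3ODkwIn0"
            ".SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")

# Constructed fragment imitating LevelDB Local Storage records (not a real capture).
SAMPLE_LEVELDB_LOG = (
    b'\x00\x00_https://discord.com\x00\x01token\x01"' + FAKE_USER_TOKEN.encode() + b'"'
    b'\x00\x00_https://discord.com\x00\x01token\x01"' + FAKE_MFA_TOKEN.encode() + b'"'
    b'\x00\x00_https://example.com\x00\x01session\x01"' + FAKE_JWT.encode() + b'"'
)

if __name__ == "__main__":
    for kind, value in find_token_candidates(SAMPLE_LEVELDB_LOG):
        print(kind, redact(value))
```

The user-token pattern is deliberately loose (any 24.6.25+ word-character string), so the stealer, and anyone reusing it as a DLP rule, will see the occasional false positive; the stealer tolerates that because it validates each candidate against the Discord API afterwards.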

Stealing tokens from the Discord application folder

In addition to extracting Discord tokens from web browsers, the stealer also retrieves tokens from the Discord desktop application folders. It first checks for a file named “Local State” in each of the directories below.

  • AppData\Roaming\discord
  • AppData\Roaming\Lightcord
  • AppData\Roaming\Discordptb
  • AppData\Roaming\Discordcanary

If “Local State” is not found, the module is skipped and the stealer moves on. When the file is found, the stealer reads it and extracts the master key. “Local State” is the Chromium/Electron preferences file; the key is stored under os_crypt.encrypted_key as a base64 string, prefixed with “DPAPI” and protected with the logged-on user’s DPAPI credentials, so recovering it means base64-decoding the value, stripping the prefix, and calling CryptUnprotectData. The recovered AES key is then used for the decryption that follows.

Next, the script looks for files with the “.log” or “.ldb” extension in the following locations:

  • AppData\Roaming\Discord\Local Storage\leveldb
  • AppData\Roaming\Lightcord\Local Storage\leveldb
  • AppData\Roaming\Discordptb\Local Storage\leveldb
  • AppData\Roaming\Discordcanary\Local Storage\leveldb

Within these files the stealer searches for a regex matching strings that begin with “dQw4w9WgXcQ:”, the prefix the Discord client places in front of a token it has encrypted with Electron’s safeStorage. The remainder is a base64 blob in Chromium’s os_crypt layout (“v10” marker, 12-byte nonce, ciphertext, 16-byte GCM tag); the stealer base64-decodes it and decrypts it with AES-256-GCM under the master key from “Local State” to recover the plaintext token.

Once valid Discord tokens are successfully retrieved both from browsers and the Discord application, the stealer sends a GET request to the Discord API with the stolen token to retrieve additional user information. The below image shows the partial function code for retrieving user information using the stolen Discord token.

Figure 14 – Function to retrieve user information from Discord

Subsequently, the stealer creates a JSON payload (data) that encompasses user information such as username, bio, profile picture URL, badges, and additional data. This payload is then sent through the webhook URL, facilitating the attacker’s ability to access and examine user data.

Discord Injection

An alternative method of harvesting Discord data is to replace a core component of the Discord desktop application. To do so, the stealer scans %LOCALAPPDATA%\Discord (AppData\Local\Discord) for two conditions:

  • a file named “index.js”, and
  • a folder whose name contains “discord_desktop_core-” (the versioned module directory that ships that file).

If both criteria are met, the stealer replaces the “index.js” file with custom code downloaded from the developer’s GitHub page. The image below displays a portion of the altered “index.js” file.

Figure 15 – Modified Discord’s ‘index.js’ File

Once the modified index.js is in place it runs inside the Discord client every time the application starts, so it survives a token reset and sees data the token-grab alone cannot: passwords entered into the client, email addresses, phone numbers, Nitro subscription status, billing information, badges, hostnames, tokens, and credit card numbers, CVCs and expiration dates. The acquired information is sent to the attacker’s webhook URL.

Stealing application files

Trap Stealer also targets a fixed set of applications to collect sensitive files from the system. For each target it builds a predefined directory path and checks whether that path exists on the compromised system. If the path is not found, the module is skipped; if it exists, the stealer performs the following operations.

  • Terminate the process associated with the directory (so locked files, such as wallet databases, can be read).
  • Copy every file from the directory, excluding any existing ZIP files.
  • Compress the copied files into a ZIP archive.
  • Send the ZIP file to the configured webhook URL.
  • Delete the ZIP file from disk.

The table below lists the directory path, the process name that is terminated, and the ZIP file name used for each target.

Directory path | Process name | ZIP file name
AppData\Local\Riot Games\Riot Client\Data | RiotClientServices.exe | RiotClientServices.zip
AppData\Roaming\NationsGlory\Local Storage\leveldb | NationsGlory.exe | NationsGlory.zip
C:\Program Files (x86)\Steam\config | steam.exe | Steam.zip
AppData\Roaming\Exodus\exodus.Wallet | Exodus Wallet.exe | Exodus.zip
AppData\Roaming\atomic\Local Storage\leveldb | Atomic Wallet.exe | Atmoic.zip
AppData\Roaming\Telegram Desktop\tdata | telegram.exe | Telegram.zip
AppData\Roaming\Opera Software\Opera Stable\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn | opera.exe | Metamask_Opera Stable.zip
AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings | Chrome.exe | Metamask_Chrome.zip
AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn | brave.exe | Metamask_Brave-Browser.zip
AppData\Local\Yandex\YandexBrowser\User Data\HougaBouga\nkbihfbeogaeaoehlefnkodbefgpgknn | yandex.exe | Metamask_YandexBrowser.zip
AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn | edge.exe | Metamask_Edge.zip

nkbihfbeogaeaoehlefnkodbefgpgknn is the Chrome Web Store ID of the MetaMask extension, so the browser rows collect the extension’s local vault files.

Stealing sensitive files from the compromised system

Once the stealer completes the transmission of application-related files to the attacker, it proceeds to steal files from the system based on keywords. 

The stealer searches the “Desktop,” “Downloads,” and “Documents” directories for text files whose filenames contain one of the predefined keywords listed below. Matching files are uploaded to the Discord channel via the webhook.

Keyword list (one row per line as it appears in the stealer; the first row’s word boundaries are not recoverable):

  • Phonewritingappositepassorterythum
  • wallet | Storage password | account | blank account | production password
  • financy password | seruced password | address | secret | bitcoin
  • give | email | administration | apimanager | administration
  • Administrating a File | Complete | apimanager | Passport
  • Social security

Stealing Browser History

The stealer collects browsing history from the web browsers listed below, packs it into a “browser.zip” file in the user’s temporary directory (%temp%), uploads the archive to Discord, and posts a formatted message containing a link to the uploaded data.

  • Chrome, Edge, Opera GX, Opera, Internet Explorer
  • Firefox, Safari, Safari Technology Preview

The image below showcases the transferred ZIP file as it appears in TA’s Discord channel.

Figure 16 – Transmitted ZIP File in a Discord Channel

Stealing WhatsApp files

The act of stealing WhatsApp files from compromised systems isn’t a novel occurrence. However, it has recently become increasingly prevalent.

WhatsApp Desktop (the Microsoft Store package) keeps its cache and logs under AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm. Because this cache lets the desktop client show images, profile pictures, and other data even when the phone is not connected, it is a worthwhile target on its own.

To obtain WhatsApp-related files, the stealer recursively scans that directory for non-empty files, compresses them into a ZIP archive stored in %temp%, and sends the archive to the webhook together with a listing of the collected files. The listing shows at most 10 file names; if more than 100 files were collected, the message instead states that there are too many to display.

Self-delete

Trap Stealer possesses the capability to perform a self-deletion process upon successfully exfiltrating the victim’s data, ensuring that no residual traces are left behind.

Crasher

If the crasher module was enabled when the stealer was built, the stealer calls NtRaiseHardError from ntdll with the status code 0xC0000006 and a ResponseOption of 6. Two details are worth getting right: 0xC0000006 is STATUS_IN_PAGE_ERROR, not an invalid-instruction error, and 6 is not a severity level but the HARDERROR_RESPONSE_OPTION value OptionShutdownSystem, which instructs the kernel to bugcheck rather than show a dialog. The call requires SeShutdownPrivilege to be enabled in the calling process’s token, which is the privilege adjustment mentioned in the module overview; interactive users on Windows workstations normally hold that privilege, so the crash does not need administrator rights.

Conclusion

As the landscape of digital theft evolves with new techniques and patterns, we are witnessing the unceasing innovation of stealers. They adapt and expand in parallel with the continuous creation of new applications and tools. A prominent exemplar of this evolution is the “Trap Stealer,” a Python-based tool showcasing an array of sophisticated features, particularly adept at extracting private information from platforms like Discord, WhatsApp, and other applications.

Considering that this stealer appears to be in the development phase, it’s highly likely that a forthcoming version will emerge, equipped with additional features designed to enhance stealth and target a wider range of applications. This highlights the dynamic and ever-evolving nature of cybersecurity threats, emphasizing the ongoing need for proactive measures to safeguard against them.

Recommendations

  • It’s strongly recommended to avoid acquiring software from online sources that lack credibility or proper verification.
  • Be cautious of potential traps set by TAs offering enticing tools like fake generators and spamming tools, as these can often lead to data theft.
  • To enhance security, it’s advisable to disable the automatic saving and storage of passwords by web browsers and opt for password managers.
  • Monitor outbound traffic for POST requests to Discord webhook endpoints (discord.com or discordapp.com, path /api/webhooks/…), which ordinary Discord client traffic does not use; blocking or alerting on them cuts off this stealer’s exfiltration channel.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
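The monitoring recommendation above can be turned into a concrete detection. The following is an added example, not code from the report or the stealer: it classifies proxy-log requests, flagging any request to a Discord webhook endpoint and treating POSTs as exfiltration and other methods (such as the builder’s validation GET) as a probe, while letting normal Discord client traffic on /api/v9/… through. The log format, process names, webhook ID and token in the sample are all constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Hosts the builder accepts in a webhook URL, and the path shape of a webhook endpoint.
WEBHOOK_HOSTS = ("discord.com", "discordapp.com")
WEBHOOK_PATH_RE = re.compile(r"^/api/(?:v\d+/)?webhooks/(\d+)/[\w-]+")


def classify_request(method: str, url: str) -> Optional[str]:
    """Return 'exfil', 'probe' or None for one proxied request."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not any(host == h or host.endswith("." + h) for h in WEBHOOK_HOSTS):
        return None
    if not WEBHOOK_PATH_RE.match(parts.path):
        return None  # ordinary client traffic uses /api/v9/..., not /api/webhooks/
    if method.upper() == "POST":
        return "exfil"
    return "probe"  # e.g. the builder's GET that checks the webhook answers 200


def detect_webhook_exfil(log_lines: list) -> list:
    """Parse constructed proxy-log lines and return one alert per webhook request."""
    alerts = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 7:
            continue  # malformed line: skip it rather than abort the whole run
        ts, client, process, method, url, content_type, size = fields
        verdict = classify_request(method, url)
        if verdict is None:
            continue
        webhook_id = WEBHOOK_PATH_RE.match(urlsplit(url).path).group(1)
        alerts.append({
            "ts": ts, "client": client, "process": process, "verdict": verdict,
            "webhook_id": webhook_id,
            # multipart bodies are how the stealer attaches the ZIP/.txt files
            "file_upload": content_type.startswith("multipart/form-data"),
            "bytes": int(size),
        })
    return alerts


# Constructed proxy log, one request per line:
# "<timestamp> <client> <process> <method> <url> <content-type> <bytes>"
SAMPLE_PROXY_LOG = [
    "2023-10-26T09:13:58Z 10.20.30.41 Discord.exe POST https://discord.com/api/v9/channels/000000000000000000/messages application/json 412",
    "2023-10-26T09:14:03Z 10.20.30.41 WebhookSpammer.exe POST https://discord.com/api/webhooks/000000000000000000/FAKE-WEBHOOK-TOKEN-FOR-EXAMPLE application/json 2180",
    "2023-10-26T09:14:04Z 10.20.30.41 WebhookSpammer.exe POST https://discord.com/api/webhooks/000000000000000000/FAKE-WEBHOOK-TOKEN-FOR-EXAMPLE multipart/form-data 184233",
    "2023-10-26T09:20:17Z 10.20.30.77 builder.exe GET https://discordapp.com/api/webhooks/000000000000000000/FAKE-WEBHOOK-TOKEN-FOR-EXAMPLE - 0",
    "2023-10-26T09:21:40Z 10.20.30.41 chrome.exe GET https://discord.com/channels/@me - 0",
]

if __name__ == "__main__":
    for alert in detect_webhook_exfil(SAMPLE_PROXY_LOG):
        print(alert["verdict"], alert["process"], alert["webhook_id"], alert["bytes"])
```

Webhook POSTs from user workstations are rare outside bots and CI runners, so the rule can be tuned by allow-listing known automation hosts. Once a sample yields the full webhook URL, responders also have the option of removing the channel: Discord’s “delete webhook with token” endpoint (DELETE /api/webhooks/{id}/{token}) needs no other authentication, which is exactly the capability the stealer’s “webhook deletion” lure pretends to offer.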

MITRE ATT&CK® Techniques

Tactic | Technique | Procedure
Execution (TA0002) | User Execution: Malicious File (T1204.002) | Manual execution of the lure executable is required
Persistence (TA0003) | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) | The stealer adds a Run entry for persistence
Defense Evasion (TA0005) | Virtualization/Sandbox Evasion (T1497) | Anti-VM/anti-debug checks before any stealing activity
Defense Evasion (TA0005) | Obfuscated Files or Information (T1027) | Builder obfuscates the compiled stealer file
Defense Evasion (TA0005) | Indicator Removal: File Deletion (T1070.004) | Self-deletes after the stealing activity completes
Credential Access (TA0006) | OS Credential Dumping (T1003) | Tries to harvest and steal browser information
Credential Access (TA0006) | Steal Application Access Token (T1528) | Steals Discord tokens from browsers and the Discord client
Credential Access (TA0006) | Credentials from Password Stores: Web Browsers (T1555.003) | Steals saved browser passwords, cookies and autofill data
Discovery (TA0007) | System Information Discovery (T1082) | Gathers system, hardware and network information
Collection (TA0009) | Clipboard Data (T1115) | Captures clipboard data
Collection (TA0009) | Data from Local System (T1005) | Collects application files and keyword-matched documents from the victim’s system
Exfiltration (TA0010) | Exfiltration Over Web Service: Exfiltration Over Webhook (T1567.004) | Uses a Discord webhook to exfiltrate data

Indicators Of Compromise

Indicator | Indicator type | Description

Trap Stealer sample 1
  • SHA256: ba070e0328f5e093f35210904d53d4aa54339fdc1a11a1c3f68adee3ca0ff125
  • SHA1: d589723c86d2ddefe3119c506e83814739cfa54f
  • MD5: a4bbf468fa1b3a7b7d29d65595704544

Trap Stealer sample 2
  • SHA256: 31a274dfdbe93b117a5f62574bae009ad9bf6f4a66d5845b75e479547a608c6c
  • SHA1: bcfbc009367231fd99ef0362a1e572aede015074
  • MD5: c4c27b95f86f87ebb58d2f2ae00e5ed9

Trap Stealer sample 3
  • SHA256: 883e4d2893f3131e9b97e45e1b10acb8be70f3d2751cf3e9e75d24aced473a58
  • SHA1: ffe2bd374a8bb3f22a77798c3cb5d905e7aa6bf2
  • MD5: 736a8934c94e268bdd91c53a7f746fdf

Trap Stealer sample 4
  • SHA256: 3501ea51bad76648ee577cfbb0cac51d3672a292775396ee6c50605cd2937afe
  • SHA1: 4e20ed2ab2a713ede6e184476838a145dc28621c
  • MD5: ab3dee7f0f03e7c7262756ab816ad4b7

Source: https://cyble.com/blog/new-open-source-trap-stealer-pilfers-data-in-just-6-seconds/
