Exploring The Will of D: An In-Depth Analysis of Divulge Stealer, Dedsec Stealer, and Duck Stealer – CYFIRMA

Short Summary:

This report by CYFIRMA provides insights into the current landscape of malware, specifically focusing on various stealers such as Divulge, DedSec, and Duck. These stealers are primarily promoted on platforms like GitHub, Discord, and Telegram, often targeting sensitive information from browsers and cryptocurrency wallets. The report highlights the techniques used by these malware variants to evade detection and their operational methods.

Key Points:

• Emergence of new stealer variants daily, often developed using Electron, C, or C++.
• Stealers are promoted on platforms like GitHub, Discord, and Telegram.
• Divulge Stealer claims to be a successor to Umbral Stealer, targeting browser and cookie credentials.
• DedSec Stealer is a copy of Doenerium, featuring dual-hook capabilities and avoiding detection by adding itself to Windows Defender exclusions.
• Duck Stealer, identified as AZStealer, captures a wide range of sensitive information including cookies, credentials, and cryptocurrency wallet addresses.
• All three stealers utilize anti-VM features to evade detection in virtual environments.
• Developers often promote free versions to attract users, but these can be dual-hook variants.

MITRE ATT&CK TTPs – created by AI

• T1047: Windows Management Instrumentation
  • Used for executing commands and scripts on target systems.
• T1059: Command and Scripting Interpreter
  • Utilized for executing scripts and commands to perform malicious actions.
• T1547.001: Registry Run Keys / Startup Folder
  • Ensures persistence by adding entries to the registry or startup folder.
• T1574.002: DLL Side-Loading
  • Involves loading malicious DLLs to execute payloads stealthily.
• T1055: Process Injection
  • Allows malware to inject code into other processes to evade detection.
• T1036: Masquerading
  • Involves disguising malicious files or processes as legitimate ones.
• T1003: OS Credential Dumping
  • Technique used to extract credentials from the operating system.
• T1012: Query Registry
  • Used to gather information from the Windows registry.
• T1057: Process Discovery
  • Technique to identify running processes on a system.
• T1018: Remote System Discovery
  • Used to identify systems on a network.
• T1082: System Information Discovery
  • Technique to gather system information such as OS version and architecture.
• T1005: Data from Local System
  • Technique for collecting data from local systems.
• T1573: Encrypted Channel
  • Used to establish secure communications for command and control.
• T1071: Application Layer Protocol
  • Utilizes common application protocols for command and control communications.

Published On : 2024-10-17

EXECUTIVE SUMMARY

At CYFIRMA, we are committed to offering up-to-date insights into prevalent threats and tactics employed by malicious actors, targeting both organizations and individuals. This report explores the current landscape of malware, focusing on various stealers such as Divulge, DedSec, (also known as Doenerium), and Duck (associated with AZStealer). Many of these stealers are promoted on the surface web like GitHub with developers either rebuilding existing open-source versions or creating new variants that target browser, game data, and other sensitive information.

INTRODUCTION

New stealer variants are emerging daily, with many developed using the Electron framework, while others are coded in C or C++. GitHub, Discord, and Telegram serve as the primary platforms – or “marketplaces” – for developers of these stealers to promote their malware. Typically, developers create a Telegram channel first, then promote it in other stealer groups or collaborate with similar channels to build an audience. Once they’ve gathered a solid user base, they begin offering their stealer alongside pricing plans ranging from weekly to yearly subscriptions. While Discord remains the preferred platform for many, some still use Telegram, though recent policy changes have caused a shift away from it. Developers sometimes promote free versions on their GitHub repositories or underground forums to attract more users.

DIVULGE STEALER

The Divulge Stealer is being promoted on underground forums like HackForums, Cracked, LeakX, and GitHub. In their posts, threat actors claim that Divulge is a successor to Umbral Stealer, which is also available on GitHub and was developed using C#. Its primary function is to steal data from browsers and other sensitive information. Users can integrate their Discord webhook, which serves as a command-and-control server to transmit the stolen data. Upon examining its features, we found that many of Divulge’s functions closely resemble those of Umbral. Both stealers share similar capabilities; however, the developer of Divulge is associated with 15 additional cryptocurrency wallets.

During our analysis of the Divulge Stealer’s source code, the first aspect we examined was its Anti-VM features. The Divulge Stealer performs the following checks:

• It verifies against a list of blacklisted UUIDs that are hardcoded within the code.
• It checks for blacklisted computer names; if a match is found, the stealer identifies the environment as a virtual machine and will not execute.
• It scans for blacklisted usernames, such as “john-pc”, “frank”, “wdgutilityaccount”, and several others.
• Additionally, it includes anti-analysis features that check for the presence of running tasks associated with analysis tools, including “fakenet”, “VBoxService”, “VBoxTray”, and other tools commonly used by malware analysts.

The Divulge Stealer is designed to target browser and cookie credentials. Below is the list of browsers that Divulge Stealer checks. However, following the v129 update of Google Chrome, the stealer is no longer able to extract cookies. This capability is now limited to other stealers, including Lumma, StealC, Rhadamanthys, Vidar, WhiteSnake, and Lummar, which was announced in their chat channels.

Divulge Stealer has incorporated support for 15 cryptocurrency wallets, as highlighted in the red box in the screenshot.

The stealer collects system information and IP address details to ascertain the target’s country, region, time zone, and other relevant data. It also checks the system name, the operating system in use, and total memory, and provides information about the CPU and GPU.

In the code below, there is a function that checks against websites, such as VirusTotal, Avast, Bitdefender, and others. The stealer blocks infected machines from accessing any of these specified websites by modifying the host’s file.

DEDSEC STEALER

The DedSec Stealer is being promoted on Telegram and GitHub, where users can download and build the malware. However, it’s worth noting that DedSec Stealer is essentially a copy of another stealer known as Doeneirum, which is a dual-hook stealer. Doenerium is an open-source JavaScript info stealer that possesses capabilities for stealing cryptocurrency wallets, passwords, and cookies, and modifying Discord clients.

Dedsec stealer adds itself to the Windows Defender exclusion list to avoid detection.

The malware checks for blacklisted computer names, GPU identifiers, usernames, and running processes. If any matches are found, the malware will not execute.

The malware includes Anti-VM features that prevent it from running if a virtualBox is detected.

All data stolen by the DedSec Stealer, including autofill information, card data, passwords, screenshots, and wallet addresses, are stored in a random folder located at C:/ProgramData/Steam/Launcher/**

The stealer contains Base32 encoded code that functions as a clipper. After utilizing CyberChef to decode the encoded string, we found that the resolved code features a regex pattern specifically designed to target and steal information related to various cryptocurrencies, including Bitcoin, Ethereum, Dogecoin, and others.

The code below is utilized by the stealer to extract backup codes from games and other applications.

The stealer collects Instagram data and saves it to Instagram.txt, retrieving follower counts and stealing session data.

DUCK STEALER

The Duck Stealer is essentially AZStealer. Upon decompiling the stealer, we discovered the term “AZStealer” embedded in the code, indicating that it is promoted by the same developer.

The Duck Stealer shares similar functionalities with other stealers discussed in this report. Key features include:

• Anti-VM capabilities to avoid detection in virtual environments.
• Collection of the hostname, IP address, and other information related to the target PC.
• Capture of cookies, credentials, credit card details, browsing history, and bookmarks from browsers like Yandex, Chrome, Brave, Torch, Mozilla, and others.
• A clipper function to steal cryptocurrency wallet addresses.
• Theft of Discord tokens.
• Support for stealing from over 30 cryptocurrency wallets, including Metamask, Yoroi, Coinbase, Bitapp, Binance, Jaxx, and many more.

During our investigation into AZStealer, we found an old channel left by the developer. By pivoting through the username mentioned in the channel’s bio, we identified another name referenced in the channel posts. This final username is currently used by the developer to promote Duck Stealer.

Additionally, after decompiling the Duck Stealer, we examined the JSON package file, which contained a description identifying it as AZStealer, with a target platform of the Windows 64-bit version.

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM)

Currently, the above malware are being promoted on Clearnet platforms such as GitHub, forums, and developer-owned websites. These developers either rebuild existing open-source stealers or create basic Discord stealers that target browser and game data. They often showcase scan results to demonstrate the effectiveness of their stealers. However, it has been observed that the Divulge Stealer is a copy of Umbral, DedSec Stealer is based on Doenerium, and Duck Stealer is a derivative of AZStealer, all developed by the same individual.

Divulge Stealer is primarily promoted on hacker forums and GitHub, while the other two are mainly advertised on GitHub or Telegram. It’s important to note that many of these free offerings are not as straightforward as they seem. Most of them are dual-hook variants, which can infect the users trying to infect other systems. Additionally, any data collected by the users of these stealers is also accessible to the stealer’s developer.

CONCLUSION

As we delve deeper into these stealers and their variants, it becomes clear that many of them predominantly target Discord data and browser information. Equipped with anti-analysis techniques, these malware variants are designed to evade detection and effectively operate in the background. Furthermore, they often maintain a strong user base through active promotion in their Telegram or Discord channels, fostering a community that facilitates the distribution and use of these malicious tools.

LIST OF IOCS

MITRE ATT&CK COMMON TTPs

RECOMMENDATIONS

Strategic Recommendations:

• Implement Defense-in-Depth Strategy: Develop a comprehensive defense strategy that combines network segmentation, robust perimeter defenses, and endpoint security to create multiple layers of protection against such threats.
• Invest in Threat Intelligence: Engage with threat intelligence services to stay informed about the evolving tactics, techniques, and procedures employed by malware operators. Regularly update defenses based on the latest threat intelligence to enhance proactive detection capabilities.
• Enhance Employee Training: Conduct regular cybersecurity training programs to educate employees about phishing threats, social engineering, and safe browsing practices. Building a security-aware culture can significantly reduce the likelihood of successful infostealer infections.

Management Recommendations:

• Develop an Incident Response Plan: Establish a robust incident response plan that outlines clear procedures for identifying, containing, eradicating, and recovering from a stealer infection. Regularly test and update the plan to ensure effectiveness.
• Conduct Regular Security Audits: Perform periodic security audits to assess the effectiveness of existing security controls, identify potential weaknesses, and validate the organization’s overall security posture. Use the findings to make informed adjustments and improvements.
• Collaborate with Industry Peers: Engage in information sharing and collaboration with industry peers, cybersecurity communities, and relevant authorities. Sharing threat intelligence and best practices can enhance collective resilience against emerging threats like info stealer.

Tactical Recommendations:

• Update and Patch Systems: Regularly update and patch operating systems, software, and applications to address vulnerabilities that malware like stealer exploits. Automated patch management tools can streamline this process and minimize the attack surface.
• Utilize Advanced Endpoint Protection: Deploy advanced endpoint protection solutions that incorporate behavioural analysis, heuristic detection, and threat intelligence to identify and mitigate the specific techniques employed by the following stealers. Ensure these solutions are regularly updated with the latest detection rules, such as the ones given in the report.
• Implement Application Whitelisting: Restrict the execution of unauthorized applications by implementing application whitelisting, this helps prevent the execution of unknown or malicious binaries, hindering the stealer’s ability to run on endpoints.

Source: Original Post