Summary:
Hexon Stealer is a sophisticated malware that extracts sensitive information from compromised systems, including browser credentials and cryptocurrency data. Built on the Electron framework, it also gives attackers remote access to and control over infected devices. The malware has evolved from previous variants and is actively promoted through various online channels.
#HexonStealer #MalwareAnalysis #CyberThreats
Key points:
Hexon Stealer is capable of extracting browser credentials, autofill data, and other sensitive information.
It operates through a Telegram channel and has been rebranded from Hexon Stealer to Hexon Grabber.
The malware provides full remote access to compromised systems, allowing attackers to monitor and control user activities.
Hexon Stealer uses the Electron framework and NSIS installer format for distribution.
It targets various sensitive data, including Discord tokens, 2FA codes, and cryptocurrency wallet information.
The malware has a secondary executable that gathers stolen data and saves it in the Temp folder.
Hexon Stealer employs advanced obfuscation techniques to conceal its malicious code.
The developer has introduced subscription plans for users, indicating a growing user base.
Evidence suggests that the developers are likely Turkish and previously involved with the Stealit Stealer group.
Recommendations include implementing a defense-in-depth strategy and enhancing employee training on cybersecurity.
MITRE Techniques:
Execution (TA0002):
- Windows Management Instrumentation (T1047): Uses WMI for execution of commands.
- Command and Scripting Interpreter (T1059): Executes commands through scripting languages.
Persistence (TA0003):
- Registry Run Keys / Startup Folder (T1547.001): Adds entries to the registry to maintain persistence.
- DLL Side-Loading (T1574.002): Loads malicious DLLs to maintain persistence.
Privilege Escalation (TA0004):
- Process Injection (T1055): Injects code into other processes to escalate privileges.
- Registry Run Keys / Startup Folder (T1547.001): Uses registry keys for persistence.
Defense Evasion (TA0005):
- Masquerading (T1036): Disguises malicious files to evade detection.
- Process Injection (T1055): Evades detection by injecting into legitimate processes.
- Virtualization/Sandbox Evasion (T1497): Avoids detection in virtualized environments.
Credential Access (TA0006):
- OS Credential Dumping (T1003): Extracts credentials from the operating system.
Discovery (TA0007):
- Query Registry (T1012): Queries the registry for information.
- Process Discovery (T1057): Identifies running processes on the system.
- Remote System Discovery (T1018): Discovers remote systems in the network.
- System Information Discovery (T1082): Gathers system information for reconnaissance.
Collection (TA0009):
- Data from Local System (T1005): Collects data from the local system.
Command and Control (TA0011):
- Encrypted Channel (T1573): Uses encrypted channels for communication.
- Application Layer Protocol (T1071): Communicates using application layer protocols.
IoC:
[domain] Hexon[.]fun
[domain] hexoncopy[.]vercel[.]app
[domain] stealit[.]vercel[.]app
[ip address] 72[.]145[.]3[.]21
[ip address] 20[.]19[.]32[.]198
[ip address] 20[.]151[.]152[.]98
[ip address] 20[.]199[.]91[.]177
[ip address] 4[.]233[.]148[.]165
[file hash] MD5: e173d1216236bccdc15c56bf27859a1d
[file hash] SHA256: 326c21e845863ea6ebe7d09ec3915d99e18f95e575e97aac2f71ae41160327e1
[file name] saa+Setup+1.0.0.exe
[file hash] 9a5aa40a67378d078046c2d22e23fa110881f722067a3a413c99cfbfd0402d1f
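The indicators above are published defanged ("[.]" in place of "."), so they cannot be matched against logs as written. The following script is an added example, not part of the CYFIRMA research or the page's own tooling: it refangs the network IoCs, splits them into IP and domain sets, and sweeps a few constructed proxy/DNS/EDR log lines for the IPs, the exact domains (or their subdomains) and the file hashes. The log format is an assumption made up for the example; only the indicator values come from the page.

```python
import ipaddress
import re

# Network indicators exactly as published on the page (defanged with "[.]").
DEFANGED_NETWORK_IOCS = [
    "Hexon[.]fun",
    "hexoncopy[.]vercel[.]app",
    "stealit[.]vercel[.]app",
    "72[.]145[.]3[.]21",
    "20[.]19[.]32[.]198",
    "20[.]151[.]152[.]98",
    "20[.]199[.]91[.]177",
    "4[.]233[.]148[.]165",
]
# File hashes from the page (one MD5, two SHA-256), lowercased for comparison.
FILE_HASH_IOCS = {
    "e173d1216236bccdc15c56bf27859a1d",
    "326c21e845863ea6ebe7d09ec3915d99e18f95e575e97aac2f71ae41160327e1",
    "9a5aa40a67378d078046c2d22e23fa110881f722067a3a413c99cfbfd0402d1f",
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b")
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{32})\b")


def refang(ioc: str) -> str:
    """Reverse common defanging ('[.]', 'hxxp') and normalise case so the value is comparable."""
    return ioc.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def build_sets(defanged):
    """Refang the indicators and split them into an IP set and a domain set."""
    ips, domains = set(), set()
    for raw in defanged:
        ioc = refang(raw)
        try:
            ipaddress.ip_address(ioc)
            ips.add(ioc)
        except ValueError:
            domains.add(ioc)
    return ips, domains


def scan_line(line, ips, domains, hashes=FILE_HASH_IOCS):
    """Return (kind, value) hits for one log line.

    Hosts match only if they equal a listed FQDN or are a subdomain of one, so
    unrelated tenants of a shared platform such as vercel.app are not flagged.
    """
    low = line.lower()
    hits = [("ip", ip) for ip in IP_RE.findall(low) if ip in ips]
    for host in HOST_RE.findall(low):
        if host in domains or any(host.endswith("." + d) for d in domains):
            hits.append(("domain", host))
    hits += [("hash", h) for h in HASH_RE.findall(low) if h in hashes]
    return hits


def scan_log(lines, defanged=DEFANGED_NETWORK_IOCS):
    """Scan every line; return (line_index, hits) for lines with at least one hit."""
    ips, domains = build_sets(defanged)
    results = []
    for i, line in enumerate(lines):
        hits = scan_line(line, ips, domains)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample log lines (not real telemetry); the path and timestamps are invented.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z proxy action=allow host=hexoncopy.vercel.app dst=20.19.32.198 method=POST",
    "2024-01-01T10:00:05Z dns query name=updates.vercel.app rcode=NOERROR",
    "2024-01-01T10:01:12Z edr file_create path=C:\\Users\\u\\AppData\\Local\\Temp\\installer.exe "
    "sha256=326c21e845863ea6ebe7d09ec3915d99e18f95e575e97aac2f71ae41160327e1",
]

if __name__ == "__main__":
    for index, hits in scan_log(SAMPLE_LOG):
        print(f"line {index}: {hits}")
```

The second sample line is deliberately a sibling host on vercel.app: because the matcher requires an exact FQDN or a subdomain of it rather than a suffix match on the shared platform domain, that line produces no hit, which is the behaviour you want before feeding indicators like hexoncopy[.]vercel[.]app into a blocklist or SIEM rule.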
Full Research: https://www.cyfirma.com/research/hexon-stealer-the-long-journey-of-copying-hiding-and-rebranding/