Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The information collected can be used for future attacks
Severity Level: High
FortiGuard Labs recently identified an email phishing campaign using deceptive booking information to entice victims into clicking on a malicious PDF file. The PDF downloads a .NET executable file created with PowerGUI and then runs a PowerShell script to fetch the final malware, known as MrAnon Stealer. This malware is a Python-based information stealer compressed with cx-Freeze to evade detection. MrAnon Stealer steals its victims’ credentials, system information, browser sessions, and cryptocurrency extensions. Figure 1 illustrates the attack flow.
Figure 1: Attack flow
The downloader URL was mostly queried in Germany, which suggests it was the primary target of the attack. The number of queries for this URL rose significantly in November 2023, implying the campaign was more active and aggressive during that month. In this article, we will detail the behavior of this malware at each stage.
Figure 2: Telemetry
Initial Infection Vector – Booking.pdf
The attacker, masquerading as a company looking to reserve hotel rooms, sends phishing emails with the subject, “December Room Availability Query.” The body contains bogus hotel booking details for the holiday season. The attached malicious PDF file has a downloader link hidden in the stream object. Its data after decoding is shown below:
Figure 3: The phishing email
Figure 4: The malicious PDF file
.NET Executable – adobe.exe
Using the strings in the class “Loader,” we identified that the malware used the PowerShell script editor that converts PowerShell scripts to Microsoft executable files.
Figure 5: The decompiled Exec() function
Upon examination of the .NET executable file shown in Figure 6, we found that it utilizes ScriptRunner.dll to extract “Scripts.zip” to obtain a PowerShell script. The extracted file is deposited at the following location:
“%USERPROFILE%AppDataLocalTempQuest SoftwarePowerGUI”.
This .NET Microsoft Windows executable is solely tasked with unpacking an embedded script named “down2.ps1” and executing it using PowerShell.exe. The packed file and PowerShell configurations are within the resources section of the file, as illustrated in Figure 7.
Figure 6: The ScriptRunner.dll that loads the PowerShell script
Figure 7: The malware’s resource section
PowerShell Script – down2.ps1
The script initiates the loading of a Windows Form and configures its settings, including form, label, and progress bar. Additionally, it defines text within the execution of the subsequent script to mitigate user suspicions.
Figure 8: The Create Windows form
Within the “Form Load event” section, the script retrieves a payload from the identical domain, “anonbin[.]ir,” and decompresses the file in the temporary folder. It then locates the execution file within the zip archive and employs “Start-Process” for execution. A window named “File Not Supported” is displayed in this state, accompanied by a status message indicating “Not Run: python.exe.” This deceptive presentation is designed to mislead users into believing that the malware has not been executed successfully. Figure 10 illustrates the window and progress bar during the execution of the malware.
Figure 9: The Form Load event section
Figure 10: The progress window shown during the python.exe execution
Cx_Freeze Packed File – python.exe
The compressed file “Ads-Pro-V6-Free-Trail (1).zip” includes multiple files. Figure 11 shows the contents of the extracted folder. Within this folder, two DLL files serve as clean components to facilitate the loading of additional Python code by the “python.exe” process. Figure 12 illustrates the WinMain function in “python.exe,” clearly indicating that this is not a legitimate Python executable.
Figure 11: Files in Ads-Pro-V6-Free-Trail (1).zip”
Figure 12: WinMain in python.exe
Tracing the initial call reveals that the execution file originates from cx_Freeze tools. The script then searches for the directory “liblibrary.zip” and uses “PyObject_CallObject” to invoke the malicious Python code.
Figure 13: Check directory liblibrary.zip
Figure 14: Invoking the main Python code
Figure 15 shows the files from “library.zip.” Notably, “cstgversion__main__.pyc” stands out due to its distinct creation time compared to the legitimate files. This particular file encompasses the primary functions responsible for data theft.
Figure 15: Files in library.zip
MrAnon Stealer
First, the malware verifies whether the following processes are currently running on the system and terminates them if they exist:
“ArmoryQt.exe”, “Atomic Wallet.exe”, “brave.exe”, “bytecoin-gui.exe”, “chrome.exe”, “Coinomi.exe”, “Discord.exe”, “DiscordCanary.exe”, “Element.exe”, “Exodus.exe”, “firefox.exe”, “Guarda.exe”, “KeePassXC.exe”, “NordVPN.exe”, “OpenVPNConnect.exe”, “seamonkey.exe”, “Signal.exe”, “Telegram.exe”, “filezilla.exe”, “filezilla-server-gui.exe”, “keepassxc-proxy.exe”, “msedge.exe”, “nordvpn-service.exe”, “opera.exe”, “steam.exe”, “walletd.exe”, “waterfox.exe”, “yandex.exe”
It then uses “ImageGrab” to capture a screenshot, saving it with the filename “Screenshot (Username ).png.” Additionally, it establishes connections with legitimate websites such as “api.ipify.org” and “geolocation-db.com/jsonp” to retrieve the system’s IP address, country name, and country code. It also gathers information from the following sources:
- Browsers Data: 7Star, Amigoz, Bravez, Cent Browser, Chrome Canary, Epic Privacy Browser, Google Chrome, Iridium, Kometa, Microsoft Edge, Opera, Opera GX, Orbitum, Sputnik, Torch, Uran, Vivaldi, Yandex, Firefox, Pale Moon, SeaMonkey, and Waterfox.
- Desktop Wallets: Bytecoin Wallet, Guarda, Atomic Wallet, Coinomi Wallet, Bitcoin Armory, and Exodus.
- Browser Extensions:
- Messengers: Discord, Discord Canary, Element, Signal, Telegram Desktop
- VPN Clients: NordVPN, ProtonVPN, and OpenVPN Connect
- Browser Wallets:
- Others: FileZilla and FileZilla Server
- Gaming: Steam
- Files: It scans these directories: Desktop, Documents, Downloads, Pictures, and grabs specific files with following extensions: “.7z,” “.bmp,” “.conf,” “.csv,” “.dat,” “.db,” “.doc,” “.jpeg,” “.jpg,” “.kdbx,” “.key,” “.odt,” “.ovpn,” “.pdf,” “.png,” “.rar,” “.rdp,” “.rtf,” “.sql,” “.tar,” “.txt,” “.wallet,” “.xls,” “.xlsx,” “.xml,” and “.zip.”
Next, it compresses the stolen data, secures it with a password, and designates the filename as “Log (Username).zip.” The compressed file is then uploaded to a public file-sharing website using the URL “hxxps://store1[.]gofile[.]io/uploadFile.” Finally, it appends the download link and system information to a message that is sent to the attacker’s Telegram channel using the bot token “6799784870:AAHEU6EUdnAjRcH8Qq0TCokNtVJSL06VmbU.”
Figure 16: Stolen data in Telegram message
Figure 17: The zip file
The support channel for MrAnon Stealer is shown in Figure 18. This support channel promotes its product, provides enhanced capabilities, and includes a purchase page at “hxxp[:]//anoncrypter[.]com” for all associated tools (Figure 19).
Figure 18: MrAnon Stealer’s telegram channel
Figure 19: The website for MrAnon Tools
The malicious actor established the website “anonbin[.]ir” earlier this year, as shown in Figure 20, and downloaded all associated files. Upon investigation, we discovered analogous packed files utilizing cx_Freeze from July. These files consistently feature Python-based stealers, identified by the shared “HYDRA” banner within the code, as illustrated in Figure 21.
The campaign initially disseminated Cstealer in July and August but transitioned to distributing MrAnon Stealer in October and November. This pattern suggests a strategic approach involving the continued use of phishing emails to propagate a variety of Python-based stealers.
Figure 20: Homepage for hxxps[:]//anonbin[.]ir
Figure 21: The banner from malware in July
Conclusion
In this attack, the threat attacker sends phishing emails with fake room booking details, aiming at specific regions. The malware uses PowerGUI and cx-Freeze tools to create a complex process that involves .NET executable files and PowerShell scripts. The attacker also uses tricks like false error messages to hide successful infection. The malware downloads and extracts files from a specific domain to run a harmful Python script. The script extracts clean DLL files and malware named “python.exe.” These are used to cover up the loading of the malicious payload—MrAnon Stealer. It steals data and sensitive information from several applications and then compresses and uploads the stolen data to a public file-sharing website and the threat actor’s Telegram channel. Users should be careful of phishing emails and unclear PDF files.
Fortinet Protections
The malware described in this report are detected and blocked by FortiGuard Antivirus as:
PDF/Agent.AZN!tr.dldr
MSIL/Agent.FT!tr
POWERSHELL/Agent.F6C9!tr
Python/Stealer.AZN!tr
W64/Agent.7E0B!tr
FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is a part of each of those solutions. As a result, customers who have these products with up-to-date protections are protected.
The URLs are rated as “Malicious Websites” by the FortiGuard Web Filtering service.
The FortiGuard CDR (content disarm and reconstruction) service can detect and disarm the malicious macros embedded in this email.
We also suggest that organizations go through Fortinet’s free NSE training: Fortinet Certified Fundamentals (FCF). The FCF training helps end users learn how to identify and protect themselves from phishing attacks.
FortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.
If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.
IOCs
Hostnames
anonbin[.]ir
anoncrypter[.]com
Files:
075e40be20b4bc5826aa0b031c0ba8355711c66c947bbbaf926b92edb2844cb0
48e09b8043c0d5dfc2047b573112ead889b112108507d400d2ce3db18987f6c9
0efba3964f4b760965e94b4d1a597e6cd16241b8c8bf77a664d6216d1420b312
8a8c9acf09c84ab5ea4c098eace93888a88b82a1485255073c93ce6080d05ec7
96ec8ef2338d36b7122a76b0398d97e8d0ed55c85e31649ea00e57d6b1f53628
8b71525ca378463784ce2d81a8371714580c58f0d305a2aa4630dc964c8c0ee0
45ee224e571d0fd3a72af1d7a7718e61a1aad03b449cf85377411d51c135bb22