Key takeaways
- Cyble Research and Intelligence Labs (CRIL) recently came across a new stealer named “Rude”. This Java-based malware is specifically crafted to pilfer confidential data from compromised machines discreetly.
- Rude Stealer specializes in extracting data from various browsers, capturing Discord tokens, Steam IDs, and information about installed games, along with the ability to take screenshots.
- Additionally, it leverages the DirectX Diagnostic Tool (dxdiag) to collect system information from the compromised machine.
In a previous post, we unveiled the discovery of a new Remote Access Trojan (RAT) named “Sayler,” encapsulated within a JAR file. This malicious entity incorporates a range of harmful functionalities, encompassing a Keylogger, Information Stealer, Screen Capture tool, Ransomware, and supplementary features.
On November 6th, CRIL identified a malicious Java Archive (JAR) file named “Stealer.jar” on VirusTotal. Upon further analysis, we were able to determine that the identified JAR file functions as a new information stealer named “Rude” designed to target the Windows Operating System.
The primary objective of Rude Stealer is to collect sensitive information, such as passwords, cookies, history, and auto-fills, from various browsers. Furthermore, it targets tokens and IDs from installed applications such as Discord and Steam. Additionally, it is equipped with the capability to capture screenshots. An initial look at the decompiled code of this stealer is shown below.
Following the successful completion of the data theft process, Rude Stealer proceeds to transmit the pilfered data to the TAs through a designated Telegram channel.
Initial Infection:
While Rude Stealer’s initial infection vector is unknown, we were able to determine that it functions in a manner requiring the involvement of the TAs to commence data theft activities. To activate the stealer, the TAs need to execute it using command line arguments, specifying their Telegram channel chat ID and Bot Token. This action enables them to collect information from the compromised system.
Technical Analysis
The start function of the Rude Stealer is located in the class file “com.Rude.stealer.main.Start”, which contains a main method. This method takes an array of string arguments. The values of args[1] and args[0] (command line arguments) are assigned to the static fields chat_id and bot_token in the SendFile class.
These arguments will later contribute to the establishment of a communication channel for TAs via Telegram. The image below shows the content of the Start.class file.
Upon receiving input arguments, Rude Stealer proceeds to initialize instances for various other class files. Each class file is responsible for executing operations related to extracting sensitive information from the system, installed applications, and browsers. The respective class file “NodeManager” is shown below.
Upon the successful initialization of each method, representing distinct stealing operations, the stealer commences its various pilfering activities within the compromised system.
Stealing Steam user data
To steal a victim’s Steam user data, Rude Stealer scans the victim’s system for the Steam application directory, located at “Program Files (x86)\Steam\config” by default. If the Steam directory is identified, the stealer proceeds to copy all the files into a newly created folder, “C:\Users\[username]\Steam”.
Following that, the stealer generates a log file named “Log_Info.txt” in the same directory, “C:\Users\[username]\Steam”, to log information related to any associated Steam accounts on the victim’s system.
Next, Rude Stealer traverses the directory containing the copied Steam files, inspecting each file for a name matching ‘loginusers’. Upon identifying this file, the stealer reads its content and searches for SteamID (typically presented as a 17-character string, for instance, 12345678900000000). If the search pattern identifies the victim’s SteamID, the stealer generates a URL using the SteamID, as shown below, and saves it in the log file:
http[:]//Steamcommunity[.]com/profiles/12345678900000000
The stealer also removes files with names that include either “coplay_” or “DialogConfigOverlay” from the copied files directory. This file deletion may indicate that the TAs are not focused on exfiltrating avatars (profile pictures) and configuration files from compromised systems.
The image below shows the code to steal Steam user data.
Stealing data related to installed games
Upon acquisition of user account details associated with Steam, Rude Stealer proceeds to target installed games in the compromised system. To gather information about these games, the stealer retrieves a directory path, namely “C:\Program Files (x86)\Steam\Steamapps”, the default location for Steam to store game manifest files on a Windows Operating System.
Subsequently, the stealer searches for files within the identified directory containing the substring “appmanifest_”. It then processes the contents of these files, extracts the names of the installed games, and saves this information in the same log file created earlier, “C:\Users\[username]\Steam\Log_Info.txt”.
The code snippet in the image below shows the part of the Steam class responsible for extracting information about installed games.
Stealing Discord tokens
An additional threat that Rude Stealer poses is its ability to extract Discord tokens from the victim’s system by searching for Discord-related directories, such as:
- C:\Users\[username]\Appdata\Roaming\discord\Local Storage\leveldb
- C:\Users\[username]\Appdata\Roaming\discordcanary\Local Storage\leveldb
If any of these directories are identified, the stealer copies all the files to a newly created directory at “C:\Users\[username]\Discord”.
Subsequently, Rude Stealer filters through the files in these directories, employing a regex pattern “dQw4w9WgXcQ:” to identify Discord tokens. Once located, it writes these tokens to a newly created text file at “C:\Users\[username]\Discord\Auth_Keys.txt”. The associated class file for this Discord token theft operation is displayed below.
Capturing Running Process Information
After successfully pilfering Discord tokens and Steam IDs, Rude Stealer proceeds to retrieve a list of active processes running on targeted systems. It extracts information such as the process name and its corresponding Process ID (PID). Subsequently, this extracted information is logged into a text file named “Process.txt” within the user profile directory “C:\Users\[username]”. The image below displays the class file responsible for extracting information regarding running processes.
Stealing System information
In addition to stealing the aforementioned Steam, Discord, and process information, Rude Stealer can also retrieve system specifications from a victim’s machine. This is achieved by executing the DirectX Diagnostic Tool (dxdiag), a Windows utility for diagnosing and troubleshooting DirectX, graphics, and sound-related issues. The image below displays dxdiag’s output.
This collected diagnostic information is then saved to a text file named “Properties.txt” in the “C:\Users\[username]” directory. The image below displays the content of the Properties class file, which is responsible for retrieving system information.
Capturing Screenshots
Further supplementing these already formidable information-stealing capabilities, Rude Stealer can also capture screenshots from a victim system by utilizing the Java Robot class, an inbuilt class in the Java AWT (Abstract Window Toolkit) package, to capture the current screen. Captured screenshots are saved as PNG files named “Screenshot.png” in the user profile directory “C:\Users\[username]”. The image below shows the content of the class file responsible for taking screenshots.
Stealing data from multiple browsers
Rude Stealer is also designed to collect sensitive information from various web browsers, as outlined in the table below:
Browser name: data categories stolen (out of AutoFill, Cookies, Credit Cards, History, Passwords)
- Brave: AutoFill, Cookies, Credit Cards, History, Passwords
- Edge: AutoFill, Cookies, Credit Cards, History, Passwords
- Chrome: AutoFill, Cookies, Credit Cards, History, Passwords
- Firefox: one of the five categories
- Opera: AutoFill, Cookies, Credit Cards, History, Passwords
- OperaGX: four of the five categories
- Vivaldi: four of the five categories
- Yandex: four of the five categories
This decrypted data from various web browser databases is stored in log files, with the extracted content and corresponding log file paths outlined below:
- Autofill(): site name and autofill values; log file C:\Users\[username]\General\AutoFills.txt
- Creditcard(): credit card number, expiration month, and expiration year; log file C:\Users\[username]\General\CreditCards.txt
- Cookies(): path, domain, security attribute, HTTP-only attribute, expiration, decrypted cookie value; log file C:\Users\[username]\General\Cookies[Browser-name].txt
- History(): URL of the visited site and title of the site; log file C:\Users\[username]\General\History.txt
- Passwords(): URL, login or username, and password; log file C:\Users\[username]\General\Passwords[Browser-name].txt
Stealing System information
Rude Stealer also steals a variety of system-related details, which are listed below, and stores them in a respective text file located at “C:\Users\[username]”.
- System Time
- IP Address
- Country
- Drives
- Current Username
- Computer Name
- Language
- CPU Architecture
- Number of CPU Kernels
- GPU Name
- RAM (Random Access Memory)
- Screen Resolution
- Working Path
Data Compression, Transmission and Termination
Once it successfully gathers all required information from the victim’s system, Rude Stealer creates a ZIP archive labeled with the computer name. This archive is located at “C:\Users\[username]”. This archive includes all the TXT files containing stolen information, as well as the subdirectories (such as Discord and Steam) that the stealer created within the user profile directory.
Following the creation of the ZIP file, the stealer proceeds to transmit this data to the TA’s Telegram chat ID utilizing the Telegram bot API. The image below shows the content of the sendFile.class responsible for exfiltrating this stolen data.
As a final step, Rude Stealer engages in a cleanup procedure, deleting specific files and directories generated during its operation. This cleanup includes removing both the folder and any ZIP files associated with the computer’s name, after which the program terminates.
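The activity chain described above (a Java process running dxdiag, stealer log files under the user profile, a ZIP named after the host, then a Telegram upload) can be turned into a host-level correlation check. The following is an added example, not code from this report or from Cyble, run over constructed Sysmon-style events; the event field names (type, image, parent, target, dest) are assumptions about how telemetry has been normalised.

```python
"""Correlate endpoint events into the Rude Stealer behaviour chain (added example).
Events are dicts with assumed keys: type (process|file|network), image, parent,
target, dest. The sample events at the bottom are constructed, not real telemetry."""
import re

# Artefact file names the report attributes to the stealer, written under the
# profile root or in the Steam/Discord subfolders it creates there.
STEALER_FILES = {"log_info.txt", "auth_keys.txt", "process.txt",
                 "properties.txt", "screenshot.png"}
JAVA = re.compile(r"\\javaw?\.exe$", re.I)
PROFILE_FILE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(?:steam\\|discord\\)?([^\\]+)$", re.I)

def score_host(events):
    """Return (score, reasons): how many distinct chain stages one host showed.

    Each stage is weak alone (dxdiag is a legitimate tool); several stages tied
    to a Java process on the same host is what makes the alert worth raising."""
    reasons = set()
    for ev in events:
        img = ev.get("image", "")
        if ev["type"] == "process" and img.lower().endswith("\\dxdiag.exe") \
                and JAVA.search(ev.get("parent", "")):
            reasons.add("dxdiag spawned by a Java process (T1082)")
        elif ev["type"] == "file" and JAVA.search(img):
            m = PROFILE_FILE.match(ev.get("target", ""))
            if m and m.group(1).lower() in STEALER_FILES:
                reasons.add(f"Java wrote {m.group(1)} under the user profile")
            elif m and m.group(1).lower().endswith(".zip"):
                reasons.add("Java created a ZIP under the user profile")
        elif ev["type"] == "network" and JAVA.search(img) \
                and ev.get("dest", "").lower() == "api.telegram.org":  # Bot API host
            reasons.add("Java process contacted the Telegram bot API (T1567)")
    return len(reasons), sorted(reasons)

JAVA_EXE = r"C:\Program Files\Java\bin\java.exe"
SAMPLE_EVENTS = [  # constructed telemetry mimicking the chain in the report
    {"type": "process", "image": r"C:\Windows\System32\dxdiag.exe", "parent": JAVA_EXE},
    {"type": "file", "image": JAVA_EXE, "target": r"C:\Users\alice\Steam\Log_Info.txt"},
    {"type": "file", "image": JAVA_EXE, "target": r"C:\Users\alice\Discord\Auth_Keys.txt"},
    {"type": "file", "image": JAVA_EXE, "target": r"C:\Users\alice\DESKTOP-01.zip"},
    {"type": "network", "image": JAVA_EXE, "dest": "api.telegram.org"},
    {"type": "file", "image": r"C:\Windows\explorer.exe",  # benign, must not count
     "target": r"C:\Users\alice\Properties.txt"},
]

if __name__ == "__main__":
    print(score_host(SAMPLE_EVENTS))  # score 5 on the constructed sample
```
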
Attribution
Upon analysis of the discovered evidence, we can assume that Rude Stealer is likely operated by a TA associated with or operating from Turkey. This assessment is supported by the stealer’s action of retrieving the compromised system’s time and then converting it to Turkey’s time zone. The accompanying image shows the function responsible for this time conversion process.
Conclusion
Being a relatively straightforward stealer developed using Java, Rude Stealer may not have gained a lot of traction and relevance in the infosec community, unlike some other stealers in the wild that we have observed and analyzed.
However, as per our findings in this analysis, we believe Rude Stealer still poses a noteworthy threat to both individual users and organizations. Its use of Dxdiag to obtain sensitive information adds yet another layer of significance to its capabilities.
Rude Stealer’s adeptness in targeting various categories of highly sensitive information from diverse applications and browsers raises concerns in the current cybersecurity threat landscape. This compromised information, once in the hands of attackers, creates potential risks for financial exploitation and can be leveraged to launch additional attacks on individuals or organizations.
Recommendations
- To enhance security, we advise that users disable the automatic saving and storage of passwords by web browsers and opt for password managers instead.
- Establish stringent access controls or policies to regulate the execution of system tools such as dxdiag.
- Enforce strict rules to block the creation of text files within the user profile folder, particularly in sensitive paths like “C:\Users\[username]”.
- Use reputed anti-virus and internet security software packages on your connected devices, including PC, laptop, and mobile.
MITRE ATT&CK® Techniques
- Execution (TA0002): User Execution (T1204). Manual execution required.
- Credential Access (TA0006): OS Credential Dumping (T1003). Tries to harvest and steal browser information.
- Credential Access (TA0006): Steal Application Access Token (T1528). Steals application access tokens.
- Credential Access (TA0006): Credentials from Web Browsers (T1555). Steals credentials from web browsers.
- Discovery (TA0007): System Information Discovery (T1082). The stealer gathers system information through various methods.
- Collection (TA0009): Screen Capture (T1113). Takes a screenshot of the victim’s screen.
- Collection (TA0009): Data from the Local System (T1005). The malware collects sensitive data from the victim’s system.
- Exfiltration (TA0010): Exfiltration Over Web Service (T1567). Uses a Telegram channel to exfiltrate data.
Indicators Of Compromise
- 05b932d3306fb06ee961fd533d2faab92ed01f7f0ee2b7bea5a6a1f521154a94 (SHA256): Rude Stealer
- 7fd1fea4f939b5350a5699a69866e7714767a68f (SHA1): Rude Stealer
- 92aa4673f7885c6f6b4ea39cb2f1b643 (MD5): Rude Stealer
Rude Stealer YARA Rules
rule Rude_Stealer
{
    meta:
        author = "Cyble"
        description = "Detects Rude Stealer"
        date = "2023-11-20"
        os = "Windows"
        threat_name = "Rude Stealer"
        scan_type = "file"
        severity = 90
        reference_sample = "05b932d3306fb06ee961fd533d2faab92ed01f7f0ee2b7bea5a6a1f521154a94"
    strings:
        $a = "com/Rude/stealer/" ascii wide
        $b = "/decrypt/password/Password.class" ascii wide
        $c = "/nodes/impl/Screenshot.class" ascii wide
    condition:
        // ZIP/JAR signature "PK": YARA's uint16() reads little-endian, so the value is 0x4B50
        uint16(0) == 0x4B50 and all of them
}
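The rule's logic can be reproduced in Python for triage on hosts without YARA, and doing so makes the byte-order point explicit: YARA's uint16() reads little-endian, so the ZIP signature "PK" compares as 0x4B50. The following is an added example, not Cyble's tooling; the JAR entry paths in the samples are constructed around the rule's three strings and are not taken from the analysed sample.

```python
"""Static triage of JAR/ZIP files against the Rude Stealer YARA strings (added example).
Uses Python's zipfile rather than YARA; sample archives are built in memory."""
import io
import struct
import zipfile

# Entry-name fragments taken from the rule's $a, $b and $c strings.
MARKERS = ("com/Rude/stealer/",
           "/decrypt/password/Password.class",
           "/nodes/impl/Screenshot.class")

def is_zip_magic(data: bytes) -> bool:
    """Mirror YARA's uint16(0): little-endian, so b'PK' (0x50 0x4B) reads as 0x4B50."""
    return len(data) >= 2 and struct.unpack("<H", data[:2])[0] == 0x4B50

def match_rude_stealer(data: bytes) -> bool:
    """True when the file is a ZIP and every marker occurs in its entry names.

    Mirrors the rule's `all of them`: a single marker such as a Screenshot.class
    path is common in benign software, so all three are required."""
    if not is_zip_magic(data):
        return False
    try:
        names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        return False
    joined = "\n".join(names)
    return all(marker in joined for marker in MARKERS)

def build_sample_jar(entries) -> bytes:
    """Construct an in-memory JAR with the given entry names (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"\xca\xfe\xba\xbe")  # class-file magic as placeholder body
    return buf.getvalue()

# Constructed samples: entry paths chosen only to contain (or not) the three markers.
SUSPECT_JAR = build_sample_jar([
    "com/Rude/stealer/main/Start.class",
    "com/Rude/stealer/decrypt/password/Password.class",
    "com/Rude/stealer/nodes/impl/Screenshot.class"])
BENIGN_JAR = build_sample_jar([
    "com/example/App.class",
    "com/example/nodes/impl/Screenshot.class"])

if __name__ == "__main__":
    print(match_rude_stealer(SUSPECT_JAR), match_rude_stealer(BENIGN_JAR))  # True False
```
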
Source: https://cyble.com/blog/new-java-based-rude-stealer-abuses-directx-diagnostic-tool/