Open Source Stealers (OSS) – Python – K7 Labs

Python has dominated other programming languages over the past decade and keeps growing with the support of its open source community. Many open source Python projects and applications are popular and used by millions of users; but have you heard of open source malware? In recent times, many open source repositories have published working Python code that carries out data theft operations. With a little knowledge of Python, anybody can build such malware and deploy it to a victim’s machine.

Recently we received a sample from a third-party antivirus tester which at first glance looked like a Python-based binary, but was not classified as PyInstaller-packed when we scanned it with the “Detect It Easy” tool, as shown below. We found this sample to be the BlankGrabber malware, and we analyse it in this blog.

Figure 1: File type Scan

But when we looked at the strings of the executable, they turned out to be related to Python, as seen in Figure 2, which prompted us to investigate further.

Figure 2: Strings found in the sample

Let’s quickly analyse the sample, and then we will look at the build process.

Sample Analysis

To the naked eye the executable looks legitimate: it carries a certificate, although a fake one, and reuses the version information of Microsoft’s benign “On-Screen Keyboard”, as shown in Figures 3 and 4.

Figure 3: Version details
Figure 4: Sign details

As this is a PyInstaller executable, pyinstxtractor (https://github.com/extremecoders-re/pyinstxtractor) can extract the archive’s contents. The compiled file “loader-o.pyc” can then be decompiled using pycdc (https://github.com/zrax/pycdc).

Figure 5: Decompiled file – loader-o.py (Entry point)

Running the script (Figure 5) decrypts blank.aes, inside which the “stub-o.pyc” file is archived. Decompiling “stub-o.pyc” in turn yields obfuscated code, as shown below.

Figure 6: Obfuscated code

We had to write a small decompile script based on the source code and used Python’s “dis” module to obtain the disassembled code.
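The same “dis”-based approach, as an added example that is not K7 Labs’ script: it strips the .pyc header (16 bytes, Python 3.7+), unmarshals the code object and walks every nested code object, returning instructions and string constants for triage. The sample .pyc is constructed in-process; a real stub must be loaded with the same Python version it was compiled for, because marshal is version-specific.

```python
import dis
import importlib.util
import marshal
import struct
import types

PYC_HEADER_SIZE = 16  # Python 3.7+: magic(4) + flags(4) + mtime(4) + size(4)

# Constructed stand-in for a stub; nothing from the real sample.
SAMPLE_SOURCE = "import os\ndef f():\n    return os.getenv('APPDATA')\n"


def make_pyc(source: str) -> bytes:
    """Build a .pyc image (header + marshalled code) for the constructed sample."""
    code = compile(source, "<constructed>", "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 0, len(source))
    return header + marshal.dumps(code)


def load_code(pyc: bytes) -> types.CodeType:
    """Refuse pyc files whose magic differs from the running interpreter,
    since marshal.loads would otherwise produce garbage or crash."""
    if pyc[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("pyc magic does not match this interpreter")
    return marshal.loads(pyc[PYC_HEADER_SIZE:])


def _clean(argrepr: str) -> str:
    # Newer dis output decorates names with "NULL + " / " + NULL|self"; drop it.
    return " + ".join(p for p in argrepr.split(" + ") if p not in ("NULL", "NULL|self"))


def disassemble(code: types.CodeType, scope: str = "<module>") -> list:
    """Return (scope, opname, arg) for this code object and all nested ones."""
    rows = [(scope, i.opname, _clean(i.argrepr)) for i in dis.get_instructions(code)]
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            rows.extend(disassemble(const, f"{scope}.{const.co_name}"))
    return rows


def loaded_names(rows: list) -> set:
    """Modules, globals and attributes the code touches: a quick capability triage."""
    ops = {"IMPORT_NAME", "LOAD_GLOBAL", "LOAD_NAME", "LOAD_ATTR", "LOAD_METHOD"}
    return {arg for _, op, arg in rows if op in ops and arg}


def string_constants(code: types.CodeType) -> set:
    """All str constants across nested scopes (paths, URLs, commands show up here)."""
    out = set()
    for const in code.co_consts:
        if isinstance(const, str):
            out.add(const)
        elif isinstance(const, types.CodeType):
            out |= string_constants(const)
    return out
```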

Pre-execution check

Before collecting data from the victim’s machine, the stealer creates a mutex entry to avoid running multiple instances. It also does some preliminary preparation: it obtains admin rights, excludes the executable from Defender detection and disables Defender, as depicted in Figures 7 and 8.

Figure 7: Some of the preliminary functions
Figure 8: Decoded powershell command to disable defender
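Detection logic for the encoded PowerShell stage above, added here as an example and not taken from the article: it decodes the base64/UTF-16LE payload behind the -enc flag in process-creation command lines and flags Defender exclusion or real-time-monitoring changes. The log lines and the cmdlet arguments are constructed for the demo.

```python
import base64
import re

# Cmdlets/parameters that indicate Defender tampering (exclusion or disable).
TAMPER_PATTERNS = {
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I),
    "realtime_disabled": re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$?true", re.I),
    "set_preference": re.compile(r"Set-MpPreference", re.I),
}
# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an -enc payload."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_cmdline(cmdline: str) -> dict:
    """Match tamper patterns against the decoded script, or the raw line if not encoded."""
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    return {"decoded": decoded, "hits": [n for n, rx in TAMPER_PATTERNS.items() if rx.search(text)]}


def scan(lines: list) -> list:
    """(index, hits) for every line that triggers at least one pattern."""
    results = [(i, analyse_cmdline(l)["hits"]) for i, l in enumerate(lines)]
    return [(i, h) for i, h in results if h]


def encode_for_demo(script: str) -> str:
    # Constructed: how an -enc argument is produced (UTF-16LE then base64).
    return base64.b64encode(script.encode("utf-16-le")).decode()


SAMPLE_LOG = [  # constructed process-creation command lines
    "powershell.exe -nop -w hidden -enc " + encode_for_demo('Add-MpPreference -ExclusionPath "C:\\Temp\\stub.exe"'),
    "powershell.exe -EncodedCommand " + encode_for_demo("Set-MpPreference -DisableRealtimeMonitoring $true"),
    "powershell.exe -enc " + encode_for_demo("Get-Date"),
    "powershell.exe -Command Get-Process",
]
```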

Any executable bundled while building the malware is extracted from the data folder and launched as a separate process, after which the stealing activity continues.

Figure 9: Bound file execution

VM Protection

It checks the environment in which the sample is being executed against a list of blacklisted UUIDs, computer names, usernames and tasks, as shown in Figure 10. It also checks registry keys for traces of a VM, as shown in Figure 11.

Figure 10: Blacklist tuple
Figure 11: VM traces on registry key

Stealer Functions

Once it confirms that it is not running in a controlled environment, it triggers all the stealer functions in multiple threads to collect the data and send it to the threat actor quickly, as highlighted in Figure 12.

Figure 12: Different stealer functions

We will look at some of the stealer functions this malware uses for data exfiltration.

Browser Data

It collects data from Chromium-based browsers, as depicted in Figure 13.

Figure 13: Browser data exfiltration

As highlighted in Figure 14, it fetches passwords, history, cookies and autofill details by querying the SQLite databases in which the browser stores its activity on the user’s system.

Figure 14: Querying sqlite DB

Discord Data

Malware like BlankGrabber is mainly used to collect Discord information from the victim’s machine. As shown in Figure 15, it gathers data from various locations and retrieves the Discord profile information.

Figure 15: Discord user information stealer

Telegram data

It looks for the Telegram desktop application on the victim’s machine by traversing the shortcuts, and copies the key data file to a temp location, as shown in Figure 16.

Figure 16: Telegram data stealer

Crypto Wallet data

It captures the stored data of some popular crypto wallets from the AppData location and from browser extension settings, as depicted in Figure 17.

Figure 17: Wallet detail stealer

Wifi password data

Wi-Fi profiles and passwords are captured using the “netsh” tool, as shown in Figure 18.

Figure 18: wifi password stealer

Screenshots

The stealer takes screenshots while it is executing and stores them as Display (n).png, where n starts at 1 and increments by 1; refer to Figures 19 and 20.

Figure 19: Encoded powershell command to take screenshot
Figure 20: Decoded Powershell command

Webcam capture

It takes pictures of the user by calling the webcam drivers through Python’s “ctypes.windll” and stores them as .bmp images in the temp location, as shown in Figure 21.

Figure 21: Snapshots using Webcam

System Info & File stealer

It gathers some basic system information and the MAC address of the victim’s machine, as shown in Figure 22.

Figure 22: System Information

The malware steals files with specific extensions, and only from specific folders, on the victim’s machine.

Figure 23: File extensions and specific folders

Build the Malware

This malware has been live since late 2022 and became more active in mid-2023. Although the developer of the repo states in the disclaimer that it is for educational purposes, it has been used in malicious activities.

A person with a little knowledge of Python can customise this stealer; even someone with no knowledge of Python can build the malware, because it comes with a Graphical User Interface (GUI), shown in Figure 24, that eases the build process.

Figure 24: Builder GUI

The build process is initiated by the Builder batch file, which launches gui.py to show the Builder GUI and collect input from the threat actor.

Figure 25: Build files

The malicious code resides in the components folder, in a file named stub.py, whose “Settings” class variables are replaced with the received inputs, as shown in Figure 26.

Figure 26: Variable mapping

Obfuscation

The code has been obfuscated at multiple levels using BlankOBF.py, which compiles the malware code and splits it into 4 parts. The part at index 0 is further encoded with codecs and the part at index 2 is reversed; then all the split parts are shuffled and joined, as shown in Figure 27.

Figure 27: Main Obfuscation Technique

The obfuscated code is then padded with junk code that has no effect on running the malware but makes analysis harder.

Figure 28: Adding junk code

Finally, after the junk code is added, the result is compiled and archived, then encrypted with AESModeOfOperationGCM from a typo-squatted “pyaes” module which the same repo developer published on PyPI, as shown in Figure 29.

Figure 29: “pyaes” package

Hide the packer

Once the executable is created, the packer and entry point information are modified as shown in Figure 30, so that a scan will not detect it as a “PyInstaller” sample (refer to Figure 1).

Figure 30: Hiding packer details
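A triage check that does not depend on the packer signature that Figure 1 shows being defeated, added here as an example and not K7 Labs’ tooling: it searches the whole file for the PyInstaller archive cookie (magic MEI\x0c\x0b\x0a\x0b\x0e, PyInstaller 2.1+ layout), parses the bundled Python version and DLL name, and falls back to Python-related strings like those in Figure 2. The binary is a constructed stand-in, not the real sample.

```python
import struct

PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# PyInstaller 2.1+ cookie (network byte order): magic, package length,
# TOC offset, TOC length, python version, python DLL name.
COOKIE_FMT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes
PY_STRINGS = [b"_MEIPASS2", b"PyInstaller", b"pyi-runtime-tmpdir", b"Py_Initialize"]


def find_cookie(data: bytes):
    """Locate the last cookie anywhere in the file (trailing data such as an
    appended signature pushes it away from the very end, where tools expect it)."""
    pos = data.rfind(PYINST_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(COOKIE_FMT, data[pos:pos + COOKIE_SIZE])
    # Older builds store 3.7 as 37, newer ones as 307/311.
    maj, minr = (pyver // 100, pyver % 100) if pyver >= 100 else (pyver // 10, pyver % 10)
    return {"offset": pos, "package_length": pkg_len, "toc_offset": toc_off,
            "toc_length": toc_len, "python": f"{maj}.{minr}",
            "pylib": pylib.rstrip(b"\0").decode(errors="replace")}


def python_strings(data: bytes) -> list:
    return [s.decode() for s in PY_STRINGS if s in data]


def triage(data: bytes) -> dict:
    """'pyinstaller' if the cookie is present, 'python-suspect' on strings only."""
    cookie = find_cookie(data)
    strings = python_strings(data)
    verdict = "pyinstaller" if cookie else ("python-suspect" if strings else "unknown")
    return {"verdict": verdict, "cookie": cookie, "strings": strings}


def build_sample() -> bytes:
    """Constructed binary: PE-like prefix, one runtime string, a cookie, junk tail."""
    body = b"MZ" + b"\0" * 62 + b"...code..." + b"_MEIPASS2\0" + b"X" * 200
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, 4096, 3900, 120, 311,
                         b"python311.dll".ljust(64, b"\0"))
    return body + cookie + b"\xab" * 32  # trailing bytes after the cookie
```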

Sample output

The malware sends all the grabbed information as an archive file (refer to Figure 32), along with a summary, to the C2, as shown in Figure 32.

Figure 31: File received with Grabbed details
Figure 32: Archive file structure with various grabbed information

Indicators of Compromise (IoCs)

Hash                               Detection Name
b1c222dc81a4c1bfe401c1c90d592ad8   Suspicious Program ( ID700026 )
bf552178396e2c988549aed62e1e3221   Suspicious Program ( ID700026 )

URLs

hxxp[://oniwtfxxx.ct8.pl/svhost.exe

hxxp[://kreedcssg3.temp.swtest.ru/vsc.exe

C2 Address

hxxps[://discord.com/api/webhooks/1132809798509940777/vMplDDwRyx_6_5uYKAXG7bHS-mDzPgPXAJPMkjW0mOGRCJHraAdTsRBlguXlivb1DOef

hxxps[://discord.com/api/webhooks/1175476732808155136/yWG3KpQSZDr3w_4pauQKwyHUcFjDeip0NNMvypVQ-rLtb-6Olf6bJH3ZSNvGqPPOGdoA
