SamsStealer: Unveiling the Information Stealer Targeting Windows Systems – CYFIRMA

Published On : 2024-05-20

EXECUTIVE SUMMARY

At CYFIRMA, we provide timely insights into prevalent threats and malicious tactics affecting organizations and individuals. Our research team recently identified a binary in the wild, identified as an information stealer; “SamsStealer”. It is a 32-bit Windows executable designed to stealthily extract sensitive information from victims’ systems. Written in .NET, this malware targets a wide range of browsers and applications, including Discord, Chrome, and Microsoft Edge, to steal passwords, cookies, and cryptocurrency wallet data. After gathering the desired data, it compresses it into a ZIP archive, uploads it to an online file-sharing service, and sends the download link via Telegram to the attacker. With its stealthy operation and comprehensive data exfiltration capabilities, the stealer poses a significant threat to users’ privacy and security.

INTRODUCTION

“SamsStealer,” represents a new wave of information stealers targeting Windows systems. This malicious executable, written in .NET, has been observed propagating in a Telegram channel named “SamsExploit”. The information stealer exhibits behaviour designed to covertly extract sensitive information from victims’ computers. In this report, we provide an in-depth analysis of the malware, examining its characteristics, execution flow, targeted browsers and applications, stolen information, cleanup and exfiltration methods, and communication channels. By understanding the modus operandi of this malware, we aim to equip users and security professionals with the knowledge needed to detect, mitigate, and protect against this evolving cyber threat.

KEY POINTS

• CYFIRMA research team identified a new information stealer binary propagated as “SamsStealer” in Telegram.
• It collects system information and creates a Temp folder to store the extracted information in the folder as different text files.
• The stealer asynchronously steals information, session data, and wallet information, which constitutes cryptocurrency wallet data including private keys and addresses, IP and system information, Passwords, cookies, and session data from various sources, Discord account details, and Telegram data.
• It uses concurrency for efficiency and removes unnecessary files from stolen data.
• Targeted Browsers and Applications include Discord variants, Telegram, Chrome, Firefox, Opera, Brave, Chromium, EpicPrivacy, Opera, gaming browser OperaGx, Vivaldi, and Yandex.
• Targeted cryptocurrency wallets include Bitcoin, Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, AtomicWallet, Guarda, and Coinomi.
• The malware employs a multi-step process to manage stolen data efficiently. It begins by compressing the gathered information into a ZIP file named “Backup.zip”. Subsequently, it leverages the “gofile.io” online file-sharing platform to upload this compressed file.
• Finally, it utilizes the messaging service Telegram to dispatch the download link of the uploaded file to the attacker for retrieval.

ETLM ATTRIBUTION

The CYFIRMA research team is dedicated to continuously investigating evolving threats, malware, and the Tactics, Techniques, and Procedures (TTPs) employed by malicious actors. We actively monitor current threats, track ongoing campaigns, assess their progression, and stay vigilant for new developments in this dynamic landscape. Building on these efforts, we have recently identified a new information stealer circulating freely in the threat landscape, with its latest version, V2, being distributed via a Telegram channel with the name “SamsExploit”.

Enhanced Capabilities and Regional Origins of SamsStealer:
The latest version, V2, claims to enhance its capabilities by targeting an additional 7 browsers to steal passwords and cookies, as well as Telegram, Discord, and cryptocurrency wallets. Additionally, like many freely available tools, the author asserts that this stealer is intended for educational purposes—a common disclaimer seen on platforms like Telegram and GitHub when distributing such malware, but often customized and exploited for malicious purposes by seasoned cybercriminals and threat actors. The group’s users predominantly speak Hindi, suggesting their origin is likely from South Asia, particularly India.

It is a common practice within the cybercrime community to reuse and rebrand info stealers. Criminals often acquire existing info stealers, customize them for their own purpose and add specific features to target specific victims or suit their particular modus operandi. This approach saves time and resources while leveraging the expertise of other cybercriminals. Info stealers are not only favored by seasoned cybercriminals but are also popular among less sophisticated attackers. These tools provide an accessible entry point for beginners to learn about malware deployment and data exfiltration techniques. The ease of use and availability of pre-configured options make them an attractive choice for those new to cybercrime, allowing even novice hackers to execute effective attacks and such freely available malware always pose a threat to individuals and organizations.

OSINT Investigation Reveals Multiple SamsStealer Samples:
As per OSINT investigation, we have identified many samples of SamsStealer submitted online since April 24.

The Proliferation of Info Stealers in Cybercrime:
In the space of cybercrime, info stealers have become increasingly prevalent. These malicious tools are designed to covertly steal sensitive data from unsuspecting individuals and organizations. They are readily available for purchase on underground online forums and Telegram channels, making them a popular choice among cybercriminals due to their affordability and effectiveness in breaching computer systems.

Given the growing demand for info stealers, it is crucial for organizations to implement robust cybersecurity measures to safeguard their systems and data. Regular updates, strong passwords, multi-factor authentication, and comprehensive endpoint security solutions are essential tools in combating these cyber threats.

ANALYSIS:

Basic Details:
MD5: 83f94302ae92909bc3b2834a5342d4a5
SHA256: 766b8294e401d9c457d53e45e15e26591b3c5c86315d81d9d17e5696cc0f13e1
File Type: Win32 EXE

Basic Info:
The information stealer binary is a 32-bit Windows executable, written in .NET, and the name in the description given as “amsiwala”. However, the malware is propagated as “SamsStealer” in a Telegram channel.

Upon execution, the stealer creates a temporary folder “MyTempFolder” in the system’s temporary directory “C:UsersUsernameAppDataLocalTemp”.

If the folder is created successfully, it notifies the console. It later hides the console window before executing the rest of the code.

Information Gathering:
The malware makes asynchronous calls to methods to steal passwords and cookies from these respective browsers. It gathers IP and general system information, steals session information from messaging applications like Telegram, it retrieves Discord account information, steals wallet information, and saves it in the temporary folder created earlier and later exfiltrates the data.

The malware steals passwords from Chrome, formatting it, and storing it in a text file within the previously created temporary folder. It retrieves an array of Passwords along with their associated URLs and usernames. Further, it prints a success message to the hidden console indicating that passwords have been stolen and saved successfully.

The stealer further operates similarly to the password-stealing operation but focuses on stealing and saving cookies from the Chrome browser. These cookies may contain sensitive session information, potentially allowing unauthorized access to various online accounts.

Similar to the above operations, the stealer targets the Microsoft Edge browser for password and cookie theft. The stolen passwords and cookies are saved to a text file within the temporary folder. Further, the stealer retrieves passwords and cookies from other browsers including Brave, Chromium, EpicPrivacy, Opera, gaming browser OperaGx, Vivaldi, and Yandex.

Geolocation and IP Identification:
It makes an HTTP GET request to the URL “http[:]//ip-api[.]com/json/?fields=225545” to fetch information about the current IP address

The response is deserialized into an object. The stealer then extracts various pieces of information from the deserialized object, such as country, region name, timezone, reverse DNS, mobile status, proxy status, and the queried IP address. It does this by accessing specific fields in the deserialized object. This functionality is used for purposes such as geolocation and IP identification.

Storing Files in the “MyTempFolder” Directory:
The following are the files with different names stored in the earlier created folder in the Temp directory with the name “MyTempFolder”. It contains extracted information from various browsers, cookies, passwords wallets, and system information.

Targeting Telegram:
The stealer is designed to steal session data from the Telegram Desktop application. To steal session data from the Telegram Desktop application running on the victim’s system, it first identifies relevant files and directories associated with Telegram sessions, copies them to a temporary folder created earlier, and compresses them into a zip file. The operation aims to gain unauthorized access to Telegram accounts and extract sensitive information, such as messages and contact lists, for malicious purposes.

Targeting Discord and Browser Tokens:
The stealer facilitates the stealthy extraction of account tokens from multiple applications and browsers installed on the victim’s system. By targeting a diverse range of software, including messaging platforms like Discord, and browsers like Chrome, Firefox, and Opera, among others, the malware aims to gather sensitive information that could be exploited for unauthorized access or further malicious activities. It leverages concurrency to enhance efficiency.

Applications and browsers targeted are Discord, Discord Canary, Lightcord, Discord PTB, Opera, Opera GX, Amigo, Torch, Kometa, Orbitum, CentBrowse, 7Sta, Sputnik, Vivaldi, Chrome SxS (Canary), Chrome, FireFox, Epic Privacy Browser, Microsoft Edge, Uran, Yandex, Brave, and Iridium.

The stealer collects and saves Discord account information to the text file. This includes various details such as username, user ID, authentication status, contact information, subscription status, billing details, and account token.

Stealing Crypto Wallet Data:
The stealer also aims at stealing cryptocurrency wallet data. By systematically locating and copying wallet contents from predefined paths, it enables the malware to acquire valuable information necessary for unauthorized access to cryptocurrency holdings.

It identifies various types of cryptocurrency wallets such as Bitcoin, Ethereum, Zcash, etc., by their known default paths. By copying the contents of these wallets to the designated location, the malware gains access to private keys, wallet addresses, and other sensitive information crucial for accessing and controlling cryptocurrency assets.

Finally, it returns the count of successfully copied wallets. Following cryptocurrency wallets are targeted by the stealer.

• Bitcoin: Located in `%appdata%Bitcoinwallets`
• Zcash: Located in `%appdata%Zcash`
• Armory: Located in `%appdata%Armory`
• Bytecoin: Located in `%appdata%Bytecoin`
• Jaxx: Located in `%appdata%com.liberty.jaxxIndexedDBfile_0.indexeddb.leveldb`
• Exodus: Located in `%appdata%Exodusexodus.wallet`
• Ethereum: Located in `%appdata%Ethereumkeystore`
• Electrum: Located in `%appdata%Electrumwallets`
• AtomicWallet: Located in `%appdata%atomicLocal Storageleveldb`
• Guarda: Located in `%appdata%GuardaLocal Storageleveldb`
• Coinomi: Located in `%localappdata%CoinomiCoinomiwallets`

Cleanup Operation:
After stealing and retrieving all information from the victim machine, the stealer stores the data in a text file in the “MyTempFolder” and later performs cleanup operations by removing empty text files (0KB size). This functionality is useful not only for preventing clutter caused by empty or unnecessary files but also to optimize the data exfiltration efforts by reducing the volume of unnecessary files.

Data Compression and Exfiltration Process:
The stealer then compresses the “MyTempFolder” folder which contains all the extracted data from the victim’s machine into a ZIP archive, saves the zip file with the name “Backup.zip” at path “C:UsersUsernameAppDataLocalTemp” and then deletes the original folder “MyTempFolder”. Finally, it logs a message confirming the successful zipping and deletion of the folder.

The stealer then uploads the “Backup.zip” file to the free online file-sharing service “gofile.io” and sends the download link via the messaging service “Telegram” to the attacker. It initializes an instance of HttpClient for HTTP requests and sets the bot token and chat ID required for sending messages via Telegram.

It checks if the backup ZIP file exists in the temporary folder. If the file exists, it uploads it to “gofile.io” and obtains the download link (highlighted in the below screenshot).

As shown below, the zip file “Backup.zip” is uploaded to the free online file-sharing service gofile.

Upon successful upload, it sends the message:
New goat Detected
Join Now: @SamsExploit
Download Link: https[:]//gofile[.]io/xxxxx

to the specified Telegram chat ID with the zip file download link of the gofile service.

CONCLUSION

At Cyfirma, our commitment is to provide timely insights into prevalent threats and malicious tactics. Our recent identification of this new information stealer “SamsStealer” presents a significant threat to user privacy and security by stealthily extracting sensitive data from victim systems. Through its comprehensive approach, it targets a wide range of browsers, applications, and cryptocurrency wallets to gather passwords, cookies, session data, and cryptocurrency wallet information. Leveraging a combination of asynchronous operations, concurrency, and cleanup mechanisms, the malware efficiently collects and exfiltrates stolen data. By utilizing online file-sharing services like gofile.io and messaging platforms like Telegram for data transmission, the malware ensures seamless communication with its operators. As cyber threats continue to evolve, understanding the tactics and techniques employed by malware like SamsStealer is crucial for effective threat detection, mitigation, and prevention strategies.

As organizations and individuals navigate the increasingly complex threat landscape, it is imperative to remain vigilant and adopt proactive defense strategies informed by technical insights and analysis. Our ongoing research aims to provide timely intelligence and technical expertise to empower defenders in their efforts to safeguard against evolving cyber threats.

LIST OF IOCS

Sr No.	Indicator	Type	Remarks
	83f94302ae92909bc3b2834a5342d4a5	MD5 File Hash	SamsStealer
	824e149b9c2bdd5dbe37f472533230af	MD5 File Hash	Other Sample
	1f913f8d71f0f4d65858b5ba0ea94a9c	MD5 File Hash	Other Sample
	56acc1496d8e5bbc0e412c683971b809	MD5 File Hash	Other Sample
	631eacb4519fd49048491c9b5ec6bda5	MD5 File Hash	Other Sample
	64410e06f80e75b6503e5525c323243b	MD5 File Hash	Other Sample
	7d63047a48fa8984f11544149c2f0e70	MD5 File Hash	Other Sample
	da493648ca3b8fd9dbad7bbca659b796	MD5 File Hash	Other Sample
	02fe599ed41cc4bd54a1d6a3cc2d830a	MD5 File Hash	Other Sample
	cb95c77750732c0a4dd29c1d4feb6f69	MD5 File Hash	Other Sample
	11751f8d847764936b7bf014302da87f	MD5 File Hash	Other Sample
	31c73ad35b23e4d98ed974e604b85e00	MD5 File Hash	Other Sample

MITRE ATT&CK TTPs

No.	Tactic	Technique
1	Initial Access (TA0001)	T1566: Phishing
		T1566.001: Spear phishing Attachment
2	Execution (TA0002)	T1204: User Execution
		T1204.002: Malicious File
3	Discovery (TA0007)	T1082: System Information Discovery
4	Collection (TA0009)	T1005: Data from Local System
5	Exfiltration (TA0010)	T1041: Exfiltration Over Command-and-Control Channel
		T1567.003: Exfiltration to Text Storage Sites

YARA Rules

rule SamsStealer
{
meta:
description = “SamsStealer”
author = “CRT”
date = “18-05-2024”
strings:
$amsiwala = “amsiwala”
$guid = “f835a9e7-2542-45c2-9d85-ec0c9fdffb16”
$tempFolder = “MyTempFolder”
$backupPasswords = “BackuperPasswords”
$backupCookies = “BackuperCookies”
$shortPasswords = “ShorPasswoods”
$shortCookies = “ShorKoockies”
$stealSessions = “SteopalSessions”
$tokenStealer = “TokenSteopaler”
$walletStealer = “WalletSteopaler”
$stealWallets = “SteopalWallets”
$removeZeroKbTxtFiles = “RemoveZeroKbTxtFiles”
$telegramBotToken = “7194596589:AAEAkHG1h-0k_Ul5n4knbW3aoNNBgiWGy_o”
$stolenPasswords = “stolen_passwords.txt”
$stolenCookies = “stolen_cookies.txt”
$passwordsFromEdge = “passwords_from_edge.txt”
$cookiesFromEdge = “cookies_from_edge.txt”
$passwordsFromBrave = “passwords_from_Brave.txt”
$cookiesFromBrave = “cookies_from_Brave.txt”
$passwordsFromChromium = “passwords_from_Chromium.txt”
$cookiesFromChromium = “cookies_from_Chromium.txt”
$passwordsFromEpicPrivacy = “passwords_from_EpicPrivacy.txt”
$cookiesFromEpicPrivacy = “cookies_from_EpicPrivacy.txt”
$passwordsFromOpera = “passwords_from_Opera.txt”
$cookiesFromOpera = “cookies_from_Opera.txt”
$passwordsFromOperaGx = “passwords_from_OperaGx.txt”
$cookiesFromOperaGx = “cookies_from_OperaGx.txt”
$passwordsFromVivaldi = “passwords_from_Vivaldi.txt”
$cookiesFromVivaldi = “cookies_from_Vivaldi.txt”
$passwordsFromYandex = “passwords_from_Yandex.txt”
$cookiesFromYandex = “cookies_from_Yandex.txt”
$sourceTxt = “Source.txt”
$removedZeroKbTxtFile = “Removed 0KB text file”
$ipApiUrl = “http://ip-api.com/json/?fields=225545”
$backupZip = “Backup.zip”
$newGoatDetected = “New goat Detected!”
$samsExploitChannel = “@SamsExploit”
condition:
any of them
}

RECOMMENDATIONS

• Deploy robust endpoint security solutions with advanced threat detection and prevention mechanisms to effectively identify and neutralize malicious activities.
• Employ reputable antivirus and anti-malware software capable of promptly detecting and removing malicious payloads to enhance overall system security.
• Ensure regular updates for operating systems, applications, and security software to address known vulnerabilities frequently exploited by threat actors.
• Implement network segmentation to limit lateral movement, preventing malware from accessing critical assets and containing potential threats.
• Conduct thorough employee training on phishing threats, emphasizing the dangers of opening attachments or clicking on links in unsolicited emails.
• Educate employees to recognize social engineering tactics, empowering them to avoid falling victim to deceptive tricks that could lead to the execution of malicious files.
• Configure firewalls to block outbound communication with known malicious IP addresses and domains linked to command-and-control servers.
• Implement behaviour-based monitoring to detect unusual activity patterns, including suspicious processes attempting unauthorized network connections.
• Enforce application whitelisting policies to permit only approved applications, preventing the execution of unauthorized or malicious executables.
• Monitor network traffic for anomalous patterns, such as large data transfers to unfamiliar or suspicious IP addresses, indicates potential threats.
• Create a comprehensive incident response plan outlining necessary steps in case of malware infection, including isolating affected systems and promptly notifying relevant stakeholders.
• Stay informed with the latest threat intelligence reports and indicators of compromise related to malware to proactively identify and mitigate potential threats.
• Implement regular backups of critical data and systems to minimize the impact of ransomware attacks or data loss due to malware infections.
• Follow the principle of least privilege (PoLP) by restricting user permissions to those required for specific roles, limiting the impact of malware relying on elevated privileges.
• Build and implement safeguarding measures by monitoring/blocking Indicators of Compromise (IOCs) and enhancing defense based on tactical intelligence and provided rules.

Source: Original Post