Mini Stealer’s Builder & Panel released for free

During a routine threat hunting exercise, Cyble Research and  Intelligence Labs (CRIL) discovered a post on a cybercrime forum where a Threat Actor (TA) released MiniStealer’s builder and panel for free.

The TA claims that the stealer can target operating systems such as Windows 7, 10, and 11. Using such builders, TAs can easily generate malicious payloads. MiniStealer mainly targets FTP applications and Chromium-based browsers.

Nearly a month after the release of MiniStealer, the same TA made a post selling Parrot Stealer’s builder and panel for USD 50. The TA stated that this stealer is based on MiniStealer. We suspect that the TA might have added the functionalities in Parrot stealer which were missing in MiniStealer.

The figure below shows the Parrot stealer panel.

Builder and Web Panel

The zip file leaked by TA contains two folders, as shown below. These folders contain the following files:

MiniStealerBuilder.exe, Stub

• Panel:
  Web Panel Source code

The builder released by the TA is a .NET-based binary. It has the functionality to add the Command and Control (C&C) details to the payload. The builder loads a file named “stub,” which is the actual payload, and then writes the C&C details to it for generating the final payload.

The test button shown in the figure below sends the Test Logs to the C&C server to check if the connection can be established. These logs contain three connection strings TestUser, TestPass, and TestHost.

The TA has also released the source code of the web panel, which can be used to receive stolen data from a target network. The figure below shows the web panel.

Technical Analysis

(Sample SHA256:e837a0e6b01ca695010ee8bc4df57a6a9c6ef6e2c22e279501e06f61f0354f67)

Mini Stealer is a 64-bit .NET-binary that uses Timestomping. Timestomping is a technique that modifies the timestamps of a file. Adversaries use this technique on their payloads to deflect any unnecessary attention during forensic investigations.

The stealer uses multiple AntiAnalysis checks to prevent debugging of the sample. To detect profiling, the code verifies if the COR_ENABLE_PROFILING environment variable is present and set to 1. Profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET Common Language Runtime.  The figure below showcases the stealer detecting profiling.

This stealer spawns a thread for continuously checking if the stealer payload is being debugged. To check for the presence of debuggers, this thread executes methods such as IsDebuggerPresent, OutputDebugString, and Debugger.IsLogging.

This stealer payload steals data from the following Chromium-based browsers and FTP applications. The stealer appears to be in the development stage as several FTP applications are hardcoded in the stealer, but it does not appear to target all of them.

The TA might have added these functionalities in Parrot Stealer, which is suspected to be an upgraded paid version of MiniStealer. For the FTP application, the stealer steals data from configuration files. For browsers, the stealer copies certain files for exfiltration present in the AppDataBrowser directory, which stores user session and login credentials, as shown in the figure below.

Over 25 Chromium-based browsers:

Chrome, AvastBrowser, AVGBrowser, Browser360, CCleanerBrowser, CentBrowser, Chedot, Citrio, CocCoc, ComodoDragon, CoolNovo, Coowon, ElementsBrowser, EpicPrivacyBrowser, IridiumBrowser, Kometa, LiebaoBrowser, Maxthon, OperaGX, OperaNeon, Orbitum, QIPSurf, Sleipnir, SlimJet, Sputnik, SRWareIron, uCozMedia, Vivaldi, Yandex,

Over 20 FTP Applications:

Filezilla, FlashFXP, AutoFTPManager, AutoFTPPro, BitKinex, BulletproofFTP, ClassicFTP, CoreFTP, CuteFTP, Cyberduck, Dreamweaver, FreeFTP, DirectFTP, ftpcommander, FTPEXPLORER, FTPRush, FTPvoyager, LeapFTP, MultiCommander, SmartFTP, SuperPutty, TotalCommander, TurboFTP, WSFTP, WinSCP

Conclusion

The availability of free malware builders and panels can assist TAs in carrying out attacks, as TAs do not need to invest time and money to get malware payloads for cybercrime purposes. There is always the possibility that TA might have released the builder and panel of MiniStealer for free for marketing purposes and to build a reputation amongst themselves on cybercrime forums.

The TA’s behavior further reinforces this theory as after 1 month; they began selling a paid stealer, which is suspected to be based on MiniStealer. CRIL continuously monitors emerging threats and has observed a surge in the use of stealer malware by TAs.

Our Recommendations 

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:   

How to prevent malware infection?  

• Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc., contains such malware.  
• Use strong passwords and enforce multi-factor authentication wherever possible.   
• Turn on the automatic software update feature on your computer, mobile, and other connected devices.  

• Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.  
• Refrain from opening untrusted links and email attachments without first verifying their authenticity.   
• Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.  
• Block URLs that could be used to spread the malware, e.g., Torrent/Warez.  
• Monitor the beacon on the network level to block data exfiltration by malware or TAs.  

MITRE ATT&CK® Techniques 

Indicators of Compromise (IOCs) 

Related

Source: https://blog.cyble.com/2022/08/29/mini-stealer-possible-predecessor-of-parrot-stealer/