Cyble – New Information Stealer Targeting Crypto-wallets
Category

Doenerium Stealer masquerading as Windows Malicious Software Removal Tool

Cyble Research and Intelligence Labs (CRIL) spotted a malicious domain being used in a spear-phishing email campaign targeting Office365 users to steal credentials. The same domain was observed hosting multiple other malware variants, for example, a new stealer called “Doenerium stealer.”

Case 1:

The spear phishing email contains a link masquerading as a PDF attachment targeting Office365 users, as shown below.

Figure 1 Malicious Link Embedded in Email
Figure 1 – Malicious Link Embedded in Email

Once the user clicks on the link masquerading as a PDF attachment, it redirects them to the phishing page hxxps://neon[.]page/doc03565.

The attacker is running a phishing campaign to steal Microsoft Office 365 credentials. The following figure shows the phishing website used by the attacker.

Figure 2 Phishing Websites used by the attacker
Figure 2 – Phishing Websites used by the attacker

During the course of our research, we observed that the domain is malicious and hosting multiple malicious files. One such web page hxxps://neon[.]page/Microsoft-Windows-MSRT hosts a malicious stealer as a Microsoft Windows Malicious Software Removal Tool application.

Case 2:

Figure 3 Website Hosting Stealer
Figure 3 – Website Hosting Stealer

There are two download links for the application, with both 32-bit and 64-bit versions available. However, both links host the same compressed folder with different names to appear genuine. The figure below shows the downloaded files.

Figure 4 Malicious Files Hosted on the Website
Figure 4 – Malicious Files Hosted on the Website

The compressed folder contains a Windows executable and a Readme file. The file is named “Windows-KB890830-x64-V5.104.exe,” and the file’s icon is similar to the icon of Node JavaScript framework.

Figure 5 Stealer File with Node JavaScript Icon
Figure 5 – Stealer File with Node JavaScript Icon

Further, we identified that the malicious file is an open-source stealer available on GitHub. The stealer is actively updating its capabilities and plans to add additional features such as Discord bot building, keylogging, Firefox stealer, etc. The figure below shows the GitHub page of the stealer.

Figure 6 GitHub Page of Doenerium Stealer
Figure 6 – GitHub Page of Doenerium Stealer

The malicious file is unusually large and comes equipped with anti-sandbox and anti-analysis features, as well as the capability to establish persistence on the victim.

Technical Analysis

The file is a 64-bit Microsoft Visual C/C++ console-based Windows executable file with an unusually large file size of 102 MB.

The figure below shows the properties of the malicious”Windows-KB890830-x64-V5.104.exe” file.

Figure 7 Doenerium Stealer Executable File Details
Figure 7 – Doenerium Stealer Executable File Details

Upon investigating additional properties of the executable, we observed that the downloaded file is further masquerading as “Node.exe,” which is a Javascript framework, as shown below.

Figure 8 Additional Properties of Doenerium Stealer
Figure 8 – Additional Properties of Doenerium Stealer

After execution, the malware performs malicious activities such as killing running processes, stealing data, monitoring clipboard data, monitoring system processes, etc. The following image shows the process tree of the Doenerium stealer.

Figure 9 Process Tree of Doenerium Stealer
Figure 9 – Process Tree of Doenerium Stealer

The malware then tries to perform privilege escalation using the RTLAdjustPrivilege() function, as shown below.

Figure 10 Privilege Escalation Using RTLAdjustPrivilege
Figure 10 – Privilege Escalation Using RTLAdjustPrivilege()

After gaining access, the malware drops Node JavaScript Framework-related files in the Temp folder. These files are support files required to run the stealer in the background. The figure below shows the Node JS packages.

Figure 11 Node JS Related files dropped into the Temp Folder
Figure 11 – Node JS-Related files dropped into the Temp Folder

Once the Node packages are dropped into the Temp folder, the malware checks for running processes to obstruct and prevent any analysis.

The malware then runs “cmd.exe” and executes the tasklist command to list currently running programs on the victim’s machine. The following command is used to list programs:

  • C:Windowssystem32cmd.exe /d /s /c “tasklist”

The stealer contains a list of application names related to virtualization software and malware analysis tools. The malware checks and terminates these processes if they are found actively running on the victim’s machine. These applications are:

Httpdebuggerui Wireshark Fiddler
Vboxservice df5serv Processhacker
Vboxtray vmtoolsd Vmwaretray
ida64 ollydbg Pestudio
Vmwareuser vgauthservice Vmacthlp
x96dbg vmsrvc x32dbg
Vmusrvc prl_cc prl_tools
Xenservice qemu-ga joeboxcontrol
ksdumperclient ksdumper joeboxserver

The malware kills these processes using the following command:

  • C:Windowssystem32cmd.exe /d /s /c “taskkill /IM <Application Name> /F”

The figure below shows the malware using tasklist and taskkill commands to terminate any targeted applications.

Figure 12 Stealer terminating applications
Figure 12 – Stealer terminating applications

The stealer also has a list of PC names and hardware IDs to identify whether it is being run in a controlled environment. If the PC name and hardware ID are present in the list, then the stealer will terminate itself. The following are the two tables mentioning the PC names and hardware IDs.

PC Names:

WDAGUtilityAccount Abby Peter Wilson
hmarc patex JOHN-PC
kEecfMwgj Frank RDhJ0CNFevzX
8Nl0ColNQ5bq Lisa John
george PxmdUOpVyx 8VizSM
w0fjuOVmCcP5A lmVwjj9b PqONjHVwexsS
3u2v9m8 Julia HEUeRzl
BEE7370C-8C0C-4 DESKTOP-NAKFFMT WIN-5E07COS9ALR
B30F0242-1C6A-4 DESKTOP-VRSQLAG Q9IATRKPRH
XC64ZB DESKTOP-D019GDM DESKTOP-WI8CLET
SERVER1 LISA-PC JOHN-PC
DESKTOP-B0T93D6 DESKTOP-1PYKP29 DESKTOP-1Y2433R
WILEYPC WORK 6C4E733F-C2D9-4
RALPHS-PC DESKTOP-WG3MYJS DESKTOP-7XC6GEZ
DESKTOP-5OV9S0O QarZhrdBpj ORELEEPC
ARCHIBALDPC JULIA-PC d1bnJkfVlH

Hardware IDs:

7AB5C494-39F5-4941-9163-47F54D6D5016 032E02B4-0499-05C3-0806-3C0700080009
03DE0294-0480-05DE-1A06-350700080009 11111111-2222-3333-4444-555555555555
6F3CA5EC-BEC9-4A4D-8274-11168F640058 ADEEEE9E-EF0A-6B84-B14B-B83A54AFC548
4C4C4544-0050-3710-8058-CAC04F59344A 00000000-0000-0000-0000-AC1F6BD04972
00000000-0000-0000-0000-000000000000 5BD24D56-789F-8468-7CDC-CAA7222CC121
49434D53-0200-9065-2500-65902500E439 49434D53-0200-9036-2500-36902500F022
777D84B3-88D1-451C-93E4-D235177420A7 49434D53-0200-9036-2500-369025000C65
B1112042-52E8-E25B-3655-6A4F54155DBF 00000000-0000-0000-0000-AC1F6BD048FE
EB16924B-FB6D-4FA1-8666-17B91F62FB37 A15A930C-8251-9645-AF63-E45AD728C20C
67E595EB-54AC-4FF0-B5E3-3DA7C7B547E3 C7D23342-A5D4-68A1-59AC-CF40F735B363
63203342-0EB0-AA1A-4DF5-3FB37DBB0670 44B94D56-65AB-DC02-86A0-98143A7423BF
6608003F-ECE4-494E-B07E-1C4615D1D93C D9142042-8F51-5EFF-D5F8-EE9AE3D1602A
49434D53-0200-9036-2500-369025003AF0 8B4E8278-525C-7343-B825-280AEBCD3BCB
4D4DDC94-E06C-44F4-95FE-33A1ADA5AC27 79AF5279-16CF-4094-9758-F88A616D81B4

After terminating the targeted processes, the malware drops itself as “Updater.exe”to the Start-up entry to establish persistence. The figure below shows the malware in the Start-up folder.

Figure 13 Start Up Entry for Persistence
Figure 13 – Start-Up Entry to establish persistence

The stealer then starts an information-stealing operation in the infected system. The malware steals clipboard data if the data has cryptocurrency wallet addresses and replaces it with the attacker’s wallet address.

The stealer uses regex to find the wallet addresses in the clipboard. The figure below shows the routine to get clipboard data to carry out clipper operations.

Figure 14 Routine for Clipper Operation
Figure 14 – Routine for Clipper operation

After checking for clipboard data, the stealer looks for crypto wallet data in the system and steals it. The below figure shows the routine to find wallet data in the victim’s system.

Figure 15 Routine to steal wallet data
Figure 15 – Routine to steal wallet data

The stealer looks for Discord tokens in various system locations. Figure 16 shows the routine to find Discord tokens stored across different browsers of the victim’s system.

Figure 16 Routine to Steal Discord Tokens
Figure 16 – Routine to steal Discord Tokens

The malware also collects victims’ sensitive information, such as usernames, passwords, cookies, history, bookmarks, and user profiles from the installed browsers. The stealer targets the following browsers:

  • Google Chrome
  • Opera Stable
  • Brave Browser
  • Yandex
  • Microsoft Edge

The figure below shows the information targeted by the stealer that is present in the victim’s system.

Figure 17 Routine to Steal Browser Data
Figure 17 – Routine to steal browser data

After stealing browser information, the malware steals system information such as CPU, Wi-Fi connections, RAM, Operating System version, host name, PC name, and processors. It then sends this information to the Command and Control (C&C) server. The figure below shows the routine to steal system information.

Figure 18 Routine to Steal System Information
Figure 18 – Routine to steal System Information

Finally, the stolen artifacts are stored at the C:Users<Users>AppDataLocal folder location so that the malware can send it to the C&C server. The figure below shows the information collected by the stealer.

Figure 19 Doenerium Stealer Collecting Information for
Figure 19 – Doenerium Stealer Collecting Information for exfiltration

After all the data is collected and stored in a specific “Local” folder, the malware compresses the data in a zip file and sends the zip file to the Discord webhook. The figure below shows the routine to send data to the C&C server.

Figure Routine to Create Zip File and Discord communication. 1
Figure 20 – Routine to Create Zip File and Discord communication.

Conclusion

As a consequence of the rise in digital transactions and cryptocurrency usage, malware authors are continuously creating new stealers. The increasing use of digital currency incentivizes cyber criminals to steal funds from cryptocurrency users. This stolen data could then be used to commit financial fraud and stage other attacks.

There is a recent trend wherein the malware authors create GitHub pages, hosting malware builders. These open-source malware builders are upgraded with new features by TAs and are sold in cybercrime forums and markets.

MITRE ATT&CK® Techniques

Tactic Technique ID Technique Name
Execution T1204.002 User Execution: Malicious File
Persistence T1547.001 Boot or Logon AutoStart Execution: Registry Run Keys / Startup Folder
Privilege Escalation T1055 Process Injection
Defense Evasion T1036 Masquerading
Defense Evasion T1497 Virtualization/Sandbox Evasion
Discovery T1057 Process Discovery
Command and Control T1071 Application Layer Protocol

 Indicators Of Compromise (IOCs)

Indicators Indicator Type Description
9b4864d3de5fd251843d09bec1252bef MD5 Malicious node.exe
afaffc4c8c314249a0ce8017fcf9a549b2ac8337 SHA1 Malicious node.exe
609cccf310e725ba4ff4d74edffa0c33d4640f3c391dbbac4e1d00dd3f9c249e SHA256 Malicious node.exe
f8ea2163d80aca793eefd7b2797f01e4 MD5 Malicious Zip
83ffbd5f4f4c2d1b681741d9f751105c4177fafd SHA1 Malicious Zip
1b005dd76abc86ada724297b6698d3cbbe77f0bceb8fee41d9303114d689f609 SHA256 Malicious Zip
hxxps://neon[.]page/Microsoft-Windows-MSRT URL Malicious Domain
hxxps://neon[.]page/doc0365 URL Malicious Link
Jaye8059.myportfolio[.]com Domain Phishing Webpage

Source: https://blog.cyble.com/2022/09/28/new-information-stealer-targeting-crypto-wallets/