Cyble – New Whitesnake Stealer Offered For Sale Via Maas Model
Category

A Stealer Capable of Targeting Both Windows and Linux Users

Cyble Research and Intelligence Labs (CRIL) came across a new malware strain called “WhiteSnake” Stealer. The stealer was first identified on cybercrime forums at the beginning of this month. It is designed to extract sensitive information from the victim’s computer.

This stealer is available in versions designed for both Windows and Linux. It is capable of gathering a range of sensitive information, including passwords, cookies, credit card numbers, screenshots, and other personal or financial data. Once the stolen files have been collected and compressed, the Stealer sends them to a Telegram bot. It is worth noting that the Infostealer binary undergoes frequent updates by Threat Actors (TAs) on a daily basis, as it is still in its development phase.

The below figure displays the TA’s advertisement on a cybercrime forum, which includes the name of the stealer and its functionalities.

Figure 1 Advertisement used by TA
Figure 1 – Advertisement used by TA

WhiteSnake Stealer is priced as shown below:

  • 120$ / 1 month
  • 300$/ 3 months
  • 500$ / 6 months
  • 900$ / 1 year
  • 1500$ / Lifetime

As per the advertisement screenshot shared by the TA, the WhiteSnake Stealer has been released for Linux operating systems, with identical functionalities to the Windows version. The Linux stealer binary, which has a file size of 5KB, can be compiled using extensions such as .py and .sh.

Figure 2 Linux binary advertisement posted by TA
Figure 2 – Linux binary advertisement posted by TA

While CRIL did not find WhiteSnake Stealer samples that were specifically aimed at Linux systems, a few samples that were intended for Windows platforms were identified. This blog covers the technical details of WhiteSnake Stealer with the aim of understanding its behavior and capabilities.

Technical Analysis

Initial Infection

The initial infection begins with a spam email containing an executable file disguised as a PDF document. The executable file is actually a BAT file that has been converted into an executable format using the “Bat2Exe” converter. When the user runs this executable file, it drops a BAT file named “tmp46D2.tmp.bat” in the %temp% folder and executes it.

The BAT file further executes a PowerShell script, which then proceeds to download another BAT file named “build.bat” from a Discord URL, as shown in the figure below.

  • hxxps[:]//cdn[.]discordapp[.]com/attachments/1077715839513526352/1077716714613121074/build[.]bat
Figure 3 PowerShell downloads BAT file
Figure 3 – PowerShell downloads BAT file

The SHA256 hash value of the downloaded “build.bat” file is 2a85f257acd4bb897e5d1c2c571fe7e3f2a76a668106ba5954f6b29a569a1094, and it has been intentionally encoded in UTF-16 format.

The image below depicts a “build.bat” file opened in a text editor displaying traditional Chinese characters, and the decoded BAT file contains a Base64 encoded executable binary inserted between digital certificates.

Figure 4 – Decoded BAT file content
Figure 4 – Decoded BAT file content

After running the “build.bat” file, the script utilizes the “CERTUTIL” executable to decode a Base64-encoded content that is enclosed between two certificate boundaries.

The decoded output is then saved as a binary executable file named “build.exe” in the %temp% folder.

Finally, the BAT file runs the “build.exe” file, as illustrated in the figure below.

Figure 5 Process Tree of WhiteSnake infection
Figure 5 – Process Tree of WhiteSnake infection

WhiteSnake Stealer

The payload “build.exe” is a 32-bit GUI-based .NET executable binary that is identified as a WhiteSnake Stealer with SHA256, b4c9d3abd4fe5b4be84884c933e8d9a6a80ce326e05432a7ecb8a7c28f393941.

The figure below shows the static details of the malicious binary file.

Figure 6 Static file details of WhiteSnake Stealer
Figure 6 – Static file details of WhiteSnake Stealer

When “build.exe” is executed, it first creates a mutex named “kwnmsgyyay”. This is done to ensure that the malware only runs once at a time on the compromised system.

In order to obtain the name of the mutex, the malware decrypts the hardcoded encrypted strings in the binary file using a function called Ibhiyptxjhiacrnxomvqjb(). This function is utilized multiple times throughout the malware to retrieve the necessary strings that the stealer uses.

The below image displays the code snippet of the function responsible for decrypting strings in the malware.

Figure 7 String decryption function
Figure 7 – String decryption function

After creating the mutex, the malware proceeds to run the AntiVM() function, which is designed to prevent the malware from running within a virtual environment.

This function queries the system’s “Manufacturer” and “Model” information using a WMI query “SELECT * FROM Win32_ComputerSystem”. It then compares the obtained details with specific strings related to Virtual Machines (VM), as indicated in Figure 6. If there is a match, the malware terminates without further execution.

Figure 8 Anti VM check
Figure 8 – Anti-VM check

After performing an Anti-VM check, the malware calls the Create() function, which then executes the ProcessCommands() function. This function is specifically designed to obtain sensitive information from multiple sources, including web browsers, messaging apps, FTP clients, and cryptocurrency wallets, among others.

The ProcessCommands() function of the malware is capable of stealing files such as “Cookies”, “Autofills”, “Login Data”, and “Web Data” from various browsers:

  • Mozilla Firefox
  • Google Chrome
  • Brave-Browser
  • Chromium
  • Microsoft Edge

It can also steal important files from various cryptocurrency wallets, such as:

  • Atomic
  • Guarda
  • Coinomi
  • Bitcoin
  • Electrum
  • Exodus

WhiteSnake stealer has the capability to not only access cryptocurrency wallets through specific directories, but it can also retrieve data from crypto wallet browser extensions, as shown below.

Figure 9 Targeted Crypto wallets with the extension ID
Figure 9 – Targeted Crypto wallets with the extension ID

Additionally, the malware gathers sensitive session data from messaging applications like Discord, Pidgin, Steam, and Telegram. Moreover, it can extract files from mail clients such as Thunderbird, FTP clients like FileZilla, and various other applications, including Snowflake.

The code snippet below collects all the sensitive details from various applications.

Figure 10 Code snippet used to collect all the sensitive details from various applications
Figure 10 – Code snippet used to collect all the sensitive details from various applications

Once the malware has gathered the targeted confidential files from various applications, it converts the data into Base64Encode format and stores them in an XmlArray structure named ‘Files’.

Additionally, it captures the victim’s system information, including a screenshot, and saves it in another XmlArray structure called ‘Information’, as illustrated in the figure below.

Figure 11 Collecting system information
Figure 11 – Collecting system information

After that, the malware uses the XmlSerializer class to convert the data into XML format. The image below displays the sensitive data that has been collected by the malware, which has been converted into XML format.

Figure 12 Stolen data converted to XML format
Figure 12 – Stolen data converted to XML format

The XML data is then compressed and encrypted using the RC4 encryption algorithm to protect it using the code snippet shown in the figure below.

Figure 13 Compress Encrypt Stolen data
Figure 13 – Compress & Encrypt Stolen data

Exfiltration

Once the stolen data has been processed, the malware will attach tags such as the filename (e.g., Username@Computername_report.wsr) and the content type (e.g., application/octet-stream) and then send the data to the below Telegram bot URL.

  • hxxps[:]//api.telegram[.]org/bot56[Redacted]47CR9V3wq4ss/sendDocument?chat_id=61xxxx924&caption=win

The figure below shows the code snippet of the function used by the malware to send the stolen data to the Telegram bot.

Figure 14 Code snippet used for data exfiltration
Figure 14 – Code snippet used for data exfiltration

The image below displays the exfiltrated information of the victim, as viewed on the attacker’s panel.

Figure 15 Exfiltrated information displayed in TAs panel
Figure 15 – Exfiltrated information displayed in TAs panel

Conclusion

WhiteSnake Stealer is a recently emerged type of Infostealer. Despite the availability of established and widely-used InfoStealers in the cybercrime market, TAs prefer to use new toolkits to update their tactics, techniques, and procedures to evade antivirus detections. In this case, the Stealer has expanded its reach by developing a Linux-based malware version in addition to its Windows version in order to target a broader range of users.

Cyble Research and Intelligence Labs will maintain its surveillance on the latest phishing or malware strains in circulation, providing up-to-date blogs containing actionable intelligence to safeguard users against these infamous attacks.

Our Recommendations 

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices as mentioned below:   

  • Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc., mainly contains such malware.
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity. 
  • Educate employees in terms of protecting themselves from threats like phishing/untrusted URLs.
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs.
  • Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.

MITRE ATT&CK® Techniques 

Tactic  Technique ID  Technique Name 
Execution  T1204 
T1064
User Execution 
Scripting
Defense Evasion  T1497
T1027
Virtualization/Sandbox Evasion
Obfuscated Files or Information
Credential Access    T1528
T1003
Steal Application Access Token   
OS Credential Dumping
Discovery    T1010
T1518
T1083
Application Window Discovery
Security Software Discovery
File and Directory Discovery
Collection T1005 Data from Local System
Command and Control    T1071
T1105
T1573
Application Layer Protocol   
Ingress Tool Transfer
Encrypted Channel
Indicators  Indicator type  Description 
77d7369f704afac82a5b9dc53e9736bc
ef63ffa8c293a81a1492cb8f11c01c0fd07fc297
609ef046dbfe0b6a6bf42abfa7c0e9371c370a2f00f71e185ef2a6e1184aa817
MD5 SHA1 SHA256  Initial WhiteSnake Stealer Loader
d490e588da438247a57f6e424ab5b753
b915a0c7f36e41f3696602b2580c8cd5acecffa7 89a32ed550874525400268772dac746682ba6dbb8c06206b2ad7861db893b834
MD5 SHA1 SHA256  BAT Downloader
hxxps[:]//cdn[.]discordapp[.]com/attachments/1077715839513526352/1077716714613121074/build[.]bat URL Stealer Download Link
8cf2faaf885a8057601149d78a4a12ca
8b4c1cb8a417fe7651c243f3b0843d063058ac02 2a85f257acd4bb897e5d1c2c571fe7e3f2a76a668106ba5954f6b29a569a1094
MD5 SHA1 SHA256  BAT Dropper
dd42fe39cf54bc3b95f427dff59c99ce
d077e75315f5027b18a89a2260509c2eaaa30d43 b4c9d3abd4fe5b4be84884c933e8d9a6a80ce326e05432a7ecb8a7c28f393941
MD5 SHA1 SHA256  WhiteSnake
Stealer
Executable
716d01d18140ec5e18b1a15c17fb213f
b4f2063ade43a0c6ddd15f3f34dbfde348e3eecc a4191e00cd9dfeda78901ef9dae317e23c73408e7b4c1eeef8de6a8c70fe9db7
MD5 SHA1 SHA256  WhiteSnake
Stealer
Executable
251f6f352d7a0a13c63abf103daaeb89
495b40959859ee46b583a867008e26dc4097d2a9 df78f7993dc9aaee7666a06a6dae52ba0fc6e63e01376474fa96af360cf566de
MD5 SHA1 SHA256  WhiteSnake
Stealer
Executable
0597f91bd8cd1a9ea5d183b6b61dc750
80ee81b99a62592ddfa871b4be87c662856b446a 0c6705665e94b4d7184fe34185d0ea2706c745ddb71bb45bb194c96ebe2d7869
MD5 SHA1 SHA256  WhiteSnake
Stealer
Executable

Source: https://blog.cyble.com/2023/02/24/new-whitesnake-stealer-offered-for-sale-via-maas-model/