Key takeaways
- Cyble Research and Intelligence Labs (CRIL) recently came across a new stealer called “Exela”.
- Exela is a Python-based open-source stealer that steals a wide range of sensitive information from compromised systems.
- It features an extensive array of anti-debugging and anti-virtual machine (VM) techniques, making it a potent tool for Threat Actors (TAs).
- Exela primarily targets Discord users by modifying the Windows Discord client to steal sensitive information, including login credentials, personal data, and potentially even financial information.
- Exela Stealer is also designed to target multiple browsers’ data and credentials.
- It can additionally steal session details from a wide range of applications, including popular social media platforms and gaming platforms.
- The ability to exfiltrate data through Discord channels demonstrates the evolving tactics of Threat Actors (TAs) behind Excela Stealrusing legitimate platforms for malicious purposes.
Overview
The rise of open-source data stealers has been noteworthy in recent times due to their ability to adapt to specific requirements. These versatile tools serve as valuable assets for reconnaissance purposes, empowering TAs with the ability to collect critical information that could potentially fuel a range of malicious activities.
On September 14th, CRIL came across an interesting zip file in VirusTotal named “Exela-V2.0-main.rar”. Upon investigation, we found that it contained the source of a new stealer named “Exela”.
Further, we have also identified that the developer of this stealer hosted the entire source code on GitHub. A security researcher, Yogesh Londhe, initially spotted this stealer on August 17th, 2023.
In May 2023, the developer of Exela Stealer uploaded the initial version to GitHub. Following this, the developer continued to improve its features and went on to create the subsequent version of Exela Stealer Version 2.0.
The figure below shows the Exela Stealer Github page and its Telegram channel.
Exela Stealer is a Python-based tool designed to discreetly extract sensitive data, including credentials, tokens, sessions, cookies, and more. Notably, it accomplishes this covert data exfiltration solely through Discord webhook URLs, making its operation both interesting and worthy of further investigation. In this analysis, we will delve deeper into Exela Stealer, illuminating its functionalities and potential implications.
Exela Builder functionalities
The builder only executes if it detects a compatible Python version installed on the system, specifically either version 3.10.0 or 3.11.0, and initiates the process of creating the stealer executable based on the preferences selected by the TA.
The image below shows all the preferences provided by the builder.
Upon executing the builder batch file located in the Exela setup folder, it prompts the TAs to provide a Discord webhook URL. If the user doesn’t provide the URL, the builder displays an error message (“Please enter your webhook URL!!!”) and terminates the building process. If the user provides a URL, the builder verifies whether the provided URL matches the expected format for a Discord webhook URL.
This webhook essentially acts as a remote server for TAs to receive all pilfered data captured by Exela Stealer from the compromised system. If the supplied webhook URL matches the specified pattern, the builder then proceeds to construct the stealer with the following features.
PumpFile
The PumpFile feature is used to append zero padding to the end of a compiled file, with the user specifying the desired padding size in MegaBytes (MB). The purpose of this technique is to evade detection by security products.
GetIcon
This feature is designed to interact with the TAs to determine whether they want to change the icon of the output file. A convincing icon is often used as a social engineering tactic to trick users into believing a file is legitimate.
AntiVM
This feature is designed with multiple techniques to detect the presence of a Virtual Machine (VM) or sandbox environment on a host system.
Discord Injection
The purpose of this functionality is to modify Discord’s core files to monitor user actions and illicitly acquire sensitive information.
Keylogger
This feature integrates a keylogger function into the stealer. The keylogger captures all keystrokes and sends them to the specified Discord webhook.
Startup
This feature is added to ensure persistence by enabling the automatic execution of the stealer upon the user’s system login. It can either add an entry to the Windows Registry or create scheduled tasks depending on a value provided by the TA.
Fake Error Message
This functionality seems to be employed to generate a fake error message when the stealer runs on the victim’s system, creating the effect that the program was not installed correctly in order to mislead the user.
Other features of this Builder
Obfuscation – The builder adds an additional layer of security to protect the original source code. This is accomplished by performing a sequence of operations to obfuscate the original stealer code while building the executable.
The image below shows the sequence of methods used in the obfuscation process.
This multi-step process makes the resulting Exela Stealer Python installer exceptionally challenging for anyone attempting to reverse engineer or comprehend the underlying code.
Digital Signature – The builderadds a Windows digital signature from an existing certified file to the compiled file to make it appear more legitimate. To achieve this, the builder utilizes a separate Python script – “digital-sign.py” – to sign the compiled binary. The image below shows the command line parameters used by the builder to add the digital signature.
The image below shows the builder utilizing Microsoft’s digital certificate to sign the compiled binary of Exela’s stealer. Upon inspection of the compiled binary, however, this signature appears invalid, as shown below.
Upon the successful inclusion of all the user-selected features, the builder proceeds to compile the executable. The image below displays the successful creation of Exela Stealer by the builder without any errors.
Technical Analysis
Upon execution, the stealer attempts to create a mutex with the name “Exela | Stealer | on | Top”. If a mutex with this name already exists, indicating that another instance of the program is running, it doesn’t create a new one. Then, it prints a message to the console stating “mutex already exists” and terminates itself.
If no other instance is running on the system, the stealer proceeds with its data-stealing activities. To divert the user’s attention away from its malicious actions, the stealer employs a deceptive tactic by generating a fake error message, as shown below.
Anti Debug Check
The stealer executes a set of commands aimed at detecting processes and system settings related to debugging or virtualization. It gathers the system’s Universally Unique Identifier (UUID) using “wmic csproduct get uuid” and the computer’s name through “os.getenv(“computername”)” Then, it compares the fetched system data with the hardcoded lists of computer names and UUIDs. If a match is found, the stealer terminates its operation.
The image below shows the code for the anti-debug check.
Furthermore, the stealer scans through the names of all currently running processes and verifies whether any of these process names correspond to entries in a predefined list. This list usually contains processes commonly linked to security tools, as shown in the table below. If a match is identified, the stealer proceeds to terminate the identified process.
| httpdebuggerui | node | wireshark | fiddler |
| regedit | taskmgr | vboxservice | df5serv |
| processhacker | vboxtray | vmtoolsd | vmwaretray |
| ida64 | ollydbg | pestudio | vmwareuser |
| vgauthservice | vmacthlp | x96dbg | vmsrvc |
| x32dbg | vmusrvc | prl_cc | prl_tools |
| xenservice | qemu-ga | joeboxcontrol | ksdumperclient |
| ksdumper |
AntiVM
The stealer utilizes various techniques to check whether the stealer is being run in a virtual environment by checking for the existence of specific files, strings, and process names and even loading the modules associated with common virtualization platforms.
The table below summarizes the Anti VM functions implemented, their descriptions, the predefined search strings, process names, paths, and modules used in the stealer code to identify the virtual environment.
| Function name | Description | Identify elements |
| Vmcik | Examines the disk drive containing description matching to virtualization software | ‘vbox’ or ‘virtual’ |
| check_hostname | Checks the hostname of the target system containing any strings related to virtualization | ‘sandbox’, ‘cuckoo’, ‘vm’, ‘virtual’, ‘qemu’, ‘vbox’, ‘xen’ |
| check_processes | Checks for virtualization platforms related process names | ‘vmtoolsd.exe’, ‘vboxtray.exe’, ‘prl_tools.exe’, and ‘xenservice.exe’ |
| CheckFiles | check for the presence of specific device paths | “DeviceHarddisk0DR0”, “DeviceHarddisk0DR1”, “DeviceHarddisk0DR2”, “DeviceHarddisk0DR3” |
| check_gdb | Detects the presence of the GNU Debugger (GDB) | ‘GDB’ |
| CheckHypervisor | Checks for the presence of a hypervisor or VMware | ‘Hypervisor’ or ‘VMware’ |
| Sandboxie() | Attempts to load the dynamic link library (DLL) associated with Sandboxie | ‘SbieDll.dll’ |
Persistence
To establish persistence on a victim system, Exela Stealer copies itself into a newly created directory located at “appdatalocalExelaUpdateService” with the name “Exela.exe” and marks both the directory and the copied file as hidden and system attributes, as shown in the figure below.
After successfully copying the file, the stealer checks the startup value provided while building the binary. The stealer adds a startup entry based on the user’s choice. It can utilize either the Windows Registry (regedit) or Task Scheduler (schtasks) to achieve persistence.
The script below shows both these startup features provided in the builder.
Discord Injection
After successfully creating startup entries, the stealer proceeds to modify the Windows Discord client files. Initially, it seeks the path to the Discord application within the local `%AppData%Discord` directory. If this directory isn’t found, it bypasses the Discord injection step and continues with other functionalities. However, if the directory is present, it continues searching through directories until it locates the specific path: `%AppData%Discord[app-version]modulesdiscord_desktop_core`.
Once this path is identified, the stealer attempts to retrieve the `index.js` file from the aforementioned location. It then checks for any previous injections in the file. If no prior injections are found, it proceeds to download custom injection code directly from the GitHub repository provided by the author.
After obtaining the downloaded file, the stealer replaces the default webhook URL with the URL specified during the code compilation by the attacker. Following this replacement, it writes the custom code into the core file of Discord, specifically into the “index.js” file. The script below shows the function to modify the core file in the Discord application.
Ultimately, the Discord application is launched with modified TA code, enabling unauthorized access and collection of user data such as User’s email, password, Nitro subscriptions and any payment information etc. The collected data is then sent to the attacker’s Webhook URL
The below image shows the format (embed) of collected data before sending it to the TA.
Exela Targeting Chromium-based browsers
Exela Stealer proceeds to search through directories related to several Chromium-based web browsers, including Google Chrome, Opera, Vivaldi, Microsoft Edge, and Brave, on the victim’s computer. Upon identifying these browsers, it extracts various data from their respective database files located at the following paths:
- “AppDataLocalBrowser-NameUser DataDefaultLogin Data”
- “AppDataLocalBrowser-NameUser DataDefaultWeb Data”
- “AppDataLocalBrowser-NameUser DataDefaultNetworkCookies”
- “AppDataLocalBrowser-NameUser DataDefaultHistory”
The following table provides a summary of the queried and retrieved values from the respective database files.
| Data collected | Files |
| Login credentials (username and password) | Login Data |
| Credit card information (card number, expiration year, expiration month, name on card) | Web Data |
| Cookies data (host_key, name, path, encrypted value) | Cookies |
| URL, target_path from downloads | History |
| url, title, visit_count, last_visit_time from urls | History |
Once all the data is collected, the stealer adds the content to the respective lists – which function as temporary storage – for further processing.
Exela Targeting Firefox Browser
Next, Exela Stealer prioritizes Mozilla Firefox browser profiles present on the targeted system to gather cookie and browsing history information. User data in Firefox-based browsers is typically stored in a “Profiles” folder within the “AppDataBrowser_name” directory. The stealer scans each Mozilla Firefox profile directory to retrieve the following details from the database files utilized by the Firefox web browser.
| Database file | Purpose | Extracted data from moz_cookies and moz_places table |
| cookies.sqlite | stores cookie data | host, name, path, value, and expiry |
| places.sqlite | contains browsing history | ID, URL, title, visit count, and last visit date |
Stealing session-related data from multiple applications
Using the cookie data obtained from the browsers, Exela Stealer filters cookies associated with specific websites such as Instagram, Twitter, TikTok, Reddit, Steam, and Roblox. It does so by examining the “host” and “name” attributes.
If the “host” attribute contains the name of the targeted website (in a case-insensitive manner) and the “name” attribute includes “sessionid,” the stealer proceeds to extract values from the “moz_cookies” table.
After obtaining these values, the stealer attempts unauthorized access to the victim’s user accounts on the platforms mentioned above. It does this by sending HTTP GET requests to unique API URLs for each platform and retrieving specific session information. The provided image illustrates the code snippet for making an Instagram request.
After a successful request, the API responses from each platform usually contain session information in JSON format. The following table summarizes the session information extracted by the Exela Stealer from the responses of all these platforms.
| Platforms | Extracted data from JSON |
| Profile URL – Username – Nickname – Verification Status – Email – Followers – Following – Biography | |
| Profile URL – Username – Screen Name – Biography – Follower Count – Following Count – Total Tweets – Created At – Verification Status | |
| TikTok | User Identifier – Profile URL – Username – Email – Phone – Coins |
| Profile URL – Username – Email – Comment Karma – Total Karma – Coins – Moderator Status – Gold Status – Suspended Status | |
| Steam | Steam ID – Profile URL – Profile Name – Time Created – Player Level |
| Roblox | Profile URL – Total Robux – Name – Email – Email Verification Status |
Finally, the stealer creates an embed, which is a specific formatting method for presenting information in Discord. It populates this embed with the acquired session data and dispatches it to a Discord webhook URL associated with the attacker. This enables the attacker to receive the captured session data in an organized manner through a Discord channel or chat.
Discord Token Stealer
This stealer targets multiple application folders, including Discord, Discord Canary, Discord PTB, Opera GX, Opera, Chrome, Brave, Edge, and Vivaldi, in search of files with either the “.log” or “.ldb” extensions. Here are the directory paths where it conducts its searches:
- C:UsersUser Profile AppDataRoaming discordLocal Storageleveldb
- C:UsersUser ProfileAppDataRoaming discordcanaryLocal Storageleveldb
- C:UsersUser ProfileAppDataRoaming discordptbLocal Storageleveldb
- C:UsersUser ProfileAppDataLocalOpera SoftwareOpera GX Stable
- C:UsersUser ProfileAppDataLocalOpera SoftwareOpera Stable
- C:UsersUser ProfileAppDataLocalGoogleChrome User Data
- C:UsersUser ProfileAppDataLocalBraveSoftwareBrave-BrowserUser Data
- C:UsersUser ProfileAppDataLocalMicrosoftEdgeUser Data
- C:UsersUser ProfileAppDataLocalVivaldiUser Data
Upon locating these files, Exela Stealer proceeds to read the content and applies a regular expression pattern to filter Discord tokens. The image below showcases the specific regular expressions used to identify tokens, both within the Discord application folder and the browser folder.
These identified tokens are then decrypted using the decryption key found in a “Local State” file, which by default is located in “C:Users{user Profile]AppDataRoamingdiscord”.
Once the identified tokens are successfully decrypted, the stealer sends a GET request to the Discord API with the stolen token in the Authorization Header, as shown in the figure below.
If the response status code is 200 (indicating success), it retrieves additional user information such as user ID, username, email, phone number (if available), MFA (Multi-Factor Authentication) status, Nitro subscription status, billing/payment information (if available), biography from the Discord API. These are then sent to the TA’s Webhook URL.
Keylogging
If this feature is enabled, the stealer records all keystrokes in a text file named “key_logs.txt” located within the “appdatalocaltemp” directory and keeps track of the number of keys pressed. Once the total count of keys pressed reaches or exceeds 300, the stealer begins sending this captured keystroke data to the Discord webhook URL, which was configured during the stealer’s setup.
Upon successfully transmitting the logs, the stealer resets the key press count and wipes the log file clean, preparing itself for future keystroke monitoring.
Screenshots:
The stealer takes screenshots of all connected monitors and stores them as separate PNG image files in the %temp%{UUID} directory. This is achieved by executing a PowerShell script containing obfuscated code. This script results in the execution of a C# code.
The C# code shown above is compiled and executed when the PowerShell script uses the ‘Add-Type’ cmdlet. By executing this command, the C# compiler(csc.exe) is invoked by PowerShell to compile the C# code on the fly. The image below shows the process chain for compiling and executing the C# code.
In recent observations, we’ve noticed several malware families, including Blank Grabber and AgentTesla, utilizing this method to load their components and avoid detection.
Additional Data captured
In addition to capturing screens, Exela Stealer gathers various other data points from the compromised system. The table below provides an overview of these additional functionalities of Exela Stealer.
- Active_window_title: Retrieves the title of the currently active window on the system.
- clipboard_text: Retrieves and stores the last text data copied to the clipboard.
- last_clipboard_image: Retrieves and saves the last image data copied to the clipboard as a file.
- System Information: Gathers various system information, including system details, environment variables, logical disk information, user details, startup information, and firewall status.
- WifiPasswords: Collects Wi-Fi network profiles and their associated passwords saved on the system and stores them in a file.
The below image shows the process and commands used to achieve the stealing activities mentioned above.
Collection and Exfiltration
All the harvested data from the respective lists is then stored in text files within a newly generated directory identified by a Universally Unique Identifier (UUID). This folder is located within the system’s “%temp%” directory.
The image below shows the location of these newly generated files.
Prior to forwarding the gathered data in a ZIP file to the TAs, the stealer assembles an embedded message resembling a report. This message comprises numerous sections containing developer details, session records, statistics, and more.
It is customized with a title, description, color, URL, and a thumbnail image. Subsequently, the code dispatches the embed message to a Discord webhook along with an accompanying ZIP file. After the message has been sent, the code ensures the removal of both the ZIP file and the temporary directory created earlier.
Future enhancements
We have also noticed a few defined functions in the code: `setSpotify`, `setYoutube`, and `setTwitch`. While they currently don’t contain any functionalities, it appears that the author has left room for future enhancements in upcoming versions of Exela Stealer.
The below image shows the empty function definitions.
Conclusion
Open-source repositories have become a double-edged sword in the fields of software development and cybersecurity. On the positive side, these platforms have democratized access to valuable code, fostering collaboration, innovation, and transparency within the software development community. However, this accessibility has also exposed vulnerabilities, inviting malicious actors to exploit these resources for their own purposes.
Exela Stealer is a pertinent example of an open-source project that, through Discord webhooks, showcases how individuals can effortlessly gather sensitive information from compromised systems. This underscores the inherent risks associated with open-source repositories, particularly when misused by a Threat Actor.
Our Recommendations
- Given that this stealer is available as open source, there is a higher likelihood that it could be distributed through various channels, such as phishing websites or free software download platforms. It’s essential to emphasize the importance of downloading and installing software exclusively from reputable and well-established sources. It’s strongly recommended to avoid acquiring software from online sources that lack credibility or proper verification.
- Monitor the network communication to block data exfiltration by this stealer.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
MITRE ATT&CK® Techniques
| Tactic | Technique | Procedure |
| Initial Access (TA0001) | Phishing (T1566) | This malware could reach users via phishing sites. |
| Execution (TA0002) | User Execution (T1204) | The user needs to manually execute the malicious file downloaded from the phishing site. |
| Execution (TA0002) | Command and Scripting Interpreter (T1059) |
cmd.exe is used to collect system information. |
| Execution (TA0002) | Command and Scripting Interpreter (T1059.001) |
PowerShell commands are used to compile C# code. |
| Execution (TA0002) | Windows Management Instrumentation (T1047) | WMIC command used to get system information. |
| Persistence (TA0003) | Registry Run Keys / Startup Folder (T1547.001) |
The malware adds run entry/Startup for persistence. |
| Defense Evasion (TA0005) | Virtualization/Sandbox Evasion (T1497) | Performing Anti-VM/Anti-Debug technique for evasion |
| Defense Evasion (TA0005) | Disable or Modify Tools (T1562.001) |
The malware scans for VM and Debugger- related processes and terminates them. |
| Credential Access (TA0006) | Input Capture (T1056.001) | The malware possesses the capability to engage in keylogging activities. |
| Discovery (TA0007) | Process Discovery (T1057) | The malware captures all the running process |
| Discovery (TA0007) | System Information Discovery (T1082) |
The malware gathers system information through PowerShell, Command Prompt (cmd), and WMIC. |
| Discovery (TA0007) | Security Software Discovery (T1518.001) |
The malware is searching for processes associated with virtual machines and debuggers to forcibly terminate. |
| Collection (TA0009) | Data from the Local System (T1005) |
The malware collects sensitive data from victim’s system. |
Indicators Of Compromise
| Indicators | Indicator Type |
Description |
| b9bc445af6729a95599f1a39e37f559f3ca18dbbc8ae4e60263af565ef4f4db3 | SHA256 | Exela-V2.0-main.rar |
| 882484b56ad4418786852f401b1b81f31030bec8566b6b07c9798d4ea3033516 | SHA256 | Exela Stealer |
| ccb1337383351bb6889eb8478c18c0142cb99cbb523acc85d0d626d323f5d7ad | SHA256 | Exela Stealer |
| d8488f93b8c096838b3d9b335091216667ce4ffc7ae2cf3c8925271f0f190c11 | SHA256 | Exela Stealer |
| b6ca47065e68aebb007657ff0e6b0dfa0fc4e19823f336ab73f42b25dd5cfc22 | SHA256 | Exela Stealer |
| 206278545b897a7e2ebb1ec4687e6ec31d7ca8f1828792a34f4fca745db8e3d4 | SHA256 | Exela Stealer |
| 53b1b3c6f73312cdae7be69d16a42d298fae0cb3721c7fc11252f65b10f5a323 | SHA256 | Exela Stealer |
| 2db54628a877ab40463a128496cb94523ccae6186d1648c6f372c719f6ed8152 | SHA256 | Exela Stealer |
YARA Rule
rule Exela_Stealer
{
meta:
author = “Cyble”
description = “Detects Exela Stealer”
date = “2023-09-25”
os = “Windows”
threat_name = “Exela Stealer”
scan_type = “file”
severity = 90
reference_sample = “ccb1337383351bb6889eb8478c18c0142cb99cbb523acc85d0d626d323f5d7ad”
strings:
$a = “Exela Corporation” ascii wide
$b = “Exela Update Service” ascii wide
$c = “Exela.exe” ascii wide
condition:
uint16(0) == 0x5a4d and all of them
}
Related
Source: https://cyble.com/blog/exela-stealer-spotted-targeting-social-media-giants/