Anonymity The Stealer Epidemic.


Fixxx

Fixxx

Moder
Joined
20.08.24
Messages
348
Reaction score
783
Points
93
1734787888680.png

Stealers are malware designed to collect credentials for subsequent sale on the dark web or for future cyberattacks. Malicious actors actively distribute this type of malware, with some being available via subscription, attracting newcomers. In 2023, nearly 10 million personal and corporate devices were attacked using stealers. However, the actual number of attacked devices may be even higher, as not all stealer operators publish data immediately after a breach. In the course of the year, a significant number of both known and new stealers were analyzed, which were detailed in closed reports. Below are excerpts from them.


Kral

In mid-2023, the Kral loader was discovered, which was then used to distribute the Aurora stealer. However, in February of this year, a new Kral stealer was encountered, which was attributed to the same family of malware as the loader due to certain code similarities. The Kral stealer is delivered exclusively by the Kral loader. The loader infiltrates the user's device when they visit an adult website hosting malicious ads. The ad redirects the victim to a phishing page where they are prompted to download a file, which is the Kral loader. Initially, in 2023, the loader's code was written in a combination of C++ and Delphi, resulting in relatively large sample sizes. Now, however, the loader is written solely in C++, reducing the payload size by tenfold.

The Kral stealer is somewhat similar to the loader. Both files are signed and use the same function to verify the integrity of binary files (WinVerifyTrust()). Additionally, they use the same key for string encryption. Importantly, the name Kral appears in the PDB file paths of both binaries.

The stealer shows particular interest in cryptocurrency wallets and browser data. A folder with a random name is created along the path C:\ProgramData, where stolen data and system information (local time, time zone, processor details, etc.) are stored. The folder is then archived and sent to the command server using the COM interface Background Intelligent Transfer Service (BITS). The stealer collects data only once. However, if the user runs it again, data collection will occur again.


AMOS

The AMOS stealer, targeting macOS, was first spotted in early 2023. In June 2024, a new domain was discovered distributing this malware disguised as the Homebrew package manager. Upon further investigation, it was found that users are directed to this site through malicious ads.

1734788720297.png
*Fake Homebrew Site.

As seen in the image above, there are two installation options for the malware. Users can either download the infected DMG image directly or use an installation script. The script is quite simple. It downloads the malicious image and installs it, after which it downloads and installs the legitimate Homebrew package. If the user downloads the DMG file, the following screen appears:

1734788807348.png
*DMG file with attached files.

As can be seen, the user is misled into thinking they are launching the Homebrew application, while in reality, it's the AMOS stealer. Upon launch, several terminal instances and bash scripts are initiated. They begin to collect system information and create new hidden session history files. The stealer also employs a non-standard trick to obtain the macOS user's login and password. Instead of logging keystrokes, the malware displays fake dialog boxes asking for credentials.


Vidar / ACR

The Vidar stealer is distributed through comments on YouTube, where links to ZIP or RAR archives hosted on one of the file-sharing platforms are posted, which changes weekly. The archive is password-protected, but the password is stored at the same address as the archive. Inside the archive is another password-protected archive containing the following files:

1734788885417.png
*Cloud storage content.
  • converter.exe — a legitimate ImageMagick application;
  • vcomp100.dll — a malicious DLL used for DLL hijacking;
  • bake.docx — an encrypted first-stage loader;
  • blindworm.avi — an IDAT loader, the second-stage payload.
The legitimate converter.exe application contains a vulnerability that allows for DLL hijacking. When this application is launched, it loads vcomp100.dll. The malicious library then reads the encrypted bake.docx file, retrieves the payload and key at a specified offset and decrypts this payload.

The resulting file is a variant of the Penguish loader, containing a sample packed as an IDAT chunk. This means an extractor for the IDAT loader can be used to extract the final payload, which is the Vidar stealer. Notably, instead of stealing data, Vidar simply downloads the ACR stealer. Like many other stealers today, it targets browser data and wallets. Vidar typically hunts for the same types of data; however, in this case, it uses ACR for exfiltration. According to telemetry, most victims are located in Brazil.


Conclusion

Stealers are ubiquitous and highly popular among malicious actors. Stolen data can be used for further attacks or sold on the dark web. Although stealers primarily target cryptocurrency data, the leakage of credentials can cause significant (or even greater) harm, especially if those credentials are used to access corporate networks. It's possible that they may later be used in ransomware attacks. It's worth noting that relatively simple measures, such as two-factor authentication, using unique passwords, downloading software only from official sites and carefully checking the website address before starting a download, can significantly hinder such attacks.
 
You must log in or register to reply here.
Top Bottom