Over the past year, the malware family known as information stealers has become more common in the wild, according to IBM’s Advanced Threat Detection and Response Team (ATDR). “Info stealers” search for and steal data and login credentials from the victim’s device. When run, they search various directories and copy files containing sensitive information or login credentials, including saved web and login data from Chrome, Firefox, and Microsoft Edge. They have also been observed stealing data from messaging apps such as Telegram and Discord. Redline, Raccoon, and Vidar are a few of the best-known information stealers in the wild.
Stolen user credentials are the most obvious threat, because they are usually reused across different websites and, once compromised, can be used to blackmail the victim or be sold on the dark web for other purposes. However, the stealers’ capacity to evade anti-virus (AV) programs and even endpoint detection and response (EDR) systems poses a greater threat: unless it is explicitly looked for, this false negative can go unnoticed.
The IBM ATDR team has been at the forefront of detecting these and has recorded behaviors and indicators for the community that can be used to hunt for and/or create custom detections to close any gaps that security products may have in this area.
However, IBM has found that these information stealers change over time, and there are some unique tactics, techniques, and procedures (TTPs) to look out for.
These stealers typically take the shape of a Trojan. Believing they are getting a trustworthy piece of software, users download a compressed file (.zip or .rar) either from a file-sharing site such as Discord, Telegram, or MediaFire or through a phishing email. Alternatively, users are known to download these files while looking for “cracked” software of some kind.
When the user decompresses and opens the folder, a malicious program is usually visible, typically with the word “setup” in the filename. These executables are unusually large: the theory is that AV does not usually scan large files because doing so would require too many resources and slow down the system, so attackers pad the file to inflate its size and keep it from being scanned.
Once executed, several things happen. The program is first seen reaching out and creating a C2 connection. Then we observe it drop a number of DLLs; most commonly, at least six are dropped:
These DLLs are legitimate Windows components on their own, but here the information stealer is using them to carry out its operations. From this point on, we can see the malware accessing sensitive directory locations that house web data. Listed here are a few of the directories visited:
Microsoft Edge: *\AppData\Local\Microsoft\Edge\User Data
Firefox: *\AppData\Roaming\Mozilla\Firefox\Profiles
Chrome: *\AppData\Local\Google\Chrome\User Data
Earlier in 2022 this malware exhibited more overt symptoms of infection, and we would observe it carry out commands such as:
Command: /c copy /Y “FilePath of web info” “FilePath where to copy the information to”
Sometimes there is a blatant indication of data exfiltration: all the collected data is copied into a new file created in the Temp directory, which is then quickly compressed and exfiltrated over the pre-existing C2 connection. Depending on the EDR telemetry available, this is not always visible.
Once the attack is over, the malware is sometimes observed deleting itself. Even if its hash is known, the malware will then not be found by AV on a regularly scheduled scan because the file has already been deleted, which is a defense evasion strategy.
How can we identify or stop this from a defensive perspective, aside from following recommended practices when browsing the internet? As noted above, info stealers have been known to evade AV and EDR, but there are various ways to spot and stop them. Your organization can attempt to identify these at various stages of the attack, though some of these will be more accurate than others.
Consider whether your organization needs access to the various file-sharing websites. Do users need to view and download files via Discord, MediaFire, and Telegram to conduct business? If not, blocking downloads or limiting access to those sites will reduce the attack surface. If that is not simple to accomplish, one way to identify this activity is to search for filenames and/or download histories from these sites. Look for compressed file downloads that have two or more of the following and have strange file names.
These files are usually password protected, which is indicated by “1234” in the filename. Search for these downloads coming from unusual or file-sharing websites. Since you are detecting the initial download rather than the point of breach, this strategy may not be as effective over the long run, especially if no user action is taken to open these files.
Finding the first execution of this file can be difficult and error-prone. One option is to search for an executable with the word “setup” in its name that is started by a compression program such as 7-Zip or WinRAR. When these compressed archives are opened, one of the executables commonly launched is setup.exe.
The most reliable way to identify a compromise is by analyzing file behavior. One approach is to search for an executable that creates six or more of the specified DLLs in a short time frame, or for an unsigned executable that establishes a network connection and then creates these DLLs. Since the malware checks many fixed file paths, abnormal processes accessing those locations can be detected. Recent variants have been using Telegram as their C2 channel, so it is worth examining non-browser executables that establish multiple connections to the Telegram site (t[.]me).
For more reliable detection, look at the data exfiltration activity or the establishment of C2. This involves identifying network connections made by processes that are not typically associated with such behavior. Knowing what is normal in your organization helps in spotting such unexpected behavior. Search for native executables or downloaded executables that should not be engaging in these activities.
To give some concrete instances, search for InstallUtil.exe, AppLaunch.exe, or vbc.exe establishing remote connections. Since this is not standard behavior for these programs, it is important to determine what launched them before the network connection was established; doing so can provide valuable insight.
The deletion command used by the malware can be detected by looking for patterns in its execution. This method is less useful because it only alerts after the malware has completed its execution, but it can still identify the presence of this malware in your environment. Typically, cmd.exe is observed being launched with parameters similar to:
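The behavioral detections described above (non-browser processes reading browser credential stores, Telegram C2 from non-browser processes, outbound connections from InstallUtil.exe/AppLaunch.exe/vbc.exe, and a "setup" executable spawned by an archiver) written as one scoring function over constructed Sysmon-style process records. This is an added example, not code from the original post or from IBM; the record format, the sample data and the detection names are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed Sysmon-style process summaries (not from the original post):
# one record per process with the files it opened and the hosts it reached.
@dataclass
class ProcEvent:
    image: str            # executable name
    parent: str           # parent process name
    signed: bool          # valid Authenticode signature present
    files: list = field(default_factory=list)  # file paths opened
    hosts: list = field(default_factory=list)  # outbound destination hosts
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
ARCHIVERS = {"7zfm.exe", "7zg.exe", "winrar.exe"}
ABUSED_LOLBINS = {"installutil.exe", "applaunch.exe", "vbc.exe"}
TELEGRAM = re.compile(r"(?:^|\.)t\.me$", re.I)     # t.me and its subdomains
# Credential store locations listed in the post, matched case-insensitively.
CRED_PATHS = re.compile(
    r"\\AppData\\(?:Local\\Microsoft\\Edge\\User Data"
    r"|Roaming\\Mozilla\\Firefox\\Profiles"
    r"|Local\\Google\\Chrome\\User Data)", re.I)

def assess(ev):
    """Return the names of the detections one process record triggers."""
    img, hits = ev.image.lower(), []
    reads_store = any(CRED_PATHS.search(f) for f in ev.files)
    if img not in BROWSERS and reads_store:
        hits.append("non_browser_reads_browser_store")
    if img not in BROWSERS and any(TELEGRAM.search(h) for h in ev.hosts):
        hits.append("non_browser_telegram_c2")
    if img in ABUSED_LOLBINS and ev.hosts:
        hits.append("lolbin_outbound")
    if not ev.signed and ev.hosts and reads_store:
        hits.append("unsigned_network_then_credstore")
    if "setup" in img and ev.parent.lower() in ARCHIVERS:
        hits.append("setup_spawned_by_archiver")
    return hits

def scan(events):
    """Map each flagged image name to its detections; clean processes are omitted."""
    return {ev.image: hits for ev in events if (hits := assess(ev))}

SAMPLE = [  # constructed records: a benign browser, a padded 'Setup.exe', an abused LOLBin
    ProcEvent("chrome.exe", "explorer.exe", True,
              [r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"],
              ["accounts.google.com"]),
    ProcEvent("Setup.exe", "7zFM.exe", False,
              [r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12.default\logins.json"],
              ["t.me"]),
    ProcEvent("InstallUtil.exe", "Setup.exe", True, [], ["c2.example.invalid"]),
]
```

In production the same checks would be expressed as EDR or SIEM queries; the point here is that each rule alone is noisy, while the combination on one process (as for the constructed Setup.exe record) is a strong signal.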
Command: “cmd.exe” /c timeout /t 6 & del /f /q “FilePathToMalware” & exit
Flag explanations:
/c – carry out the command, then terminate
timeout – pause command execution
/t 6 – timeout parameter: wait 6 seconds
del – delete
/q – quiet mode (no confirmation prompt)
/f – force deletion, including read-only files
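A parser for the self-deletion chain shown above, run over constructed process-creation log lines; it tolerates case differences, quoted or unquoted paths, either switch order, and the curly quotes that copy-pasted examples carry. This is an added example, not code from the original post or from IBM; the log line format and the sample lines are assumptions.

```python
import re

# Matches the self-deletion chain shown above (cmd.exe /c timeout /t <n> & del
# /f /q "<path>" & exit) regardless of case, quoting, or /f and /q order.
SELF_DELETE = re.compile(
    r'^"?cmd(?:\.exe)?"?\s+/c\s+timeout\s+/t\s+(?P<secs>\d+)\s*&\s*'
    r'del\s+(?P<sw>(?:/[fq]\s+){1,2})"?(?P<path>[^"&]+?)"?\s*&\s*exit\s*$',
    re.I)

def parse_self_delete(cmdline):
    """Return the timeout, switches and deleted path, or None if no match."""
    # Normalise the curly quotes that copy-pasted examples often carry.
    cmdline = cmdline.replace("\u201c", '"').replace("\u201d", '"').strip()
    m = SELF_DELETE.match(cmdline)
    if not m:
        return None
    return {"secs": int(m["secs"]),
            "switches": sorted(s.lower() for s in m["sw"].split()),
            "path": m["path"].strip()}

def scan_process_log(lines):
    """Yield (line_no, parent_image, parsed) for every matching cmd.exe launch."""
    # Constructed log format (assumption): 'timestamp|parent_image|command_line'.
    for n, line in enumerate(lines, 1):
        _ts, parent, cmd = line.split("|", 2)
        parsed = parse_self_delete(cmd)
        if parsed:
            yield n, parent, parsed

# Constructed sample lines; the third mirrors the post's command with a placeholder path.
SAMPLE_LOG = [
    "2023-03-01T10:00:01|explorer.exe|\"cmd.exe\" /c dir C:\\Users\\alice",
    "2023-03-01T10:00:05|svchost.exe|\"cmd.exe\" /c timeout /t 30 & echo hi & exit",
    "2023-03-01T10:02:17|Setup.exe|\"cmd.exe\" /c timeout /t 6 & del /f /q "
    "\"C:\\Users\\alice\\AppData\\Local\\Temp\\Setup.exe\" & exit",
    "2023-03-01T10:03:40|AppLaunch.exe|cmd /C TIMEOUT /T 3 & DEL /Q /F C:\\Users\\alice\\Downloads\\update.exe & EXIT",
]

def findings():
    """All self-delete launches in the sample log, as (line_no, parent, parsed)."""
    return list(scan_process_log(SAMPLE_LOG))

if __name__ == "__main__":
    for n, parent, hit in findings():
        print(f"line {n}: {parent} spawned self-delete of {hit['path']} after {hit['secs']}s")
```

The parent image and the deleted path are the useful pivots: the parent is the likely stealer process, and the path tells you which file to recover from backups or shadow copies for analysis.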
While info stealers are not a new category of malware, attackers have been employing them increasingly of late and are constantly changing their tactics, techniques, and procedures (TTPs) to avoid detection. Some variants are designed to evade EDR and AV solutions, which makes searching for false negatives all the more important. Many attackers use well-known and effective credential stealers such as Redline, Raccoon, and Vidar.
Here at CourseMonster, we know how hard it may be to find the right time and funds for training. We provide effective training programs that enable you to select the training option that best meets the demands of your company.
For more information, please get in touch with one of our course advisers today or contact us at training@coursemonster.com