IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they have been known to steal information from chatting programs including Telegram and Discord. Some of the more popular info stealers in the wild include Redline, Raccoon, and Vidar.

The obvious threat is users’ credentials, which are often reused on different sites and, when compromised, can be used to blackmail the victim or be sold on the dark web for other purposes. But the bigger threat is the ability of these stealers to evade anti-virus (AV) solutions and even endpoint detection and response (EDR) platforms. This is an issue because such a false negative will not be discovered unless it is specifically hunted for.

IBM’s ATDR team has been on the leading edge of identifying these and has documented, for the community, the behaviors and indicators that can be used to hunt for this activity and/or to develop custom detections that fill the gap security tools may have.

How do info stealers work?

IBM has observed these info stealers evolve over time but there are some specific tactics, techniques, and procedures (TTPs) to hunt for.

Initial download

These info stealers usually come in the form of a Trojan. Users download a compressed file (.zip or .rar), either from a filesharing site such as Discord, Telegram or MediaFire or from a phishing email, in the hope of obtaining a legitimate piece of software. Alternatively, these files are known to be downloaded while users are trying to get some form of “cracked” software.

User execution

When the user decompresses and opens the folder, we often see some sort of executable that is the malicious payload. Many times, this executable has “setup” in its filename. The thought is that these executables bypass AV because they are large files, which often do not get scanned by AV since doing so would take too many resources and slow down the system. Attackers pad the file to increase its size so that it will not be scanned.

File behavior

Once executed, multiple things will occur. We initially see this executable reach out and establish a C2 connection. From there, we see it drop multiple DLLs. In most cases at least six of the following get dropped:

  • sqlite3.dll
  • freebl3.dll
  • mozglue.dll
  • msvcp140.dll
  • nss3.dll
  • softokn3.dll
  • vcruntime140.dll

These DLLs by themselves are legitimate and native to Windows, but in this case the info stealer is utilizing them for its execution. From here we see the malware access sensitive directory locations that store web information. Here are some of the directories accessed:

  • Microsoft Edge: *\AppData\Local\Microsoft\Edge\User Data
  • Firefox: *\AppData\Roaming\Mozilla\Firefox\Profiles
  • Chrome: *\AppData\Local\Google\Chrome\User Data

Earlier in 2022, this malware would show more obvious signs of infection and we would see the malware execute commands such as:

Command: /c copy /Y “FilePath of web info” “FilePath where to copy the information to” (usually in the temp folder)

Data exfiltration

In some cases, we will see an obvious sign of data exfiltration. A file would be created in the Temp directory, and all the information needed is then copied into said file, immediately compressed, and then exfiltrated via the pre-existing C2 connection. In some cases, this is not as obvious based on available EDR telemetry.

Malware deletion

In many cases, we’re seeing the malware delete itself once the attack is complete. This is a defense evasion technique: even if the hash is known, AV solutions will not detect this malware during a regularly scheduled scan because the file has already been deleted.

Detections and prevention techniques

Other than following best practices while surfing the internet, how, from a security perspective, can we detect or stop this? As mentioned, info stealers have been known to evade AV and EDR, but there are some ways to detect and prevent them. Some of these will be higher fidelity than others, but your organization can try to detect this activity at different stages of the attack.

Initial download

Review your organization’s need for different filesharing sites. Is there a business need to allow users to access and download files from Discord, MediaFire and Telegram? If not, blocking access to these sites or preventing downloads will help to reduce the attack vectors. If that is not practical, one way to help detect this would be to hunt for the filenames and/or download history from these sites. Look for compressed file downloads with unusual filenames that contain two or more of the following:

  • Setup
  • Latest
  • Pass
  • Password
  • Passw0rd
  • Main
  • Full
  • Download
  • Open

Many of these archives are password protected, and the password, usually ‘1234’, is typically found in the filename. Look for these downloads from a filesharing site or from abnormal sites. This approach may not be as fruitful long-term since you are detecting the initial download rather than the point of compromise, especially if the user never opens the file.
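The download-name heuristic above as a hunting function, added here as an example rather than code from the post: it flags .zip/.rar downloads whose names contain two or more of the listed words and reports the ‘1234’ password hint separately. The sample filenames are constructed, not real indicators.

```python
import re

# Filename keywords the post lists for suspicious compressed downloads, longest first
# so that "password"/"passw0rd" are counted once rather than also as "pass".
SUSPICIOUS_WORDS = ("passw0rd", "password", "download", "latest",
                    "setup", "pass", "main", "full", "open")
WORD_RE = re.compile("|".join(SUSPICIOUS_WORDS), re.IGNORECASE)
ARCHIVE_EXTS = (".zip", ".rar")
PASSWORD_HINT = "1234"   # the archive password the post says usually appears in the name


def score_download_name(filename):
    """Apply the post's heuristic to one downloaded filename.

    suspicious = a .zip/.rar archive whose name contains two or more distinct
    listed words. The '1234' password hint raises confidence but is reported
    separately because the heuristic does not require it.
    """
    lower = filename.lower()
    words = sorted({m.group(0) for m in WORD_RE.finditer(lower)})
    is_archive = lower.endswith(ARCHIVE_EXTS)
    return {
        "filename": filename,
        "is_archive": is_archive,
        "matched_words": words,
        "password_hint": PASSWORD_HINT in lower,
        "suspicious": is_archive and len(words) >= 2,
    }


def hunt_downloads(filenames):
    """Return the score records of the filenames that meet the heuristic, for triage."""
    scored = (score_download_name(name) for name in filenames)
    return [rec for rec in scored if rec["suspicious"]]


# Constructed sample download names (not real IoCs) to exercise the heuristic.
SAMPLE_DOWNLOADS = [
    "Setup_Latest_Full_Pass1234.rar",   # four listed words plus the password hint
    "quarterly_report.zip",             # archive, no listed words
    "Photoshop_Download_Main.exe",      # two words but not a compressed file
    "open_main_2023.zip",               # two words, no password hint
]

if __name__ == "__main__":
    for rec in hunt_downloads(SAMPLE_DOWNLOADS):
        print(rec["filename"], rec["matched_words"], "password hint:", rec["password_hint"])
```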

User execution

Detecting the initial execution of this file may be tricky and not as reliable. One possibility is to look for an executable whose name contains “setup” being launched by one of the compression tools such as 7-Zip or WinRAR. Setup.exe is one of the common executables that gets launched from these compressed files.

File behavior

Detecting on file behavior gives the highest fidelity for detecting compromise. Look for an executable that creates six or more of the DLLs shown above within a second or so. Alternatively, detect an unsigned executable that establishes a network connection followed by the creation of these DLLs. Because many of the file paths the malware inspects are static, one can also hunt for abnormal processes accessing those locations. In more recent observations, we’ve seen malware utilizing Telegram as its C2 method. Look for non-browser executables establishing multiple connections to Telegram (t[.]me).

Data exfiltration

A higher-confidence method of detection is through the data exfiltration activity or the establishment of the C2. For example, check for network connections by processes that we wouldn’t expect to make them. Of course, knowing what is ‘normal’ in your organization will help with understanding what shouldn’t be doing this. Look for native executables or downloaded executables that should not be making network connections.

To give some specific examples, hunt for ‘InstallUtil.exe’, ‘AppLaunch.exe’ or ‘vbc.exe’ establishing a remote connection. This is not normal for these programs; determine what launched these applications before the network connection to get some insight.
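The file-behavior and network rules from the two sections above, run over constructed endpoint telemetry as an added example (not code from the post or from IBM): a sliding one-second window for six or more of the listed DLLs created by one process, plus connections from the binaries named above or from any non-browser process to Telegram. The event format and the browser image names are assumptions.

```python
from collections import defaultdict

# DLLs the post lists as dropped; six or more created by one process within ~1 s is the signal.
STEALER_DLLS = {"sqlite3.dll", "freebl3.dll", "mozglue.dll", "msvcp140.dll",
                "nss3.dll", "softokn3.dll", "vcruntime140.dll"}
DLL_THRESHOLD, WINDOW_SECONDS = 6, 1.0
UNEXPECTED_NET_PROCS = {"installutil.exe", "applaunch.exe", "vbc.exe"}  # named in the post
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}   # assumed browser image names
TELEGRAM_HOST = "t.me"                                    # the post's t[.]me, refanged
# Assumed event format: dict with ts (seconds), pid, image, kind ('file_create'|'net_connect'), target.

def dll_burst_hits(events):
    """Flag a process creating >= DLL_THRESHOLD distinct listed DLLs inside one WINDOW_SECONDS window."""
    drops = defaultdict(list)
    for e in events:
        if e["kind"] == "file_create" and e["target"].lower() in STEALER_DLLS:
            drops[(e["pid"], e["image"].lower())].append((e["ts"], e["target"].lower()))
    hits = []
    for (pid, image), evs in drops.items():
        for start, _ in sorted(evs):            # slide a window starting at each drop
            names = {n for ts, n in evs if start <= ts <= start + WINDOW_SECONDS}
            if len(names) >= DLL_THRESHOLD:
                hits.append({"rule": "dll_burst", "pid": pid, "image": image, "dlls": sorted(names)})
                break
    return hits

def network_hits(events):
    """Flag connections by the binaries the post calls out, and non-browser processes reaching Telegram."""
    hits = []
    for e in events:
        if e["kind"] != "net_connect":
            continue
        image, host = e["image"].lower(), e["target"].lower()
        if image in UNEXPECTED_NET_PROCS:
            hits.append({"rule": "unexpected_net_proc", "pid": e["pid"], "image": image, "host": host})
        elif image not in BROWSERS and (host == TELEGRAM_HOST or host.endswith("." + TELEGRAM_HOST)):
            hits.append({"rule": "telegram_c2", "pid": e["pid"], "image": image, "host": host})
    return hits

def make_event(ts, pid, image, kind, target):
    return {"ts": ts, "pid": pid, "image": image, "kind": kind, "target": target}

# Constructed sample telemetry (not real IoCs): pid 4242 reaches t.me and drops six DLLs in under
# half a second; pid 800 drops three DLLs seconds apart, which looks like an ordinary installer.
SAMPLE_EVENTS = (
    [make_event(100.0, 4242, "setup.exe", "net_connect", "t.me")]
    + [make_event(100.5 + i * 0.08, 4242, "setup.exe", "file_create", d) for i, d in enumerate(sorted(STEALER_DLLS)[:6])]
    + [make_event(101.2, 4300, "vbc.exe", "net_connect", "198.51.100.7")]
    + [make_event(200.0 + i * 5, 800, "installer.exe", "file_create", d) for i, d in enumerate(sorted(STEALER_DLLS)[:3])]
    + [make_event(300.0, 31, "chrome.exe", "net_connect", "t.me")]
)
```

Firefox ships nss3.dll, mozglue.dll, softokn3.dll and freebl3.dll itself, so in production exclude the Firefox installer and updater and writes under Program Files, and keep the per-process one-second window rather than matching on the DLL names alone.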

Malware deletion

We can detect the deletion command, as we have seen some consistency in the command utilized. This may not be as effective, since we would alert only after the malware has fully executed, but it helps to identify this malware in your environment. We see cmd.exe get launched and a command run with parameters similar to:

Command: “cmd.exe” /c timeout /t 6 & del /f /q “FilePathToMalware” & exit

Flag explanations:

  • /c – carry out the command and then terminate
  • timeout – pause command execution
  • /t 6 – timeout parameter, 6 seconds
  • del – delete
  • /q – quiet mode
  • /f – force delete
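The self-deletion command above, parsed as an added example that is not from the post: a regular expression that recognises the cmd.exe /c timeout … & del … chain with either flag order, an optional /t and an optional trailing & exit, plus a hunt over constructed process-creation records. The record fields (parent_image, cmdline) are assumed.

```python
import re

# Matches the self-deletion command line the post describes, tolerating a full path to
# cmd.exe, quoted or unquoted target paths, either order of /f and /q, and a missing "& exit".
SELF_DELETE_RE = re.compile(
    r'^"?(?:[A-Za-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/c\s+'
    r'timeout\s+(?:/t\s+)?(?P<secs>\d+)\s*&\s*'
    r'del\s+(?P<flags>(?:/[fq]\s+)+)"?(?P<path>[^"&/][^"&]*?)"?\s*(?:&\s*exit)?\s*$',
    re.IGNORECASE,
)

def parse_self_delete(cmdline):
    """Return {timeout_secs, flags, path} if cmdline is a timeout-then-delete chain, else None."""
    m = SELF_DELETE_RE.match(cmdline.strip())
    if not m:
        return None
    return {"timeout_secs": int(m.group("secs")),
            "flags": sorted(f.lower() for f in m.group("flags").split()),
            "path": m.group("path").strip()}

def hunt_self_delete(process_events):
    """process_events: dicts with 'parent_image' and 'cmdline' from process-creation telemetry.
    Returns one hit per matching cmd.exe launch, carrying the parsed deletion target."""
    hits = []
    for ev in process_events:
        parsed = parse_self_delete(ev["cmdline"])
        if parsed:
            hits.append({"parent_image": ev["parent_image"], **parsed})
    return hits

# Constructed sample process-creation records (not real IoCs).
SAMPLE_PROCESS_EVENTS = [
    {"parent_image": "setup.exe",
     "cmdline": r'"cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\alice\Downloads\Setup_Latest\setup.exe" & exit'},
    {"parent_image": "explorer.exe", "cmdline": r'cmd.exe /c dir C:\Users\alice'},
    {"parent_image": "AppLaunch.exe",
     "cmdline": r'C:\Windows\System32\cmd.exe /c timeout 3 & del /q /f C:\Users\alice\AppData\Local\Temp\main.exe'},
]
```

Some legitimate updaters remove their own bootstrap executable the same way, so pair a hit with the parent image and the deleted path (a user-writable directory, a recently downloaded file) before alerting.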

Summary

Info stealers in general are not a new type of malware, but recently there has been an uptick in how often they are utilized. Because of this, we see attacker TTPs changing rapidly to keep from being detected. Some of these have the capability of evading EDR and AV solutions, which makes these false negatives even more important to hunt for. Many of the more common yet effective credential stealers are being utilized, including Redline, Raccoon, and Vidar.

Infection chain

IOCs (The compressed files)

