IBM’s Advanced Threat Detection and Response (ATDR) team has seen an increase over the past year in the malware family known as information stealers. Info stealers are malware that scan for and exfiltrate data and credentials from an infected device. When executed, they scan for and copy directories that usually hold sensitive information or credentials, including web and login data from Chrome, Firefox and Microsoft Edge. In other cases they have been seen stealing data from chat applications such as Telegram and Discord. Some of the more popular info stealers in the wild are Redline, Raccoon and Vidar.
The obvious threat is to users’ credentials, which are often reused across sites and, once compromised, can be used to blackmail the victim or sold on the dark web for other purposes. The bigger threat is the stealers’ ability to evade anti-virus (AV) solutions and even endpoint detection and response (EDR) platforms: a false negative of this kind goes unnoticed unless it is specifically hunted for.
IBM’s ATDR team has been on the leading edge of identifying these threats and has documented, for the community, behaviors and indicators that can be used to hunt for them and to develop custom detections that fill the gap left by security tooling.
How do info stealers work?
IBM has observed these info stealers evolve over time, but there are specific tactics, techniques and procedures (TTPs) to hunt for.
These info stealers usually arrive as a Trojan. Users download a compressed file (.zip or .rar) from a filesharing site such as Discord, Telegram or MediaFire, or from a phishing email, expecting a legitimate piece of software. Frequently the file is downloaded while the user is looking for a “cracked” copy of commercial software.
When the user decompresses and opens the folder, we often see an executable that is the malicious payload; many times its filename contains “setup”. These executables are thought to bypass AV because they are large: many AV products skip files above a size threshold rather than spend the resources to scan them and slow the system down, so attackers pad the file to push it past that threshold (more on obfuscated files here).
Once executed, several things happen. First the executable reaches out and establishes a C2 connection. It then drops multiple DLLs; in most cases at least six are dropped:
These DLLs are themselves legitimate and native to Windows, but the info stealer uses them for its own execution. From here the malware accesses the sensitive directories that store web data. Some of the directories accessed:
Earlier in 2022 this malware showed more obvious signs of infection, such as executing commands like:
Command: /c copy /Y “FilePath of web info” “FilePath where to copy the information to” (usually in the temp folder)
In some cases there is an obvious sign of data exfiltration: a file is created in the Temp directory, all of the collected information is copied into it, the file is immediately compressed and then exfiltrated over the pre-existing C2 connection. In other cases this is not obvious from the available EDR telemetry.
In many cases the malware deletes itself once the attack is complete. This is a defense-evasion technique: even if the file’s hash is known, a regularly scheduled AV scan finds nothing to detect because the file is already gone.
Detections and prevention techniques
Other than following best practices while browsing the internet, how can we detect or stop this? As mentioned, info stealers have been known to evade AV and EDR, but there are ways to detect and prevent them. Some are higher fidelity than others, and an organization can try to detect the activity at different stages of the attack.
Review your organization’s need for the various filesharing sites. Is there a business need for users to access and download files from Discord, MediaFire and Telegram? If not, blocking access to these sites or preventing downloads from them reduces the attack surface. If blocking is not practical, one way to detect this activity is to hunt for the filenames and/or history of downloads from these sites. Look for compressed file downloads with unusual file names that contain two or more of the following:
Many of these archives are password protected, and the password is usually embedded in the filename, typically ‘1234’. Look for such downloads from filesharing or otherwise abnormal sites. This approach may not be fruitful long-term since it detects the initial download rather than the point of compromise, and it fires even when the user never opens the file.
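As an added illustration (not code from the original IBM write-up), the following Python scores browser download-history rows the way the hunt above describes: a compressed archive from a filesharing host, a password in the filename and keyword hits each add to the score. The download rows, the filesharing domain suffixes and the keyword list are constructed placeholders; the write-up’s own keyword list is not reproduced here, so substitute yours.

```python
from urllib.parse import urlparse

# Filesharing services the write-up names; the domain suffixes are my assumption
# of how they appear in download history, so adjust them to what you observe.
FILESHARE_SUFFIXES = ("discordapp.com", "discord.com", "mediafire.com", "t.me", "telegram.org")
COMPRESSED_EXT = (".zip", ".rar")

# Constructed placeholder keywords standing in for the write-up's own list
PLACEHOLDER_KEYWORDS = ("crack", "setup")

# Constructed browser download-history rows: (source URL, saved filename)
SAMPLE_DOWNLOADS = [
    ("https://cdn.discordapp.com/attachments/111/222/Setup_Crack_Pass_1234.rar", "Setup_Crack_Pass_1234.rar"),
    ("https://www.mediafire.com/file/abc123/PhotoEditor_Setup.zip", "PhotoEditor_Setup.zip"),
    ("https://downloads.example-vendor.com/release/tool-2.4.zip", "tool-2.4.zip"),
    ("https://cdn.discordapp.com/attachments/111/333/meeting_notes.pdf", "meeting_notes.pdf"),
]


def score_download(url, filename, keywords=()):
    """Score one download. Returns None for non-archives, else (score, reasons):
    one point for a filesharing host, one for a password in the name ('1234'),
    and one per matching keyword."""
    name = filename.lower()
    if not name.endswith(COMPRESSED_EXT):
        return None
    score, reasons = 0, []
    host = (urlparse(url).hostname or "").lower()
    if any(host == s or host.endswith("." + s) for s in FILESHARE_SUFFIXES):
        score += 1
        reasons.append("filesharing-host:" + host)
    if "1234" in name:
        score += 1
        reasons.append("password-in-filename")
    hits = sorted(k for k in keywords if k.lower() in name)
    if hits:
        score += len(hits)
        reasons.append("keywords:" + ",".join(hits))
    return score, reasons


def hunt_downloads(rows, keywords=(), min_score=2):
    """Return (score, filename, reasons) for archives scoring min_score or more,
    highest score first."""
    findings = []
    for url, filename in rows:
        result = score_download(url, filename, keywords)
        if result and result[0] >= min_score:
            findings.append((result[0], filename, result[1]))
    return sorted(findings, key=lambda f: (-f[0], f[1]))


if __name__ == "__main__":
    for score, filename, reasons in hunt_downloads(SAMPLE_DOWNLOADS, PLACEHOLDER_KEYWORDS):
        print(score, filename, reasons)
```

The scoring is additive on purpose: a plain archive from a vendor site scores zero and is never surfaced, while an archive that combines a filesharing host with a password in the name or several keywords rises to the top of the review queue.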
Detecting the initial execution of the file is trickier and less reliable. One option is to look for an executable whose name contains “setup” being launched by a compression tool such as 7-Zip or WinRAR; setup.exe is one of the common executables launched from these archives.
Detecting on file behavior gives the highest fidelity for a compromise. Look for an executable that creates six or more of the DLLs listed above within a second or so; alternatively, look for an unsigned executable that establishes a network connection followed by the creation of these DLLs. Many of the file paths the malware inspects are static, so one can also hunt for abnormal processes accessing those locations. In more recent observations we have seen the malware use Telegram as its C2 channel: look for non-browser executables establishing multiple connections to Telegram (t[.]me).
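As an added example, not code from the original write-up, here is the DLL-burst check above expressed in Python over constructed EDR file-creation events. A sliding one-second window is applied per process and only distinct DLL names are counted, so a slow installer that writes the same number of DLLs over ten seconds is not flagged. The DLL names and paths are placeholders standing in for the list in the write-up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of EDR file-creation telemetry (not real data). Each row:
# (timestamp, pid, process image, created file). DLL names are placeholders.
SETUP = r"C:\Users\u\Downloads\setup.exe"
INSTALLER = r"C:\Program Files\Vendor\installer.exe"
TMP = r"C:\Users\u\AppData\Local\Temp"
SAMPLE_FILE_EVENTS = [
    # info stealer: six DLLs written in under half a second
    ("2022-09-01T10:00:00.000", 4120, SETUP, TMP + r"\lib1.dll"),
    ("2022-09-01T10:00:00.050", 4120, SETUP, TMP + r"\lib2.dll"),
    ("2022-09-01T10:00:00.120", 4120, SETUP, TMP + r"\lib3.dll"),
    ("2022-09-01T10:00:00.200", 4120, SETUP, TMP + r"\lib4.dll"),
    ("2022-09-01T10:00:00.310", 4120, SETUP, TMP + r"\lib5.dll"),
    ("2022-09-01T10:00:00.400", 4120, SETUP, TMP + r"\lib6.dll"),
    ("2022-09-01T10:00:00.450", 4120, SETUP, TMP + r"\stage.tmp"),   # not a DLL, ignored
    ("2022-09-01T10:00:00.500", 4120, SETUP, TMP + r"\lib6.dll"),    # rewrite, counted once
    # ordinary installer: also six DLLs, but spread over ten seconds
    ("2022-09-01T10:05:00.000", 5200, INSTALLER, r"C:\Program Files\Vendor\v1.dll"),
    ("2022-09-01T10:05:02.000", 5200, INSTALLER, r"C:\Program Files\Vendor\v2.dll"),
    ("2022-09-01T10:05:04.000", 5200, INSTALLER, r"C:\Program Files\Vendor\v3.dll"),
    ("2022-09-01T10:05:06.000", 5200, INSTALLER, r"C:\Program Files\Vendor\v4.dll"),
    ("2022-09-01T10:05:08.000", 5200, INSTALLER, r"C:\Program Files\Vendor\v5.dll"),
    ("2022-09-01T10:05:10.000", 5200, INSTALLER, r"C:\Program Files\Vendor\v6.dll"),
]


def find_dll_bursts(events, threshold=6, window_seconds=1.0):
    """Return one (pid, image, distinct_dll_count, window_start) per process that
    wrote `threshold` or more distinct .dll files inside any `window_seconds` span."""
    window = timedelta(seconds=window_seconds)
    by_proc = defaultdict(list)
    for ts, pid, image, path in events:
        if path.lower().endswith(".dll"):
            by_proc[(pid, image)].append((datetime.fromisoformat(ts), path.lower()))
    hits = []
    for (pid, image), drops in by_proc.items():
        drops.sort()
        for t0, _ in drops:                       # slide the window over each drop
            names = {p for t, p in drops if t0 <= t <= t0 + window}
            if len(names) >= threshold:
                hits.append((pid, image, len(names), t0.isoformat()))
                break                             # one finding per process is enough
    return hits


if __name__ == "__main__":
    for hit in find_dll_bursts(SAMPLE_FILE_EVENTS):
        print("DLL burst:", hit)
```

Widening the window to 15 seconds makes the installer fire too, which is the trade-off the paragraph above describes: the one-second window is what separates the stealer’s drop pattern from ordinary software installation.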
Another higher-confidence detection is the data exfiltration or C2 establishment itself, for example network connections from processes that should not be making them. Knowing what is ‘normal’ in your organization is what tells you which native or downloaded executables should not be doing this.
To give specific examples, hunt for InstallUtil.exe, AppLaunch.exe or vbc.exe establishing a remote connection. These are .NET Framework utilities that do not normally talk to the network; determine what launched them before the connection was made to get further insight.
The deletion command can also be detected, as there has been some consistency in the command used. This is less effective since the alert fires after the malware has fully executed, but it still helps identify this malware in your environment. We see cmd.exe launched with parameters similar to:
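The network-connection hunts from the paragraphs above (non-browser processes connecting repeatedly to t[.]me, the named .NET utilities making any remote connection, and unsigned executables opening connections) as added Python, not code from the original write-up. The telemetry rows, the 203.0.113.5 documentation address standing in for a C2 server, and the browser allowlist are constructed assumptions; each finding carries the parent image so the analyst can see what launched the process.

```python
import ntpath
from collections import Counter

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}          # assumed allowlist
SUSPECT_NET_BINARIES = {"installutil.exe", "applaunch.exe", "vbc.exe"}  # .NET utilities from the text
TELEGRAM_HOSTS = {"t.me"}

# Constructed EDR network-connection telemetry (not real data). Each row:
# (pid, process image, parent image, signed, destination host).
SAMPLE_NET_EVENTS = [
    (4120, r"C:\Users\u\Downloads\setup.exe", r"C:\Program Files\WinRAR\WinRAR.exe", False, "203.0.113.5"),
    (4300, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", r"C:\Users\u\Downloads\setup.exe", True, "203.0.113.5"),
    (4500, r"C:\Users\u\AppData\Roaming\updater.exe", r"C:\Windows\explorer.exe", False, "t.me"),
    (4500, r"C:\Users\u\AppData\Roaming\updater.exe", r"C:\Windows\explorer.exe", False, "t.me"),
    (4500, r"C:\Users\u\AppData\Roaming\updater.exe", r"C:\Windows\explorer.exe", False, "t.me"),
    (2200, r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Windows\explorer.exe", True, "t.me"),
    (2200, r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Windows\explorer.exe", True, "t.me"),
    (2200, r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Windows\explorer.exe", True, "t.me"),
    (900, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe", True, "update.microsoft.com"),
]


def basename(path):
    return ntpath.basename(path).lower()


def hunt_network(events, min_telegram=2):
    """Return (rule, pid, image, parent, detail) findings, one per rule and process."""
    findings, emitted = [], set()
    telegram, last_seen = Counter(), {}

    def emit(rule, pid, image, parent, detail):
        if (rule, pid) not in emitted:          # one finding per rule and process
            emitted.add((rule, pid))
            findings.append((rule, pid, basename(image), basename(parent), detail))

    for pid, image, parent, signed, host in events:
        name = basename(image)
        last_seen[pid] = (image, parent)
        if name in SUSPECT_NET_BINARIES:        # .NET utilities never need the network
            emit("dotnet-utility-network", pid, image, parent, host)
        elif not signed and name not in BROWSERS:
            emit("unsigned-executable-network", pid, image, parent, host)
        if host.lower() in TELEGRAM_HOSTS and name not in BROWSERS:
            telegram[pid] += 1
    for pid, count in telegram.items():
        if count >= min_telegram:
            image, parent = last_seen[pid]
            emit("non-browser-telegram-c2", pid, image, parent, f"{count} connections")
    return findings


if __name__ == "__main__":
    for finding in hunt_network(SAMPLE_NET_EVENTS):
        print(*finding)
```

Chrome’s own connections to t.me are deliberately ignored because the browser is the one process for which that traffic is expected; tune the allowlist to the browsers and messaging clients your organization actually deploys.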
Command: “cmd.exe” /c timeout /t 6 & del /f /q “FilePathToMalware” & exit
/c – carry out the command string and then terminate
timeout – pause command execution
/t 6 – wait six seconds, long enough for the payload process to exit before its file is deleted
del – delete
/f – force deletion of read-only files
/q – quiet mode; no confirmation prompt
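As an added example covering both the copy command described earlier and the self-delete command above (not code from the original write-up), this Python classifies cmd.exe command lines taken from process-creation telemetry and pulls out the fields an analyst wants: the delay and target path of a self-delete, or the source and destination of a browser-data copy. The sample command lines are constructed; the browser profile markers are the standard Chrome, Edge and Firefox profile locations, not the write-up’s own directory list.

```python
import re

# "cmd.exe" /c timeout /t N & del /f /q "path" & exit
SELF_DELETE_RE = re.compile(
    r'^\s*"?cmd(?:\.exe)?"?\s+/c\s+timeout\s+/t\s+(?P<secs>\d+)\s*&+\s*del\s+'
    r'(?P<flags>(?:/[fq]\s+)*)"?(?P<path>[^"&]+?)"?\s*&+\s*exit\s*$',
    re.IGNORECASE)
# /c copy /Y "source" "destination"
COPY_RE = re.compile(
    r'(?:^|\s)/c\s+copy\s+/y\s+"(?P<src>[^"]+)"\s+"(?P<dst>[^"]+)"', re.IGNORECASE)

# Standard browser profile locations holding saved logins (my list, not the write-up's)
BROWSER_DATA_MARKERS = (
    r"\google\chrome\user data",
    r"\microsoft\edge\user data",
    r"\mozilla\firefox\profiles",
)

# Constructed command lines as they would appear in EDR process telemetry
SAMPLE_CMDLINES = [
    r'"cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\u\AppData\Local\Temp\RarSFX0\setup.exe" & exit',
    r'cmd.exe /c copy /Y "C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\u\AppData\Local\Temp\ld.tmp"',
    r'cmd.exe /c copy /Y "C:\build\app.exe" "C:\deploy\app.exe"',       # benign copy
    r'"cmd.exe" /c timeout /t 6 & ping localhost',                        # benign timeout
]


def classify_cmdline(cmdline):
    """Return a dict describing a self-delete or browser-data copy, else None."""
    m = SELF_DELETE_RE.match(cmdline)
    if m:
        flags = {f.lower() for f in m.group("flags").split()}
        return {"type": "self_delete", "delay_seconds": int(m.group("secs")),
                "path": m.group("path").strip(),
                "force": "/f" in flags, "quiet": "/q" in flags}
    m = COPY_RE.search(cmdline)
    if m:
        src, dst = m.group("src"), m.group("dst")
        if any(marker in src.lower() for marker in BROWSER_DATA_MARKERS):
            return {"type": "browser_data_copy", "src": src, "dst": dst,
                    "to_temp": "\\temp\\" in dst.lower()}   # staging in Temp per the text
    return None


def hunt_cmdlines(cmdlines):
    """Return (cmdline, classification) for every line that matches a pattern."""
    hits = []
    for line in cmdlines:
        result = classify_cmdline(line)
        if result:
            hits.append((line, result))
    return hits


if __name__ == "__main__":
    for line, result in hunt_cmdlines(SAMPLE_CMDLINES):
        print(result)
```

The self-delete pattern is anchored on the whole `timeout ... & del ... & exit` chain rather than on `del` alone, because `del` by itself is far too common; a plain `copy /Y` is likewise only reported when the source is a browser profile path, which keeps build and deployment scripts out of the results.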
Info stealers are not a new type of malware, but there has recently been an uptick in how often they are used, and attacker TTPs are changing rapidly to avoid detection. Some of these stealers can evade EDR and AV solutions, which makes hunting for these false negatives all the more important. Among the common yet effective credential stealers in use are Redline, Raccoon and Vidar.
IOCs (The compressed files)