Around We Go: Planet Stealer Emerges – InQuest

Planet Stealer is a Go-based information-stealing Trojan marketed as malware-as-a-service and used by multiple actors in recent campaigns. It collects browser data, credentials, and other sensitive information, exfiltrating it via HTTP C2 and Telegram, with sandbox evasion features and a modern C2 infrastructure observed in samples.
Hashtags: #PlanetStealer #InQuest #BreachForums #HackForums #Go

Keypoints

  • Planet Stealer is a Go-implemented information stealer offered as MaaS, used by active threat actors in recent campaigns.
  • Distributed as EXE files and sometimes as a loader payload, with a publicly accessible C2 server noted in campaigns.
  • Capabilities include browser data theft (cookies, session data, credentials), cryptocurrency wallet theft, and credential theft for messengers and game clients.
  • Includes virtualization/sandbox evasion techniques to hinder analysis (T1497).
  • Exfiltration methods include Telegram-based exfil and HTTP POST to a C2 endpoint with JSON payloads (endpoints: /submit/info, /submit/file).
  • Observed network indicators include specific IPs, domains, and ZIP data exfiltration patterns, underscoring a modern C2 setup.

MITRE Techniques

  • [T1555.003] Credentials in Web Browsers – Browser data theft (Chromium and Gecko), including cookies, session data, and credentials. Quote: “Chromium and Gecko browsers” and “Target data: cookies, session data, credentials”
  • [T1497] Virtualization/Sandbox Evasion – The malware includes suspected sandbox/VM evasion features to hinder analysis. Quote: “T1497 Virtualization/Sandbox Evasion”
  • [T1071.001] Web Protocols – C2 communications via an HTTP API using JSON; endpoints include /submit/info and /submit/file. Quote: “HTTP (POST) Communication with the C2 server is implemented using an HTTP API with inner JSON data. Analysis of the C2 servers indicates a likely modern Python ASGI-based service using the Uvicorn app server on the backend, coupled with the FastAPI API library.”
  • [T1041] Exfiltration Over C2 Channel – Stolen data is packaged into a ZIP archive and sent to the C2 server over the same HTTP channel. Quote: “Observed C2 request data, ZIP archive for data exfiltration:”

Indicators of Compromise

  • [IP Address] C2 servers – 193.178.170.30, 181.214.173.146 (observed in sample communications)
  • [Domain] hzp02itt0a[.]com – C2 endpoints (submit/info, submit/file)
  • [File] GQHQf1zL-cc081a61-1139-4400-934e-adfed816b758.zip – ZIP archive used for exfiltration
  • [URL] hXXp://hzp02itt0a[.]com/submit/info and hXXp://hzp02itt0a[.]com/submit/file – C2 HTTP endpoints
  • [File Path] C:\Users\admin\AppData\Local\Temp\GQHQf1zL-cc081a61-1139-4400-934e-adfed816b758.zip – Exfiltration artifact
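The following Python script is an added example written for this summary, not code from InQuest or from the Planet Stealer analysis. It turns the C2 behaviour described under T1071.001/T1041 and the indicators listed above into a small detection pass: it parses constructed proxy log lines (the log layout is assumed), flags POST requests to the /submit/info and /submit/file endpoints, rates a hit on the published C2 domain or IPs higher than a matching path on an unknown host, and checks staged file names against the exfil archive pattern. Only the domain, IP addresses, endpoint paths and archive name come from the page; the sample traffic and the generalisation to any 8-character archive prefix are assumptions.

```python
"""Detection helpers for Planet Stealer C2 traffic (added example, not InQuest's code)."""
import re
from typing import Dict, List, Optional

# Indicators from the summary's IoC section; the defanging brackets are removed so
# the values match what a proxy would actually log.
C2_DOMAINS = {"hzp02itt0a.com"}
C2_IPS = {"193.178.170.30", "181.214.173.146"}
C2_PATHS = {"/submit/info", "/submit/file"}

# The observed exfil archive is GQHQf1zL-<uuid>.zip. Matching any 8-character
# alphanumeric prefix followed by a UUID is an assumption made for this example.
EXFIL_ZIP_RE = re.compile(
    r"^[A-Za-z0-9]{8}-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.zip$",
    re.IGNORECASE,
)

# Assumed proxy log layout: timestamp client method host path status bytes.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+"
    r"(?P<path>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)

# Constructed sample traffic; only the C2 host/IPs and paths come from the page.
SAMPLE_PROXY_LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 GET www.example.com /index.html 200 5120
2024-03-01T10:00:07Z 10.0.0.5 POST hzp02itt0a.com /submit/info 200 842
2024-03-01T10:00:09Z 10.0.0.5 POST hzp02itt0a.com /submit/file 200 193744
2024-03-01T10:00:15Z 10.0.0.8 POST 193.178.170.30 /submit/info 200 791
2024-03-01T10:01:00Z 10.0.0.9 POST api.example.org /submit/info 200 300
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the log fields as a dict, or None for lines that do not fit the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: Dict[str, str]) -> List[str]:
    """Name every Planet Stealer indicator a single request matches."""
    reasons = []
    host = rec["host"].lower().split(":")[0]  # drop an explicit port if present
    if host in C2_DOMAINS or host in C2_IPS:
        reasons.append("known-c2-host")
    if rec["method"] == "POST" and rec["path"] in C2_PATHS:
        reasons.append("submit-endpoint")
    return reasons


def severity(reasons: List[str]) -> str:
    """A hit on a published C2 host is high confidence; the path alone is only a lead."""
    if "known-c2-host" in reasons:
        return "high"
    if reasons:
        return "low"
    return "none"


def scan_proxy_log(text: str) -> List[Dict[str, object]]:
    """Run the rules over each log line and keep only the lines that matched something."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append({
                "ts": rec["ts"], "client": rec["client"], "host": rec["host"],
                "path": rec["path"], "bytes": int(rec["bytes"]),
                "reasons": reasons, "severity": severity(reasons),
            })
    return hits


def is_exfil_archive_name(filename: str) -> bool:
    """True if a file name follows the exfil archive pattern seen in the IoC list."""
    return EXFIL_ZIP_RE.match(filename) is not None


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"[{hit['severity']:4}] {hit['client']} -> {hit['host']}{hit['path']} "
              f"({', '.join(hit['reasons'])})")
    print(is_exfil_archive_name("GQHQf1zL-cc081a61-1139-4400-934e-adfed816b758.zip"))
```

The two-tier severity matters in practice: the /submit/info and /submit/file paths are generic enough that other software can use them, so a path-only match on an unknown host should be triaged rather than blocked outright, while any traffic to the listed domain or IPs is actionable on its own. The archive-name check is meant for EDR file-creation events in the user's Temp directory, where the ZIP is staged before upload.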

Read more: https://inquest.net/blog/around-we-go-planet-stealer-emerges/