Cyble researchers highlight a trojanized Visual Studio installer that bundles cookie-stealing malware, enabling attackers to harvest browser cookies and other data. The stolen information is compressed and exfiltrated via Telegram, while the attacker attempts to conceal the activity by deleting its traces.
#VisualStudioTrojanizedInstaller #MainProjectExe
Keypoints
- The attacker distributes a counterfeit Visual Studio installer (VisualStudio.exe) that includes an information-stealing component named “MainProject.exe.”
- The malicious installer can be delivered through phishing sites, third-party sites, file-sharing platforms, and other deceptive methods.
- After execution, the stealer gathers system information (machine name, username, OS, IP, etc.) and targets cookies stored by browsers such as Chrome and Firefox.
- Chrome cookies are harvested by enumerating user profiles in the Chrome data path and saving cookies to temporary text files; Firefox cookies are pulled from its SQLite database in the Firefox profiles folder.
- Stolen data is compressed into a zip file and exfiltrated via a Telegram bot, with ongoing steps to cover tracks (deleting Temp folders and terminating the stealer process).
- The report includes a process tree showing how the trojanized installer launches the legitimate Visual Studio installer alongside the MainProject stealer.
- MITRE ATT&CK techniques cited include User Execution, Hide Artifacts, Browser Information Discovery, and Exfiltration Over Web Service.
- IOCs include specific file names and cryptographic hashes associated with VisualStudio.exe, MainProject.exe, and related artifacts.
MITRE Techniques
- [T1204] User Execution: Malicious File – The malicious installer is run by unsuspecting users, triggering both the legitimate Visual Studio installation and the stealer. “When the malicious ‘VisualStudio.exe’ installer is executed, it not only installs the legitimate Visual Studio software but also triggers the execution of the information-stealing malware, ‘MainProject.exe’.”
- [T1564.001] Hide Artifacts: Hidden Files and Directories – The stealer creates a Temp folder and later deletes the temporary folder containing stolen data to hide its tracks. “deletes the temporary folder containing stolen data, and abruptly terminates the stealer to hide its tracks.”
- [T1217] Browser Information Discovery – The stealer enumerates Chrome user profiles and reads the Firefox cookie database to extract cookies from multiple browsers. “To extract cookies from Google Chrome, the stealer initiates by listing the user profiles found in the Chrome path ‘C:\Users\<user>\AppData\Local\Google\Chrome\User Data’.”
- [T1567] Exfiltration Over Web Service – The exfiltration channel is a Telegram bot used to transmit the collected zip file. “For exfiltration, the information stealer utilizes Telegram to transmit the zip file to a designated Telegram bot.”
Indicators of Compromise
- [File Name] VisualStudio.exe, MainProject.exe, vs-professional.exe, system.txt – Executable and data artifacts involved in the attack and cleanup
- [SHA256 / MD5] VisualStudio.exe: SHA256 7e8f18c60e35472bf921d3b67fd427933bd150f57d6e83d1472b990a786976db, MD5 7a9e300f7bb0b5f480eb0b6df0373cc6 – Hashes associated with the trojanized installer
- [SHA256 / MD5] MainProject.exe: SHA256 e8a449e692f1b21f1bc4d49d8b27068b03dd7e8df583d429266fdfb261ddeed5, MD5 19f9d0023fb23676dead15b02681d65e – Hashes associated with the information stealer
- [Directory Path] Chrome user profiles: C:\Users\<user>\AppData\Local\Google\Chrome\User Data; Firefox profiles: C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles – Locations where cookies are enumerated and extracted
- [Process] vs-professional.exe – The stealer eventually executes this legitimate-looking binary as part of the final operation
- [File Name] Chrome__cookies.txt; other social-media cookies text files – Files created to store stolen cookies
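The following triage script is an added example written for this summary; it is not Cyble's code and not part of the original report. It applies the behaviour described in the key points (the installer spawning MainProject.exe, the stealer writing cookie text files under Temp) and the published hashes from the IOC list to a handful of constructed, Sysmon-style events. The event schema (`event`, `image`, `parent_image`, `target`, `sha256`, `md5`), the sample paths, and the profile name in `Chrome_Default_cookies.txt` are my own simplified assumptions, not field names or values from the page.

```python
"""
Added triage example (not the report's code): match the published file
hashes and the described process/file behaviour against process-creation
and file-creation events in a simplified, Sysmon-like schema (assumed).
"""
import hashlib
import re
from collections import defaultdict

# Hashes exactly as published in the IOC list (SHA256 and MD5 per binary).
IOC_HASHES = {
    "7e8f18c60e35472bf921d3b67fd427933bd150f57d6e83d1472b990a786976db": "VisualStudio.exe (SHA256)",
    "7a9e300f7bb0b5f480eb0b6df0373cc6": "VisualStudio.exe (MD5)",
    "e8a449e692f1b21f1bc4d49d8b27068b03dd7e8df583d429266fdfb261ddeed5": "MainProject.exe (SHA256)",
    "19f9d0023fb23676dead15b02681d65e": "MainProject.exe (MD5)",
}

# The stealer writes "<browser>_<profile>_cookies.txt" style files into Temp.
COOKIE_DUMP = re.compile(r"\\temp\\[^\\]*_cookies\.txt$", re.IGNORECASE)


def hash_bytes(data: bytes):
    """Return (sha256, md5) hex digests so a file can be checked against IOC_HASHES."""
    return hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest()


def file_hashes(path: str):
    """Hash a file on disk for comparison with the published indicators."""
    with open(path, "rb") as fh:
        return hash_bytes(fh.read())


def basename(path: str) -> str:
    """Lower-cased final path component; tolerates forward or back slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return human-readable findings for the indicators described in the report."""
    findings = []
    children = defaultdict(set)  # parent basename -> child basenames it launched
    for ev in events:
        kind = ev.get("event")
        if kind == "process_create":
            children[basename(ev.get("parent_image", ""))].add(basename(ev["image"]))
            for algo in ("sha256", "md5"):
                digest = ev.get(algo, "").lower()
                if digest in IOC_HASHES:
                    findings.append(f"hash match: {ev['image']} == {IOC_HASHES[digest]}")
        elif kind == "file_create":
            if basename(ev["image"]) == "mainproject.exe" and COOKIE_DUMP.search(ev["target"]):
                findings.append(f"cookie dump written by MainProject.exe: {ev['target']}")
    # Behavioural rule: the fake installer launches the stealer alongside the real setup.
    if "mainproject.exe" in children.get("visualstudio.exe", set()):
        findings.append("process chain: VisualStudio.exe launched MainProject.exe")
    return findings


# Constructed sample events (paths, user name and profile name are made up).
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Users\dev\Downloads\VisualStudio.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "sha256": "7e8f18c60e35472bf921d3b67fd427933bd150f57d6e83d1472b990a786976db"},
    {"event": "process_create", "image": r"C:\Users\dev\AppData\Local\Temp\vs-professional.exe",
     "parent_image": r"C:\Users\dev\Downloads\VisualStudio.exe"},
    {"event": "process_create", "image": r"C:\Users\dev\AppData\Local\Temp\MainProject.exe",
     "parent_image": r"C:\Users\dev\Downloads\VisualStudio.exe",
     "md5": "19f9d0023fb23676dead15b02681d65e"},
    {"event": "file_create", "image": r"C:\Users\dev\AppData\Local\Temp\MainProject.exe",
     "target": r"C:\Users\dev\AppData\Local\Temp\Chrome_Default_cookies.txt"},
    {"event": "file_create", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Users\dev\AppData\Local\Temp\log.txt"},  # benign noise, not flagged
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Run as-is, the script reports two hash matches, one cookie-dump write and the installer-to-stealer process chain, while the unrelated svchost.exe write is ignored. Because the cleanup step deletes the Temp folder afterwards, the file-creation events are the durable evidence; hashing surviving samples with `file_hashes` is the fallback when only the installer download remains.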
Read more: https://blog.cyble.com/2023/07/25/threat-actor-targeting-developers-via-trojanized-ms-visual-studio/