Cyble – New WhiteSnake Stealer Offered For Sale Via MaaS Model

WhiteSnake is a cross-OS infostealer targeting Windows and Linux that steals data from many sources and receives ongoing updates from its operator. It exfiltrates collected data through a Telegram bot and is marketed under a MaaS-style model; the Linux version mirrors the Windows functionality. #WhiteSnake #Cyble #CRIL #Windows #Linux #Telegram #Discord #PowerShell #MAAS

Key points

  • CRIL identified a new infostealer called WhiteSnake, available for Windows and Linux.
  • The stealer collects passwords, cookies, credit card data, screenshots, and other sensitive information from browsers and wallets.
  • Infection starts with a spam email delivering a BAT disguised as a PDF, followed by PowerShell and a downloaded build.bat from Discord.
  • Linux version exists with identical functionality; Linux binary can be compiled as .py/.sh and is small in size.
  • After decoding, a 32-bit .NET build.exe runs as the payload; it uses a mutex to run once and performs anti-VM checks.
  • Exfiltration is done via a Telegram bot with data formatted in XML and encrypted with RC4; the campaign is sold via a MAAS model with listed pricing.

MITRE Techniques

  • [T1566.001] Phishing – The initial infection begins with a spam email containing an executable file disguised as a PDF document.
  • [T1059.001] PowerShell – The BAT file executes a PowerShell script, which then downloads another BAT file named “build.bat” from a Discord URL.
  • [T1036] Masquerading – The executable is disguised as a PDF document to mislead the user.
  • [T1497] Virtualization/Sandbox Evasion – Anti-VM check to avoid analysis; if there is a match, the malware terminates without further execution.
  • [T1027] Obfuscated/Compressed Files and Information – The XML data is compressed and encrypted using the RC4 algorithm before exfiltration.
  • [T1010] Data from Local System – ProcessCommands obtains sensitive information from multiple sources, including web browsers, messaging apps, FTP clients, and cryptocurrency wallets.
  • [T1005] Data from Local System – The ProcessCommands function steals files such as “Cookies”, “Autofills”, “Login Data”, and “Web Data” from various browsers.
  • [T1083] File and Directory Discovery – The malware enumerates files and directories as part of collection.
  • [T1518] Security Software Discovery – The malware checks for installed security software as part of discovery.
  • [T1105] Ingress Tool Transfer – The build.bat file is downloaded from a Discord URL during initial infection.
  • [T1071.001] Application Layer Protocol – Exfiltration via the Telegram web service (‘sendDocument?chat_id=…&caption=win’).
  • [T1573] Encrypted Channel – Data exfiltration occurs over an encrypted/obfuscated channel.
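The two URL shapes the write-up reports (a .bat pulled from a Discord CDN attachment, and a Telegram Bot API sendDocument call carrying a chat_id) are easy to hunt for in proxy logs. The following is an added example, not code from Cyble or from the stealer; the log format, the bot token and the chat_id are constructed placeholders.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Path shapes taken from the URLs described in the report.
DISCORD_BAT_RE = re.compile(r"^/attachments/\d+/\d+/[^/?]+\.bat$", re.IGNORECASE)
TELEGRAM_SEND_DOC_RE = re.compile(r"^/bot[^/]+/sendDocument$")


def classify_url(url: str) -> Optional[str]:
    """Label a URL that matches a WhiteSnake delivery or exfil shape, else None."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host == "cdn.discordapp.com" and DISCORD_BAT_RE.match(p.path):
        return "discord_cdn_bat_download"
    if host == "api.telegram.org" and TELEGRAM_SEND_DOC_RE.match(p.path):
        # sendDocument to a specific chat is the exfil call seen in the report.
        if "chat_id" in parse_qs(p.query):
            return "telegram_bot_sendDocument_exfil"
    return None


def scan_proxy_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, label, url) for each matching line.

    Assumed (constructed) line layout: '<timestamp> <src_ip> <method> <url> <status>'.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than crash the scan
        label = classify_url(parts[3])
        if label:
            hits.append((n, label, parts[3]))
    return hits


# Constructed sample log; token and chat_id are placeholders, not real values.
SAMPLE_LOG = [
    "2023-02-24T10:01:02Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/111/222/build.bat 200",
    "2023-02-24T10:01:03Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/111/223/photo.png 200",
    "2023-02-24T10:02:10Z 10.0.0.5 POST https://api.telegram.org/botPLACEHOLDER_TOKEN/sendDocument?chat_id=000000&caption=win 200",
    "2023-02-24T10:02:11Z 10.0.0.7 GET https://api.telegram.org/botPLACEHOLDER_TOKEN/getMe 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Matching on the Discord attachment host alone would be noisy; the .bat suffix and the sendDocument method with a chat_id are what tie the hits to this campaign's behaviour.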

Indicators of Compromise

  • [URL] Download/Exfil Links – hxxps[:]//cdn[.]discordapp[.]com/attachments/1077715839513526352/1077716714613121074/build[.]bat, and hxxps[:]//api.telegram[.]org/bot56[Redacted]47CR9V3wq4ss/sendDocument?chat_id=61xxxx924&caption=win
  • [File name] Build artifacts – build.bat, build.exe, and tmp46D2.tmp.bat

Read more: https://blog.cyble.com/2023/02/24/new-whitesnake-stealer-offered-for-sale-via-maas-model/