Cyble researchers describe Temp Loader and Temp Stealer, malicious tools advertised on the Dark Web that are bundled with cracked software to drop a loader and an information stealer. The malware targets crypto wallets and other data sources, uses anti-VM and RunPE techniques, persists via an autorun registry entry, and exfiltrates stolen data to remote servers.
Key points
- Temp Loader and Temp Stealer are marketed on Dark Web forums as a loader and a stealer, respectively.
- Temp Loader is designed to deploy additional malicious files onto the victim’s system.
- Temp Stealer can exfiltrate crypto wallets, browser data, system information, and more to the attacker’s server.
- The malware is bundled with free/cracked software (e.g., Topaz Clean) and masquerades as legitimate installers.
- Initial infection occurs when users run bundled installers; persistence is achieved via an autorun registry entry.
- The stealer collects data from wallets, browsers, Telegram/Steam/FTP sessions, cookies, autofills, and passwords, and can act as a Telegram bot.
- It geolocates targets via ip-api and exfiltrates data to remote European IPs.
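The infection chain above (autorun registry persistence, an ip-api geolocation lookup, then exfiltration to a remote IP) can be correlated per process from endpoint telemetry. The following is an added detection example, not code from the Cyble post; the event schema, field names and sample events are constructed assumptions, and 203.0.113.10 is a TEST-NET documentation address standing in for a remote server.

```python
# Added example: flag a process that shows all three behaviours the post
# attributes to Temp Stealer. Event shape is an assumption, not a product schema.
from ipaddress import ip_address, ip_network

RUN_KEY_SUFFIX = r"\currentversion\run"          # matches Run and RunOnce
GEO_HOST = "ip-api.com"
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_public(ip: str) -> bool:
    """True for addresses outside RFC1918, loopback, link-local and multicast."""
    a = ip_address(ip)
    return not (a.is_loopback or a.is_link_local or a.is_multicast
                or any(a in n for n in PRIVATE_NETS))

def score_processes(events):
    """Return {pid: {behaviours}} only for pids exhibiting the full chain."""
    seen = {}
    for ev in events:
        tags = seen.setdefault(ev["pid"], set())
        if ev["type"] == "registry_set" and ev["key"].lower().endswith(RUN_KEY_SUFFIX):
            tags.add("autorun")
        elif ev["type"] == "dns" and ev["query"].lower() == GEO_HOST:
            tags.add("geolookup")
        elif ev["type"] == "net_connect" and is_public(ev["dst"]):
            tags.add("exfil")
    return {pid: t for pid, t in seen.items() if len(t) == 3}

# Constructed sample telemetry: pid 4242 is the bundled "installer", pid 777 is benign.
SAMPLE_EVENTS = [
    {"pid": 4242, "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "updater"},
    {"pid": 4242, "type": "dns", "query": "ip-api.com"},
    {"pid": 4242, "type": "net_connect", "dst": "203.0.113.10"},
    {"pid": 777, "type": "dns", "query": "example.org"},
    {"pid": 777, "type": "net_connect", "dst": "10.0.0.5"},
]

if __name__ == "__main__":
    for pid, tags in score_processes(SAMPLE_EVENTS).items():
        print(f"pid {pid}: suspicious chain {sorted(tags)}")
```

Requiring all three behaviours from one process keeps a lone ip-api lookup (common in legitimate software) from firing on its own.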
MITRE Techniques
- [T1113] Screen Capture – The stealer takes a screenshot of the current window and saves it for exfiltration. ‘The stealer then takes a screenshot of the current window and saves it for exfiltration.’
- [T1041] Exfiltration Over C2 Channel – The stealer sends the collected data to a remote server. ‘After getting all the above information, the stealer then sends the data to the attacker’s remote server.’
- [T1083] File and Directory Discovery – Recursively searches for browsers (including custom or renamed ones) as part of data collection. ‘Recursive search for browsers (even finds custom browsers or browsers with a changed folder name).’
- [T1005] Data from Local System – Gathers extensive system information and wallet data. ‘Collection of Telegram, Steam, and FTP sessions.’
- [T1213] Data from Information Repositories – Collects wallet-related information and data sources. ‘Collection of more than 40 types of crypto wallets.’
- [T1555] Credentials from Password Stores – Collects browser cookies, autofills, and password-like data. ‘Cookies, Autofills, and Passes.’
- [T1528] Steal Application Access Token – The malware features a multifunctional Telegram bot component used for data access/collection. ‘Multifunctional Telegram bot.’
- [T1539] Steal Web Session Cookie – Access to web session data and cookies collected from browsers. ‘Collection of Cookies, Autofills, and Passes.’
- [T1071] Application Layer Protocol – Uses network communications to exfiltrate data/trigger C2 communication. ‘beaconing and data transfer to remote server.’
- [T1041] Exfiltration Over C2 Channel – Reiterated, as the stolen data is sent to attacker-controlled infrastructure. ‘The Temp stealer was identified to be sending the stolen information to IPs…’
Indicators of Compromise
The file hashes (MD5, SHA1, SHA256) for the Temp Stealer executables and the communicating IPs are listed in the Cyble post linked below.
Read more: https://blog.cyble.com/2022/10/20/infostealer-distributed-using-bundled-installer/