Cyble – New Information Stealer Targeting Crypto-wallets

CRIL researchers traced a malicious domain used in a spear-phishing campaign that steals Office 365 credentials and also hosts a new information stealer, Doenerium Stealer, which masquerades as legitimate Windows tools and is published on GitHub. The malware has anti-sandbox and anti-analysis features, persists through the Startup folder, steals a broad range of data (including crypto-wallet data and browser information), and exfiltrates the collected data through a Discord webhook.

Keypoints

  • CRIL identifies a malicious domain used in a spear-phishing email campaign targeting Office 365 users to steal credentials and host Doenerium Stealer.
  • Case 1 shows an email link masquerading as a PDF attachment that redirects to a phishing page (neon.page) and to a malicious domain hosting the stealer disguised as a Windows tool.
  • Case 2 describes a website offering two download links for a Windows executable masquerading as Node.js-related software; the stealer is unusually large (102 MB) and equipped with anti-analysis features.
  • The stealer is open-source on GitHub and is being actively updated, with plans for additional features (Discord bot, keylogging, Firefox data, etc.).
  • Technical analysis reveals a 64-bit VC++ console executable masquerading as “Windows-KB890830-x64-V5.104.exe,” using Node.js components and persistence via startup.
  • Post-execution, the malware performs process listing/termination, privilege escalation attempts, and extensive data theft (clipboard, wallet data, browser data, system info) before exfiltrating via a Discord webhook.
  • The campaign highlights a trend of open-source malware builders hosted on GitHub being used or adapted by threat actors to target crypto wallets.

MITRE Techniques

  • [T1204] User Execution – Malicious File – The spear-phishing email contains a link masquerading as a PDF attachment and targets Office 365 users.
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – The malware drops itself as “Updater.exe” into the Startup folder to establish persistence.
  • [T1055] Process Injection – The malware then attempts privilege escalation using the RtlAdjustPrivilege() function.
  • [T1036] Masquerading – The downloaded file’s icon is similar to the icon of the Node.js JavaScript framework.
  • [T1497] Virtualization/Sandbox Evasion – The malicious file is unusually large and comes equipped with anti-sandbox and anti-analysis features.
  • [T1057] Process Discovery – The malware runs cmd.exe and executes ‘tasklist’ to list the programs currently running on the victim’s machine.
  • [T1071] Application Layer Protocol – The stolen data is compressed into a zip file and sent to the C2 server via a Discord webhook.
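The technique chain listed above (execution from the Startup folder as Updater.exe, cmd.exe running tasklist, and a non-browser process talking to Discord) can be correlated on endpoint telemetry. The detection logic below is an added example, not code from the Cyble report; the Sysmon-style records (EventID 1 = process create, 3 = network connection) and their field values are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style telemetry; made up for this example, not taken from the report.
STARTUP_DIR = r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "ParentProcessId": 3900, "Image": STARTUP_DIR + r"\Updater.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "Updater.exe"},
    {"EventID": 1, "ProcessId": 4188, "ParentProcessId": 4120, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": STARTUP_DIR + r"\Updater.exe", "CommandLine": "cmd.exe /c tasklist"},
    {"EventID": 3, "ProcessId": 4120, "Image": STARTUP_DIR + r"\Updater.exe",
     "DestinationHostname": "discord.com", "DestinationPort": 443},
    # Benign noise: the Discord client itself, and a plain cmd.exe launched from Explorer.
    {"EventID": 3, "ProcessId": 2210, "Image": r"C:\Users\bob\AppData\Local\Discord\app-1.0\Discord.exe",
     "DestinationHostname": "discord.com", "DestinationPort": 443},
    {"EventID": 1, "ProcessId": 5001, "ParentProcessId": 5000, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
]

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
DISCORD_RE = re.compile(r"(^|\.)discord(app)?\.com$", re.I)
# Processes that legitimately talk to discord.com; everything else is unexpected.
EXPECTED_DISCORD_CLIENTS = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

def _name(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Map suspect pid -> set of rule names. For the tasklist rule the suspect is the parent."""
    hits = defaultdict(set)
    for ev in events:
        img = ev["Image"]
        if ev["EventID"] == 1:
            if STARTUP_RE.search(img):                      # T1547.001: run from Startup folder
                hits[ev["ProcessId"]].add("startup_folder_exec")
            parent = ev["ParentImage"]
            if (_name(img) == "cmd.exe" and re.search(r"\btasklist\b", ev["CommandLine"], re.I)
                    and not parent.lower().startswith("c:\\windows\\")):  # T1057 via cmd.exe
                hits[ev["ParentProcessId"]].add("cmd_tasklist_child")
        elif ev["EventID"] == 3:                            # T1071: Discord webhook traffic
            if DISCORD_RE.search(ev["DestinationHostname"]) and _name(img) not in EXPECTED_DISCORD_CLIENTS:
                hits[ev["ProcessId"]].add("discord_from_unexpected_process")
    return dict(hits)

def high_confidence(hits, min_rules=2):
    """Pids matching at least two independent rules; any single rule alone is noisy."""
    return sorted(pid for pid, rules in hits.items() if len(rules) >= min_rules)

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    print(found, high_confidence(found))
```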

Indicators of Compromise

  • [MD5] Malicious node.exe – 9b4864d3de5fd251843d09bec1252bef
  • [SHA1] Malicious node.exe – afaffc4c8c314249a0ce8017fcf9a549b2ac8337
  • [SHA256] Malicious node.exe – 609cccf310e725ba4ff4d74edffa0c33d4640f3c391dbbac4e1d00dd3f9c249e
  • [MD5] Malicious Zip – f8ea2163d80aca793eefd7b2797f01e4
  • [SHA1] Malicious Zip – 83ffbd5f4f4c2d1b681741d9f751105c4177fafd
  • [SHA256] Malicious Zip – 1b005dd76abc86ada724297b6698d3cbbe77f0bceb8fee41d9303114d689f609
  • [URL] Malicious Domain – hxxps://neon[.]page/Microsoft-Windows-MSRT
  • [URL] Malicious Link – hxxps://neon[.]page/doc0365
  • [Domain] Phishing Webpage – Jaye8059.myportfolio[.]com

Read more: https://blog.cyble.com/2022/09/28/new-information-stealer-targeting-crypto-wallets/