Cyble researchers report a threat actor began releasing MiniStealer’s builder and panel for free, with Parrot Stealer allegedly based on MiniStealer. The campaign targets Windows systems and steals data from Chromium-based browsers and FTP applications, signaling rapid evolution and potential marketing by the actor. Hashtags: #MiniStealer #ParrotStealer #Cyble #CRIL #Windows #Chromium #FTP
Key points
- Threat actor released MiniStealer’s builder and panel for free, then marketed Parrot Stealer as based on MiniStealer.
- MiniStealer targets Windows 7/10/11 and focuses on Chromium-based browsers and FTP applications for data theft.
- Builder loads a payload “stub” and writes C2 details, with a test button that sends logs to the C2 to verify connectivity.
- Parrot Stealer is presented as an upgraded, paid version likely built upon MiniStealer’s functionality.
- Technical features include a 64-bit .NET binary, timestomping, and multiple anti-analysis checks (profiling detection, debugger checks).
- Stolen data comes from browser configuration/files (AppDataBrowser) and from numerous Chromium-based browsers and FTP apps.
- A web panel is released by the TA to receive stolen data, underscoring exfiltration and C2-channel capabilities.
MITRE Techniques
- [T1204] User Execution – The builder’s test button exercises the C&C connection: “The test button shown in the figure below sends the Test Logs to the C&C server to check if the connection can be established.”
- [T1497.001] Virtualization/Sandbox Evasion: System Checks – “The stealer uses multiple AntiAnalysis checks to prevent debugging of the sample. To detect profiling, the code verifies if the COR_ENABLE_PROFILING environment variable is present and set to 1.”
- [T1070.006] Indicator Removal on Host: Timestomp – “Mini Stealer is a 64-bit .NET-binary that uses Timestomping. Timestomping is a technique that modifies the timestamps of a file.”
- [T1555] Credentials from Password Stores – The payload steals data from the Chromium-based browsers and FTP applications listed in the report. “For the browser, the stealer copies certain files for exfiltration present in the AppDataBrowser directory, which stores user session and login credentials.”
- [T1539] Steal Web Session Cookie – Supported by the same AppDataBrowser exfiltration quote as T1555 (session data).
- [T1552] Unsecured Credentials – Supported by the same AppDataBrowser exfiltration quote as T1555 (login credentials stored on disk).
- [T1528] Steal Application Access Token – Supported by the same AppDataBrowser exfiltration quote as T1555, as it relates to token-like data within browsers and applications.
- [T1087] Account Discovery – The stealer targets a broad set of installed software to exfiltrate data from. “Over 25 Chromium-based browsers: Chrome, AvastBrowser, AVGBrowser, Browser360, CCleanerBrowser, CentBrowser, …”
- [T1518] Software Discovery – The malware enumerates the Chromium-based browsers it can exfiltrate data from (same list as above).
- [T1057] Process Discovery – The malware enumerates processes related to browsers and FTP clients to locate data to steal. “Over 20 FTP Applications: Filezilla, FlashFXP, AutoFTPManager, …”
- [T1007] System Service Discovery – The sample interacts with system-level data sources (AppDataBrowser data and browser files) to reach stored data; the report’s “Figure 7 – File Details” is cited as context.
- [T1071] Application Layer Protocol – The exfiltration/C2 channel uses application-layer protocols to communicate with the C&C (see the T1204 test-button quote).
- [T1041] Exfiltration Over C2 Channel – “The TA released the source code of the web panel, which can be used to receive stolen data from a target network.”
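As an added example (not code from the Cyble write-up or from the stealer), a defender-side triage for the timestomping noted under T1070.006: it checks NTFS $STANDARD_INFORMATION times against the kernel-maintained $FILE_NAME copy and the PE link time over constructed records. The FileRecord layout and the sample paths are assumptions of this example.

```python
# Heuristic timestomp triage over NTFS timestamps. Added example: not code from Cyble's
# write-up or from the stealer. Records are constructed inline; on a real host they come
# from an $MFT parser exposing $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) attributes.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

@dataclass
class FileRecord:  # field layout is an assumption of this example
    path: str
    si_created: datetime   # $SI creation time: what SetFileTime / .NET File.SetCreationTime rewrite
    si_modified: datetime  # $SI last-write time
    fn_created: datetime   # $FN creation time: kernel-maintained, not settable from user mode
    pe_timestamp: Optional[datetime] = None  # PE header TimeDateStamp when the file is a PE

def timestomp_indicators(rec: FileRecord, now: datetime) -> List[str]:
    """Return the names of the heuristics that fire; an empty list means nothing suspicious."""
    hits: List[str] = []
    # 1. $SI created earlier than $FN created. $FN is written at creation (and refreshed on
    #    rename/move), so an older $SI value must have been set afterwards.
    if rec.si_created < rec.fn_created:
        hits.append("si_created_before_fn_created")
    # 2. Whole-second values on both $SI fields. NTFS keeps 100 ns resolution; tools that
    #    set a date parsed from a string usually leave the sub-second part at zero.
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        hits.append("zero_subsecond_precision")
    # 3. A PE cannot have been on disk before it was linked. Only meaningful when the linker
    #    stored a real time (deterministic builds put a hash in this field instead).
    if rec.pe_timestamp and rec.si_created < rec.pe_timestamp - timedelta(hours=24):
        hits.append("created_before_pe_link_time")
    return hits

def triage(records: List[FileRecord], now: datetime) -> dict:
    """Map each flagged path to the heuristics that fired on it."""
    return {r.path: h for r in records if (h := timestomp_indicators(r, now))}

# Constructed sample: one backdated binary dropped under AppData, one ordinary document.
UTC = timezone.utc
NOW = datetime(2022, 8, 29, 12, 0, tzinfo=UTC)
SAMPLE = [
    FileRecord("C:\\Users\\user\\AppData\\Roaming\\svc.exe",
               si_created=datetime(2019, 3, 12, 8, 0, tzinfo=UTC),
               si_modified=datetime(2019, 3, 12, 8, 0, tzinfo=UTC),
               fn_created=datetime(2022, 8, 28, 22, 14, 7, 513200, tzinfo=UTC),
               pe_timestamp=datetime(2022, 8, 20, 10, 5, 33, tzinfo=UTC)),
    FileRecord("C:\\Users\\user\\Documents\\notes.txt",
               si_created=datetime(2022, 8, 1, 9, 30, 12, 204400, tzinfo=UTC),
               si_modified=datetime(2022, 8, 27, 17, 2, 41, 880100, tzinfo=UTC),
               fn_created=datetime(2022, 8, 1, 9, 30, 12, 204400, tzinfo=UTC)),
]
```

Running `triage(SAMPLE, NOW)` flags only the backdated executable; a rename after timestomping refreshes $FN from the forged $SI, so heuristic 1 alone is not conclusive.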
Indicators of Compromise
- [MD5] Malicious binary – d65def0ad7f1b428bc1045cf2214b82f
- [SHA1] Malicious binary – e2beda0ef5d1c38bb96fb7eb6ee25990073e6a17
- [SHA256] Malicious binary – e837a0e6b01ca695010ee8bc4df57a6a9c6ef6e2c22e279501e06f61f0354f67
Read more: https://blog.cyble.com/2022/08/29/mini-stealer-possible-predecessor-of-parrot-stealer/