Gomorrah Stealer v5.1: Comprehensive Examination of .NET Malware – CYFIRMA

CYFIRMA’s report offers an in-depth look at Gomorrah Stealer, a .NET-based information-stealing tool sold as malware-as-a-service (MaaS) that uses anti-analysis and persistence techniques to remain on infected systems. It documents the data the malware targets (browsers, cryptocurrency wallets, VPN clients, messaging apps), describes how stolen information is compressed and exfiltrated to a C2 server, notes that the malware is distributed via Telegram, and reports ongoing development, including a planned ‘Lucifer’ version. #GomorrahStealer #Lucifer #RougeCommunications #Telegram

Key points

  • Gomorrah Stealer is a potent information-stealing malware sold as a MaaS tool.
  • Targets data from web browsers, cryptocurrency wallets, VPN clients, messaging apps, and FTP clients.
  • This malware is marketed and supported via Telegram channels.
  • Created using .NET with pure IL code and uses Just-In-Time (JIT) compilation to evade static analysis.
  • Establishes persistence by creating an Autorun registry entry.
  • Compresses and uploads stolen data to a command-and-control (C2) server and deletes local copies post-upload.
  • Employs anti-analysis measures that detect and terminate processes associated with security analysis or debugging; the continued development indicates an evolving threat that warrants ongoing vigilance.

MITRE Techniques

  • [T1592] Gather Victim Host Information – Collects data about installed programs from the Windows registry.
  • [T1204.002] Malicious File – Distributes malware through malicious files.
  • [T1622] Debugger Evasion – Employs measures to detect debugging environments and terminate processes.
  • [T1497] Virtualization/Sandbox Evasion – Checks for virtual environments to evade detection.
  • [T1140] Deobfuscate/Decode Files or Information – Utilizes techniques to decode or deobfuscate information.
  • [T1083] File and Directory Discovery – Enumerates directories to gather sensitive information.
  • [T1071.001] Web Protocols – Uses web protocols for command and control communications.
  • [T1041] Exfiltration Over C2 Channel – Exfiltrates data through a command-and-control channel.

Indicators of Compromise

  • [File hash] – e02089570b24b11d6350337069b7e823 (update_windows10.exe), 201fb3d8b93205488e1a6a408ce18539 (Newtonsoft.Json.dll)
  • [Domain] – rougecommunications.org
  • [IP Address] – 172.93.223.99
  • [File name] – update_windows10.exe, Zip.exe
  • [Registry] – HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater
  • [URL] – http://rougecommunications.org/webpanel//logs.php?hwid=IN1F8BFBFF000806C1&Passwords=*&CreditCards=*&Cookies=*&AutoFill=*&Wallets=*
  • [URL] – http://rougecommunications.org/webpanel/Panel/login.php
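Added example (not from the CYFIRMA report): a small Python triage helper that applies the Autorun persistence and C2 exfiltration indicators listed above to log lines. The `REG|target|details` and `URL|url` line format and the sample entries are constructed assumptions for illustration; the registry value name, dropped file name, C2 domain and `logs.php` parameter names are the ones the report lists.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicators taken from the report summary above.
RUN_VALUE = "Windows Defender Updater"
DROPPED_FILE = "update_windows10.exe"
C2_DOMAIN = "rougecommunications.org"
# Sysmon reports HKCU keys under HKU\<SID>, so match on the Run subpath only.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Data classes the exfiltration URL enumerates as query parameters.
EXFIL_FIELDS = {"Passwords", "CreditCards", "Cookies", "AutoFill", "Wallets"}

def check_registry_event(target_object, details):
    """Flag a Run-key value-set event (Sysmon EID 13 style) matching the reported persistence."""
    if not RUN_KEY_RE.search(target_object):
        return None
    value_name = target_object.rsplit("\\", 1)[-1]
    if value_name.lower() == RUN_VALUE.lower() or DROPPED_FILE in details.lower():
        return f"autorun persistence: {value_name} -> {details}"
    return None

def check_url(url):
    """Flag a proxy-logged URL by C2 domain, or by the generic hwid + data-class request shape."""
    u = urlparse(url)
    if u.hostname and u.hostname.lower() == C2_DOMAIN:
        return f"known C2 domain: {u.hostname}"
    q = parse_qs(u.query)
    if "hwid" in q and (EXFIL_FIELDS & set(q)) and u.path.endswith("logs.php"):
        return "stealer exfiltration pattern (hwid + data-class parameters)"
    return None

def scan(lines):
    """Run both checks over log lines of the constructed 'REG|target|details' / 'URL|url' form."""
    hits = []
    for line in lines:
        kind, _, rest = line.partition("|")
        if kind == "REG":
            target, _, details = rest.partition("|")
            hit = check_registry_event(target, details)
        elif kind == "URL":
            hit = check_url(rest)
        else:
            hit = None
        if hit:
            hits.append(hit)
    return hits

SAMPLE_LOG = [  # constructed sample lines, not taken from the report
    r"REG|HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater|C:\Users\u\AppData\Roaming\update_windows10.exe",
    r"REG|HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive|C:\Program Files\OneDrive\OneDrive.exe",
    "URL|http://rougecommunications.org/webpanel//logs.php?hwid=IN1F8BFBFF000806C1&Passwords=*&Cookies=*",
    "URL|http://example.invalid/logs.php?hwid=ABC&Wallets=*",
    "URL|https://www.example.invalid/index.html",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```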

Read more: https://www.cyfirma.com/research/gomorrah-stealer-v5-1-an-in-depth-analysis-of-a-net-based-malware/