WhiteSnake Stealer: Unveiling the Latest Version – Less Obfuscated, More Dangerous | SonicWall

SonicWall researchers analyzed a new, less‑obfuscated variant of WhiteSnake Stealer that removes string decryption and exposes clearer code paths for data collection and exfiltration. The stealer harvests browser and wallet data, Wi‑Fi credentials, screenshots, audio/webcam captures, and can persist and exfiltrate encrypted archives to attacker C2 servers and a Telegram bot. #WhiteSnake #SonicWall

Keypoints

  • New WhiteSnake variant is less obfuscated and omits string decryption, making analysis easier for defenders and allowing attackers clear control over features.
  • On execution the binary checks a configuration mutex and optionally performs Anti‑VM checks via WMI queries (e.g., Win32_ComputerSystem) to detect sandboxes and exit if found.
  • ProcessCommands() harvests browser artifacts (cookies, autofill, login data, history) across many Chromium‑ and Firefox‑based browsers and targets numerous desktop cryptocurrency wallets and wallet extensions.
  • Optional capabilities include keylogging, screenshot capture, microphone recording, and webcam image capture, all invoked by remote commands (e.g., KEYLOGGER, MICROPHONE, WEBCAM, SCREENSHOT).
  • Persistence can be created by copying to %AppData% and scheduling a schtasks job named “WhiteSnake_Stealer”; Wi‑Fi profiles and nearby networks are exfiltrated using netsh commands.
  • Collected data and system information (WMI/registry/processes/DLLs) are serialized to XML, compressed, encrypted with RC4 (optionally with the RC4 key itself encrypted with RSA), then uploaded to the C2 via HTTP PUT, with metadata posted to a Telegram bot; if the upload fails, a .wsr log file is written and the upload is retried against the other configured servers.

MITRE Techniques

  • [T1047] Windows Management Instrumentation – Uses WMI queries to enumerate system and device details and to detect virtualization/sandboxes via queries like ‘SELECT * FROM Win32_ComputerSystem’.
  • [T1056.001] Input Capture: Keylogging – Implements a keylogger loaded via runtime-resolved Windows APIs and activated by the ‘KEYLOGGER’ command.
  • [T1113] Screen Capture – Captures screenshots on command (‘SCREENSHOT’).
  • [T1123] Audio Capture – Records microphone audio after checking ‘SELECT * FROM Win32_SoundDevice’ and when commanded (‘MICROPHONE’).
  • [T1125] Video Capture – Captures webcam images after querying ‘SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')’ (‘WEBCAM’).
  • [T1053.005] Scheduled Task – Achieves persistence by creating a scheduled task using schtasks, e.g. ‘schtasks /create /tn “WhiteSnake_Stealer” /sc MINUTE /tr “C:\Users\Administrator\AppData\Local\RobloxSecurity\WhiteSnake_Stealer.exe”’.
  • [T1567.002] Exfiltration Over Web Service – Exfiltrates stolen data via HTTP(S) endpoints and PUT requests, and posts metadata to a Telegram bot (example C2 URL ‘hxxp://45.61.137.41:8080/sendData…’ and Telegram API URL ‘https://api.telegram.org/bot…/sendMessage’).
  • [T1555.003] Credentials from Web Browsers – Extracts browser stored credentials and artifacts such as ‘Cookies’, ‘Autofills’, and ‘Login Data’.
  • [T1012] Query Registry – Reads installed applications from the registry key ‘SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall’ to enumerate installed software.
  • [T1022] Data Encrypted – Serializes stolen data to XML, compresses it, encrypts with RC4, and optionally encrypts the RC4 key with RSA (‘RC4 + RSA encryption option enabled’).
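The host-side behaviours listed above (a schtasks job created at a one-minute interval from a user-writable path, netsh dumping Wi-Fi profiles with cleartext keys, and built-in Windows tools spawned by a binary under %AppData%) are the ones an endpoint team can turn into process-creation detections. The following is an added example written for this summary, not code from SonicWall or from the stealer: it runs three such rules over constructed process-creation events shaped like a flattened Sysmon Event ID 1 export. The event field names (`ts`, `image`, `parent`, `cmd`) and the rule names are assumptions of this example; the task name, schedule and path come from the report.

```python
import re

# Constructed sample process-creation events (not from the SonicWall report).
# The first three mimic what the stealer's persistence and Wi-Fi collection
# would look like; the last two are benign noise a real rule must not flag.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T10:00:01Z", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\Administrator\AppData\Local\RobloxSecurity\WhiteSnake_Stealer.exe",
     "cmd": r'schtasks /create /tn "WhiteSnake_Stealer" /sc MINUTE /tr "C:\Users\Administrator\AppData\Local\RobloxSecurity\WhiteSnake_Stealer.exe"'},
    {"ts": "2024-03-01T10:00:02Z", "image": r"C:\Windows\System32\netsh.exe",
     "parent": r"C:\Users\Administrator\AppData\Local\RobloxSecurity\WhiteSnake_Stealer.exe",
     "cmd": 'netsh wlan show profile name="HomeWiFi" key=clear'},
    {"ts": "2024-03-01T10:00:03Z", "image": r"C:\Windows\System32\netsh.exe",
     "parent": r"C:\Users\Administrator\AppData\Local\RobloxSecurity\WhiteSnake_Stealer.exe",
     "cmd": "netsh wlan show networks mode=bssid"},
    {"ts": "2024-03-01T11:30:00Z", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe"'},
    {"ts": "2024-03-01T11:31:00Z", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Program Files\Mozilla Firefox\firefox.exe"'},
]

# A path under any user's AppData tree (user-writable, no admin rights needed).
APPDATA_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
TASK_NAME_RE = re.compile(r'/tn\s+"?([^"\s]+)"?', re.IGNORECASE)
TASK_SCHED_RE = re.compile(r"/sc\s+(\w+)", re.IGNORECASE)
TASK_ACTION_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def check_schtasks(ev):
    """T1053.005: task creation matching the report's persistence command."""
    cmd = ev["cmd"]
    if not ev["image"].lower().endswith("schtasks.exe") or "/create" not in cmd.lower():
        return []
    findings = []
    name = TASK_NAME_RE.search(cmd)
    sched = TASK_SCHED_RE.search(cmd)
    action = TASK_ACTION_RE.search(cmd)
    action_path = (action.group(1) or action.group(2)) if action else ""
    if name and name.group(1) == "WhiteSnake_Stealer":
        findings.append(("whitesnake_task_name", "critical"))
    # Generic form: any minute-interval task whose action lives under AppData.
    if sched and sched.group(1).upper() == "MINUTE" and APPDATA_RE.search(action_path):
        findings.append(("minute_task_from_appdata", "high"))
    return findings


def check_netsh(ev):
    """Wi-Fi credential dump and nearby-network survey via netsh."""
    if not ev["image"].lower().endswith("netsh.exe"):
        return []
    cmd = ev["cmd"].lower()
    if "wlan" in cmd and "show profile" in cmd and "key=clear" in cmd:
        return [("wifi_password_dump", "high")]
    if "wlan" in cmd and "show networks" in cmd:
        return [("wifi_network_survey", "low")]
    return []


def check_parent(ev):
    """Built-in admin tools launched by something running out of AppData."""
    image = ev["image"].lower()
    if image.endswith(("schtasks.exe", "netsh.exe")) and APPDATA_RE.search(ev["parent"]):
        return [("lolbin_spawned_from_appdata", "medium")]
    return []


def scan(events):
    """Apply every rule to every event; return one alert dict per finding."""
    alerts = []
    for ev in events:
        for rule, severity in check_schtasks(ev) + check_netsh(ev) + check_parent(ev):
            alerts.append({"ts": ev["ts"], "rule": rule, "severity": severity,
                           "parent": ev["parent"]})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f'{a["ts"]} {a["severity"]:8} {a["rule"]:28} parent={a["parent"]}')
```

The exact task name is the weakest signal, since the report notes that features are configurable; the `minute_task_from_appdata` and `lolbin_spawned_from_appdata` rules are the ones that survive a renamed build, so tune and keep those even if you drop the name match.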

Indicators of Compromise

  • [File Hash] Sample binary SHA256 – 94048358360fd46766cdf1d4f487c1c61a391f97ebc10704c388170ae4e66b88
  • [IP / C2] Command-and-control server – 45.61.137.41:8080 (used in example sendData URL) and other configured IPs attempted for WSR upload
  • [Network Service] Telegram bot endpoint – https://api.telegram.org/bot6889064496:AAHoMJK9ptSrhXHFUPG4rXCObxc34Q3oqzY/sendMessage?chat_id=1914807690 used to post exfiltration metadata
  • [File Names / Patterns] Exfiltration log filenames – example fTdXL_administrator@WIN-K973GNOQK0A_report.wsr and other similarly formatted .wsr files
  • [Persistence / Paths] Scheduled task and persistence path – schtasks name ‘WhiteSnake_Stealer’ and example path ‘C:\Users\Administrator\AppData\Local\RobloxSecurity\WhiteSnake_Stealer.exe’

On execution WhiteSnake checks a mutex whose name comes from its configuration, to avoid running duplicate instances, then may run Anti‑VM WMI checks against Win32_ComputerSystem properties and exit if virtualization strings are found. It then invokes its primary Create()/ProcessCommands() routine, which enumerates and harvests browser artifacts (cookies, autofills, login data, history) across a wide set of Chromium- and Firefox-based browsers, targets numerous desktop cryptocurrency wallet directories and known wallet-extension IDs, and collects system telemetry via WMI and registry queries.

The stealer implements optional, command‑driven modules: screenshots (SCREENSHOT), keylogging (KEYLOGGER) via runtime-loaded Windows APIs, microphone recording after verifying a device via Win32_SoundDevice (MICROPHONE), and webcam image capture after querying Win32_PnPEntity (WEBCAM). It gathers running processes, loaded DLLs and installed applications (from SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall), and also pulls Wi‑Fi profiles and nearby-network information via netsh commands, writing the saved credentials and the nearby SSID/BSSID/signal data to text files for exfiltration.

Collected data is serialized to XML, compressed, encrypted with RC4 (with the RC4 key optionally encrypted using an embedded RSA public key), and exfiltrated either by appending Base64-encoded metadata to a C2 URL or by uploading WSR log files via HTTP PUT to the listed IPs; if the immediate C2 upload fails, the stealer writes a .wsr file (named random prefix_username@computer_report.wsr) and retries against the other configured servers. Persistence, when enabled, copies the binary to %AppData% and creates a scheduled task that runs it every minute; control commands also allow remote terminal actions (e.g., TRANSFER, GET_FILE, DECOMPRESS, LOADEXEC) for additional foothold and data retrieval.
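The network side of the exfiltration path gives a second, independent detection surface: the C2 host and port, the Telegram bot endpoint, and the `.wsr` upload filename pattern. The following is an added example for this summary, not SonicWall's code, that classifies constructed proxy-log lines against those indicators and parses the `.wsr` name into its username and computer-name fields for triage. The log line layout (`timestamp method url status`), the `/sendData` request with its query omitted, and the generic `telegram_bot_sendmessage` category are assumptions of this example; the host:port, bot id, chat id and sample filename are the values the report gives.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the report (the hxxp:// C2 URL is refanged for matching).
C2_HOSTPORT = "45.61.137.41:8080"
TELEGRAM_BOT_ID = "6889064496"
TELEGRAM_CHAT_ID = "1914807690"

# <random prefix>_<username>@<computer>_report.wsr, per the report's description.
WSR_NAME_RE = re.compile(r"^(?P<prefix>[A-Za-z0-9]+)_(?P<user>[^@]+)@(?P<host>.+)_report\.wsr$")
TELEGRAM_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<botid>\d+):(?P<token>[A-Za-z0-9_-]+)/sendMessage",
    re.IGNORECASE)

# Constructed proxy log lines: "timestamp method url status" (layout is assumed).
# Lines 1-3 model the stealer's traffic; 4 is an unrelated Telegram bot; 5 is benign.
SAMPLE_PROXY_LOG = """\
2024-03-01T10:05:00Z PUT http://45.61.137.41:8080/fTdXL_administrator@WIN-K973GNOQK0A_report.wsr 200
2024-03-01T10:05:01Z GET https://api.telegram.org/bot6889064496:AAHoMJK9ptSrhXHFUPG4rXCObxc34Q3oqzY/sendMessage?chat_id=1914807690&text=report 200
2024-03-01T10:05:02Z GET http://45.61.137.41:8080/sendData 200
2024-03-01T12:00:00Z POST https://api.telegram.org/bot111111111:constructedtoken/sendMessage?chat_id=42 200
2024-03-01T12:00:05Z GET https://www.example.com/ 200
"""


def parse_wsr_name(filename):
    """Split a WhiteSnake report filename into its fields, or return None."""
    m = WSR_NAME_RE.match(filename)
    return m.groupdict() if m else None


def classify_url(method, url):
    """Return (findings, wsr_fields) for one request."""
    parts = urlsplit(url)
    findings = []
    if parts.netloc.lower() == C2_HOSTPORT:
        findings.append("known_c2_host")
    m = TELEGRAM_RE.match(url)
    if m:
        chat_id = parse_qs(parts.query).get("chat_id", [""])[0]
        if m.group("botid") == TELEGRAM_BOT_ID or chat_id == TELEGRAM_CHAT_ID:
            findings.append("known_telegram_bot")
        else:
            # Any endpoint posting to a Telegram bot is worth a look, just lower priority.
            findings.append("telegram_bot_sendmessage")
    wsr = parse_wsr_name(parts.path.rsplit("/", 1)[-1])
    if wsr and method.upper() == "PUT":
        findings.append("wsr_upload")
    return findings, wsr


def scan_proxy_log(text):
    """Return one record per line that matched at least one indicator."""
    hits = []
    for line in text.splitlines():
        ts, method, url, status = line.split(maxsplit=3)
        findings, wsr = classify_url(method, url)
        if findings:
            hits.append({"ts": ts, "url": url, "findings": findings, "wsr": wsr})
    return hits


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_PROXY_LOG):
        victim = f'{h["wsr"]["user"]}@{h["wsr"]["host"]}' if h["wsr"] else "-"
        print(h["ts"], ",".join(h["findings"]), victim, h["url"])
```

The `.wsr` parser is useful beyond proxy logs: the report says the same file is written to disk when the upload fails, so the same function applied to filenames from an EDR file-creation feed yields the victim username and hostname directly from the artifact.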

Read more: https://blog.sonicwall.com/en-us/2024/03/whitesnake-stealer-unveiling-the-latest-version-less-obfuscated-more-dangerous/