SapphireStealer Sneaks In: Deceptive Legal Documents Prey on Russians

CRIL analyzed a campaign distributing the open-source information stealer SapphireStealer to Russian targets via a fake Russian government website and likely spam emails. The .NET executable displays an embedded PDF lure while stealthily collecting browser credentials, Telegram/FileZilla/.ssh data, and desktop files, compressing them into a GUID-named ZIP and exfiltrating to a C2 server. #SapphireStealer #govermentu_ru

Keypoints

  • Observed campaign delivers a .NET executable from a counterfeit Russian government domain (govermentu[.]ru), likely via spam emails.
  • The malicious executable is SapphireStealer, packaged to appear as a PDF (PDF icon) and drops embedded lure PDFs when run.
  • On execution, Main() extracts and opens an embedded PDF to distract the user while background stealing routines run.
  • The binary is obfuscated/packed with .NET Reactor and uses an AES-based string decryption routine to reveal runtime strings and paths.
  • SapphireStealer harvests browser data (Login Data, Web Data, Local State, Network Cookies), Telegram tdata, FileZilla files, .ssh, and targeted desktop file extensions.
  • Collected files are summarized into an XML, archived into a GUID-named ZIP, system info is appended, and the ZIP is exfiltrated to a C2 (193.39.185[.]4) before deletion.
  • Several file hashes, the malicious download URL, and the phishing domain are published as IOCs; the actor remains unidentified.

MITRE Techniques

  • [T1204] User Execution – The victim launches the executable, which is disguised as a PDF; the dropped PDF is a decoy, not an exploit, so this is user execution rather than client-side exploitation (‘drops and opens a PDF document named “Постановлениe.pdf” (translated as: Resolution.pdf)’)
  • [T1036] Masquerading – Malware is presented with a PDF icon and distributed from a fake Russian government site to appear legitimate (‘disguised with a PDF icon’)
  • [T1027] Obfuscated Files or Information – Binary is obfuscated/packed with .NET Reactor to hinder analysis (‘.NET executable, protected and obfuscated using .NET Reactor’)
  • [T1140] Deobfuscate/Decode Files or Information – Uses an AES-based decryption function to reveal runtime strings such as paths and file extensions (‘StringCipher.Decryptasdfasdfasdfs() … decrypts ciphertext utilizing AES’)
  • [T1555] Credentials from Password Stores – Copies the browsers’ stored credential and cookie databases (Login Data, Web Data, Local State, Network Cookies) rather than dumping OS credentials (‘steal browser information (cookies, passwords, etc)’)
  • [T1083] File and Directory Discovery – Enumerates desktop files and specific directories (FileZilla, .ssh, Telegram tdata) for collection (‘retrieves files with the extension … from the Desktop folder’ and ‘verifies the existence of … Telegram Desktop/tdata’)
  • [T1005] Data from Local System – Collects local files (browser data, FileZilla, .ssh, grabbed desktop files) for exfiltration (‘copies key data files … Login Data, Web data, Local State, and Network Cookies’)
  • [T1560] Archive Collected Data – Generates an XML summary, compresses stolen files into a ZIP archive named with a GUID (‘compresses it into a ZIP archive. It creates a GUID and saves the ZIP file with that ID name’)
  • [T1082] System Information Discovery – Gathers host metadata such as IP, MAC address, and hostname to include with exfiltrated data (‘collects user system information like IP address, MAC address, and Hostname’)
  • [T1041] Exfiltration Over C2 Channel / [T1071] Application Layer Protocol – Sends the ZIP archive with victim details to the remote C2 server over application-layer network traffic (‘sends the ZIP archive file with the above victim’s system information to the TAs Command-and-Control (C&C) server’)

Indicators of Compromise

  • [File Hashes] SapphireStealer executable – SHA256 850a99d2039dadb0c15442b40c90aa4dac16319114455ab5904aa51e062fe6e1, SHA256 c816d0be8d180573d14d230b438a22d7dda6368b1ef1733754eda9804f295a2f
  • [Domain] Phishing site – govermentu[.]ru
  • [URL] Malware download – hxxp://govermentu[.]ru/media/FederalnoeUpravlenie_postanovlenie_o_vozbuzdenie_ispolnitelnogo_proizvodstava[.]exe
  • [IP] Command-and-Control – 193.39.185[.]4
  • [File names] Dropped lure and payload – FederalnoeUpravlenie_postanovlenie_o_vozbuzdenie_ispolnitelnogo_proizvodstava.exe; lure PDFs “Повестка.pdf” (Agenda.pdf; in this legal context, a court summons) and “Постановлениe.pdf” (Resolution.pdf)

The SapphireStealer sample observed is a .NET executable obfuscated with .NET Reactor and disguised with a PDF icon; running Main() extracts an embedded PDF resource (e.g., “Повестка.pdf”) and opens it via Process.Start() to distract the user while background routines execute. The background routine (Class1.Log() → Log2()) uses an AES-based decryption function to reveal runtime strings (paths, targeted extensions, folder names) and then creates a “sapphire” folder under the Temp directory with subfolders such as “GrabbingFiles” and “FileZilla”.

Operational steps include checking for Telegram Desktop tdata and copying key files if present, harvesting browser artifacts (Login Data, Web Data, Local State, Network Cookies) from targeted browser paths, collecting desktop files matching specific extensions, and copying FileZilla and .ssh directories into the malware workspace. The stealer iterates the collected files to generate an XML summary, compresses the data into a GUID-named ZIP archive, appends system identifiers (IP, MAC, hostname), transmits the ZIP to the C2 (observed 193.39.185[.]4) over application-layer network traffic, and then deletes the local archive.

The sample’s obfuscation and AES string decryption impede static analysis, but the decompiled snippets show explicit behaviours: resource extraction and display, encrypted string decryption (StringCipher.Decryptasdfasdfasdfs()), file/directory enumeration and copying routines, ZIP creation, and network exfiltration. Defenders can therefore detect the chain from telemetry rather than from the hashes alone: creation of a document-named executable that spawns a PDF viewer on a file it just dropped in %TEMP%, unexpected file writes under %TEMP%\sapphire, reads of browser/Telegram/FileZilla/.ssh locations by a process that is not their owning application, creation and prompt deletion of a GUID-named ZIP in %TEMP%, and outbound connections to the listed C2. Read more: https://cyble.com/blog/sapphirestealer-sneaks-in-deceptive-legal-documents-prey-on-russians/
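The detection logic those telemetry points imply, as an added example (not code from the Cyble write-up or from the stealer): a Python correlator that maps constructed, simplified Sysmon/EDR-style events onto the behaviours described above (decoy PDF opened from %TEMP%, %TEMP%\sapphire workspace, credential-store reads, GUID-named ZIP staged and deleted, outbound connection), aggregates them per process, and only fires on the collect → stage → send chain or on the published C2 IP. The event field names, the sample process IDs and paths, and the benign Chrome noise are assumptions made for the example; the paths, folder names and C2 come from the analysis.

```python
"""Behavioural detection for the SapphireStealer chain in the write-up above.
Added example, not code from the Cyble post or the stealer. Events are a
constructed, simplified Sysmon/EDR-style telemetry (one dict per event); the
field names are assumptions, so map your own telemetry onto them."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

C2_IPS = {"193.39.185.4"}  # C2 from the IOC list above

# %TEMP%\sapphire workspace the stealer creates (GrabbingFiles, FileZilla, ...)
WORKSPACE_RE = re.compile(r"\\Temp\\sapphire(\\|$)", re.I)
# GUID-named archive, e.g. ...\3f2504e0-4f89-11d3-9a0c-0305e82c3301.zip
GUID_ZIP_RE = re.compile(
    r"\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.zip$", re.I)
# Stores the stealer copies: Chromium credential files, Telegram tdata, FileZilla, .ssh
SENSITIVE_RE = re.compile(
    r"(\\User Data\\[^\\]+\\(Login Data|Web Data|Network\\Cookies)$"
    r"|\\User Data\\Local State$|\\Telegram Desktop\\tdata\\|\\FileZilla\\|\\\.ssh\\)", re.I)
# Executable whose name claims to be a legal document (the campaign's lure naming)
DOC_THEMED_EXE_RE = re.compile(r"(postanovlenie|povestka|\.pdf\.exe$)", re.I)


def classify(ev: dict) -> List[Tuple[int, str]]:
    """Map one event to (pid, behaviour) pairs; [] when nothing matches."""
    kind, pid, out = ev["event"], ev["pid"], []
    if kind == "process_create":
        if DOC_THEMED_EXE_RE.search(ev["image"]):
            out.append((pid, "doc_themed_exe"))
        cmd = ev.get("command_line", "").lower()
        # Decoy: the stealer spawns a viewer on the PDF it dropped in %TEMP%.
        # Credit that to the parent (the stealer), not to the viewer process.
        if cmd.endswith(".pdf") and "\\temp\\" in cmd:
            out.append((ev["ppid"], "decoy_pdf_opened"))
    elif kind == "file_create":
        if WORKSPACE_RE.search(ev["path"]):
            out.append((pid, "temp_sapphire_workspace"))
        if GUID_ZIP_RE.search(ev["path"]):
            out.append((pid, "guid_named_zip"))
    elif kind == "file_access" and SENSITIVE_RE.search(ev["path"]):
        out.append((pid, "credential_store_access"))
    elif kind == "file_delete" and GUID_ZIP_RE.search(ev["path"]):
        out.append((pid, "staged_archive_deleted"))
    elif kind == "network_connect":
        if ev["dst_ip"] in C2_IPS:
            out.append((pid, "c2_ioc_hit"))
        elif not ipaddress.ip_address(ev["dst_ip"]).is_private:
            out.append((pid, "outbound_connect"))
    return out


def analyze(events: List[dict]) -> Dict[int, List[str]]:
    """Correlate behaviours per process across the whole event stream."""
    found: Dict[int, List[str]] = {}
    for ev in events:
        for pid, label in classify(ev):
            if label not in found.setdefault(pid, []):
                found[pid].append(label)
    return found


def verdict(labels: List[str]) -> Optional[str]:
    """A C2 IOC hit is conclusive. Otherwise require the collect -> stage -> send
    chain, so a browser reading its own Login Data is not flagged on its own."""
    b = set(labels)
    if "c2_ioc_hit" in b:
        return "malicious: connection to known SapphireStealer C2"
    staged = "guid_named_zip" in b and b & {"temp_sapphire_workspace", "credential_store_access"}
    if staged and "outbound_connect" in b:
        return "suspicious: credential stores staged into GUID ZIP and sent out"
    return "suspicious: credential stores staged into GUID ZIP" if staged else None


def flagged(events: List[dict]) -> Dict[int, str]:
    """{pid: verdict} for every process that crosses a detection threshold."""
    return {pid: v for pid, labels in analyze(events).items() if (v := verdict(labels))}


# Constructed sample telemetry (not from the incident): one stealer run (pid 4120) and
# benign noise from Chrome (pid 2210) reading its own credential store.
T = r"C:\Users\ivan\AppData\Local\Temp"
U = r"C:\Users\ivan\AppData"
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 4120, "ppid": 3300, "command_line": "",
     "image": r"C:\Users\ivan\Downloads\FederalnoeUpravlenie_postanovlenie_o_vozbuzdenie_ispolnitelnogo_proizvodstava.exe"},
    {"event": "file_create", "pid": 4120, "path": T + r"\Повестка.pdf"},
    {"event": "process_create", "pid": 4188, "ppid": 4120, "image": r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe",
     "command_line": '"C:\\Program Files\\Adobe\\Acrobat Reader\\AcroRd32.exe" ' + T + r"\Повестка.pdf"},
    {"event": "file_create", "pid": 4120, "path": T + r"\sapphire\GrabbingFiles\notes.txt"},
    {"event": "file_access", "pid": 4120, "path": U + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event": "file_access", "pid": 4120, "path": U + r"\Roaming\Telegram Desktop\tdata\key_datas"},
    {"event": "file_access", "pid": 4120, "path": r"C:\Users\ivan\.ssh\id_rsa"},
    {"event": "file_create", "pid": 4120, "path": T + r"\3f2504e0-4f89-11d3-9a0c-0305e82c3301.zip"},
    {"event": "network_connect", "pid": 4120, "dst_ip": "193.39.185.4", "dst_port": 80},
    {"event": "file_delete", "pid": 4120, "path": T + r"\3f2504e0-4f89-11d3-9a0c-0305e82c3301.zip"},
    {"event": "process_create", "pid": 2210, "ppid": 3300, "command_line": "", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"event": "file_access", "pid": 2210, "path": U + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event": "network_connect", "pid": 2210, "dst_ip": "142.250.74.78", "dst_port": 443},
]
```

Run `flagged(SAMPLE_EVENTS)` to see the stealer process flagged on the C2 hit while the Chrome process, which also reads Login Data and talks to the internet, stays quiet because it never stages a GUID-named ZIP. Swap the C2 address for an unknown public IP and the same run still fires, now on the behavioural chain alone, which is the property you want once the operator rotates infrastructure. Note that `file_access` (read) events are not in default Sysmon output; they need an EDR or file-access auditing source, so the workspace and GUID ZIP writes are the cheaper signals if reads are unavailable.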