Keypoints
- WhiteSnake generates payloads in many formats (CMD, VBS, WSF, HTA, MSI, Python, macros) that carry Base64-encoded stealer blobs decoded on the host (commonly via certutil) and executed from %TEMP%.
- The builder supports RC4 encryption for exfiltrated data and an optional RSA layer to protect the RC4 key; logs are packaged as .wsr files and exfiltrated to transfer.sh and via a Telegram bot message containing a download URL.
- The stealer uses Tor (downloads Tor binaries, configures torrc and a HiddenService) for anonymized C2 and creates a local Tor hidden service (.onion) for attacker access.
- Persistence options include scheduled tasks (schtasks) for resident mode; spreading features include USB copy checks and copying to other users’ Startup folders.
- Anti-analysis checks include WMI queries to detect virtualization/sandbox indicators (e.g., SELECT * FROM Win32_ComputerSystem) and optional file-size pumping to evade sandboxes.
- Operational features include an auto keylogger (SetWindowsHookExA-based), remote terminal supporting screenshots/webcam/DPAPI decryption, loader functionality (download & execute), and structured configuration parsing for targeted data extraction.
- Author provided configuration extractors (XOR and RC4 variants) to decrypt embedded configuration and list C2 endpoints and enabled features.
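As an added illustration of the extractor idea in the last point (this is not the author's tool and does not reproduce WhiteSnake's real configuration layout), the following Python decrypts a constructed RC4- or XOR-encrypted blob and lists the C2 endpoints and enabled feature flags found in a constructed XML-style config; the key, the blob, the tag names and the sample addresses are all assumptions.

```python
import re

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor_decrypt(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR, the second extractor variant mentioned above."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# ip:port endpoints and <Flag>true</Flag> markers in the decrypted text.
C2_RE = re.compile(rb"(?:\d{1,3}\.){3}\d{1,3}:\d{2,5}")
FEATURE_RE = re.compile(rb"<(\w+)>true</\1>")

def extract_config(blob: bytes, key: bytes, variant: str = "rc4"):
    """Decrypt an embedded config blob; return (plaintext, c2_list, enabled_features)."""
    plain = rc4(key, blob) if variant == "rc4" else xor_decrypt(key, blob)
    c2 = [m.decode() for m in C2_RE.findall(plain)]
    features = [f.decode() for f in FEATURE_RE.findall(plain)]
    return plain, c2, features

# Constructed sample: an XML-style config (assumed layout, not WhiteSnake's real one)
# encrypted with a constructed 16-byte RC4 key, standing in for the embedded blob.
SAMPLE_KEY = bytes(range(0x10, 0x20))
SAMPLE_CONFIG = (b"<config><c2>203.0.113.10:8080</c2><c2>198.51.100.7:8080</c2>"
                 b"<AntiVM>true</AntiVM><Keylogger>false</Keylogger>"
                 b"<Loader>true</Loader></config>")
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_CONFIG)

if __name__ == "__main__":
    _, c2, feats = extract_config(SAMPLE_BLOB, SAMPLE_KEY)
    print("C2:", c2)
    print("Enabled:", feats)
```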
MITRE Techniques
- [T1047] Windows Management Instrumentation – used for sandbox and system enumeration via WMI queries such as ‘SELECT * FROM Win32_ComputerSystem’ to check Model/Manufacturer for virtualization indicators.
- [T1053.005] Scheduled Task/Job – persistence is created using schtasks (example command shown, with the task name after /tn elided in the source: ‘schtasks /create /tn /sc MINUTE /tr “C:\Users\<username>\AppData\Local\EsetSecurity” /rl HIGHEST /f’) to register resident execution.
- [T1090] Proxy (Tor) – WhiteSnake downloads and configures Tor and creates a hidden service for anonymized C2, as described: ‘WhiteSnake uses TOR for communication’ and creates HiddenServiceDir under the LocalAppData folder.
- [T1056.001] Input Capture: Keylogging – implements a keylogger using Windows APIs (‘SetWindowsHookExA’, ‘GetKeyState’, ‘CallNextHookEx’, etc.) to capture keystrokes.
- [T1567.002] Exfiltration Over Web Service – exfiltrated WSR files are uploaded to transfer.sh and the resulting URL is sent via Telegram Bot (‘https://transfer.sh/’ and Telegram API snippet used to post download URL).
- [T1105] Ingress Tool Transfer – loader capability fetches additional payloads from a hosting URL and saves them under %LOCALAPPDATA% before executing with UseShellExecute (described: ‘If the Loader capability is enabled, the stealer will attempt to retrieve it from the payload hosting URL’).
- [T1012] Query Registry – credentials and Outlook details are parsed from registry keys (‘retrieves Outlook information from the registry key based on the default profile’).
Indicators of Compromise
- [C2 IPs] C2 servers – 172.104.152.202:8080, 116.202.101.219:8080, and 26 more IPs listed in the article’s C2 table.
- [SHA-256] Sample hashes – f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50, c219beaecc91df9265574eea6e9d866c224549b7f41cdda7e85015f4ae99b7c7.
- [Domains/URLs] Exfiltration and tooling endpoints – https://transfer.sh/ (used to host uploaded reports), https://api.telegram.org/ (used to send Telegram bot messages); article also references https://archive.torproject.org/ for Tor download.
- [Filenames] Temp/extracted payload names and report files – examples: P114cace969bca23c6118304a9040eff4.exe (decoded payload saved to %TEMP%), hhcvT_administrator@WINDOWS-CBVFCB_report.wsr (generated WSR report filename), and od1718d0be65b07c0fd84d1d9d446.exe.
The technical deployment flow begins at the builder: operators generate payloads in many supported extensions (CMD, VBS, WSF, HTA, MSI, Python, macro-enabled Office files) that embed a Base64 blob of the stealer. On execution the wrapper decodes the blob (commonly using certutil for Windows-based scripts), drops the decoded executable into %TEMP% under a random name, and launches it. The .NET stealer performs Mutex checks, optional AntiVM via WMI queries (e.g., ‘SELECT * FROM Win32_ComputerSystem’), and can auto-delete (non-resident) or install persistence (resident) by creating a scheduled task (schtasks) with parameters controlled by configuration.
Once running, WhiteSnake parses an XML configuration to enumerate targeted directories and registry keys for browsers, wallets, messaging apps, FTP/SSH clients, and Outlook; extracted items are RC4-encrypted with a random 16-byte key, prefixed with ‘LWSR$’, compressed into a .wsr archive, and either uploaded to transfer.sh or sent via Telegram Bot (the bot message contains the transfer.sh download URL and an ‘Open’ link that points to a localhost handler). If RC4+RSA is enabled the RC4 key is encrypted with the configured RSA public key stored in the configuration before upload.
For anonymized C2, the stealer can download and configure Tor under %LOCALAPPDATA%, write a torrc (SOCKSPort/ControlPort/DataDirectory/HiddenServiceDir/HiddenServicePort) and produce a HiddenService (.onion) to accept inbound operator connections. Optional capabilities include a SetWindowsHookEx-based keylogger, USB and local user spreading (copying to removable drives and other users’ Startup folders), loader functionality that fetches and executes remote payloads, a remote terminal (screenshot/webcam/DPAPI decryption/file transfer), and self-deletion via cmd after execution.
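To turn the staging, persistence and Tor steps described above into something a defender can test, here is an added Python example (not from the original article) that runs simple detection rules over constructed process-creation events for the four observable steps: certutil decoding into %TEMP%, a wrapper process launching the dropped binary from %TEMP%, schtasks /create with /sc MINUTE pointing under %LOCALAPPDATA%, and tor.exe running from %LOCALAPPDATA%. The event layout, user name, file names and task name are constructed.

```python
import re

# Constructed process-creation events in a simplified "key: value | key: value"
# layout (not real Sysmon/EDR telemetry); paths, user name and task name are made up.
SAMPLE_EVENTS = r"""
Image: C:\Windows\System32\certutil.exe | CommandLine: certutil -decode C:\Users\alice\AppData\Local\Temp\blob.txt C:\Users\alice\AppData\Local\Temp\Pabc123.exe | ParentImage: C:\Windows\System32\cmd.exe
Image: C:\Users\alice\AppData\Local\Temp\Pabc123.exe | CommandLine: C:\Users\alice\AppData\Local\Temp\Pabc123.exe | ParentImage: C:\Windows\System32\cmd.exe
Image: C:\Windows\System32\schtasks.exe | CommandLine: schtasks /create /tn Updater /sc MINUTE /tr "C:\Users\alice\AppData\Local\EsetSecurity\svc.exe" /rl HIGHEST /f | ParentImage: C:\Users\alice\AppData\Local\Temp\Pabc123.exe
Image: C:\Users\alice\AppData\Local\tor\tor.exe | CommandLine: tor.exe -f torrc | ParentImage: C:\Users\alice\AppData\Local\Temp\Pabc123.exe
Image: C:\Windows\System32\notepad.exe | CommandLine: notepad.exe | ParentImage: C:\Windows\explorer.exe
"""

# Hosts that the builder's wrappers (CMD, VBS/WSF, HTA, MSI, macros) run under.
WRAPPERS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "msiexec.exe", "winword.exe", "excel.exe"}
TEMP_RE = re.compile(r"\\Temp\\", re.I)
LOCALAPP_RE = re.compile(r"\\AppData\\Local\\", re.I)

def parse_event(line: str) -> dict:
    """Split one event line into its fields."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields

def classify(ev: dict) -> list:
    """Return the names of the chain steps this event matches."""
    image, cmd, parent = ev.get("Image", ""), ev.get("CommandLine", ""), ev.get("ParentImage", "")
    exe = image.rsplit("\\", 1)[-1].lower()
    parent_exe = parent.rsplit("\\", 1)[-1].lower()
    low = cmd.lower()
    hits = []
    if exe == "certutil.exe" and "-decode" in low and TEMP_RE.search(cmd):
        hits.append("certutil_decode_to_temp")          # wrapper decoding the Base64 blob
    if TEMP_RE.search(image) and parent_exe in WRAPPERS:
        hits.append("wrapper_launched_temp_binary")     # dropped stealer started from %TEMP%
    if exe == "schtasks.exe" and "/create" in low and "/sc minute" in low and LOCALAPP_RE.search(cmd):
        hits.append("schtasks_minute_localappdata")     # resident-mode persistence
    if exe == "tor.exe" and LOCALAPP_RE.search(image):
        hits.append("tor_from_localappdata")            # bundled Tor for the hidden service
    return hits

def scan(text: str) -> dict:
    """Map 1-based line numbers to matched steps, for lines that matched anything."""
    result = {}
    for n, line in enumerate(text.strip().splitlines(), 1):
        hits = classify(parse_event(line))
        if hits:
            result[n] = hits
    return result
```

Calling scan(SAMPLE_EVENTS) flags the first four constructed events, one step each, and leaves the benign notepad line untouched.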
Read more: https://russianpanda.com/2023/07/04/WhiteSnake-Stealer-Malware-Analysis/