Akira Stealer : An Undetected Python Based Info-stealer – CYFIRMA

Akira Stealer is a Python-based information stealer offered as Malware-as-a-Service (MaaS) via a dedicated portal at Akira.red, with Telegram used for updates and command-and-control. It harvests credentials, financial data, and system information, exfiltrating to GoFile and Discord while employing obfuscation and multi-stage delivery to evade detection. #AkiraStealer #AkiraRed #Telegram #GoFile #Discord #Python #MaaS

Keypoints

  • Akira Stealer is distributed as MaaS from a dedicated portal and promoted via Telegram for updates and control.
  • It uses a multi-stage infection chain starting with CMD scripts and obfuscated PowerShell to download and run the malware.
  • The malware communicates with the C2 using Python’s urllib3 HTTP client and enforces client-side TLS verification to prevent interception.
  • It harvests data from browsers, messaging apps, and other applications, including credentials and payment card details.
  • Stolen data is uploaded to multiple locations (gofile.io and Discord) and is controlled via Telegram channels.
  • Defense evasion and persistence techniques include startup folder placement, registry modifications, Defender exclusions, and privilege elevation via fodhelper.exe.

MITRE Techniques

  • [T1059.001] PowerShell – Obfuscated PowerShell is used to download and execute the malware. “The batch script file embeds the dropped batch file in the current working directory … The hidden.bat file contains obfuscated PowerShell script”
  • [T1059.003] Windows Command Shell – The malware originally comes as a Windows command shell (CMD) script file. “The original malware sample comes as a Windows command shell (CMD) script file.”
  • [T1059.006] Python – The extracted folder contains an executable and compiled bytecode files generated by the Python interpreter and urllib3. “compiled bytecode files generated by the Python interpreter and urllib3”
  • [T1204.002] Malicious File – The process uses a multi-step downloader to initialize execution. “Decoded content of the batch file, which is a PowerShell script command is also obfuscated … Further de-obfuscation of the PowerShell command reveals its functionality as a Downloader”
  • [T1547.001] Registry Run Keys / Startup Folder – Drops itself in the Startup Folder as part of persistence. “drops itself in the Startup folder with a file name that only includes blank characters in the name with extension ‘.scr’”
  • [T1548] Abuse Elevation Control Mechanism – Elevation via fodhelper.exe to gain privilege without a UAC prompt. “under fodhelper.exe (Features on Demand Helper), which provides the effortless privilege elevation without requiring a UAC prompt”
  • [T1622] Debugger Evasion – Defense evasion techniques include debugger evasion. “Defense Evasion (TA0005)… T1622: Debugger Evasion”
  • [T1564] Hidden Window – The PowerShell and batch execution occur in a hidden window. “Hidden Window”
  • [T1070.004] File Deletion – Evasion through file-related actions; referenced within defense evasion techniques. “T1070.004: File Deletion”
  • [T1112] Modify Registry – Registry modifications to impair defenses, including adding the payload to the Windows Defender exclusion list. “modifies setting for Windows Defender to add the file in the exclusion list”
  • [T1539] Steal Web Session Cookie – Credential access including web session cookies. “The collected data includes login credentials, … cookies”
  • [T1555.003] Credentials from Web Browsers – Web browser credential theft. “credentials from web browsers”
  • [T1217] Browser Information Discovery – System profiling includes browser and related data. “Enumeration … Browser Information Discovery”
  • [T1082] System Information Discovery – Collects system information. “System Information Discovery”
  • [T1016] System Network Configuration Discovery – Collects network configuration data. “System Network Configuration Discovery”
  • [T1113] Screen Capture – Takes screenshots as part of data collection. “Takes screenshots”
  • [T1071.001] Web Protocols – C2 communication over web protocols using HTTP client. “HTTP client … urllib3”
  • [T1132] Data Encoding – Encoded instructions/data from C2. “the C2 server sends the encoded instructions”
  • [T1573] Encrypted Channel – Uses encrypted communication with TLS. “encrypted connection” and TLS handshake evidence
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration to C2 channel (GoFile/Discord). “uploads the stolen data … to GoFile and Discord”
  • [T1567.002] Exfiltration to Cloud Storage – Exfiltration to online storage (GoFile). “to online storage gofile.io”
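The Startup-folder persistence item above (T1547.001) describes a file whose name consists only of blank characters with a .scr extension. That is an anomaly no legitimate installer produces, so it makes a cheap, high-signal hunt. The following Python script is an added example for defenders, not code from the CYFIRMA report; the directory layout of the Windows Startup folders is standard, while the choice to treat ASCII space, tab and every Unicode space separator (category Zs) as "blank" is an assumption, since the report does not say which blank characters the sample used. The demonstration files it creates are constructed placeholders.

```python
"""Hunt for the blank-name '.scr' Startup-folder artefact described in the report.

Added example, not CYFIRMA's code. Assumption: 'blank characters' covers ASCII
space, tab and any Unicode space separator (category Zs), e.g. U+00A0, U+3000.
"""
import os
import tempfile
import unicodedata
from pathlib import Path
from typing import Iterable, List


def _is_blank_char(ch: str) -> bool:
    """ASCII space/tab or any Unicode 'Zs' separator."""
    return ch in (" ", "\t") or unicodedata.category(ch) == "Zs"


def is_blank_name_scr(name: str) -> bool:
    """True when the file stem is non-empty and entirely blank and the extension is .scr."""
    stem, ext = os.path.splitext(os.path.basename(name))
    return ext.lower() == ".scr" and len(stem) > 0 and all(_is_blank_char(c) for c in stem)


def flag_names(names: Iterable[str]) -> List[str]:
    """Return the subset of file names that match the persistence artefact."""
    return [n for n in names if is_blank_name_scr(n)]


def windows_startup_dirs() -> List[Path]:
    """Per-user and all-users Startup folders, resolved from environment variables.

    Returns an empty list where those variables are absent (e.g. on Linux)."""
    candidates = []
    appdata = os.environ.get("APPDATA")
    programdata = os.environ.get("PROGRAMDATA")
    if appdata:
        candidates.append(Path(appdata, "Microsoft", "Windows", "Start Menu", "Programs", "Startup"))
    if programdata:
        candidates.append(Path(programdata, "Microsoft", "Windows", "Start Menu", "Programs", "StartUp"))
    return [d for d in candidates if d.is_dir()]


def scan_dirs(dirs: Iterable[Path]) -> List[Path]:
    """List files in the given directories whose names match the artefact."""
    hits: List[Path] = []
    for d in dirs:
        for entry in Path(d).iterdir():
            if entry.is_file() and is_blank_name_scr(entry.name):
                hits.append(entry)
    return hits


if __name__ == "__main__":
    # Constructed demonstration: a throwaway directory standing in for a Startup folder.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "OneDrive.lnk").write_bytes(b"benign placeholder")
        Path(tmp, "   .scr").write_bytes(b"constructed placeholder, not malware")
        for hit in scan_dirs([Path(tmp)]):
            print("suspicious startup entry:", repr(hit.name))
    # Then the real Startup folders, if the script is running on Windows.
    for hit in scan_dirs(windows_startup_dirs()):
        print("suspicious startup entry:", repr(str(hit)))
```

Run it from a scheduled task or an EDR custom-script slot; a hit should be treated as a persistence finding and the file hashed and quarantined, not merely deleted, so the sample is preserved for analysis.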

Indicators of Compromise

  • [MD5 Hash] 3989X_NORD_VPN_PREMIUM_HITS.txt.cmd – 016dfdd45c8208d246d59327c40355e0
  • [SHA-256 Hash] 3989X_NORD_VPN_PREMIUM_HITS.txt.cmd – b14262297bdfc61e2103eed6d77dce42bd3076c31912b4143151dfa36f751411
  • [MD5 Hash] hidden.bat – 81e7ff1742d45075305a2082b1a7ac9d
  • [SHA-256 Hash] hidden.bat – 03564dc699f82f7e5d52046d82863ceddc6d657c66c0078f88cfe9cf1953187b
  • [MD5 Hash] File.zip – 4027c802411f8b4091c5c4eb077efa49
  • [SHA-256 Hash] File.zip – 50e36d96cb593c39afa2fc11ac25c976f0ff1586159d2eb2626902e6d6062f81
  • [Domain] Akira.red – C2 server
  • [URL] https[:]//akira[.]red/pyst.txt – C2 server
  • [URL] https[:]//akira[.]red/inj.php – C2 server
  • [URL] https[:]//api[.]gofile[.]io/getServer – Data exfiltration
  • [URL] https[:]//store11[.]gofile[.]io/uploadFile – Data exfiltration
  • [URL] https[:]//discord[.]com/api/webhooks/1145738132550078484/px0c3QsngkzQX39aXJP-vKODDYwvODftHl6j83epN0ndbZ0O_DQ7D6vhFVDcluj0rLey – Data exfiltration
  • [URL] https[:]//store7[.]gofile[.]io/download/direct/13d3e926-8be7-4c15-a1d9-f0e809ec1f14/m2[.]zip – Malware download
  • [URL] https[:]//t.me/AkiraRedBot – Telegram channel
  • [URL] https[:]//t.me/akiraundetector – Telegram channel
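The indicators above are published defanged (`[.]`, `[:]`), so they cannot be compared with live data as-is. The Python below is an added example, not part of the CYFIRMA report: it embeds the report's hash and URL indicators verbatim, refangs them, and then matches file contents by MD5/SHA-256 and proxy log lines by exact URL or by host. The file contents and log lines it checks are constructed samples. Any URL on akira.red is treated as suspect, whereas gofile.io, discord.com and t.me are legitimate services and are matched only on the exact URLs listed.

```python
"""Match the report's IoCs against file hashes and proxy log lines.

Added example, not CYFIRMA's code. Hash and URL values are copied from the IoC
list; sample data and log lines are constructed.
"""
import hashlib
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Indicators exactly as published (defanged).
IOC_HASHES: Dict[str, str] = {
    "016dfdd45c8208d246d59327c40355e0": "3989X_NORD_VPN_PREMIUM_HITS.txt.cmd (MD5)",
    "b14262297bdfc61e2103eed6d77dce42bd3076c31912b4143151dfa36f751411": "3989X_NORD_VPN_PREMIUM_HITS.txt.cmd (SHA-256)",
    "81e7ff1742d45075305a2082b1a7ac9d": "hidden.bat (MD5)",
    "03564dc699f82f7e5d52046d82863ceddc6d657c66c0078f88cfe9cf1953187b": "hidden.bat (SHA-256)",
    "4027c802411f8b4091c5c4eb077efa49": "File.zip (MD5)",
    "50e36d96cb593c39afa2fc11ac25c976f0ff1586159d2eb2626902e6d6062f81": "File.zip (SHA-256)",
}
IOC_DOMAINS = {"akira[.]red"}  # any URL on this host is suspect
IOC_URLS = {  # exact-match indicators, including ones on otherwise legitimate services
    "https[:]//akira[.]red/pyst.txt",
    "https[:]//akira[.]red/inj.php",
    "https[:]//api[.]gofile[.]io/getServer",
    "https[:]//store11[.]gofile[.]io/uploadFile",
    "https[:]//discord[.]com/api/webhooks/1145738132550078484/px0c3QsngkzQX39aXJP-vKODDYwvODftHl6j83epN0ndbZ0O_DQ7D6vhFVDcluj0rLey",
    "https[:]//store7[.]gofile[.]io/download/direct/13d3e926-8be7-4c15-a1d9-f0e809ec1f14/m2[.]zip",
    "https[:]//t.me/AkiraRedBot",
    "https[:]//t.me/akiraundetector",
}


def refang(indicator: str) -> str:
    """Undo the common '[.]', '[:]' and 'hxxp' defanging so indicators compare with live data."""
    s = indicator.replace("[.]", ".").replace("[:]", ":")
    if s.lower().startswith("hxxp"):
        s = "http" + s[4:]
    return s


def hash_bytes(data: bytes) -> Dict[str, str]:
    """MD5 and SHA-256 hex digests, matching the two hash types the report publishes."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def match_hashes(data: bytes, iocs: Dict[str, str] = IOC_HASHES) -> List[str]:
    """Names of IoC entries whose digest equals either digest of the given bytes."""
    return [iocs[d] for d in hash_bytes(data).values() if d in iocs]


def match_log_line(line: str) -> Optional[str]:
    """Indicator (URL or host) matched by the first URL token in a proxy log line, or None."""
    urls = {refang(u) for u in IOC_URLS}
    domains = {refang(d) for d in IOC_DOMAINS}
    for token in line.split():
        if not token.startswith(("http://", "https://")):
            continue
        if token in urls:
            return token
        host = urlparse(token).hostname or ""
        if host in domains:
            return host
    return None


if __name__ == "__main__":
    # Constructed proxy log lines; only the first two should hit.
    sample_log = [
        "2023-09-01T10:00:00Z 10.0.0.5 GET https://akira.red/pyst.txt 200",
        "2023-09-01T10:00:02Z 10.0.0.5 POST https://api.gofile.io/getServer 200",
        "2023-09-01T10:00:03Z 10.0.0.5 GET https://example.org/index.html 200",
    ]
    for line in sample_log:
        hit = match_log_line(line)
        print(("HIT  " if hit else "ok   ") + line + (f"  <- {hit}" if hit else ""))
    # Constructed file content; it matches nothing in the published list.
    print("hash matches:", match_hashes(b"constructed benign sample"))
```

Hash matching is only useful for the exact samples analysed; the URL and host matching is the longer-lived part, and the akira.red host rule in particular should go into proxy and DNS blocklists as the recommendations below suggest.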

MITRE ATT&CK Tactics and Techniques

  1. Execution (TA0002)
       • T1059.001: PowerShell
       • T1059.003: Windows Command Shell
       • T1059.006: Python
       • T1204.002: Malicious File
  2. Persistence (TA0003)
       • T1547.001: Registry Run Keys / Startup Folder
  3. Privilege Escalation (TA0004)
       • T1548: Abuse Elevation Control Mechanism
  4. Defense Evasion (TA0005)
       • T1622: Debugger Evasion
       • T1564: Hidden Window
       • T1070.004: File Deletion
       • T1112: Modify Registry
       • T1562: Impair Defenses
  5. Credential Access (TA0006)
       • T1539: Steal Web Session Cookie
       • T1555.003: Credentials from Web Browsers
  6. Discovery (TA0007)
       • T1217: Browser Information Discovery
       • T1082: System Information Discovery
       • T1016: System Network Configuration Discovery
  7. Collection (TA0009)
       • T1113: Screen Capture
  8. Command and Control (TA0011)
       • T1071.001: Web Protocols
       • T1132: Data Encoding
       • T1573: Encrypted Channel
  9. Exfiltration (TA0010)
       • T1041: Exfiltration Over C2 Channel
       • T1567.002: Exfiltration to Cloud Storage

Recommendations

  • Implement threat intelligence to proactively counter the threats associated with Akira Stealer.
  • To protect endpoints, use robust endpoint security solutions for real-time monitoring and threat detection, such as an anti-malware suite and a host-based intrusion prevention system.
  • Continuously monitor network activity with NIDS/NIPS and use a web application firewall to filter or block suspicious activity; together these help protect against compromise via encrypted payloads.
  • Configure firewalls to block outbound communication to known malicious IP addresses and domains associated with Akira Stealer command and control servers.
  • Implement behavior-based monitoring to detect unusual activity patterns, such as suspicious processes attempting to make unauthorized network connections.
  • Employ application whitelisting to allow only approved applications to run on endpoints, preventing the execution of unauthorized or malicious executables.
  • Conduct periodic vulnerability assessments and penetration tests of the environment to find security gaps, and remediate the findings to harden it.
  • Use security benchmarks to establish baseline security procedures and organizational security policies.
  • Develop a comprehensive incident response plan that outlines steps to take in case of a malware infection, including isolating affected systems and notifying relevant stakeholders.
  • Security awareness and training programs help protect against security incidents such as social engineering attacks. Organizations should remain vigilant and continuously adapt their defenses to mitigate the evolving threats posed by Akira Stealer.
  • Apply security patches promptly to reduce the risk of compromise.

Source: https://www.cyfirma.com/outofband/akira-stealer-an-undetected-python-based-info-stealer/