Affected Platforms: Windows
Impacted Users: Windows users
Impact: The information collected can be used for future attacks
Severity Level: Medium
In 2023, the InfoStealer market is a reasonably crowded affair. The likes of RedLine, Raccoon, and Vidar own a significant market share, with new entrants such as SaphireStealer appearing frequently. The latest entry, ExelaStealer has now taken the field. Very little backstory is available on ExelaStealer, with the earliest public mentions FortiGuard Labs could locate occurring in August 2023.
FortiGuard Labs research reveals that ExelaStealer is a largely open-source InfoStealer with paid customizations available from the threat actor. It is written in Python, although it pulls resources from other languages (e.g., JavaScript) where needed. It can steal sensitive information from a Windows-based host (e.g., passwords, credit cards, cookies and session data, and general keylogging).
FortiGuard Labs was able to obtain a sample. This blog will analyze its inner workings.
Advertising
Advertising on the Dark Web for ExelaStealer offers both an open-source and paid-for version. These advertisements also provide good insight into its capabilities.
Figure 1: Advert detailing the malware’s major capabilities and some build options.
Some ads appear to have been posted by the prime contact for ExelaStealer, an individual or group using the handle “quicaxd.”
Figure 2: Advert for ExelaStealer posted by quicaxd.
As shown in Figure 2, the cost for a month of use is $20, while three months is $45. A lifetime subscription is $120. Additionally, its Telegram channel is shown, which was active at the time of writing. Its Telegram home allows individuals to purchase a copy of the paid-for version and the GitHub repo for the open-source version.
Figure 3: Telegram channel advertising ExelaStealer by quicaxd.
Building the Malware
Anyone with the necessary skills could create an ExelaStealer binary using the freely available source code.
Figure 4: The types of options available when building ExelaStealer.
The malware can currently only be compiled and packaged on a Windows-based host. The primary code for the malware is contained in a file named “Exela.py.”
Figure 5: “Exela.py” source code.
The build process is initiated using a batch file that then calls Python and the “builder.py” file.
Figure 6: ExelaStealer build files.
The builder uses a file named “obf.py” to make the calls necessary to obfuscate ExelaStealer’s code, making it harder to analyze.
Figure 7: “obf.py” handles the main obfuscation of the code.
The non-library and now obfuscated code is distilled into a file named “Obfuscated.py,” which is ready for use.
Initial Infection Vector
The binaries analyzed by FortiGuard Labs appeared to have been released as part of a specific campaign. The use of a decoy document supports this.
Unfortunately, the initial infection vector was not available to us. However, initial infection could be achieved in any number of ways (e.g., phishing, watering holes, other malware, etc.).
sirket-ruhsat-pdf.exe (f96bc306a0e3bc63092a04475dd4a1bac75224df242fa9fca36388a1978ce048)
This binary acts as a container and first stage for the deployment. Its job is the spawning of the “sirket-ruhsat-pdf.exe” (95d860570b2777d7af213f9b48747d528251facada54842d7a07a5798fcbfe51) executable and launching a PDF viewer to display a decoy document (BNG 824 ruhsat.pdf) to the user.
It will deposit both files into the root of the C: Drive.
Figure 8: Newly deposited “sirket-ruhsat-pdf.exe” and “BNG 824 ruhsat.pdf”.
BNG 824 ruhsat.pdf
“sirket-ruhsat-pdf.exe” automatically attempts to find a compatible viewer and launch “BNG 824 ruhsat.pdf”. The PDF is a copy of a Turkish vehicle registration certificate for a Dacia Duster. The document is entirely benign and simply a visual decoy to the user.
Figure 9: Decoy PDF document of a Turkish vehicle registration certificate.
Static Analysis of sirket-ruhsat-pdf.exe (95d860570b2777d7af213f9b48747d528251facada54842d7a07a5798fcbfe51)
“sirket-ruhsat-pdf.exe” is a PyInstaller executable. As such, a tool such as “pyinstxtractor” (https://github.com/extremecoders-re/pyinstxtractor) can extract the archive’s contents for inspection.
Figure 10: PyInstaller archive contents for “sirket-ruhsat-pdf.exe.”
The executable is most likely signed with a fraudulent or invalid certificate and uses the name “Runtime Broker,” a legitimate Microsoft process.
Figure 10 shows the compiled version of the “Obfuscated.py” file. Using another tool, such as “pycdc” (Python Byte-code Disassembler/Decompiler – https://github.com/zrax/pycdc), the code in “Obfuscated.pyc” can be decompiled.
Figure 11: Decompiled “Obfuscated.pyc”.
Unfortunately, as good as its word, function names and variable values in the file are heavily obfuscated, increasing the time required to analyze it statically. That does not make it impossible, however.
A large blob of data in the code looks out of place compared to the rest of the instructions.
Figure 12: Data “blob” in the decompiled “Obfuscated.py.”
Functions at the end of the file allow for its decoding and execution.
Figure 13: “blob” decoding functions in “Obfuscated.py.”
By taking those functions and depositing them with the blob into a test script, we can obtain the full decoded contents for review. Figure 14 shows the final output, which you’ll note is the code for “Exela.py.” except in this case, it is being used in the wild.
Figure 14: The decoded “blob” is revealed to be “Exela.py.”
Dynamic Analysis of sirket-ruhsat-pdf.exe (95d860570b2777d7af213f9b48747d528251facada54842d7a07a5798fcbfe51)
Turning our attention to dynamic analysis, the first activity that “sirket-ruhsat-pdf.exe” will complete is spawning itself in a new process.
Figure 15: Seeing double. A second execution of “sirket-ruhsat-pdf.exe”
ExelaStealer then runs the following two commands:
- C:Windowssystem32cmd.exe /c “ver”
- wmic csproduct get uuid
These collect the version of Windows and the host’s UUID (Universally Unique Identifier).
What follows next is a base-64 encoded PowerShell command.
Figure 16: Encoded PowerShell command.
Decoded, this command attempts to grab a screenshot of whatever is currently displayed on the screen.
Figure 17: Decoded PowerShell command.
A flurry of both PowerShell and command-line items then follows:
- powershell.exe -Command ” $clipboardData = Get-Clipboard -Format Image $destinationPath = “C:UsersuserAppDataLocalTemp 0000000-0000-0000-0000-D05099DB2397last_clipboard_image.png” $clipboardData.Save($destinationPath)”
- C:Windowssystem32cmd.exe /c “echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Startup Info#### & wmic startup get caption,command & echo ####Firewallinfo#### & netsh firewall show state “
- netsh wlan export profile
- C:Windowssystem32cmd.exe /c “netsh wlan show profile
These commands copy images from the Clipboard and gather basic system information, basic physical disk information, user information, firewall status, and, interestingly, WLAN status and profile.
To store this information locally before sending it back to the TA, a folder is created in “C:Users<user>AppDataLocalTemp” and named using the UUID of the host.
Figure 18: Data collected and stored by ExelaStealer.
Each text file contains a URL back to the Telegram channel of the TA.
Figure 19: Data collected from the Windows Clipboard.
The files are packaged into a Zip archive using the same name as the folder (the UUID). This is then sent using a Discord webhook (https://discord.com/developers/docs/resources/webhook) to post to a TA-controlled Discord channel.
Conclusion
Data has become a valuable currency, and because of this, attempts to gather it will likely never cease. InfoStealer malware exfiltrates data belonging to corporations and individuals that can be used for blackmail, espionage, or ransom. Despite the number of infostealers in the wild, ExelaStealer shows there is still room for new players to emerge and gain traction.
Fortinet Protections
Fortinet customers are already protected from this malware through FortiGuard’s Web Filtering, AntiVirus, FortiMail, FortiClient, and FortiEDR services, as follows:
The following (AV) signature detects the malware samples mentioned in this blog
- W32/ExelaStealer.0943!tr
- W32/ExelaStealer.C93A!tr
The WebFiltering client blocks all network-based URIs.
Fortinet has multiple solutions designed to help train users to understand and detect phishing threats:
The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.
We also suggest that organizations have their end users undergo our FREE NSE training: NSE 1 – Information Security Awareness. It includes a module on Internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks.
If you think this or any other cybersecurity threat has impacted your organization, contact our Global FortiGuard Incident Response Team.
IOCs
File-based IOCs:
Filename |
SHA256 |
sirket-ruhsat-pdf.exe |
f96bc306a0e3bc63092a04475dd4a1bac75224df242fa9fca36388a1978ce048 |
sirket-ruhsat-pdf.exe |
95d860570b2777d7af213f9b48747d528251facada54842d7a07a5798fcbfe51 |
BNG 824 ruhsat.pdf |
5aff2c5e65d8e4e7fa0b0c310fbaef1e1da351de34fa5f1b83bfe17eeabac7ef |
RuntimeBroker.exe |
34dca3c80cd5125091e6e4de02e86dcc6a2a6f9900e058111e457c9bce6117c0 |
RuntimeBroker.exe |
c56b23602949597352d99aff03411d620b7a5996da2cab91368de275dcfbaa44 |
Network-based IOCs:
IOC |
IOC type |
hXXps://discord[.]com/api/webhooks/1139506512302194789/X_VYZdAHscWQ |
Discord webhook address |
Source: https://www.fortinet.com/blog/threat-research/exelastealer-infostealer-enters-the-field