Another InfoStealer Enters the Field, ExelaStealer | FortiGuard Labs

Affected Platforms: Windows
Impacted Users: Windows users
Impact: The information collected can be used for future attacks
Severity Level: Medium

In 2023, the InfoStealer market is a reasonably crowded affair. The likes of RedLine, Raccoon, and Vidar own a significant market share, with new entrants such as SaphireStealer appearing frequently. The latest entry, ExelaStealer has now taken the field. Very little backstory is available on ExelaStealer, with the earliest public mentions FortiGuard Labs could locate occurring in August 2023.

FortiGuard Labs research reveals that ExelaStealer is a largely open-source InfoStealer with paid customizations available from the threat actor. It is written in Python, although it pulls resources from other languages (e.g., JavaScript) where needed. It can steal sensitive information from a Windows-based host (e.g., passwords, credit cards, cookies and session data, and general keylogging).

FortiGuard Labs was able to obtain a sample. This blog will analyze its inner workings.

Advertising

Advertising on the Dark Web for ExelaStealer offers both an open-source and paid-for version. These advertisements also provide good insight into its capabilities.

Figure 1: Advert detailing the malware’s major capabilities and some build options.


Figure 1: Advert detailing the malware’s major capabilities and some build options.

Some ads appear to have been posted by the prime contact for ExelaStealer, an individual or group using the handle “quicaxd.”

Figure 2: Advert for ExelaStealer posted by quicaxd.


Figure 2: Advert for ExelaStealer posted by quicaxd.

As shown in Figure 2, the cost for a month of use is $20, while three months is $45. A lifetime subscription is $120. Additionally, its Telegram channel is shown, which was active at the time of writing. Its Telegram home allows individuals to purchase a copy of the paid-for version and the GitHub repo for the open-source version.

Figure 3: Telegram channel advertising ExelaStealer by quicaxd.


Figure 3: Telegram channel advertising ExelaStealer by quicaxd.

Building the Malware

Anyone with the necessary skills could create an ExelaStealer binary using the freely available source code.

Figure 4: The types of options available when building ExelaStealer.


Figure 4: The types of options available when building ExelaStealer.

The malware can currently only be compiled and packaged on a Windows-based host. The primary code for the malware is contained in a file named “Exela.py.”

Figure 5: “Exela.py” source code.


Figure 5: “Exela.py” source code.

The build process is initiated using a batch file that then calls Python and the “builder.py” file.

Figure 6: ExelaStealer build files.


Figure 6: ExelaStealer build files.

The builder uses a file named “obf.py” to make the calls necessary to obfuscate ExelaStealer’s code, making it harder to analyze.

Figure 7: “obf.py” handles the main obfuscation of the code.


Figure 7: “obf.py” handles the main obfuscation of the code.

The non-library and now obfuscated code is distilled into a file named “Obfuscated.py,” which is ready for use.

Initial Infection Vector

The binaries analyzed by FortiGuard Labs appeared to have been released as part of a specific campaign. The use of a decoy document supports this.

Unfortunately, the initial infection vector was not available to us. However, initial infection could be achieved in any number of ways (e.g., phishing, watering holes, other malware, etc.).

sirket-ruhsat-pdf.exe (f96bc306a0e3bc63092a04475dd4a1bac75224df242fa9fca36388a1978ce048)

This binary acts as a container and first stage for the deployment. Its job is the spawning of the “sirket-ruhsat-pdf.exe”  (95d860570b2777d7af213f9b48747d528251facada54842d7a07a5798fcbfe51) executable and launching a PDF viewer to display a decoy document (BNG 824 ruhsat.pdf) to the user.

It will deposit both files into the root of the C: Drive.

Figure 8: Newly deposited “sirket-ruhsat-pdf.exe” and “BNG 824 ruhsat.pdf”.


Figure 8: Newly deposited “sirket-ruhsat-pdf.exe” and “BNG 824 ruhsat.pdf”.

BNG 824 ruhsat.pdf

“sirket-ruhsat-pdf.exe” automatically attempts to find a compatible viewer and launch “BNG 824 ruhsat.pdf”. The PDF is a copy of a Turkish vehicle registration certificate for a Dacia Duster. The document is entirely benign and simply a visual decoy to the user.

Figure 9: Decoy PDF document of a Turkish vehicle registration certificate.


Figure 9: Decoy PDF document of a Turkish vehicle registration certificate.

Static Analysis of sirket-ruhsat-pdf.exe (95d860570b2777d7af213f9b48747d528251facada54842d7a07a5798fcbfe51)

“sirket-ruhsat-pdf.exe” is a PyInstaller executable. As such, a tool such as “pyinstxtractor” (https://github.com/extremecoders-re/pyinstxtractor) can extract the archive’s contents for inspection.

Figure 10: PyInstaller archive contents for “sirket-ruhsat-pdf.exe.”


Figure 10: PyInstaller archive contents for “sirket-ruhsat-pdf.exe.”

The executable is most likely signed with a fraudulent or invalid certificate and uses the name “Runtime Broker,” a legitimate Microsoft process.

Figure 10 shows the compiled version of the “Obfuscated.py” file. Using another tool, such as “pycdc” (Python Byte-code Disassembler/Decompiler – https://github.com/zrax/pycdc), the code in “Obfuscated.pyc” can be decompiled.

Figure 11: Decompiled “Obfuscated.pyc”.


Figure 11: Decompiled “Obfuscated.pyc”.

Unfortunately, as good as its word, function names and variable values in the file are heavily obfuscated, increasing the time required to analyze it statically. That does not make it impossible, however.

A large blob of data in the code looks out of place compared to the rest of the instructions.

Figure 12: Data “blob” in the decompiled “Obfuscated.py.”


Figure 12: Data “blob” in the decompiled “Obfuscated.py.”

Functions at the end of the file allow for its decoding and execution.

Figure 13: “blob” decoding functions in “Obfuscated.py.”


Figure 13: “blob” decoding functions in “Obfuscated.py.”

By taking those functions and depositing them with the blob into a test script, we can obtain the full decoded contents for review. Figure 14 shows the final output, which you’ll note is the code for “Exela.py.” except in this case, it is being used in the wild.

Figure 14: The decoded “blob” is revealed to be “Exela.py.”


Figure 14: The decoded “blob” is revealed to be “Exela.py.”

Dynamic Analysis of sirket-ruhsat-pdf.exe (95d860570b2777d7af213f9b48747d528251facada54842d7a07a5798fcbfe51)

Turning our attention to dynamic analysis, the first activity that “sirket-ruhsat-pdf.exe” will complete is spawning itself in a new process.

Figure 15: Seeing double. A second execution of “sirket-ruhsat-pdf.exe”


Figure 15: Seeing double. A second execution of “sirket-ruhsat-pdf.exe”

ExelaStealer then runs the following two commands:

  • C:Windowssystem32cmd.exe /c “ver”
  • wmic csproduct get uuid

These collect the version of Windows and the host’s UUID (Universally Unique Identifier).

What follows next is a base-64 encoded PowerShell command.

Figure 16: Encoded PowerShell command.


Figure 16: Encoded PowerShell command.

Decoded, this command attempts to grab a screenshot of whatever is currently displayed on the screen.

Figure 17: Decoded PowerShell command.


Figure 17: Decoded PowerShell command.

A flurry of both PowerShell and command-line items then follows:

  • powershell.exe -Command ” $clipboardData = Get-Clipboard -Format Image $destinationPath = “C:UsersuserAppDataLocalTemp0000000-0000-0000-0000-D05099DB2397last_clipboard_image.png” $clipboardData.Save($destinationPath)”
  • C:Windowssystem32cmd.exe /c “echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Startup Info#### & wmic startup get caption,command & echo ####Firewallinfo#### & netsh firewall show state “
  • netsh wlan export profile
  • C:Windowssystem32cmd.exe /c “netsh wlan show profile

These commands copy images from the Clipboard and gather basic system information, basic physical disk information, user information, firewall status, and, interestingly, WLAN status and profile.

To store this information locally before sending it back to the TA, a folder is created in “C:Users<user>AppDataLocalTemp” and named using the UUID of the host.

Figure 18: Data collected and stored by ExelaStealer.


Figure 18: Data collected and stored by ExelaStealer.

Each text file contains a URL back to the Telegram channel of the TA.

Figure 19: Data collected from the Windows Clipboard.


Figure 19: Data collected from the Windows Clipboard.

The files are packaged into a Zip archive using the same name as the folder (the UUID). This is then sent using a Discord webhook (https://discord.com/developers/docs/resources/webhook) to post to a TA-controlled Discord channel.

Conclusion

Data has become a valuable currency, and because of this, attempts to gather it will likely never cease. InfoStealer malware exfiltrates data belonging to corporations and individuals that can be used for blackmail, espionage, or ransom. Despite the number of infostealers in the wild, ExelaStealer shows there is still room for new players to emerge and gain traction.

Fortinet Protections

Fortinet customers are already protected from this malware through FortiGuard’s Web Filtering, AntiVirus, FortiMail, FortiClient, and FortiEDR services, as follows:

The following (AV) signature detects the malware samples mentioned in this blog

  • W32/ExelaStealer.0943!tr
  • W32/ExelaStealer.C93A!tr

The WebFiltering client blocks all network-based URIs.

Fortinet has multiple solutions designed to help train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

We also suggest that organizations have their end users undergo our FREE NSE trainingNSE 1 – Information Security Awareness. It includes a module on Internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks.

If you think this or any other cybersecurity threat has impacted your organization, contact our Global FortiGuard Incident Response Team.

IOCs

File-based IOCs:

Filename

SHA256

sirket-ruhsat-pdf.exe

f96bc306a0e3bc63092a04475dd4a1bac75224df242fa9fca36388a1978ce048

sirket-ruhsat-pdf.exe

95d860570b2777d7af213f9b48747d528251facada54842d7a07a5798fcbfe51

BNG 824 ruhsat.pdf

5aff2c5e65d8e4e7fa0b0c310fbaef1e1da351de34fa5f1b83bfe17eeabac7ef

RuntimeBroker.exe

34dca3c80cd5125091e6e4de02e86dcc6a2a6f9900e058111e457c9bce6117c0

RuntimeBroker.exe

c56b23602949597352d99aff03411d620b7a5996da2cab91368de275dcfbaa44

Network-based IOCs:

IOC

IOC type

hXXps://discord[.]com/api/webhooks/1139506512302194789/X_VYZdAHscWQ
NKWvya9KWqqqTK6UjVvS86_kUy8P8OyCcPhKykCQpEqf93S_qDFVuzp8

Discord webhook address

Source: https://www.fortinet.com/blog/threat-research/exelastealer-infostealer-enters-the-field