BbyStealer Malware Resurfaces, Sets Sights On VPN Users – Cyble

Cyble Research and Intelligence Labs uncovered a phishing-driven VPN malware campaign that delivers BbyStealer via VPN installer downloads. The campaign impersonates VPN services, drops BbyStealer to steal browser and crypto wallet data, and even performs a clipper attack to redirect cryptocurrency transactions.

Keypoints

  • CRIL uncovered a campaign using multiple phishing domains that impersonate Windows VPN applications.
  • The downloaded VPN app is used as a delivery vector for BbyStealer, an information-stealing malware.
  • BbyStealer first appeared in early 2022 and has resurfaced with a new developer.

MITRE Techniques

  • [T1566] Phishing – This malware reaches users via VPN phishing sites. Quote: “This malware reaches users via VPN phishing sites.”
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – cmd.exe is used to run commands like tasklist, taskkill, etc. Quote: “cmd.exe is used to run commands like tasklist, taskkill, etc.”
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell commands are used to get & modify the clipboard content. Quote: “PowerShell commands are used to get & modify the clipboard content.”
  • [T1047] Windows Management Instrumentation – Queries various information from the victim’s system. Quote: “Queries various information from victim’s system.”
  • [T1547.001] Registry Run Keys / Startup Folder – Drops the malware file into the startup folder. Quote: “Drops malware file to the startup folder.”
  • [T1003] OS Credential Dumping – Tries to harvest and steal browser information. Quote: “Tries to harvest and steal browser information.”
  • [T1057] Process Discovery – Queries a list of all running processes using the tasklist command. Quote: “Queries a list of all running processes using the tasklist command.”
  • [T1012] Query Registry – The malware examines the registry to extract system details. Quote: “The malware is examining the registry to extract system details.”
  • [T1005] Data from Local System – Tries to harvest and steal browser information. Quote: “Tries to harvest and steal browser information.”
  • [T1115] Clipboard Data – Open/Modify clipboard. Quote: “Open/Modify clipboard.”
  • [T1071] Application Layer Protocol – Performs DNS lookups. Quote: “Performs DNS lookups.”

Indicators of Compromise

  • [Domains] Phishing/C2 domains – totalvpn.tech, wolfervpn.com, vpncyberfortress.com, vpnfortres.online, itroppervpn.online, rufflesrefined.com, taffylollipop.com
  • [URLs] Phishing site download URLs – hxxps://totalvpn[.]tech/download/TotalVPN[.]rar, hxxps://wolfervpn[.]com/download/WolferVPN[.]rar, hxxps://vpnfortres[.]online/download/FortresVPN[.]rar, hxxps://itroppervpn[.]online/download/iTropperVPN[.]rar, hxxps://cdn.discordapp[.]com/attachments/1160770898966622230/1161087215963738174/CyberFortressVPN.rar?ex=653705bc&is=652490bc&hm=b9417ffe67ed173e46c662f30bd7f0d642770438b07040b99d4bd217c44c7942&
  • [MD5/SHA1/SHA256] TotalVPN.exe – 2cf6efb8104b5d4606fb1698ae97e4f5, effb88250fcb89bbab77f46c1022f3c9c0aad37e, 55a6a784d4acb7e9761a99fb38eb441519cdcd2943bfdf1a1558fe8513690c97
  • [MD5/SHA1/SHA256] CyberFortressVPN.exe – 3cf9c1d65d59b63d479ec26e9fd98b57, eab9cf1e969b5d9a3fda7714c6ae2796aaf44fd0, e97b03c98056d7c88bad83b7422767d51ac75fe959e7d1582cc645d6a2bae84b
  • [Files/Executables] Executable names – TotalVPN.exe, CyberFortressVPN.exe
  • [C2] Domain – rufflesrefined[.]com
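As an added example (not code from the Cyble report), the following Python triage script applies the report's domain and SHA256 indicators and its described behaviours (cmd.exe running tasklist/taskkill, PowerShell clipboard access, a drop into the Startup folder) to constructed process and DNS log events. The simplified event shape, the PowerShell clipboard cmdlet/API names and the sample events are assumptions.

```python
import re

# Indicators copied from the report above (phishing/C2 domains, SHA256 file hashes).
IOC_DOMAINS = {"totalvpn.tech", "wolfervpn.com", "vpncyberfortress.com", "vpnfortres.online",
               "itroppervpn.online", "rufflesrefined.com", "taffylollipop.com"}
IOC_SHA256 = {
    "55a6a784d4acb7e9761a99fb38eb441519cdcd2943bfdf1a1558fe8513690c97": "TotalVPN.exe",
    "e97b03c98056d7c88bad83b7422767d51ac75fe959e7d1582cc645d6a2bae84b": "CyberFortressVPN.exe",
}
# Behavioural rules derived from the MITRE section. The exact PowerShell clipboard
# cmdlet/API names are assumptions; the report only says PowerShell is used to
# get and modify the clipboard content.
BEHAVIOUR_RULES = [
    ("T1059.003", re.compile(r"\bcmd\.exe\b.*\b(tasklist|taskkill)\b", re.I)),
    ("T1059.001", re.compile(r"powershell.*((get|set)-clipboard|clipboard\]::(get|set)text)", re.I)),
    ("T1547.001", re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)),
]

def check_event(event: dict) -> list[str]:
    """Return the sorted list of indicators matched by one log event."""
    hits = set()
    text = event.get("cmdline", "") + " " + event.get("target_path", "")
    for technique, pattern in BEHAVIOUR_RULES:
        if pattern.search(text):
            hits.add(technique)
    digest = event.get("sha256", "").lower()
    if digest in IOC_SHA256:
        hits.add("hash:" + IOC_SHA256[digest])
    query = event.get("dns_query", "").lower().rstrip(".")
    for domain in IOC_DOMAINS:  # exact match or any subdomain of a listed domain
        if query == domain or query.endswith("." + domain):
            hits.add("domain:" + domain)
    return sorted(hits)

def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event id -> matched indicators, keeping only events that hit something."""
    return {e["id"]: h for e in events if (h := check_event(e))}

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
STARTUP = r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"id": 1, "cmdline": r"C:\Windows\System32\cmd.exe /c tasklist"},
    {"id": 2, "cmdline": 'powershell.exe -c "Set-Clipboard -Value constructed_value"'},
    {"id": 3, "cmdline": r"C:\Users\u\Downloads\TotalVPN.exe", "dns_query": "rufflesrefined.com",
     "sha256": "55a6a784d4acb7e9761a99fb38eb441519cdcd2943bfdf1a1558fe8513690c97"},
    {"id": 4, "cmdline": r"C:\Users\u\Downloads\TotalVPN.exe", "target_path": STARTUP + r"\TotalVPN.exe"},
    {"id": 5, "cmdline": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dns_query": "www.example.com"},
]
```

Running `scan(SAMPLE_EVENTS)` flags events 1 to 4 and leaves the benign browser event 5 unflagged; hash and domain hits are the high-confidence matches, while the behavioural rules are noisier and need baselining against legitimate admin activity.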

Read more: https://cyble.com/blog/bbystealer-malware-resurfaces-sets-sights-on-vpn-users/