Cinoshi Project And The Dark Side Of Free MaaS – Cyble

Cyble Research and Intelligence Labs uncovered a Malware-as-a-Service platform named “Cinoshi” that bundles a stealer, botnet, clipper, and cryptominer, with free stealer and web-panel access. The MaaS includes a web panel for build configuration, botnet task management, wallet replacement for clippers, and mining controls, increasing risk to gamers, crypto users, and connected ecosystems. Hashtags: #Cinoshi #Cyble #MaaS #Stealer #Clipper #Botnet #Cryptominer #SteamTradeLink

Keypoints

  • Cinoshi is a Malware-as-a-Service platform offering a free stealer and a web panel, plus botnet, clipper, and cryptominer capabilities.
  • Pricing includes a monthly subscription (1000 rubles or $15) for Botnet and Clipper, and a lifetime cryptominer license (2000 rubles or $30).
  • The MaaS web panel supports build compilation with unique tags, Telegram notifications, botnet task management, wallet setup for clipper, and cryptominer configuration.
  • Cinoshi Stealer gathers credentials and data from browsers (Gecko, Chromium, Edge), 35+ wallets/extensions, and can steal Steam/Telegram/Discord sessions, plus screenshots and webcam images.
  • Persistence: the stealer copies itself to a "ChromeUpdater" directory under AppData\Roaming, runs from there as chrome.exe and adds itself to the startup location; the miner is registered as a Task Scheduler entry that runs at startup.

MITRE Techniques

  • [T1204] User Execution – The stealer build produced by the web panel is a standalone executable, so initial execution depends on the victim running it. Quote: “The stealer build can be configured on the web panel, which enables features that”
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – The malware creates a ChromeUpdater folder under AppData\Roaming, runs from there as chrome.exe, and adds itself to the startup location for persistence. Quote: “The malware generates a new directory named “ChromeUpdater” within the “AppData\Roaming” directory and executes in this location under the name “chrome.exe”. It then adds itself to the startup location to maintain persistence.”
  • [T1053.005] Scheduled Task/Job: Scheduled Task – A Task Scheduler entry is created so the miner runs at startup. Quote: “creates a task scheduler entry to make the miner execute during startup.”
  • [T1027] Obfuscated Files or Information – The stealer is heavily obfuscated, pads its code with empty methods, rewrites its own code at runtime and breaks automated de-obfuscators; the page describes no virtual-machine or sandbox checks, so these are anti-analysis measures rather than sandbox evasion. Quote: “anti-tampering techniques, including heavy obfuscation and the use of empty methods. It modifies its code during runtime and generates error messages when automatic de-obfuscation tools are used.”
  • [T1113] Screen Capture – The stealer captures screenshots from the victim’s computer. Quote: “Screenshot from the victim’s computer.”
  • [T1083] File and Directory Discovery – The stealer checks for the wallet and application directories it targets with Directory.Exists() before collecting from them. Quote: “verifies their presence on the victim’s system using the Directory.Exists() method.”
  • [T1614] System Location Discovery – Geoinformation is fetched from the victim. Quote: “Geoinformation fetched by the stealer.”
  • [T1071.001] Application Layer Protocol: Web Protocols – The stealer first requests a staging URL over HTTPS and decodes the response to obtain the actual C&C URL, then talks to that C&C over HTTPS. Quote: “The stealer payload makes a request to hxxps[:]//tryno[.]ru/robots… decodes the content, which is Command and Control (C&C) URL (hxxps[:]//anaida.evisyn[.]lol/).”
  • [T1041] Exfiltration Over C2 Channel – The stolen data is sent to the decoded C&C URL with HTTP POST requests, the same channel used for command and control. Quote: “and sends POST requests to exfiltrate the stolen data.”
  • [T1489] Service Stop – The miner setup stops the Windows Update Orchestrator service (UsoSvc) with sc; the page does not describe any security product being stopped. Quote: “sc stop UsoSvc: This command stops the Windows Update service.”
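The persistence and miner-setup behaviours above (chrome.exe dropped under AppData\Roaming\ChromeUpdater, a Startup-folder entry, a scheduled task for the miner, and `sc stop UsoSvc`) are the host artifacts a responder would hunt for. The block below is an added example, not code from Cyble or from the Cinoshi project: it runs simple checks over constructed Sysmon-style events. The field names (EventID 1 with Image/CommandLine, EventID 11 with TargetFilename), the `schtasks /create ... /sc onstart` heuristic for the scheduled task, the T1036 mapping for chrome.exe running from a Roaming profile directory, and every sample event (paths, task name, miner file name) are assumptions for illustration; the page does not say how the task is created or what it is called.

```python
"""Behavioural checks for the Cinoshi persistence artifacts described above.

Added example, not code from Cyble or the Cinoshi project. Event schema
mirrors Sysmon field names (assumption); sample events are constructed.
"""
import re

# Artifacts reported on the page: chrome.exe under %AppData%\Roaming\ChromeUpdater,
# a copy added to the Startup folder, a scheduled task for the miner, sc stop UsoSvc.
CHROMEUPDATER_RE = re.compile(r"\\AppData\\Roaming\\ChromeUpdater\\chrome\.exe$", re.I)
STARTUP_DIR_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
SC_STOP_USOSVC_RE = re.compile(r"\bsc(\.exe)?\s+stop\s+usosvc\b", re.I)
# Assumption: the task is created with schtasks; the page does not say how.
SCHTASKS_STARTUP_RE = re.compile(
    r"\bschtasks(\.exe)?\b.*\s/create\b.*\s/sc\s+(onstart|onlogon)\b", re.I)


def classify(event):
    """Return a list of (technique, description) findings for one event."""
    findings = []
    eid = event.get("EventID")
    if eid == 11:  # Sysmon FileCreate
        target = event.get("TargetFilename", "")
        if CHROMEUPDATER_RE.search(target):
            findings.append(("T1547.001", "chrome.exe dropped under AppData/Roaming/ChromeUpdater"))
        if STARTUP_DIR_RE.search(target):
            findings.append(("T1547.001", "file written to the user Startup folder"))
    elif eid == 1:  # Sysmon ProcessCreate
        image = event.get("Image", "")
        cmd = event.get("CommandLine", "")
        if CHROMEUPDATER_RE.search(image):
            # Editor's mapping: a browser binary name executing from a profile
            # directory is masquerading; the page lists no T1036 entry itself.
            findings.append(("T1036", "chrome.exe executing from AppData/Roaming/ChromeUpdater"))
        if SC_STOP_USOSVC_RE.search(cmd):
            findings.append(("T1489", "Windows Update Orchestrator service (UsoSvc) stopped"))
        if SCHTASKS_STARTUP_RE.search(cmd):
            findings.append(("T1053.005", "scheduled task created to run at startup/logon"))
    return findings


def scan(events):
    """Run classify() over every event; return (event index, technique, description)."""
    return [(i, tech, desc) for i, ev in enumerate(events) for tech, desc in classify(ev)]


# Constructed sample telemetry: five events that should fire, two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Roaming\ChromeUpdater\chrome.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\ChromeUpdater\chrome.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Roaming\ChromeUpdater\chrome.exe"'},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                                      r"\Start Menu\Programs\Startup\chrome.lnk"},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc stop UsoSvc"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "SystemUpdate" /tr "C:\Users\alice\AppData\Roaming\m.exe" '
                    r'/sc onstart /ru SYSTEM /f'},  # task name and path are constructed
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},  # benign
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc query UsoSvc"},  # benign
]

if __name__ == "__main__":
    for idx, tech, desc in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {tech} - {desc}")
```

The regexes anchor on the exact directory and file name from the report; a real Chrome install under Program Files and an `sc query` do not fire, which is the minimum a rule like this needs before it is turned into a Sigma rule or an EDR saved search.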

Indicators of Compromise

  • [MD5] Cinoshi Stealer – 1798e35f14a67741f3425ba67373667d, 40a85e9ac222d66a0f5cf526868ef2a9, and 1 more hash
  • [SHA1] Cinoshi Stealer – b929ed50142b9b43fb85c5b1ddb87ec00ca09f24, b4553412217971d814650995ce9d98c78660fdab
  • [SHA256] Cinoshi Stealer – e3aafd9f478b82cbb53ec020cdc2e00e0c4de60a7f66a1166e54ab75b6a9e8c3, cf1705c39dc3dbf65856ac6f5462027d9a290ab2d38da08f76aabd684b8a9944
  • [SHA256] Miner – 9b7d799895932d8359d7eb5da378b67a481331fa1a912075339d972496d122d6
  • [URL] Malicious URLs – hxxps[:]//tryno[.]ru/robots, hxxps[:]//anaida[.]evisyn[.]lol
  • [URL] C2 – hxxps[:]//anaida[.]evisyn[.]lol
  • [Filename] Arch666.zip – archive created during data exfiltration
  • [Filename] UpdateLinks – file whose content carries instructions for subsequent payloads
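The indicators above are defanged, which is how they should be stored but not how they appear in logs. The block below is an added example, not code from Cyble: it refangs the two URLs, matches their hosts against constructed proxy log lines (subdomains of a listed host match, look-alikes such as nottryno.ru do not), flags clients that performed the full bootstrap-fetch-then-C&C sequence described under T1071, and matches the SHA256 indicators against a constructed file inventory. The log format (timestamp, client IP, method, URL), the client IPs, file paths and timestamps are all constructed; the indicator values are the ones listed on the page.

```python
"""Match the page's defanged indicators against constructed proxy logs and file hashes.

Added example, not from Cyble. Log format and all sample data are constructed;
the IoC values are the ones listed on the page.
"""
import re
from urllib.parse import urlsplit

DEFANGED_URLS = ["hxxps[:]//tryno[.]ru/robots", "hxxps[:]//anaida[.]evisyn[.]lol/"]
SHA256_IOCS = {
    "e3aafd9f478b82cbb53ec020cdc2e00e0c4de60a7f66a1166e54ab75b6a9e8c3",  # stealer
    "cf1705c39dc3dbf65856ac6f5462027d9a290ab2d38da08f76aabd684b8a9944",  # stealer
    "9b7d799895932d8359d7eb5da378b67a481331fa1a912075339d972496d122d6",  # miner
}
BOOTSTRAP_HOST = "tryno.ru"          # fetched first, response decodes to the C&C
C2_HOST = "anaida.evisyn.lol"        # decoded C&C, receives the POST exfiltration

# Assumed log format: "<timestamp> <client ip> <METHOD> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def refang(ioc):
    """Turn hxxps[:]//a[.]b back into https://a.b so it can be compared with real logs."""
    return ioc.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


def ioc_hosts(defanged_urls=DEFANGED_URLS):
    """Lower-cased set of hosts extracted from the refanged URLs."""
    return {urlsplit(refang(u)).hostname.lower() for u in defanged_urls}


def host_matches(host, hosts):
    """True if host equals a listed host or is a subdomain of one (not a look-alike)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in hosts)


def scan_proxy_log(lines, hosts=None):
    """Return (client, method, host) for every line whose host is an indicator."""
    hosts = hosts or ioc_hosts()
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        host = urlsplit(m["url"]).hostname or ""
        if host_matches(host, hosts):
            hits.append((m["src"], m["method"], host.lower()))
    return hits


def clients_with_full_chain(hits):
    """Clients that fetched the bootstrap URL and then talked to the decoded C&C."""
    seen = {}
    for src, _method, host in hits:
        seen.setdefault(src, set()).add(host)
    return {src for src, hosts in seen.items()
            if host_matches(BOOTSTRAP_HOST, hosts) and
            any(host_matches(h, {C2_HOST}) for h in hosts)}


def match_hashes(inventory, iocs=SHA256_IOCS):
    """inventory: iterable of (path, sha256). Returns the paths whose hash is an indicator."""
    return [path for path, digest in inventory if digest.lower() in iocs]


# Constructed proxy log: client .12 shows the full chain, client .40 only a C&C subdomain,
# the last line is a look-alike domain that must not match.
SAMPLE_LOG = [
    "2023-03-23T10:14:02Z 10.0.0.12 GET https://tryno.ru/robots",
    "2023-03-23T10:14:03Z 10.0.0.12 POST https://anaida.evisyn.lol/",
    "2023-03-23T10:14:05Z 10.0.0.12 GET https://www.google.com/",
    "2023-03-23T10:15:00Z 10.0.0.40 GET https://cdn.anaida.evisyn.lol/update",
    "2023-03-23T10:15:10Z 10.0.0.40 GET https://nottryno.ru/robots",
    "garbage line without the expected fields",
]

# Constructed inventory; paths are made up, hashes are the page's indicators plus a dummy.
SAMPLE_INVENTORY = [
    (r"C:\Users\alice\Downloads\setup.exe",
     "E3AAFD9F478B82CBB53EC020CDC2E00E0C4DE60A7F66A1166E54AB75B6A9E8C3"),
    (r"C:\Users\alice\AppData\Roaming\m.exe",
     "9b7d799895932d8359d7eb5da378b67a481331fa1a912075339d972496d122d6"),
    (r"C:\Windows\System32\notepad.exe", "0" * 64),
]

if __name__ == "__main__":
    proxy_hits = scan_proxy_log(SAMPLE_LOG)
    print("proxy hits:", proxy_hits)
    print("full chain:", clients_with_full_chain(proxy_hits))
    print("hash hits:", match_hashes(SAMPLE_INVENTORY))
```

Matching on the host rather than the full URL is deliberate: the report gives one path per host, but the C&C receives POSTs to whatever path the operator configured, and the hash comparison is case-insensitive because tooling disagrees on hex case.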

Read more: https://blog.cyble.com/2023/03/23/cinoshi-project-and-the-dark-side-of-free-maas/