Cyble – PennyWise Stealer: An Evasive Infostealer Leveraging YouTube To Infect Users

Cyble Research Labs uncovered PennyWise, a new evasive infostealer that targets 30+ Chrome-based and 5+ Mozilla-based browsers as well as crypto wallets, with updated version 1.3.4 already observed in the wild. The malware is distributed via YouTube campaigns promoting free Bitcoin mining software, uses process hollowing to inject into a legitimate AppLaunch.exe, and exfiltrates stolen data to a C2 server.

Key Points

  • PennyWise is an emerging infostealer that already has multiple samples in the wild, with an updated version 1.3.4.
  • It can target 30+ Chrome-based browsers and 5+ Mozilla-based browsers, plus crypto wallets and related extensions.
  • Distribution occurs via YouTube videos promoting free Bitcoin mining software, including a password-protected zipped installer and a deceptive VirusTotal link to a clean file.
  • The loader injects PennyWise into a legitimate .NET binary (AppLaunch.exe) using process hollowing and then exfiltrates data to a C2 server.
  • The malware creates a mutex to enforce a single instance and uses multithreading (over 10 threads) to accelerate data theft.
  • PennyWise enumerates targeted browsers, harvests credentials, cookies, and wallet data, captures screenshots, and collects system information before exfiltrating data.
  • Exfiltration is performed by compressing the stolen data and sending it to a C2 URL (then deleting traces), with numerous anti-analysis/detection checks and country-based execution restrictions.
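As an added defender-side illustration (this is not code from the Cyble report), the following Python turns two of the behaviours summarised above, the outbound request to the exfiltration URL and the spawning of the legitimate AppLaunch.exe by a loader, into checks run over constructed log lines; the key="value" event format, the user-writable-parent heuristic and the sample paths are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Indicators from the summary above; the defanged C2 URL is written in plain
# form so it can be compared against logged values.
C2_HOST, C2_PORT, C2_PATH = "185.246.116.237", "5001", "/getfile"
HOLLOW_TARGET = "applaunch.exe"
# Heuristic (an assumption, not from the report): a loader fetched from the
# YouTube campaign runs from a user-writable folder, so AppLaunch.exe whose
# parent lives there is treated as a process-hollowing candidate.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\desktop\\")
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line: str) -> dict:
    """Parse a constructed key="value" event line into a dict."""
    return dict(KV_RE.findall(line))

def classify(ev: dict) -> Optional[str]:
    """Return a rule name if the event matches a PennyWise behaviour."""
    if ev.get("type") == "http":
        # Exfiltration: request to the report's C2 endpoint.
        if (ev.get("dst") == C2_HOST and ev.get("dport") == C2_PORT
                and ev.get("uri", "").startswith(C2_PATH)):
            return "pennywise_c2_exfil"
    elif ev.get("type") == "proc":
        # Hollowing: legitimate AppLaunch.exe spawned from a user-writable path.
        image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
        parent = ev.get("parent", "").lower()
        if image == HOLLOW_TARGET and any(s in parent for s in USER_WRITABLE):
            return "pennywise_hollowing_candidate"
    return None

def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule, line) for every line that trips a check."""
    hits = []
    for line in lines:
        rule = classify(parse_event(line))
        if rule:
            hits.append((rule, line))
    return hits

# Constructed sample telemetry, not real logs.
SAMPLE_LOG = [
    'type="proc" parent="C:\\Windows\\explorer.exe" image="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"',
    'type="proc" parent="C:\\Users\\bob\\Downloads\\miner_setup.exe" image="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"',
    'type="http" dst="185.246.116.237" dport="5001" method="POST" uri="/getfile"',
    'type="http" dst="93.184.216.34" dport="443" method="GET" uri="/"',
]
```

Running `scan(SAMPLE_LOG)` flags only the second process line and the request to port 5001; the benign AppLaunch.exe launch from explorer.exe and the unrelated HTTPS request pass.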

MITRE Techniques

  • [T1204] User Execution – ‘The TA has created a video on YouTube containing the link to download the malware.’
  • [T1055.012] Process Hollowing – ‘injected into a legitimate .NET binary named “AppLaunch.exe” using a technique called “process hollowing”.’
  • [T1140] Deobfuscate/Decode Files or Information – ‘encoded strings that are decoded during the initial execution of malware.’
  • [T1497] Virtualization/Sandbox Evasion – ‘Anti-Analysis and Anti-Detection checks to prevent the execution of the malware in a controlled environment.’
  • [T1113] Screen Capture – ‘The malware … takes a screenshot of the victim’s system.’
  • [T1518] Software Discovery – ‘The malware then gets the path of the targeted browsers for stealing user data.’
  • [T1124] System Time Discovery – ‘converting the timezone into Russian Standard Time (RST)’
  • [T1007] System Service Discovery – ‘gets the graphic driver and processor names of the victim’s machine using a WMI query.’
  • [T1071] Application Layer Protocol – ‘C2 communication over HTTP-style channels.’
  • [T1041] Exfiltration Over C2 Channel – ‘exfiltrates the folder to http[:]//185[.]246.116.237[:]5001/getfile and then deletes traces.’

Indicators of Compromise

  • [URL] Exfiltration/C2 URL – http[:]//185[.]246.116.237[:]5001/getfile
  • [MD5] Loader – eef01a6152c5a7ecd4e952e8086abdb3, 66502250f78c6f61e7725a3daa0f4220
  • [SHA-1] Loader – fd3c1844af6af1552ff08e88c1553cc6565fe455, 8cfc5d40a8008e91464fd89a1d6cb3a7b3b7a282
  • [SHA-256] Loader – e43b83bf5f7ed17b0f24e3fb7e95f3e7eb644dbda1977e5d2f33e1d8f71f5da0, 05854ea1958ef0969a2c717ce6cb0c67cd3bcd327badac6aa7925d95a0b11232
  • [MD5] Stealer Payload – a1249d31ea72e00055286c94592bc0e3
  • [SHA-1] Stealer Payload – 8644ac0cc1a805f1682a0b0f65052a1835e599b1 (40 hex digits, so a SHA-1 rather than the MD5 the source listed it as)
  • [Mutex] Single Instance – 9D16FBEF0D8A8F87529DE06A1C43C737

Read more: https://blog.cyble.com/2022/06/30/infostealer/