Cyble – Vector Stealer: A Gateway For RDP Hijacking

VectorStealer is an information-stealer capable of harvesting data from browsers, chat apps, and .rdp session files, enabling threat actors to perform RDP hijacking and remote access. It is sold via a web panel and Telegram channel, uses the KGB Crypter and KoiVM for evasion, and can exfiltrate data through Telegram, Discord, or SMTP.

Key Points

  • VectorStealer can recover sensitive information from major browsers and steal Discord tokens, among other data.
  • It targets and steals .rdp files, enabling potential RDP hijacking for unauthorized remote access and lateral movement.
  • The malware is distributed via phishing emails with MalDoc attachments and macro-enabled payloads that download the next stage.
  • TA-operated web panels advertise a KGB Crypter to evade antivirus, and the payload is often protected/obfuscated with KoiVM.
  • Exfiltration occurs through Telegram, Discord, or SMTP, with data compressed into a zip file and sent after initial beaconing and chat messages.
  • VectorStealer enumerates and steals from apps like Outlook, Foxmail, Discord, Telegram, and many browsers, as well as crypto wallets.

MITRE Techniques

  • [T1566] Phishing – The phishing email themed around spare parts with an attachment named “POM-8501” pretends to be from a supplier. ‘The MalDoc attachment in the spam email is shown below.’
  • [T1204] User Execution – MalDoc macro requires enabling macros to trigger malicious activities on the victim’s computer. ‘When the MalDoc attachment is opened, it prompts the user to enable the macro.’
  • [T1059.001] PowerShell – The VBA macro de-obfuscates a PowerShell script and executes it to download the next stage payload. ‘The PowerShell script contains code to download the next stage payload…’
  • [T1027] Obfuscated/Compressed Files and Information – KoiVM virtualization and KGB Crypter are used to evade detection; crypters alter/obfuscate code. ‘Crypters are a tool used by threat actors…’
  • [T1053.005] Scheduled Task – The stealer copies itself into the AppData directory and registers a scheduled task that launches that copy, establishing persistence. ‘creates a task scheduler to establish persistence’
  • [T1012] Query Registry – The stealer queries registry keys to steal credentials for specific apps. ‘The table below shows the registry keys queried by the Stealer for collecting victims’ sensitive information.’
  • [T1555.003] Credentials from Web Browsers – The stealer recovers information from major browsers such as Chrome, Firefox, Safari, etc. ‘The TA has claimed the following on their web panel: “The VectorStealer can recover sensitive information from all major browsers, including Firefox, Chrome, and Safari.”’
  • [T1041] Exfiltration Over C2 Channel – Data is compressed and exfiltrated via Telegram/Discord/SMTP. ‘The archive can then be exfiltrated using SMTP, Discord webhooks, or Telegram API.’
  • [T1071] Application Layer Protocol – Exfiltration and C2 operations use application-layer protocols (Telegram, Discord, SMTP). ‘exfiltrates the data using Telegram API and Discord webhooks.’
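As an added detection example (not code from the Cyble report), the following Python checks constructed endpoint log lines for two of the behaviours listed above: a scheduled task whose action launches a binary from AppData, and an AppData-resident process connecting to a Telegram or Discord endpoint. The key=value log format, the file paths and the exfiltration host list are assumptions.

```python
import re

# Constructed sample events (not from the report): one key=value line per event.
SAMPLE_EVENTS = [
    'type=proc image=C:\\Windows\\System32\\schtasks.exe cmdline="schtasks /create /tn Updater /tr C:\\Users\\bob\\AppData\\Roaming\\svc.exe /sc onlogon"',
    'type=net image=C:\\Users\\bob\\AppData\\Roaming\\svc.exe dest=api.telegram.org port=443',
    'type=net image=C:\\Program Files\\Mozilla Firefox\\firefox.exe dest=discord.com port=443',
    'type=proc image=C:\\Windows\\System32\\schtasks.exe cmdline="schtasks /create /tn Backup /tr C:\\Program Files\\Backup\\run.exe /sc daily"',
]

APPDATA_RE = re.compile(r'\\AppData\\', re.IGNORECASE)
# Assumed endpoints used by Telegram bot API and Discord webhook exfiltration.
EXFIL_HOSTS = ("api.telegram.org", "discord.com", "discordapp.com")

def parse_event(line):
    """Turn one key=value log line into a dict; values may be double-quoted."""
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|\S+)', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields

def task_action_in_appdata(ev):
    """schtasks /create whose /tr action points at a binary under AppData."""
    if ev.get("type") != "proc" or "schtasks" not in ev.get("image", "").lower():
        return False
    # Note: an unquoted /tr path containing spaces is only partially captured.
    m = re.search(r'/tr\s+(\S+)', ev.get("cmdline", ""), re.IGNORECASE)
    return bool(m and APPDATA_RE.search(m.group(1)))

def appdata_process_to_exfil_host(ev):
    """Process running from AppData talking to a Telegram/Discord endpoint."""
    if ev.get("type") != "net":
        return False
    return bool(APPDATA_RE.search(ev.get("image", ""))) and \
        ev.get("dest", "").lower() in EXFIL_HOSTS

def find_suspicious(lines):
    """Return (rule_name, parsed_event) for every line matching a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if task_action_in_appdata(ev):
            hits.append(("persistence_task_from_appdata", ev))
        if appdata_process_to_exfil_host(ev):
            hits.append(("appdata_process_to_exfil_host", ev))
    return hits

if __name__ == "__main__":
    for rule, ev in find_suspicious(SAMPLE_EVENTS):
        print(rule, ev.get("image"))
```

In practice the two rules are most useful correlated on the same host within a short window, since either alone also fires on some legitimate software.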

Indicators of Compromise

  • [URL] Malicious URL – hxxp[:]//185.246.220[.]65/2×2/img-078-410-00[.]exe, hxxp[:]//185.246.220[.]65/2×2/PCqcxNVzIHq2raQ.exe
  • [IP] IP Address – 185.246.220.65 (associated with the malicious URLs)
  • [Hash] VectorStealer Loader – a6280d3f50d1b373d5fa5f45247ac08b, 421569147d9734ed3f9277bd3fbeacd42f1552ca, 2b3aaa175f97c142679b9d9e7e9b9a2b2d85bf3990b1f9276f0dc79b0aaab06e
  • [Hash] VectorStealer Loader – 939d6f6dd06eb826b27eda72f2ebe9c2, 2ca7b12d8473867b6667a463aec7588a41ef9803
  • [Hash] VectorStealer Payload – ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb, ff06e0ddf65aafa2eb9a12fe38efbeb5
  • [Hash] VectorStealer Payload – a2148b40c7dc3c5a198881ac403c98c9650b4374, b2d0305532b6f08f041cd109be667486c4a80deedb1394daad1e880a1d9a09d5

Read more: https://blog.cyble.com/2023/02/01/vector-stealer-a-gateway-for-rdp-hijacking/