Gremlin Stealer’s Evolved Tactics: Hiding in Plain Sight With Resource Files

MITRE Techniques

• [T1027 ] Obfuscated Files or Information – The malware hides its payload in the .NET Resource section and uses XOR encoding to evade static analysis (‘the malicious payload into the .NET Resource section, masking it with XOR encoding to bypass signature-based detection and heuristic scanning’).
• [T1027.016 ] Stripped Payload – The sample is packed and transformed into custom bytecode executed by a private virtual machine, hindering inspection (’employs instruction virtualization, transforming the original code into a custom, non-standard bytecode executed by a private virtual machine’).
• [T1027.013 ] Encrypted/Encoded File – Strings and configuration data are encrypted and recovered only through a decoder routine (‘All important strings are hidden’ and ‘uses these numbers to calculate an offset and a length’).
• [T1055 ] Process Injection – The malware requests data directly from the running browser process to hijack live sessions (‘requesting the data directly from the running browser process’).
• [T1115 ] Clipboard Data – The clipper continuously monitors the clipboard for cryptocurrency wallet strings and replaces them in real time (‘continuously monitors the system clipboard’ and ‘replaces the victim’s address with the attacker’s wallet’).
• [T1005 ] Data from Local System – It collects local browser and system data such as cookies, tokens, clipboard contents, and stored credentials (‘Browser cookies’, ‘Session tokens’, ‘Clipboard contents’, ‘FTP and VPN credentials’).
• [T1566 ] Phishing – The article notes theft of digital identity and social engineering-related artifacts such as Discord tokens (‘signifies a pivot toward targeting digital identity and social engineering’).
• [T1041 ] Exfiltration Over C2 Channel – Stolen data is uploaded to attacker-controlled servers for publication or sale (‘exfiltrates it to attacker-controlled servers’).