HookSpoofer: The Modified Open Source Stealer Bundlers Making the Rounds

Keypoints

  • HookSpoofer is an infostealer distributed inside “bundlers” such as “Spotify proxyless checker 2022.rar”, an archive of 17 files whose main payload is “Spotify checker.exe”.
  • It is written in C#/.NET, packed with the Confuser obfuscator, and is a modified build of the open-source StormKitty stealer.
  • At runtime the loader AES-decrypts an embedded module (“koi”) and loads it into its own process memory; it displays a fake error message so the victim assumes the tool simply failed while the stealer keeps running in the background.
  • A Telegram bot token and ID are hardcoded; DotNetZip.dll and AnonFileApi.dll are fetched at runtime from the StormKitty GitHub repository to package and exfiltrate the stolen data.
  • Anti-analysis checks target VirtualBox, sandboxes, debuggers, VirusTotal and Any.Run, look for sandbox DLLs, and abort execution if analyst tooling (Process Hacker, netstat, TcpView, Regmon) is running.
  • It steals VPN credentials, browser data, Wi‑Fi passwords, screenshots, webcam captures and chat-application data, archives everything in a password-protected ZIP, uploads the archive to anonfile.com and reports the result through the Telegram bot.
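The network side of the chain described above (dependency pull from the StormKitty repository, then an anonfile upload and a Telegram Bot API call from the same host) is the part a defender can hunt for in proxy logs. The script below is an added example written for this write-up, not code from Uptycs, StormKitty or the malware. It assumes a whitespace-separated proxy log of the form `<ISO-8601 timestamp> <client IP> <method> <URL> <status>`; the sample lines are constructed for the demo, not captured traffic, while the indicators themselves (the raw.githubusercontent.com paths, the Telegram Bot API and anonfile.com) come from the page.

```python
"""Hunt for HookSpoofer's network footprint in web-proxy logs.

Added example for this write-up; it is not code from Uptycs, StormKitty or
the malware. Assumptions: a whitespace-separated proxy log of the form
"<ISO-8601 timestamp> <client IP> <method> <URL> <status>", and the
SAMPLE_LOGS below, which are constructed for the demo, not captured traffic.
"""
import re
from datetime import datetime
from typing import Dict, List

# Dependency pull: the stealer fetches DotNetZip.dll / AnonFileApi.dll from the
# StormKitty repository instead of shipping them inside the bundle.
STORMKITTY_RAW = re.compile(
    r"https?://raw\.githubusercontent\.com/LimerBoy/StormKitty/\S*?"
    r"(DotNetZip|AnonFileApi)\.dll")
# Telegram Bot API: /bot<bot_id>:<secret>/<method>. We keep the bot id (a stable
# pivot across samples) and deliberately never copy the secret into output.
TELEGRAM_BOT = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)")
ANONFILE = re.compile(r"https?://(?:[\w-]+\.)*anonfiles?\.com/", re.I)

SAMPLE_LOGS = [  # constructed sample lines, not real traffic
    "2023-03-14T10:01:02Z 10.0.0.21 GET https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll 200",
    "2023-03-14T10:01:03Z 10.0.0.21 GET https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/AnonFileApi.1.14.6/lib/net40/AnonFileApi.dll 200",
    "2023-03-14T10:01:09Z 10.0.0.21 POST https://anonfile.com/upload 200",
    "2023-03-14T10:01:10Z 10.0.0.21 POST https://api.telegram.org/bot6122846074:AAF6rJZMCIphpMPrSWQdU2PZSf14u6p4zeA/sendMessage 200",
    "2023-03-14T10:02:00Z 10.0.0.33 GET https://raw.githubusercontent.com/python/cpython/main/README.rst 200",
    "2023-03-14T10:02:30Z 10.0.0.45 GET https://www.uptycs.com/blog/threat-research-hookspoofer 200",
]


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per log line whose URL matches an indicator."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip it rather than abort the hunt
        ts, client, method, url = parts[:4]
        if m := STORMKITTY_RAW.search(url):
            hit = {"rule": "stormkitty_dependency_download", "detail": m.group(1) + ".dll"}
        elif m := TELEGRAM_BOT.search(url):
            hit = {"rule": "telegram_bot_api",
                   "detail": f"bot_id={m['bot_id']} method={m['method']}"}
        elif ANONFILE.search(url):
            hit = {"rule": "anonfile_upload", "detail": method}
        else:
            continue
        hit.update(ts=ts, client=client)
        hits.append(hit)
    return hits


def _parse_ts(ts: str) -> datetime:
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def correlate(hits: List[Dict[str, str]], window_seconds: int = 300) -> Dict[str, str]:
    """Rate each client: a dependency pull plus an exfil channel inside the
    window reproduces the infection chain and is rated "high"; a lone
    indicator is "medium" (GitHub and Telegram both have benign uses)."""
    by_client: Dict[str, List[Dict[str, str]]] = {}
    for h in hits:
        by_client.setdefault(h["client"], []).append(h)
    verdicts: Dict[str, str] = {}
    for client, client_hits in by_client.items():
        rules = {h["rule"] for h in client_hits}
        times = sorted(_parse_ts(h["ts"]) for h in client_hits)
        span = (times[-1] - times[0]).total_seconds()
        staged = ("stormkitty_dependency_download" in rules
                  and bool(rules & {"telegram_bot_api", "anonfile_upload"}))
        verdicts[client] = "high" if staged and span <= window_seconds else "medium"
    return verdicts


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for h in found:
        print(f"{h['ts']} {h['client']} {h['rule']}: {h['detail']}")
    print(correlate(found))
```

The correlation step matters because a raw.githubusercontent.com download or a Telegram API call on its own is common in most environments; it is the sequence from one host within a few minutes that reproduces the stealer's behaviour. The bot token is matched but never written to the output, since a token copied into a ticket or SIEM is a credential leak in its own right.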

MITRE Techniques

  • [T1027] Obfuscated Files or Information – “packed by Confuser, a .NET obfuscator.”
  • [T1560] Archive Collected Data – “All collected data is again archived in a password protected Zip file.”
  • [T1620] Reflective Code Loading – “the koi module is loaded internally to the main stub.exe file inside memory.” (The module is loaded into the stealer's own process rather than into another process, so this is not T1055 Process Injection.)
  • [T1497] Virtualization/Sandbox Evasion – “Anti-Analysis Techniques are used to detect VirtualBox, SandBox, Debugger, VirusTotal, and Any.Run.”
  • [T1622] Debugger Evasion – the debugger check performed by the same anti-analysis routine.
  • [T1057] Process Discovery – “checks for processes (used by reverse engineers) such as process hacker, netstat, tcpview, and regmon are present. If detected, the program stops its execution.”
  • [T1113] Screen Capture – “Captures desktop screenshots.”
  • [T1125] Video Capture – “Webcam screenshot.”
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – “Edge web data, cookies, history, etc.”
  • [T1082] System Information Discovery – “Information about processes running on the system, including process name, PID, path; System info.”
  • [T1056.001] Input Capture: Keylogging – “keylogging and clipper abilities.”
  • [T1115] Clipboard Data – “clipper abilities” (clipboard data collection).
  • [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – “Zip file is uploaded to anonfile.com…”
  • [T1041] Exfiltration Over C2 Channel – “…and the message ID is processed by the Telegram bot.”

Indicators of Compromise

  • [Hash] MD5, bundler – de90466d983da595e863339c34ee4b6b
  • [Hash] MD5, packed HookSpoofer – 7fce055a581c0b116a9679291bf89b7d
  • [Hash] MD5, unpacked HookSpoofer – 474e0cd6bc1f0fb71bbffa1ae7dd8e66
  • [URL] DotNetZip.dll location – https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll
  • [URL] AnonFileApi.dll location – https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/AnonFileApi.1.14.6/lib/net40/AnonFileApi.dll
  • [URL] Telegram API (deobfuscated example) – https://api.telegram.org/bot6122846074:AAF6rJZMCIphpMPrSWQdU2PZSf14u6p4zeA/
  • [URL] GitHub hosting for dependencies – https://raw.githubusercontent.com/LimerBoy/StormKitty/…
  • [Domain] anonfile.com – file hosting for uploaded ZIPs
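Hash indicators are easy to mislabel when an IoC table is transcribed: a digest gets filed under the wrong kind, or a 32-character MD5 is declared as SHA1, and a blocklist built from the table then silently misses the sample. The script below is an added example for this page, not code from Uptycs; it infers the algorithm from the digest length, flags declared/inferred mismatches, duplicates and mis-filed digests, and emits a clean digest-to-algorithm map. The three digests are the MD5s from the list above; the surrounding labels are constructed to reproduce those two transcription errors, and the `[kind] label – value` line format is an assumption taken from this page's list.

```python
"""Sanity-check hash indicators before loading them into a blocklist.

Added example for this page, not from Uptycs. The digests are the three MD5s
from the IoC list; the labels around them are constructed to reproduce two
common transcription errors (a digest filed under "[File name]", and an MD5
declared as SHA1). The "[kind] label – value" format is an assumption.
"""
import re
from typing import Dict, List, Optional

HEX_LEN_TO_ALGO = {32: "MD5", 40: "SHA1", 64: "SHA256"}
IOC_LINE = re.compile(r"^\[(?P<kind>[^\]]+)\]\s*(?P<label>.*?)\s*[–-]\s*(?P<value>\S+)$")

IOC_LINES = [  # constructed lines in the page's list format
    "• [File name] Bundler – de90466d983da595e863339c34ee4b6b",
    "• [File name] Packed Hookspoofer – 7fce055a581c0b116a9679291bf89b7d",
    "• [File name] Unpacked Hookspoofer – 474e0cd6bc1f0fb71bbffa1ae7dd8e66",
    "• [Hash] MD5 – de90466d983da595e863339c34ee4b6b",
    "• [Hash] MD5 – 7fce055a581c0b116a9679291bf89b7d",
    "• [Hash] SHA1 – 474e0cd6bc1f0fb71bbffa1ae7dd8e66",
]


def algo_from_digest(value: str) -> Optional[str]:
    """Infer the algorithm from the hex length; None if the value is not a hex digest."""
    if not re.fullmatch(r"[0-9a-fA-F]+", value):
        return None
    return HEX_LEN_TO_ALGO.get(len(value))


def check_iocs(lines: List[str]) -> List[Dict[str, str]]:
    """Classify each parseable line: ok / mismatch / duplicate / mislabeled_as_* / not_a_hash."""
    results: List[Dict[str, str]] = []
    seen = set()
    for raw in lines:
        m = IOC_LINE.match(raw.strip().lstrip("•").strip())
        if not m:
            continue
        kind, label, value = m["kind"], m["label"], m["value"]
        actual = algo_from_digest(value)
        is_hash_row = kind.strip().lower() == "hash"
        declared = label.upper().replace("-", "") if is_hash_row else None
        if actual is None:
            status = "not_a_hash"          # URLs, domains, genuine file names
        elif is_hash_row and declared != actual:
            status = "mismatch"            # e.g. 32 hex chars declared as SHA1
        elif value.lower() in seen:
            status = "duplicate"
        elif not is_hash_row:
            status = "mislabeled_as_" + kind.strip().lower().replace(" ", "_")
        else:
            status = "ok"
        if actual is not None:
            seen.add(value.lower())
        results.append({"value": value.lower(), "declared": declared or kind,
                        "actual": actual or "-", "status": status})
    return results


def clean_hashes(lines: List[str]) -> Dict[str, str]:
    """Deduplicated {digest: inferred algorithm}, ready for a blocklist."""
    return {r["value"]: r["actual"] for r in check_iocs(lines) if r["actual"] != "-"}


if __name__ == "__main__":
    for r in check_iocs(IOC_LINES):
        print(f"{r['status']:<24} declared={r['declared']:<9} actual={r['actual']:<6} {r['value']}")
    print(clean_hashes(IOC_LINES))
```

Trust the inferred algorithm over the declared one: the length of a hex digest is unambiguous, whereas the label is whatever the transcriber typed.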

Read more: https://www.uptycs.com/blog/threat-research-hookspoofer