A phishing campaign impersonating a VPN provider targets Windows, Linux, and macOS users with platform-specific stealer binaries designed to harvest crypto wallet data, passwords, and SSH keys. The operation is tied to a Telegram channel with 54k+ subscribers and uses multi-OS delivery, registrar changes, and HTTPS exfiltration to a C2 server. #CheanaStealer #WarpVPN #ganache #Warpvpn #VPN #Windows #Linux #macOS
Key Points
- Phishing site impersonates a VPN provider targeting Windows, Linux, and macOS users.
- Distinct stealer binaries are created for each operating system.
- Windows version targets crypto browser extensions, crypto wallets, and stored passwords.
- Linux version focuses on crypto wallets, browser data, cookies, and SSH keys.
- macOS version steals browser data, the Keychain, and SSH keys, among other credentials.
- The campaign is linked to a Telegram channel with over 54,000 subscribers that has been active since 2018; the operators appear to have changed around 2021.
- The phishing domain has changed registrars more than once, most recently on August 21, 2024.
- Threat actors initially provided legitimate VPN services before pivoting to malware distribution.
MITRE Techniques
- [T1566] Phishing – The lure is a phishing site that impersonates a VPN provider and serves platform-specific "installers" to Windows, Linux, and macOS visitors. Quote: “…This malware reaches users via VPN phishing sites…”
- [T1059.003] Windows Command Shell – On Windows, cmd.exe runs the attacker-supplied commands that drive the infection. Quote: “…cmd.exe is used to run commands…”
- [T1059.001] PowerShell – PowerShell's Invoke-WebRequest cmdlet fetches the batch files used in the Windows delivery chain. Quote: “…Invoke-WebRequest is used for downloading batch files…”
- [T1059.006] Python – The Windows stealer itself is a Python script (main.py). Quote: “…Python stealer is used for targeting windows users…”
- [T1204] User Execution – No exploit is involved; the phishing page tells the victim which commands to run, and the infection depends on the victim doing so. Quote: “…User is instructed to execute the commands…”
- [T1555.003] Credentials from Web Browsers – Saved browser passwords are read from the Chromium “Login Data” SQLite database. Quote: “…Retrieves passwords from Login Data…”
- [T1555.001] Keychain – The macOS variant attempts to collect and exfiltrate the user's Keychain. Quote: “…Attempts to exfiltrate Keychains from MacOS system…”
- [T1539] Steal Web Session Cookie – Browser cookies are harvested alongside saved credentials, giving the operator live session tokens. Quote: “…Steals browser cookies…”
- [T1056.002] GUI Input Capture – On macOS the stealer opens a command window that asks the user to type their password. Quote: “…Shows command window to enter password on MacOS…”
- [T1552.004] Private Keys – The Linux and macOS variants collect SSH private keys from the victim's home directory. Quote: “…Tried to exfiltrate SSH keys…”
- [T1560.001] Archive via Utility – Collected data is compressed with the system zip utility before it leaves the host. Quote: “…Zip utility is used to compress the data before exfiltration…”
- [T1560.002] Archive via Library – Where the utility is not used, a zip library compresses the data instead. Quote: “…Zip library is used to compress the data before exfiltration…”
- [T1041] Exfiltration Over C2 Channel – The resulting archive is sent over HTTPS to the C2 server. Quote: “…Exfiltration Over C2 Channel…”
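The Windows delivery chain above (PowerShell Invoke-WebRequest fetching a batch file, cmd.exe running it, a Python stealer launched from the batch file) is the part of this campaign that shows up most cleanly in process-creation telemetry. The following is an added example, not code from the Cyble report or from the malware: it runs three per-technique rules over sample events and then correlates them per host, so a lone Invoke-WebRequest (which admins use legitimately) does not fire on its own. The event field names, the exact command lines, and the example.invalid download URL are constructed assumptions.

```python
"""Hunt for the Cheana Stealer Windows delivery chain in process-creation events.

Added example; not code from the original report. The events below are
constructed to mirror the chain the page describes. Field names, paths and
command lines are assumptions, not observed values.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def _base(path: str) -> str:
    """Lower-cased basename of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


_PS = {"powershell.exe", "pwsh.exe"}

# (ATT&CK technique, predicate). One rule per step of the chain.
RULES = [
    # T1059.001: PowerShell pulling a .bat with Invoke-WebRequest / iwr.
    ("T1059.001", lambda e: _base(e.image) in _PS
        and re.search(r"\b(invoke-webrequest|iwr)\b.*\.bat\b", e.command_line, re.I)),
    # T1059.003: cmd.exe spawned by PowerShell to run that batch file.
    ("T1059.003", lambda e: _base(e.image) == "cmd.exe"
        and _base(e.parent_image) in _PS
        and re.search(r"\.bat\b", e.command_line, re.I)),
    # T1059.006: the Python stealer (main.py) launched from the batch file.
    ("T1059.006", lambda e: _base(e.image).startswith("python")
        and _base(e.parent_image) == "cmd.exe"
        and re.search(r"\bmain\.py\b", e.command_line, re.I)),
]

CHAIN = {tid for tid, _ in RULES}


def match_rules(events):
    """Return (technique_id, event) for every event that matches a rule."""
    return [(tid, e) for e in events for tid, pred in RULES if pred(e)]


def chained_hosts(events):
    """Hosts on which every step of the chain was observed.

    Correlating per host is what keeps a benign Invoke-WebRequest from
    paging anyone: a single step is a weak signal, the full chain is not.
    """
    seen = {}
    for tid, e in match_rules(events):
        seen.setdefault(e.host, set()).add(tid)
    return sorted(h for h, tids in seen.items() if CHAIN <= tids)


# Constructed sample telemetry: ws01 runs the full chain, ws02 is an admin
# downloading an installer with the same cmdlet and nothing else.
_PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Windows\explorer.exe", _PS_PATH,
              'powershell -c "Invoke-WebRequest https://example.invalid/setup.bat -OutFile setup.bat"'),
    ProcEvent("ws01", _PS_PATH, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c setup.bat"),
    ProcEvent("ws01", r"C:\Windows\System32\cmd.exe",
              r"C:\Users\u\AppData\Local\Programs\Python\python.exe",
              "python.exe main.py"),
    ProcEvent("ws02", r"C:\Windows\explorer.exe", _PS_PATH,
              'powershell -c "Invoke-WebRequest https://example.invalid/tool.msi -OutFile tool.msi"'),
]

if __name__ == "__main__":
    for tid, e in match_rules(SAMPLE_EVENTS):
        print(f"{e.host}: {tid} {e.command_line}")
    print("full chain on:", chained_hosts(SAMPLE_EVENTS))
```

The rules match on the image basename rather than the full path so a Python interpreter installed per user still matches; the trade-off is that a renamed interpreter slips past, which is why the correlation step, not any single rule, should be what raises the alert.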
Indicators of Compromise
- [SHA-256] Hashes associated with Cheana Stealer components – 70f08497d7a9e6a8e5f2dd3683a20563d20668e1c78df636ff1e36a014c9d493, acf807def82c4b56752a9fa9b081dbb37ba9cc9f6e1c522568ff502b6b49b6db
- [SHA-256] Additional component hashes observed in the campaign – 48964c11fcbefd6508164239866c94b55ca2798e9745671c37447ad0a6f3e1c4
- [Domain] Phishing and C2 domains – warpvpn.net, ganache.live
- [File Name] Malicious installer scripts referenced – install-linux.sh, main.py
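A quick way to put the indicators above to work is a sweep that hashes files on disk against the listed SHA-256 values and checks DNS or proxy logs for the listed domains (including their subdomains). The following is an added example, not a tool from the Cyble report: the hashes, domains and file names are the page's IoCs; the log lines are constructed, and the one-record-per-line log layout is an assumption. File-name hits are deliberately reported separately from hash hits, because main.py is far too common a name to act on alone.

```python
"""Sweep a host and its logs for the Cheana Stealer IoCs listed above.

Added example; not code from the original report. IoC values come from the
page; the sample log lines and the log layout are constructed assumptions.
"""
import hashlib
import os
import re
import tempfile

IOC_SHA256 = {
    "70f08497d7a9e6a8e5f2dd3683a20563d20668e1c78df636ff1e36a014c9d493",
    "acf807def82c4b56752a9fa9b081dbb37ba9cc9f6e1c522568ff502b6b49b6db",
    "48964c11fcbefd6508164239866c94b55ca2798e9745671c37447ad0a6f3e1c4",
}
IOC_DOMAINS = {"warpvpn.net", "ganache.live"}
IOC_FILENAMES = {"install-linux.sh", "main.py"}

_HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root, hashes=IOC_SHA256, names=IOC_FILENAMES):
    """Return (path, reason) for files under root that match an IoC.

    A hash match is strong evidence; a bare file-name match is only a lead.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if digest in hashes:
                findings.append((path, "sha256:" + digest))
            elif name in names:
                findings.append((path, "filename:" + name))
    return findings


def domain_hits(lines, domains=IOC_DOMAINS):
    """Return (line_no, ioc_domain) for log lines mentioning an IoC domain or a subdomain of it."""
    hits = []
    for n, line in enumerate(lines, 1):
        matched = set()
        for host in _HOST_RE.findall(line):
            host = host.lower().rstrip(".")  # tolerate trailing-dot FQDNs
            for d in domains:
                if host == d or host.endswith("." + d):
                    matched.add(d)
        hits.extend((n, d) for d in sorted(matched))
    return hits


# Constructed DNS log: one "<ts> <client> query A <name>" record per line.
SAMPLE_DNS_LOG = [
    "2024-08-22T09:14:03Z 10.0.0.15 query A www.example.invalid",
    "2024-08-22T09:15:41Z 10.0.0.15 query A warpvpn.net",
    "2024-08-22T09:16:02Z 10.0.0.15 query A ganache.live",
    "2024-08-22T09:17:10Z 10.0.0.22 query A updates.example.invalid",
]


def build_demo_dir():
    """Create a scratch directory holding a benign file named main.py.

    Returns (directory, path, sha256) so the sweep can be exercised offline.
    """
    d = tempfile.mkdtemp(prefix="ioc-sweep-")
    p = os.path.join(d, "main.py")
    data = b"print('not the stealer')\n"
    with open(p, "wb") as f:
        f.write(data)
    return d, p, hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    d, _p, _h = build_demo_dir()
    for path, reason in sweep_files(d):
        print("file:", path, reason)
    for n, dom in domain_hits(SAMPLE_DNS_LOG):
        print(f"log line {n}: {dom}")
```

Run sweep_files against user home directories and temp locations first; the page lists the stealer as landing through user-executed commands, so that is where its files and the downloaded batch or shell scripts will sit.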
Read more: https://cyble.com/blog/new-cheana-stealer-targets-vpn-user/