FortiGuard Labs uncovered a Windows infostealer named ThirdEye that collects BIOS, hardware, and other system information and transmits it to a C2 server. The malware is not highly sophisticated but is evolving to gather more data, potentially aiding future attacks against targets, including Russian-speaking organizations. #ThirdEye #Fortinet #FortiGuardLabs #ShlalalaRu #GlovaticketsRu
Key points
- ThirdEye is a newly identified Windows infostealer designed to harvest system information and exfiltrate it to a C2 server.
- The first samples collected minimal data (e.g., client_hash, OS_type, host_name, user_name) and were traceable to early submissions in 2023.
- The malware uses a unique identifier (client_hash) and sends data with a custom web header (“Cookie: 3rd_eye=[client_hash value]”).
- Variants evolved to gather more data, including BIOS details, CPU cores, RAM, file lists, network interfaces, and usernames.
- C2 infrastructure includes multiple Russian-hosted domains (e.g., shlalala.ru, glovatickets.ru, ohmycars.ru, anime-clab.ru), with some samples testing against internal IPs.
- Some samples used encoding (hex) and others experimented with icons (PDF icon) to evade detection and masquerade as legitimate documents.
- Fortinet protections include FortiGuard AV signatures and WebFiltering to block C2s, with incident response support available.
MITRE Techniques
- [T1082] System Information Discovery – ‘The ThirdEye infostealer has relatively simple functionality. It harvests various system information from compromised machines, such as BIOS and hardware data. It also enumerates files and folders, running processes, and network information.’
- [T1083] File and Directory Discovery – ‘enumerates files and folders’ (as described in the article).
- [T1057] Process Discovery – ‘running processes’
- [T1016] System Network Configuration Discovery – ‘network information’ and later mention of ‘network interface data’ and related data collections.
- [T1071.001] Web Protocols – ‘sends data to its command-and-control (C2) server’ with C2 URLs like hxxp://shlalala[.]ru/general/ch3ckState and other domains.
- [T1027] Obfuscated/Compressed Files and Information – ‘data it collected was encoded in hex’ in some variants.
- [T1036] Masquerading – ‘double extension’ files such as ‘.exe’ preceded by a document-related extension and the use of a PDF icon to disguise the file.
- [T1041] Exfiltration Over C2 Channel – ‘gathers all this data and sends it to its command-and-control (C2) server’ (C2 communications).
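The beacon indicators listed above (the custom `Cookie: 3rd_eye=[client_hash]` header, the `/ch3ckState` path and the four C2 domains) are simple enough to hunt for directly in web-proxy telemetry. The following detection routine is an added example, not code from the FortiGuard report; it assumes a constructed JSON-lines log layout with `host`, `path` and `cookie` fields, which a real proxy will not match exactly.

```python
"""Flag ThirdEye-style C2 beacons in HTTP/proxy logs. Added example, not
from the FortiGuard report; checks the "3rd_eye=<client_hash>" Cookie and
the "/ch3ckState" path it describes. The JSON-lines layout is constructed."""
import json
import re

# Defanged C2 domains from the report, refanged for matching.
C2_DOMAINS = {"shlalala.ru", "glovatickets.ru", "ohmycars.ru", "anime-clab.ru"}
COOKIE_RE = re.compile(r"(?:^|;\s*)3rd_eye=([^;\s]+)")
PATH_RE = re.compile(r"/ch3ckState$")  # report shows this exact casing

def classify(entry: dict) -> list:
    """Return the ThirdEye indicators matched by one parsed log entry."""
    hits = []
    host = entry.get("host", "").lower()
    if host in C2_DOMAINS:
        hits.append(f"known C2 domain {host}")
    if PATH_RE.search(entry.get("path", "")):
        hits.append("ch3ckState beacon path")
    m = COOKIE_RE.search(entry.get("cookie", ""))
    if m:
        hits.append(f"3rd_eye cookie (client_hash={m.group(1)})")
    return hits

def scan(lines):
    """Return [(line_number, indicators)] for every matching log line."""
    found = []
    for n, line in enumerate(lines, 1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        hits = classify(entry)
        if hits:
            found.append((n, hits))
    return found

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    '{"host":"example.com","path":"/index.html","cookie":"session=abc"}',
    '{"host":"shlalala.ru","path":"/general/ch3ckState","cookie":"3rd_eye=deadbeef01"}',
    'not json at all',
    '{"host":"anime-clab.ru","path":"/ch3ckState","cookie":"x=1; 3rd_eye=CAFEBABE"}',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(hits))
```

A hit on the cookie or path alone is worth triage even when the host is not one of the four listed domains, since the report shows the operators rotating C2 infrastructure across samples.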
Indicators of Compromise
- [SHA256 Hash] – 9db721fa9ea9cdec98f113b81429db29ea47fb981795694d88959d8a9f1042e6, 5d211c47612b98426dd3c8eac092ac5ce0527bda09afa34b9d0f628109e0c796, and other hashes (Fourth and additional variants of ThirdEye)
- [C2 Domain] – shlalala[.]ru, glovatickets[.]ru, ohmycars[.]ru, anime-clab[.]ru
- [IP Address] – 10.10.30.36, 192.168.21.182 (internal testing/usage in variants)
- [Filename] – Табель учета рабочего времени.zip, Табель учета рабочего времени.xls.exe (Russian for “timesheet”; archive and disguised double-extension executable)
- [URL] – hxxp://shlalala[.]ru/general/ch3ckState, hxxp://glovatickets[.]ru/ch3ckState, hxxp://ohmycars[.]ru/general/ch3ckState, hxxp://anime-clab[.]ru/ch3ckState