Warp Loader, Warp Dropper, and Stealerium form a modern multi-stage stealer chain: the loader arrives as an email attachment, downloads the dropper, and the final (modified Stealerium) stealer exfiltrates sensitive data to a Telegram Bot API C2. The article details anti-analysis techniques, a UAC bypass, and a set of IOCs including MD5 hashes and download/C2 URLs. Hashtags: #WarpLoader #WarpDropper #Stealerium #WarpStealer #UACBypass #Telegram
Keypoints
- The malware chain comprises Warp Loader, Warp Dropper, and Stealerium, forming a staged attack that culminates in data theft.
- Delivery occurs via malicious email attachments, with a Telegram bot/C2 component used for command and exfiltration.
- The loader downloads the dropper; the dropper in turn drops two files, one that bypasses UAC and one that kills AV/EDR solutions.
- The final stealer collects extensive data, including system information, credit card details, crypto wallet data, browser cookies, and saved passwords, and even captures webcam shots.
- Anti-analysis capabilities are present (anti-debugging, anti-VM, anti-sandbox), and the malware checks for analysis tools on the system to hide its behavior.
- A set of IOCs is provided, including MD5 hashes and the download and C2 URLs used by the malware.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – The executable reaches the victim as an email attachment. ‘The attacker deploys the executable as an email attachment and sends it to the victim’s mail.’
- [T1105] Ingress Tool Transfer – The first stage is a loader that fetches the dropper from a remote host. ‘It acts as a loader and downloads the dropper component.’
- [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – The dropper writes two files, one that bypasses UAC and one that kills AV/EDR solutions. ‘This, in turn, drops two files, one for bypassing UAC and the other to kill AV/EDR solutions.’
- [T1497] Virtualization/Sandbox Evasion – Anti-VM and anti-sandbox checks, plus anti-debugging and a scan for analysis tools (the debugger checks map more precisely to T1622 Debugger Evasion). ‘anti-debugging, anti-VM, and anti-sandbox, and it also checks for any analysis tools present in the system to hide its behavior.’
- [T1082] System Information Discovery – The stealer collects victim system information alongside the credential and wallet theft described in the article. ‘steals all the victim’s system information, credit card details, crypto wallet details, social media account details, web browser cookies, and saved passwords.’
- [T1125] Video Capture – The malware takes webcam shots and stores them with its logs. ‘web camera shots and saves them as logs.’
- [T1041] Exfiltration Over C2 Channel – Collected data is sent to the attacker’s C2, which here is the Telegram Bot API. ‘will be sent to the attacker’s C2.’
Indicators of Compromise
- [MD5] – Warp Loader/Dropper/Stealer hashes – ac941919c2bffaf6aa6077322a48f09f, fe08102907a8202581766631b1e31915, and 3 more hashes
- [URL] – Telegram API endpoints used for C2/exfil – hxxps://api.telegram[.]org/bot6273916038:AAHnJC6VymoyKdR2Iq8CzH2-ZnzIcJQ0-w8/sendMessage?&parse_mode=HTML&chat_id=-1001963477498&text=, hxxps://api.telegram[.]org/bot6273916038:AAHnJC6VymoyKdR2Iq8CzH2-ZnzIcJQ0-w8/getChat?chat_id=-1001963477498
- [URL] – Additional Telegram endpoints and download link – hxxps://api.telegram[.]org/bot6273916038:AAHnJC6VymoyKdR2Iq8CzH2-ZnzIcJQ0-w8/sendDocument?chat_id=-1001963477498, hxxps://api.telegram[.]org/bot6273916038:AAHnJC6VymoyKdR2Iq8CzH2-ZnzIcJQ0-w8/sendMessage?parse_mode=Markdown&chat_id=-1001963477498, hxxps://api.telegram[.]org/bot6273916038:AAHnJC6VymoyKdR2Iq8CzH2-ZnzIcJQ0-w8/getFile?file_id=-1001963477498, and additional values
- [URL] – Download URL for Adobe Acrobat Update – hxxps://softstock[.]shop/download/Adobe%20Acrobat%20Update.exe
- [File name] – Adobe Acrobat Update.exe – Filename observed in the delivery chain
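Added detection example (not code from the Seqrite write-up or from the malware): the Telegram Bot API URLs above all share the shape `api.telegram.org/bot<id>:<secret>/<method>?chat_id=...`, so the bot token and chat_id can be parsed out of proxy or DNS-proxy logs and matched against the IOCs listed here, while any `sendDocument`/`sendMessage` call from an endpoint is flagged as suspect even when the token is unknown. The tab-separated log format and the sample log lines are constructed for this example; the IOC values are the ones on this page, refanged so they match live traffic.

```python
"""Match web-proxy log lines against the Telegram C2 / download IOCs above.

Added example, not the article's or the malware's code. Assumes a constructed
tab-separated log format: timestamp, source IP, process name, requested URL.
"""
import re
from urllib.parse import urlparse, parse_qs


def refang(s):
    """Turn a defanged IOC (hxxps://, [.]) back into the form seen in logs."""
    return s.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


# Indicators copied from this page.
IOC_BOT_TOKENS = {"6273916038:AAHnJC6VymoyKdR2Iq8CzH2-ZnzIcJQ0-w8"}
IOC_CHAT_IDS = {"-1001963477498"}
IOC_DOWNLOAD_URLS = {refang("hxxps://softstock[.]shop/download/Adobe%20Acrobat%20Update.exe")}

# Bot API path layout: /bot<numeric id>:<secret>/<method>
BOT_PATH = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")
# Methods a stealer uses to push logs/archives to its operator's chat.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}


def parse_telegram_request(url):
    """Return (token, method, chat_id) for a Telegram Bot API URL, else None."""
    u = urlparse(url)
    if u.scheme != "https" or u.hostname != "api.telegram.org":
        return None
    m = BOT_PATH.match(u.path)
    if not m:
        return None
    # parse_qs tolerates the leading '&' and trailing 'text=' seen in the IOC URLs.
    chat_id = parse_qs(u.query).get("chat_id", [None])[0]
    return m.group("token"), m.group("method"), chat_id


def classify(url):
    """'ioc' for a known token/chat_id/download URL, 'suspect' for any Bot API
    exfil call with an unknown token, None for everything else."""
    if url in IOC_DOWNLOAD_URLS:
        return "ioc"
    tg = parse_telegram_request(url)
    if tg is None:
        return None
    token, method, chat_id = tg
    if token in IOC_BOT_TOKENS or chat_id in IOC_CHAT_IDS:
        return "ioc"
    if method in EXFIL_METHODS:
        return "suspect"
    return None


def scan_log(lines):
    """Return (src_ip, process, label, bot_token_or_None) for each matching line."""
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4:
            continue  # malformed line; skip rather than crash the scan
        _ts, src, proc, url = fields
        label = classify(url)
        if label is None:
            continue
        tg = parse_telegram_request(url)
        hits.append((src, proc, label, tg[0] if tg else None))
    return hits


# Constructed sample traffic, not real logs. Process names are illustrative.
SAMPLE_PROXY_LOG = [
    "2024-05-01T10:02:11Z\t10.0.0.17\tAdobe Acrobat Update.exe\t"
    "https://softstock.shop/download/Adobe%20Acrobat%20Update.exe",
    "2024-05-01T10:03:40Z\t10.0.0.17\tupdater.exe\t"
    "https://api.telegram.org/bot6273916038:AAHnJC6VymoyKdR2Iq8CzH2-ZnzIcJQ0-w8/"
    "sendDocument?chat_id=-1001963477498",
    "2024-05-01T10:04:02Z\t10.0.0.23\tchrome.exe\thttps://web.telegram.org/a/",
    "2024-05-01T10:05:55Z\t10.0.0.31\tsvchost.exe\t"
    "https://api.telegram.org/bot1111111111:AAexampleTOKENexampleTOKENexample/"
    "sendMessage?chat_id=-1009999999999&text=hi",
]

if __name__ == "__main__":
    for src, proc, label, token in scan_log(SAMPLE_PROXY_LOG):
        print(f"{label:8} {src:12} {proc:28} token={token}")
```

The legitimate web.telegram.org browser session is ignored, the known token and the download URL are tagged `ioc`, and the unknown-token `sendMessage` from `svchost.exe` is tagged `suspect`; in a real deployment the token itself is the pivot, since it also identifies the operator's chat on the Telegram side.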
Read more: https://www.seqrite.com/blog/new-warp-malware-drops-modified-stealerium-infostealer/