Pentagon Stealer: Go and Python Malware with Crypto Theft Capabilities 

Pentagon Stealer is a newly emerged malware family written in both Python and Golang that focuses on stealing sensitive data such as browser credentials, cookies, and cryptocurrency wallet information. Its techniques include launching browsers in debug mode to bypass the encryption that normally protects stored browser data. The malware has evolved over time and has been associated with multiple attack vectors and names. Affected: browsers, cryptocurrency wallets, victims of cyber theft

Key points:

  • Pentagon Stealer exists in both Python and Golang versions.
  • It steals browser credentials, cookies, cryptocurrency wallet data, and tokens from applications like Discord and Telegram.
  • It launches browsers in debug mode to extract unencrypted cookies.
  • It replaces app.asar files in cryptocurrency wallets to steal sensitive information.
  • It is spread through typosquatting and has been associated with several names, including 1312, Acab, Vilsa, and BLX stealer.
  • It communicates with command and control (C2) servers over HTTP requests.
  • It continues to pose a persistent threat, with ongoing variations.

MITRE Techniques:

  • T1059.001: Command and Scripting Interpreter: PowerShell – Disables disk C: scanning using Microsoft Defender in the Python version.
  • T1059.003: Command and Scripting Interpreter: Windows Command Shell – Executes a .bat file to download the next stage in the Python version.
  • T1059.005: Command and Scripting Interpreter: Visual Basic – Launches a .vbs script to escalate privileges in the Python version.
  • T1140: Deobfuscate/Decode Files or Information – Decrypts Python stages using Fernet.
  • T1555.003: Credentials from Web Browsers – Steals passwords from various browsers.
  • T1539: Steal Web Session Cookie – Steals cookies from various browsers.
  • T1005: Data from Local System – Collects files with specific names and extensions from user directories.
  • T1071.001: Application Layer Protocol – Sends collected data to the command server.
  • T1659: Content Injection – Injects custom JavaScript code into cryptocurrency management software.
  • T1657: Financial Theft – Steals credentials from cryptocurrency management software.

Indicators of Compromise:

  • [Domain] pentagon[.]cy
  • [Domain] stealer[.]cy
  • [MD5] a1726ff80b020aa291bdcbb21159c618
  • [SHA1] 51c9978e60995174ed2b6b8cc5e8e1a973b66337
  • [SHA256] 0411589551ab684892e3cc776674df0f07bcdbb931c29da93c2afd08fe077336
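As an added defender-side example (not code from the ANY.RUN write-up), the Python script below turns the behaviours and indicators listed above into detection rules and runs them over a handful of constructed, Sysmon-style telemetry records. Only the two domains and the three hashes come from the page; the record field names, the Chromium `--remote-debugging-port` flag used to express "debug mode", the `Add-MpPreference -ExclusionPath` form used to express the Defender exclusion, the browser process list, and the Electron `resources\app.asar` layout are assumptions.

```python
"""Detection rules for the Pentagon Stealer behaviours and IoCs described above.

Added example; not code from the write-up. Event fields, the exact browser
flag, the exact Defender cmdlet and the Electron app.asar layout are assumptions.
"""
import re
from dataclasses import dataclass

# Indicators taken from the write-up.
IOC_DOMAINS = {"pentagon.cy", "stealer.cy"}
IOC_HASHES = {
    "a1726ff80b020aa291bdcbb21159c618",                                  # MD5
    "51c9978e60995174ed2b6b8cc5e8e1a973b66337",                          # SHA1
    "0411589551ab684892e3cc776674df0f07bcdbb931c29da93c2afd08fe077336",  # SHA256
}

# Assumptions: Chromium-based browser images, the DevTools remote-debugging flag
# (the write-up only says "debug mode"), a whole-drive Defender exclusion via
# PowerShell, and the Electron resources\app.asar layout used by wallet apps.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}
DEBUG_FLAG = re.compile(r"--remote-debugging-(port|pipe)\b", re.I)
DEFENDER_EXCL = re.compile(r"Add-MpPreference\b.*-ExclusionPath\s+['\"]?C:\\", re.I)
WALLET_ASAR = re.compile(r"\\resources\\app\.asar$", re.I)


@dataclass(frozen=True)
class Event:
    """Simplified Sysmon-like record; 'kind' is process, dns or file (constructed shape)."""
    event_id: int
    kind: str
    image: str = ""          # image of the acting process
    command_line: str = ""
    query_name: str = ""     # dns events
    target_file: str = ""    # file events
    hashes: str = ""         # Sysmon style "MD5=..,SHA256=.."


@dataclass(frozen=True)
class Alert:
    event_id: int
    technique: str
    rule: str


def _image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _parse_hashes(hashes: str) -> set[str]:
    return {h.split("=", 1)[1].lower() for h in hashes.split(",") if "=" in h}


def _is_ioc_domain(name: str) -> bool:
    name = name.lower().rstrip(".")
    return name in IOC_DOMAINS or any(name.endswith("." + d) for d in IOC_DOMAINS)


def detect(events) -> list[Alert]:
    """Apply every rule to every event and return the alerts raised."""
    alerts: list[Alert] = []
    for ev in events:
        if ev.kind == "process":
            name = _image_name(ev.image)
            if name in BROWSERS and DEBUG_FLAG.search(ev.command_line):
                alerts.append(Alert(ev.event_id, "T1539", "browser_remote_debugging"))
            if name in {"powershell.exe", "pwsh.exe"} and DEFENDER_EXCL.search(ev.command_line):
                alerts.append(Alert(ev.event_id, "T1059.001", "defender_exclusion_c_drive"))
            if _parse_hashes(ev.hashes) & IOC_HASHES:
                alerts.append(Alert(ev.event_id, "ioc", "known_pentagon_stealer_hash"))
        elif ev.kind == "dns":
            if _is_ioc_domain(ev.query_name):
                alerts.append(Alert(ev.event_id, "T1071.001", "c2_domain"))
        elif ev.kind == "file":
            m = WALLET_ASAR.search(ev.target_file)
            # A write to app.asar by a process outside the app's own install
            # directory (i.e. not its updater) is the replacement the write-up describes.
            if m and not ev.image.lower().startswith(ev.target_file[: m.start()].lower()):
                alerts.append(Alert(ev.event_id, "T1659", "wallet_app_asar_replaced"))
    return alerts


# Constructed sample telemetry; only event 7's hashes are real indicators from the page.
SAMPLE_EVENTS = [
    Event(1, "process", image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          command_line='"chrome.exe" --profile-directory=Default'),
    Event(2, "process", image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          command_line='"chrome.exe" --remote-debugging-port=9222 --headless'),
    Event(3, "process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line="powershell.exe -Command Add-MpPreference -ExclusionPath 'C:\\'"),
    Event(4, "dns", query_name="pentagon.cy"),
    Event(5, "dns", query_name="update.stealer.cy."),
    Event(6, "file", image=r"C:\Users\u\AppData\Local\Temp\build.exe",
          target_file=r"C:\Users\u\AppData\Local\Programs\wallet\resources\app.asar"),
    Event(7, "process", image=r"C:\Users\u\Downloads\setup.exe", command_line="setup.exe",
          hashes="MD5=A1726FF80B020AA291BDCBB21159C618,"
                 "SHA256=0411589551ab684892e3cc776674df0f07bcdbb931c29da93c2afd08fe077336"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"event {a.event_id}: {a.technique} {a.rule}")
```

In production the `app.asar` rule would be baselined against the wallet's legitimate updater and the browser rule against developers who actually use DevTools, but the mapping of each alert to the technique IDs listed above is what makes this useful for triage.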

Full Story: https://any.run/cybersecurity-blog/cybersecurity-blog/pentagon-stealer-malware-analysis/