Uncovering the “Serpent” – K7 Labs

Serpent Stealer is a .NET 64-bit information stealer that performs environment checks, harvests browser autofill/history/passwords, crypto wallet data, SSH/FTP/Steam credentials, and exfiltrates the data via webhooks and Discord. The malware uses sandbox/VM and debugger detection and employs a Fodhelper-based UAC bypass to escalate privileges.

Keypoints

  • Serpent Stealer is a .NET 64-bit portable executable designed to steal sensitive data from browsers and applications.
  • Initial execution performs environment checks, comparing the current username against a large blacklist and detecting debuggers and virtual machines to evade analysis.
  • Browser data collection targets Chrome (and Chromium-based browsers) by opening SQLite DBs under the user profile and running queries such as “SELECT * FROM autofill” and “SELECT url FROM urls”.
  • Collected data includes autofill entries, browsing history, saved passwords, bookmarks, crypto wallet files, Steam installation/registry data, SSH keys from .ssh, and FTP credentials from the registry.
  • Exfiltration is performed to a C2 via webhooks and Discord abuse after verifying the machine’s remote IP address.
  • The stealer includes a file-collection routine that enumerates Desktop, Documents, Pictures, Videos, and Downloads and targets specific file extensions.
  • Privilege escalation is attempted using UAC bypass techniques; the observed sample uses the Fodhelper registry-based bypass by creating keys under HKCU to run commands with elevated privileges.

MITRE Techniques

  • [T1497] Virtualization/Sandbox Evasion – compares the current username against an embedded blacklist and checks for attached debuggers and virtual machines before doing anything else; on a match it sleeps and exits.
  • [T1548.003] Abuse Elevation Control Mechanism: Bypass UAC – writes the Fodhelper registry key, which a standard user can create because it lives in HKCU; example command: [‘New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force’]
  • [T1555.003] Credentials from Web Browsers – collects browser-stored credentials and autofill data via SQLite queries such as [‘SELECT * FROM autofill’]
  • [T1567] Exfiltration Over Web Service – exfiltrates collected browser data and passwords via webhooks and Discord as noted: [‘exfiltrates the browser data and passwords via Web hooks and Discord abuse.’]
  • [T1005] Data from Local System – gathers local files and artifacts, targeting user directories like [‘Desktop, Documents, Pictures, Videos, Downloads’] for file collection.
  • [T1552] Unsecured Credentials – harvests SSH and FTP credentials by reading the ‘.ssh’ directory and extracting FTP data from the Windows registry: [‘steal SSH credentials from ‘.ssh’ directory and FTP credentials from the Windows registry.’]

Indicators of Compromise

  • [File Hash] Malware sample hashes (MD5) – e97868c8431ccd922dea3dfb50f7e0b5, a3c4785a011c350839669b8e73c823f5
  • [File Path] Browser profile root used to access SQLite DBs – %LOCALAPPDATA%\Google\Chrome\User Data (Login Data, Web Data and History live in the profile subfolders, e.g. Default\)
  • [Registry Key] UAC bypass key created under the user hive – HKCU:\Software\Classes\ms-settings\Shell\Open\command (absent on a clean system, so any write to it is a strong signal)
  • [Filename] Legitimate auto-elevating binary abused for elevation – fodhelper.exe (reads the HKCU key above and runs the command it finds there)

Serpent Stealer is implemented as a .NET 64-bit PE whose Main() routine executes a sequence of environment and evasive checks before collection. On startup it compares the current username against an embedded blacklist and detects debuggers and virtual machines; if a blacklist match or analysis environment is detected it sleeps and exits. After passing these checks the malware enumerates browser profiles under the local appdata path for Chromium-based browsers, opens SQLite databases and runs queries such as “SELECT * FROM autofill” and “SELECT url FROM urls” to extract autofill entries, history, bookmarks and saved credentials.
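The two queries quoted above, run against a look-alike Chrome profile, as an added example (this is not code from the K7 Labs article or from the stealer). The table names and columns are a constructed subset of Chrome's real schema and the rows are invented; on a Windows host the real files sit under %LOCALAPPDATA%\Google\Chrome\User Data\Default\. The point for a defender is that autofill and history need no key to read by any process running as the user; only the password column in Login Data (and card numbers in Web Data) is encrypted, so a stealer must recover that key separately.

```python
"""Read Chrome-style SQLite tables the way an info stealer does.

Added example, not code from K7 Labs or from Serpent Stealer. Builds a
throwaway profile with a constructed subset of Chrome's schema so it runs
offline; it never opens a real browser profile.
"""
import os
import pathlib
import shutil
import sqlite3
import tempfile


def build_sample_profile(directory):
    """Create 'Web Data' and 'History' with just the columns the queries touch.

    Constructed schema and rows: a subset of Chrome's real tables, not a copy.
    """
    web = sqlite3.connect(os.path.join(directory, "Web Data"))
    web.execute("CREATE TABLE autofill (name TEXT, value TEXT, count INTEGER)")
    web.executemany(
        "INSERT INTO autofill VALUES (?, ?, ?)",
        [("email", "bob@example.com", 4), ("card_holder", "B. Example", 1)],
    )
    web.commit()
    web.close()

    hist = sqlite3.connect(os.path.join(directory, "History"))
    hist.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT)")
    hist.executemany(
        "INSERT INTO urls (url, title) VALUES (?, ?)",
        [("https://intranet.example/login", "Sign in"), ("https://bank.example/", "Bank")],
    )
    hist.commit()
    hist.close()


def query_copy(db_path, sql):
    """Copy the database first, then open the copy read-only.

    A running browser typically holds the live file in exclusive locking mode,
    which is why stealers copy before querying; the copy also leaves the
    original's timestamps alone.
    """
    with tempfile.TemporaryDirectory() as tmp:
        copy = os.path.join(tmp, "copy.db")
        shutil.copy2(db_path, copy)
        uri = pathlib.Path(copy).as_uri() + "?mode=ro"
        con = sqlite3.connect(uri, uri=True)
        try:
            return con.execute(sql).fetchall()
        finally:
            con.close()


def collect(profile_dir):
    """Run the two queries quoted in the write-up against one profile folder."""
    return {
        "autofill": query_copy(os.path.join(profile_dir, "Web Data"), "SELECT * FROM autofill"),
        "history": query_copy(os.path.join(profile_dir, "History"), "SELECT url FROM urls"),
    }


def demo():
    """Build the constructed profile and return what the queries expose."""
    with tempfile.TemporaryDirectory() as profile:
        build_sample_profile(profile)
        return collect(profile)


if __name__ == "__main__":
    for table, rows in demo().items():
        print(table, rows)
```

Everything returned here is plaintext: no DPAPI call, no master key, no elevated rights. That is the exposure the stealer's browser routine monetises, and it is why profile-folder reads by unexpected processes are worth alerting on.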

Following browser collection, the stealer probes the host (including remote IP checks) and gathers additional artifacts: saved passwords from Chrome/Brave/Edge, known crypto wallet files, Steam installation/registry entries, SSH keys from the .ssh directory, and FTP credentials from the Windows registry. It also runs a targeted file stealer that recursively scans user folders (Desktop, Documents, Pictures, Videos, Downloads) for specific extensions to include in exfiltration bundles.

To escalate privileges, the sample implements UAC bypass routines and the observed build uses the Fodhelper method: it creates the HKCU registry key for the ms-settings protocol handler (HKCU:\Software\Classes\ms-settings\Shell\Open\command), which needs no admin rights to write, so that fodhelper.exe, an auto-elevating Windows binary, executes the attacker's command at high integrity. Collected data is sent to the operator's C2 via webhooks and Discord abuse after the remote-IP verification step. Read more: https://labs.k7computing.com/index.php/uncovering-the-serpent/