White Snake Stealer is an evolving information-stealer threat first highlighted in 2023, targeting browsers, crypto wallets, email clients, VPNs, and other applications to steal credentials and sensitive data. The article reviews the updated White Snake Stealer v1.6, detailing its new capabilities, persistence, TOR-based beaconing, and expanded exfiltration workflow. #WhiteSnakeStealer #MaaS #Tor #Telegram #CryptoWallets
Key points
- White Snake Stealer emerged in February 2023 and has evolved through updates (notably version 1.6) with Windows and Linux variants observed.
- Targets include a wide range of applications (browsers, crypto wallets, FTP clients, Outlook, etc.) and adds capabilities like keylogging, webcam capture, and document grabbing.
- Newer features extend its targeting to 2FA applications and VPN data; samples in public repositories and announcements on Telegram point to how it is distributed.
- For persistence and propagation it copies itself into the AppData directory and registers a scheduled task, copies itself into user startup folders, and spreads to removable USB drives.
- Anti-VM checks use WMI to detect virtual environments, and string obfuscation together with other obfuscation techniques complicates analysis.
- The stealer introduces a TOR-based beacon for C2: a hidden service's HiddenServicePort setting forwards inbound traffic to an HTTPListener on the victim's system, which handles commands and data exfiltration.
- Exfiltration serialises the collected data to XML, encrypts it with RSA and sends it to hardcoded server IPs with HTTP PUT; the Telegram Bot API is used to notify the operator.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – “execution of commands on the victim’s system enabling activities like taking screenshots and capturing webcam.”
- [T1071] Application Layer Protocol – “The beacon functionality is implemented by establishing a connection between TOR and an open port on the victim’s system.”
- [T1497] VM/Sandbox Evasion – “Anti VM method… uses Windows Management Instrumentation (WMI) queries to retrieve the system’s ‘Manufacturer’ and ‘Model’ information.”
- [T1053.005] Scheduled Task – “The stealer achieves persistence by duplicating itself in the Appdata directory and creating a scheduled task.”
- [T1547.001] Registry Run Keys/Startup Folder – “copying itself to the startup folders, ensuring automatic execution upon user login or system restart.”
- [T1091] Replication Through Removable Media – “USB Spread: Is able to spread through USB devices by making copies on removable drives.”
- [T1119] Automated Collection – “The malware exhibits the capability to extract sensitive information from various types of applications.”
- [T1041] Exfiltration Over C2 Channel – “The data exfiltration… uses the WebClient class’s PUT HTTP method.”
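As an added example (not code from the original article), a small Python correlation routine that maps endpoint telemetry onto the behaviours summarised in the key points and MITRE list above and flags hosts that show several of them together; the event schema, field names and sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (fields loosely modelled on Sysmon-style events).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "wmi_query",
     "query": "SELECT Manufacturer, Model FROM Win32_ComputerSystem"},
    {"host": "ws01", "type": "sched_task",
     "action": r"C:\Users\alice\AppData\Roaming\Updater\updater.exe"},
    {"host": "ws01", "type": "file_write",
     "path": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe"},
    {"host": "ws01", "type": "file_write", "path": r"E:\updater.exe", "removable": True},
    {"host": "ws01", "type": "http", "method": "PUT", "url": "http://203.0.113.10/"},
    {"host": "ws01", "type": "http", "method": "POST",
     "url": "https://api.telegram.org/bot000000:PLACEHOLDER/sendMessage"},
    {"host": "ws02", "type": "http", "method": "GET", "url": "https://example.org/"},
    {"host": "ws02", "type": "wmi_query", "query": "SELECT Name FROM Win32_Process"},
]

IPV4_HOST = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/")
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
APPDATA_DIR = re.compile(r"\\AppData\\", re.IGNORECASE)

def classify(event):
    """Map one event to the technique tag (from the summary) it matches, or None."""
    t = event["type"]
    if t == "wmi_query":
        q = event["query"].lower()
        if "win32_computersystem" in q and ("manufacturer" in q or "model" in q):
            return "T1497"  # anti-VM hardware fingerprinting via WMI
    elif t == "sched_task" and APPDATA_DIR.search(event["action"]):
        return "T1053.005"  # scheduled task launching a copy under AppData
    elif t == "file_write":
        if STARTUP_DIR.search(event["path"]):
            return "T1547.001"  # copy dropped into a Startup folder
        if event.get("removable") and event["path"].lower().endswith(".exe"):
            return "T1091"  # executable copied to removable media
    elif t == "http":
        if event["method"] == "PUT" and IPV4_HOST.match(event["url"]):
            return "T1041"  # PUT upload straight to a hardcoded IP
        if "api.telegram.org/bot" in event["url"]:
            return "telegram-bot-api"  # operator notification channel
    return None

def triage(events, min_hits=3):
    """Return {host: sorted tags} for hosts showing at least min_hits distinct behaviours."""
    hits = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            hits[ev["host"]].add(tag)
    return {h: sorted(tags) for h, tags in hits.items() if len(tags) >= min_hits}
```

A single hit (a benign WMI query, one HTTP PUT) is not flagged; the value is in the combination of anti-VM probing, persistence, removable-media copies and PUT exfiltration on the same host.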
Indicators of Compromise
- SHA-256: b133fccfd54e62681e3549c6947ca1521417745cc7f376c362ba118bcc0de39b, e76e206e8ae24f95a329b4f6ecdf1f22b76b07a8c628c0619b781bdba2d85732
- SHA-256: fdc83f58a30b80240c5887c6646324600f3896421059b80caddacfdb196287ea, c24938a87190df896986a22f9f66fb84401da04cda2a535856b0ce9eacb2bd0d
- SHA-256: 446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89
- SHA-256: bc7536cb39c4dc0ef7522b46efbc97b87edd958248267932c46cdda2d571a72b