Join Us for Zenith Live 2019 Learn More
Join Us for Zenith Live 2019 Learn More

Immortal information stealer

Malware steals browser data, credentials, wallet data, and more

By: Rajdeepsinh Dodia, Uday Pratap Singh

Immortal information stealer

Recently, the Zscaler ThreatLabZ team came across new information-stealer malware called Immortal, which is written in .NET and designed to steal sensitive information from an infected machine. The Immortal stealer is sold on the dark web with different build-based subscriptions. This blog provides an analysis of the data Immortal steals from browsers, the files it steals (and the applications it steals from), and what it does with the stolen data.

Immortal starts its infection by creating a directory with a random name in a temp folder. Next, it creates a password.log file in "\%Temp%\{Random_DirName}\password.log”.

Immortal writes the malware name, author’s name, and telegram address of the author in a password.log file.

  • Date: Current date and time  “MM/dd/yyyy HH:mm:ss”
  • Windows Username: Username
  • HWID: MachineGuid
  • System: Operating system name

Browser info stealing

Immortal steals data from 24 browsers. It steals stored credentials, cookies, credit card data, and autofill data from the targeted browsers.

When the user saves a username and password in the targeted browser, it stores the data in a “Login Data” file in an SQLite database format, and the browser-stored cookie information in the “Cookies” file. It also stores autofill data, credit card data, and other web information in the “Web Data” file. Below are the file paths for those files:

  • “\%AppData%\Local\{Browser}\User Data\Default\Login Data”
  • “\%AppData%\Local\{Browser}\User Data\Default\Web Data”
  • “\%AppData%\Local\{Browser}\User Data\Default\Cookies”

List of targeted browsers:

  • Chrome
  • Yandex
  • Orbitum
  • Opera
  • Amigo
  • CentBrowser
  • Torch
  • Comodo
  • Go!
  • ChromePlus
  • Uran
  • BlackHawk
  • CoolNovo
  • AcWebBrowser
  • Epic Browser
  • Baidu Spark
  • Rockmelt
  • Sleipnir
  • SRWare Iron
  • Titan Browser
  • Flock
  • Vivaldi
  • Sputnik
  • Maxthon

Credential stealing

The malware fetches credentials from the “Login Data” file and stores them in the password.log file as per the format below: Path: ” \%Temp%\{Random_DirName}\password.log”.

  • SiteUrl: Website URL
  • Login: Username
  • Password: Password
  • Program: Targeted browser

Cookie stealing

Immortal fetches cookie data from the cookies file and stores it in {Browsername}_cookies.txt file.

Path: “\%Temp%\{Random_DirName}\Cookies\{Browsername_cookies.txt}". The format is shown below.

Credit card data

Immortal fetches credit card data from the “Web Data” file and stores it in the {Browsername}_CC.txt file.

Path: “\%AppData%\{Random_DirName}\CC\{Browsername_CC.txt}”. The format is shown below.

Autofill data

The autofill feature of a browser allows the user to store commonly entered information in web forms. This information might include username, email, password, address, and credit card information. So, when the user opens a web page, it will automatically fill in the information already saved by the browser. The autofill information is stored in the “Web Data” file.

Immortal fetches autofill data from the “Web Data” file and stores it in the {Autofill}_CC.txt file.

Path: “\%AppData%\{Random_DirName}\Autofill\{Browsername_Autofill.txt}”. The format is shown below.

 

File stealing

Immortal steals files from many different applications. The details are below.

Minecraft launchers

The malware steals user data files and sessions from Minecraft launcher applications. The malware copies those applications' files into “%Temp%\{Random_DirName}\Applications\{AppName}\”. The following is a list of the applications:

  • MinecraftOnly
  • McSkill
  • LavaCraft
  • MinecraftLauncher
  • VimeWorld
  • RedServer

Steam

The malware steals files for the Steam application. Steam is an application for playing, discussing, and creating games. The files stolen by Immortal are as follows:

  • SSFN (2 files)
  • VDF files from the config folder
    • Config.vdf
    • loginusers.vdf

Telegram and Discord

Immortal also steals session-related files from Telegram and Discord. Telegram is a cloud-based instant messaging and voice over IP service. Discord is the cross-platform voice and text chat application designed to help gamers talk to each other in real time. Immortal copies those files into “%Temp%\{Random_Name}\Applications\{AppName}\”.

File Path:

  • %AppData%\Telegram Desktop\tdata\D877F783D5D3EF8C1\
  • %AppData%\Telegram Desktop\tdata\D877F783D5D3EF8C1\map0
  • %AppData%\Telegram Desktop\tdata\D877F783D5D3EF8C1\map1
  • %AppData%\discord\\Local Storage\\https_discordapp.com_0.localstorage

FileZilla

Immortal steals files that contain FileZilla credentials. FileZilla is a known FTP tool used for file transfer. The malware copies the below files into “\%Temp%\{Random_DirName}\FileZilla\”.

  • \%AppData%\Filezilla\recentservers.xml
  • \%AppData%\Filezilla\sitemanager.xml

Bitcoin-Qt wallet

Immortal steals wallet.dat files from Bitcoin-Qt, a free and open-source Bitcoin wallet software. Below is a screenshot of the code for fetching the wallet path from the registry. The malware copies the wallet.dat file in “%Temp%\{Random_DirName}\”.

Desktop files

Immortal also goes through every file in the desktop folder on the victim’s system. It steals extension files (listed below) and copies them into “%Temp%\{Random_DirName}\Files\”.

  • Txt
  • Log
  • Doc
  • Docx
  • sql

Screenshot & Webcam

Immortal takes a screenshot of the desktop of the infected system and saves it in “\%AppData%\{Random_DirName}\desktop.jpg”. It also captures a webcam snapshot and saves in it “\%AppData%\{Random_DirName}\CamPicture.jpg”.
 

Network communication

The malware stores all the stolen data in the directory “\%Temp%\{Random_DirName}\”. After that, it compresses all the files in a ZIP archive and saves the compressed file in \%Temp%\{Random_filename}.zip. Further, it sends {Random_filename}.zip to its command-and-control server as shown below. It also deletes the “\%Temp%\{Random_DirName}\” before sending the ZIP file.

  • User = User name
  • Hwid = MachineGuid

At the time of analysis, the command & control panel for this stealer was live.

We found the Immortal stealer being advertised and sold with different build-based subscriptions. The following is a screenshot of a page that describes all of Immortal's functionality and cost per build. A per-post price for one build is $30.

IOCs

Md5: 1719ff4ff267ef598a1dcee1d5b68667

Downloading URL : www.appleidservice[.]jp/stealer/files/svhost.exe

NetworkURL: www.appleidservice[.]jp/stealer/files/upload.php

 




Suggested Blogs