Page 69 - Cyber Defense eMagazine December 2022 Edition
Part One: Illicit Business as Usual
This attack, like so many others, begins with an email titled, “Important Windows Defender Update!”
formatted in a believable faux-Windows Defender template replete with official-looking graphics and MSL
logos. The recipient is warned that Windows Defender has recently detected malicious software on the
user’s computer and is then prompted to download additional software for removing the malware. After
clicking the link, the recipient is then redirected to a spoofed landing page for the malware itself.
The landing page offers links to two fictitious ‘software removal tools,’ one for a 32-bit system and the
second one for a 64-bit system. Both links yield the same malicious results, but present two further
options in order to establish legitimacy, which fools users into continuing the process.
These links lead to a shared drive containing a ZIP archive with two files inside: first, a README.txt file
that, when opened, explains how to use the tool, and second, the actual malware, a 64-bit C++ PE,
compiled using Node.js with a size of 102 MB. When running the malware, analysts searched for unique
strings and found an unusual one:
<================[t.me/doenerium]>================>
The unusual string is actually a short URL to a Telegram server, which leads to a Github repository called
doenerium created by the user doener2323. This is but one of many instances of malware being hosted
on Github.
Because the user’s profile remained available for some time, with the malware publicly available, we
were able to review its source code and analyze the malware. In this instance, the malware had two main
capabilities – harvesting individuals’ personal data and mining their crypto wallets.
It does so by first identifying the CPU of the victim’s computer – information found in the victim’s profile
– that is sent to the hacker’s Discord server. The malware then creates an exfiltration folder on the victim’s
computer, which is saved in the TEMP directory. Every directory entry contains the victim’s computer
name concatenated with an underscore and a 36-character UUID (universally unique identifier).
The malware then searches for crypto wallets housed in the victim’s computer and creates a folder called
“Wallets” within the exfiltration folder to store any crypto wallets discovered. Additionally, it creates a
small text file that summarizes the findings.
Next, the malware hunts for Discord tokens, decrypts them, and tries to validate them before finally
harvesting the rest of the browser data to look for passwords, cookies, bookmarks, history, autofill, and
more.
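A host-side hunt for the artefacts described above, written as an added example that is not taken from the article or from the doenerium source: it walks a TEMP directory for folders named <computer name>_<36-char UUID> and reports whether a "Wallets" subfolder and a summary text file are present. The folder naming and the Wallets subfolder follow the article; the summary file name (summary.txt) and the sample directory tree are constructed for the demo.

```python
"""Hunt a TEMP directory for stealer-style exfiltration folders.

Added example, not code from the article or the doenerium repository.
Folder layout (<COMPUTERNAME>_<36-char UUID> with a "Wallets" subfolder
and a small summary text file) follows the article; the summary file
name is an assumption, so any top-level .txt is reported."""
import os
import re
import tempfile
import uuid
from dataclasses import dataclass, field
from typing import List

UUID_RE = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"


@dataclass
class Finding:
    path: str
    has_wallets_dir: bool
    summary_files: List[str] = field(default_factory=list)


def is_exfil_dir_name(name: str, hostname: str) -> bool:
    """True if name is exactly <hostname>_<UUID>; hostname match is case-insensitive."""
    pattern = re.compile(r"^" + re.escape(hostname) + r"_" + UUID_RE + r"$", re.IGNORECASE)
    return pattern.match(name) is not None


def hunt_temp(temp_dir: str, hostname: str) -> List[Finding]:
    """Return one Finding per directory in temp_dir whose name fits the stealer pattern."""
    findings = []
    for entry in os.scandir(temp_dir):
        if not entry.is_dir() or not is_exfil_dir_name(entry.name, hostname):
            continue
        wallets = os.path.isdir(os.path.join(entry.path, "Wallets"))
        txts = sorted(f for f in os.listdir(entry.path) if f.lower().endswith(".txt"))
        findings.append(Finding(entry.path, wallets, txts))
    return findings


def build_sample_temp(hostname: str) -> str:
    """Constructed sample TEMP tree: one stealer-style folder plus benign noise."""
    root = tempfile.mkdtemp(prefix="hunt_demo_")
    hit = os.path.join(root, f"{hostname}_{uuid.uuid4()}")
    os.makedirs(os.path.join(hit, "Wallets"))
    with open(os.path.join(hit, "summary.txt"), "w") as fh:
        fh.write("constructed placeholder summary\n")
    os.makedirs(os.path.join(root, f"{hostname}_notauuid"))  # wrong suffix: ignored
    os.makedirs(os.path.join(root, "chrome_BITS_1234"))      # benign folder: ignored
    return root


if __name__ == "__main__":
    host = "WORKSTATION-01"
    for f in hunt_temp(build_sample_temp(host), host):
        print(f"suspicious: {f.path} wallets={f.has_wallets_dir} txt={f.summary_files}")
```

On a real host, point hunt_temp at the user's TEMP path and the machine's actual computer name; a match with a Wallets subfolder is a strong indicator that the stealer has already staged data for exfiltration.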
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.