Page 69 - Cyber Defense eMagazine December 2022 Edition

Part One: Illicit Business as Usual

            This attack, like so many others, begins with an email titled “Important Windows Defender Update!”,
            formatted in a believable faux-Windows Defender template complete with official-looking graphics and
            Microsoft logos. The recipient is warned that Windows Defender has recently detected malicious software
            on their computer and is prompted to download additional software to remove it. Clicking the link
            redirects the recipient to a spoofed landing page that delivers the malware itself.

            The landing page offers links to two fictitious ‘software removal tools’, one for 32-bit systems and
            one for 64-bit systems. Both links deliver the same malicious payload; offering the choice simply lends
            the page legitimacy and encourages users to continue.

            Both links lead to a shared drive hosting a ZIP archive that contains two files: a README.txt that
            explains how to use the ‘tool’, and the malware itself, a 64-bit PE executable of about 102 MB. The
            size is explained by how it was built: the stealer is a Node.js application packaged together with the
            Node.js runtime (itself written in C++) into a single Windows executable. Searching the binary for
            unique strings, analysts found an unusual one:

             <================[t.me/doenerium]>================>

            The string is a link to a Telegram channel (t.me/doenerium), which in turn points to a GitHub repository
            named doenerium, created by the user doener2323. This is but one of many instances of malware being
            hosted on GitHub.

            Because the user’s profile, and with it the malware’s source, remained publicly available for some time,
            we were able to review the source code and analyze the malware. In this instance, it had two main
            capabilities: harvesting victims’ personal data and stealing their cryptocurrency wallets.

            It begins by profiling the victim’s machine, including its CPU, and sends that profile to the attacker’s
            Discord server. It then creates an exfiltration (staging) folder in the victim’s TEMP directory, named
            after the victim’s computer name followed by an underscore and a 36-character UUID (universally unique
            identifier), i.e. <computername>_<uuid>.

            The malware then searches the victim’s computer for cryptocurrency wallets and creates a “Wallets”
            subfolder inside the staging folder to hold any it finds, along with a small text file that summarizes
            the findings.

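            Two of the indicators above are easy to hunt for on an endpoint: the Telegram banner string embedded in
            the packaged binary, and the <computername>_<uuid> staging folder in TEMP with its “Wallets” subfolder
            and summary text file. The script below is an added example for this article, not code from the
            article’s analysts or from the doenerium project. The sample binary bytes and the on-disk folder tree
            it checks are constructed in the script itself; the name of the summary file (summary.txt) and the
            hostname VICTIM-PC are assumptions, since the article only says “a small text file”.

```python
"""Hunt helpers for the indicators described in the article: the t.me banner string
inside the packaged binary, and the <computername>_<uuid> staging folder in TEMP.
Added example; not code from the article's analysts or from the doenerium project."""
import json
import re
import socket
import tempfile
import uuid
from pathlib import Path

# Telegram handles are 5-32 characters of [A-Za-z0-9_]. The banner's "<===[ ... ]===>"
# framing is deliberately left out of the pattern so a re-skinned build is still caught.
TELEGRAM_LINK = re.compile(rb"t\.me/[A-Za-z0-9_]{5,32}")

# <computername>_<36-character UUID>, the staging folder name the article describes.
UUID_RE = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
STAGING_DIR = re.compile(r"^(?P<host>.+)_(?P<uuid>" + UUID_RE + r")$")

# Constructed stand-in for the 102 MB executable: a header stub, then the banner string
# embedded among null padding, as it would show up in a `strings` dump.
SAMPLE_BLOB = (
    b"MZ" + b"\x00" * 30
    + b"<================[t.me/doenerium]>================>"
    + b"\x00" * 8 + b"node.exe\x00"
)


def printable_strings(data: bytes, min_len: int = 6):
    """Runs of printable ASCII of at least min_len bytes (what the `strings` tool prints)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def telegram_links(data: bytes):
    """Telegram links found among the binary's printable strings, decoded to str."""
    links = []
    for s in printable_strings(data):
        links.extend(m.decode("ascii") for m in TELEGRAM_LINK.findall(s))
    return links


def find_staging_dirs(temp_dir=None, hostname=None):
    """Directories in temp_dir named <hostname>_<uuid>, with whether a Wallets subfolder
    and any top-level .txt files are present. hostname defaults to this machine's name."""
    temp_dir = Path(temp_dir or tempfile.gettempdir())
    hostname = (hostname or socket.gethostname()).lower()
    hits = []
    for entry in temp_dir.iterdir():
        m = STAGING_DIR.match(entry.name)
        if not entry.is_dir() or m is None or m.group("host").lower() != hostname:
            continue
        hits.append({
            "path": str(entry),
            "uuid": m.group("uuid"),
            "has_wallets": (entry / "Wallets").is_dir(),
            "text_files": sorted(p.name for p in entry.glob("*.txt")),
        })
    return hits


def build_demo_tree(root):
    """Constructed staging folder laid out as the article describes. The summary file's
    name (summary.txt) and the hostname VICTIM-PC are assumptions for the demo."""
    root = Path(root)
    staged = root / f"VICTIM-PC_{uuid.uuid4()}"
    (staged / "Wallets" / "Exodus").mkdir(parents=True)
    (staged / "summary.txt").write_text("wallets found: Exodus\n")
    (root / "not_a_staging_dir").mkdir()          # control: must not be reported
    (root / f"OTHER-PC_{uuid.uuid4()}").mkdir()   # control: right shape, wrong computer name
    return staged


def run_demo():
    """Run both hunts against the constructed blob and folder tree; returns the findings."""
    with tempfile.TemporaryDirectory() as scratch:
        build_demo_tree(scratch)
        staging = find_staging_dirs(scratch, hostname="VICTIM-PC")
    return {"telegram_links": telegram_links(SAMPLE_BLOB), "staging_dirs": staging}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

            On a real host, call find_staging_dirs() with no arguments to scan the actual TEMP directory under the
            machine’s own name, and feed telegram_links() the bytes of a suspect executable; the UUID in the folder
            name changes per infection, so the hunt keys on the name’s shape rather than on a fixed value.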
            Next, the malware hunts for Discord tokens, decrypts them and attempts to validate them, before finally
            harvesting the rest of the browser data: passwords, cookies, bookmarks, history, autofill entries and
            more.

            Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.