New cryptostealing trojan

2018-10-22

A new cryptostealing Trojan is being sent to various Telegram groups.

There is an aggressive airdrop campaign pushing a new information-stealing Trojan.

The main target audience is the crypto-community: the Trojan is posted to numerous ICO Telegram groups.

ROMAD provides a short technical description of the Trojan's actions.

The Trojan is an information stealer distributed as a *.scr file (the Microsoft Windows screensaver extension).


First, it unpacks the DLLs it requires into a temporary directory:

C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-file-l1-2-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-rtlsupport-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-namedpipe-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-errorhandling-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-heap-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-profile-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-memory-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-processenvironment-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-string-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-console-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-file-l2-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-processthreads-l1-1-1.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-synch-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-debug-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-interlocked-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-processthreads-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-libraryloader-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-sysinfo-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-handle-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-datetime-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-file-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-localization-l1-2-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-synch-l1-2-0.dll


Then it starts performing its main activities. 
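The unpacking step above leaves a recognisable on-disk artefact: a hex-named directory under the user's Temp folder filled with api-ms-win-core-*.dll API-set forwarder DLLs. The script below is an added hunting example written for this post, not ROMAD's code. It checks two things that are assumptions of the example rather than facts stated by the advisory: that the directory name is exactly 8 hex characters (as 192B570A is) and that at least 20 of the 23 forwarder DLLs named above are present. Those forwarders ship legitimately with the Universal C Runtime and are also unpacked by benign bundled applications, so a hit is a lead to correlate with the *.scr execution, not a conviction on its own. The Temp tree it scans in the demo is constructed in a temporary directory.

```python
# Added example (not ROMAD's code): hunt for the unpacking artefact described
# above, a Temp\<8 hex chars> directory filled with api-ms-win-core-*.dll
# API-set forwarder DLLs.  Directory-name shape and the minimum DLL count
# are assumptions made for this example.
import re
import tempfile
from pathlib import Path
from typing import Iterable, List

# Directory names such as 192B570A from the advisory: exactly 8 hex characters.
UNPACK_DIR_RE = re.compile(r"^[0-9A-F]{8}$", re.IGNORECASE)
# API-set forwarder names such as api-ms-win-core-file-l1-2-0.dll.
FORWARDER_RE = re.compile(r"^api-ms-win-core-[a-z0-9]+-l\d-\d-\d\.dll$", re.IGNORECASE)
# Flag a directory only when it holds at least this many forwarders
# (assumption: 20 of the 23 the advisory names).
MIN_FORWARDERS = 20

# Suffixes of the 23 DLLs listed in the advisory.
ADVISORY_SUFFIXES = (
    "file-l1-2-0", "rtlsupport-l1-1-0", "namedpipe-l1-1-0", "errorhandling-l1-1-0",
    "heap-l1-1-0", "profile-l1-1-0", "memory-l1-1-0", "processenvironment-l1-1-0",
    "string-l1-1-0", "console-l1-1-0", "file-l2-1-0", "processthreads-l1-1-1",
    "synch-l1-1-0", "debug-l1-1-0", "interlocked-l1-1-0", "processthreads-l1-1-0",
    "libraryloader-l1-1-0", "sysinfo-l1-1-0", "handle-l1-1-0", "datetime-l1-1-0",
    "file-l1-1-0", "localization-l1-2-0", "synch-l1-2-0",
)
ADVISORY_DLLS = tuple(f"api-ms-win-core-{s}.dll" for s in ADVISORY_SUFFIXES)


def matches_unpack_pattern(dir_name: str, file_names: Iterable[str]) -> bool:
    """Pure check: hex-named directory holding enough forwarder DLLs."""
    if not UNPACK_DIR_RE.match(dir_name):
        return False
    forwarders = sum(1 for name in file_names if FORWARDER_RE.match(name))
    return forwarders >= MIN_FORWARDERS


def scan_temp(temp_root: Path) -> List[Path]:
    """Return the immediate subdirectories of temp_root that match the pattern."""
    flagged = []
    for child in sorted(temp_root.iterdir()):
        if not child.is_dir():
            continue
        names = [p.name for p in child.iterdir() if p.is_file()]
        if matches_unpack_pattern(child.name, names):
            flagged.append(child)
    return flagged


def run_demo() -> List[str]:
    """Build a constructed Temp tree and return the names of flagged directories."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed: a directory shaped like the advisory's drop location.
        dropped = root / "192B570A"
        dropped.mkdir()
        for dll in ADVISORY_DLLS:
            (dropped / dll).touch()
        # Constructed: a hex-named directory with too few forwarders, as a
        # legitimate installer that unpacked a handful of them might leave.
        benign_hex = root / "DEADBEEF"
        benign_hex.mkdir()
        for dll in ADVISORY_DLLS[:3]:
            (benign_hex / dll).touch()
        # Constructed: a non-hex-named directory full of forwarders.
        vendor = root / "vendor-setup"
        vendor.mkdir()
        for dll in ADVISORY_DLLS:
            (vendor / dll).touch()
        return [d.name for d in scan_temp(root)]


if __name__ == "__main__":
    # On a live Windows host, point scan_temp at
    # Path.home() / "AppData" / "Local" / "Temp" instead of the constructed tree.
    print(run_demo())  # ['192B570A']
```

Only the 192B570A-shaped directory is flagged: the hex-named directory with three forwarders stays under the threshold and the vendor-setup directory fails the name check. Tune MIN_FORWARDERS to the environment before running it across a fleet.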

Data theft abilities

•  The Trojan steals the credentials stored by the following applications:

o  Web browsers: Internet Explorer, Firefox, Waterfox, Comodo IceDragon, Cyberfox, Pale Moon, Chrome, YandexBrowser, Comodo Dragon, Amigo, Orbitum, Bromium, Chromium, Nichrome, RockMelt, 360Browser, Vivaldi, Opera, Epic Privacy Browser, Brave, CocCoc, CentBrowser, 7Star, Elements Browser, TorBro, Suhba, Secure Browser, Mustang, Superbird, Chedot, Torch

o  Email clients: Outlook, Thunderbird

o  Messengers: QIP, Skype, Telegram

o  FTP clients: FileZilla, WinSCP

•  The Trojan also steals web browser data such as:

o  Cookies
o  Cache
o  Browsing history

•  The Trojan looks for cryptowallet files:

o  wallet.dat
o  electrum.dat

•  The Trojan also looks for the secret keys of the following cryptowallets: Monero, Bitcoin, BitcoinGold, BitCore, Litecoin, BitcoinABC

•  The Trojan reads the *.txt and *.png files on the user’s Desktop

•  The Trojan looks for the installed software under the following Registry keys:

SOFTWARE\Microsoft\Windows NT\CurrentVersion
HARDWARE\DESCRIPTION\System\CentralProcessor\0
Software\Microsoft\Windows\CurrentVersion\Uninstall

It also calls the GetUserName, GetTimeZoneInformation and GetSystemInfo APIs to collect more data, and uses the process enumeration APIs (CreateToolhelp32Snapshot, Process32First, Process32Next) to list the running processes.


Remote access abilities

The Trojan is able to install a remote access client (VNC) by injecting it into a svchost.exe process. The injection is performed with the novel Process Doppelganging technique.


Users’ protection

ROMAD Endpoint Defense users are already protected from this threat: the Genetic Sequence Generic.Injector.Pre protects them from the additional payload's behaviour.

The Genetic Sequence Stealer.Pre has been created to protect against the behaviour of the main Trojan module.


IOCs

Droppers
2f531a2bbea179623da6e2aed2df58dd74e5d6b1b2a86dce16541e1d93aca9de
3dbe11c28d87499f26394302714ef74857d18f61c61a1c192059d39138214776

Main stealing module (the one that uses the Doppelganging technique)
5e3953703e401479a391016ba9f05da60031305bcac59473e9e03daff4fea48f
132375a6e117cd5aa43b18f7de7814bc6c0431f74ccf679f6e95790e4cfc222e

VNC module
6a8b88c1cf0524a46c3fd09d18a237f8795a729582b585937f75ca73ed3e4a83
e13e86881370d9df53b9df383d847a33c523181d661fc249de9f0db063dc60c4
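The hashes above are SHA-256 values, so the cheapest way to check a host or a file share for these samples is to hash candidate files and compare. The script below is an added example written for this post, not ROMAD's tooling. The six digests are copied from the IOC list; the labels "dropper", "stealer-module" and "vnc-module" are this example's tags for the three groups, and the suffix filter (.scr, .exe, .dll) is an assumption you can widen. Because the real samples are not available here, the demo builds a constructed directory with constructed files and adds the hash of one of them to the IOC table for the run, so the sweep has something to find.

```python
# Added example (not ROMAD's code): sweep a directory tree for files whose
# SHA-256 matches the IOCs listed in the advisory.  The files hashed in the
# demo are constructed and only match a constructed extra IOC added for the run.
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# SHA-256 IOCs from the advisory, labelled with the role the advisory assigns.
IOCS: Dict[str, str] = {
    "2f531a2bbea179623da6e2aed2df58dd74e5d6b1b2a86dce16541e1d93aca9de": "dropper",
    "3dbe11c28d87499f26394302714ef74857d18f61c61a1c192059d39138214776": "dropper",
    "5e3953703e401479a391016ba9f05da60031305bcac59473e9e03daff4fea48f": "stealer-module",
    "132375a6e117cd5aa43b18f7de7814bc6c0431f74ccf679f6e95790e4cfc222e": "stealer-module",
    "6a8b88c1cf0524a46c3fd09d18a237f8795a729582b585937f75ca73ed3e4a83": "vnc-module",
    "e13e86881370d9df53b9df383d847a33c523181d661fc249de9f0db063dc60c4": "vnc-module",
}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries do not fill RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify_hash(digest: str, iocs: Dict[str, str] = IOCS) -> Optional[str]:
    """Label for a known-bad hash (case-insensitive), or None when unknown."""
    return iocs.get(digest.strip().lower())


def sweep(root: Path, iocs: Dict[str, str] = IOCS,
          suffixes: Tuple[str, ...] = (".scr", ".exe", ".dll")) -> List[Tuple[Path, str]]:
    """Hash every file under root with a listed suffix and return the IOC hits."""
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        label = classify_hash(sha256_file(path), iocs)
        if label is not None:
            hits.append((path, label))
    return hits


def run_demo() -> List[Tuple[str, str]]:
    """Constructed tree: one file treated as known-bad for the run, two that are clean."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        downloads = root / "Downloads"
        downloads.mkdir()
        bad = downloads / "airdrop.scr"  # constructed name and content
        bad.write_bytes(b"constructed sample body, not real malware")
        (downloads / "notes.txt").write_bytes(b"skipped: suffix not in scope")
        (downloads / "clean.exe").write_bytes(b"constructed clean binary")
        # Extend the advisory's table with the hash of the constructed file so
        # the demo produces a hit; a real sweep uses IOCS exactly as published.
        demo_iocs = dict(IOCS)
        demo_iocs[sha256_file(bad)] = "constructed-demo"
        return [(p.name, label) for p, label in sweep(root, demo_iocs)]


if __name__ == "__main__":
    # For a real sweep: sweep(Path.home() / "Downloads") or any tree of interest.
    print(run_demo())  # [('airdrop.scr', 'constructed-demo')]
```

Hash matching only catches these exact builds; a repacked dropper will not match, which is why the behavioural indicators earlier in the post (the Temp drop directory, the svchost.exe injection) matter alongside the IOC sweep.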