There is an aggressive airdrop campaign distributing a new information-stealing Trojan.
The main target audience is the crypto community: the Trojan is posted to numerous ICO Telegram groups.
ROMAD provides a short technical description of the Trojan's actions.
The information stealer is sent as a *.scr file (the Microsoft Windows screensaver extension).
First, it unpacks the DLLs it requires into a subfolder of the user's Temp directory:
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-file-l1-2-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-rtlsupport-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-namedpipe-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-errorhandling-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-heap-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-profile-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-memory-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-processenvironment-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-string-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-console-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-file-l2-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-processthreads-l1-1-1.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-synch-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-debug-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-interlocked-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-processthreads-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-libraryloader-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-sysinfo-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-handle-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-datetime-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-file-l1-1-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-localization-l1-2-0.dll
C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-synch-l1-2-0.dll
Then it starts performing its main activities.
Data theft abilities
• The Trojan steals credentials from
o the following web browsers:
Internet Explorer
Firefox
Waterfox
Comodo IceDragon
Cyberfox
Pale Moon
Chrome
YandexBrowser
Comodo Dragon
Amigo
Orbitum
Bromium
Chromium
Nichrome
RockMelt
360Browser
Vivaldi
Opera
Epic Privacy Browser
Brave
CocCoc
CentBrowser
7Star
Elements Browser
TorBro
Suhba
Secure Browser
Mustang
Superbird
Chedot
Torch
o Email clients
Outlook
Thunderbird
o Messengers
QIP
Skype
Telegram
o FTP clients
FileZilla
WinSCP
• The Trojan also steals web browser data such as:
o Cookies
o Cache
o Surfing history
• The Trojan looks for cryptowallet files:
o wallet.dat
o electrum.dat
• The Trojan also looks for the secret keys of the following cryptowallets:
Monero
Bitcoin
BitcoinGold
BitCore
Litecoin
BitcoinABC
• The Trojan reads the contents of *.txt and *.png files on the user's Desktop
• The Trojan collects installed software and system information from the following Registry keys:
SOFTWARE\Microsoft\Windows NT\CurrentVersion
HARDWARE\DESCRIPTION\System\CentralProcessor\0
Software\Microsoft\Windows\CurrentVersion\Uninstall
It also calls the GetUserName, GetTimeZoneInformation and GetSystemInfo APIs to collect more host data. The Trojan uses the process enumeration APIs (CreateToolhelp32Snapshot, Process32First, Process32Next) to list the running processes.
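As an added defender-side example (not from ROMAD or the original report), the following Python sketches two detections over constructed file-access events: a .scr image staging several api-ms-win-core-*.dll files into a Temp subfolder, as in the unpacking step described above, and a non-wallet process reading wallet.dat or electrum.dat. The event shape, the sample paths, the threshold and the wallet-software allowlist are assumptions.

```python
import re
from collections import defaultdict

# Constructed file-access events, not real telemetry: (action, process image, target path).
SAMPLE_EVENTS = [
    ("create", r"C:\Users\admin\Downloads\Airdrop_Bonus.scr",
     r"C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-file-l1-2-0.dll"),
    ("create", r"C:\Users\admin\Downloads\Airdrop_Bonus.scr",
     r"C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-heap-l1-1-0.dll"),
    ("create", r"C:\Users\admin\Downloads\Airdrop_Bonus.scr",
     r"C:\Users\admin\AppData\Local\Temp\192B570A\api-ms-win-core-synch-l1-1-0.dll"),
    ("read", r"C:\Users\admin\Downloads\Airdrop_Bonus.scr",
     r"C:\Users\admin\AppData\Roaming\Bitcoin\wallet.dat"),
    ("read", r"C:\Program Files\Bitcoin\bitcoin-qt.exe",
     r"C:\Users\admin\AppData\Roaming\Bitcoin\wallet.dat"),
    ("create", r"C:\Windows\System32\msiexec.exe",
     r"C:\Windows\System32\api-ms-win-core-file-l1-2-0.dll"),
]

API_SET_DLL = re.compile(r"\\api-ms-win-core-[\w-]+\.dll$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
WALLET_FILES = {"wallet.dat", "electrum.dat"}
# Assumed allowlist of wallet software; tune it to the estate being monitored.
WALLET_OWNERS = {"bitcoin-qt.exe", "bitcoind.exe", "electrum.exe"}
MIN_STAGED_DLLS = 3  # assumed threshold for the API-set staging rule

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return a list of (rule, process, detail) findings over file-access events."""
    findings = []
    staged = defaultdict(set)  # (process, temp folder) -> API-set DLL names written there
    for action, proc, target in events:
        name = basename(target)
        if action == "create" and API_SET_DLL.search(target) and TEMP_DIR.search(target):
            staged[(proc, target.rsplit("\\", 1)[0])].add(name)
        if action == "read" and name in WALLET_FILES and basename(proc) not in WALLET_OWNERS:
            findings.append(("wallet_file_access", proc, target))
    for (proc, folder), dlls in staged.items():
        # Legitimate installers also drop API-set DLLs, so require a screensaver image plus a threshold.
        if len(dlls) >= MIN_STAGED_DLLS and proc.lower().endswith(".scr"):
            findings.append(("apiset_staging_by_scr", proc, f"{folder} ({len(dlls)} DLLs)"))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```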
Remote access abilities
The Trojan is able to install a remote access client (VNC) by injecting into an svchost.exe process. The injection is performed via the novel Process Doppelgänging technique.
Users’ protection
ROMAD Endpoint Defense users are already protected from this threat, as the Genetic Sequence Generic.Injector.Pre covers the behavior of the additional payload.
The Genetic Sequence Stealer.Pre has been created to protect against the behavior of the main Trojan module.
IOCs
Droppers
2f531a2bbea179623da6e2aed2df58dd74e5d6b1b2a86dce16541e1d93aca9de
3dbe11c28d87499f26394302714ef74857d18f61c61a1c192059d39138214776
Main stealing module (the one that uses the Process Doppelgänging technique)
5e3953703e401479a391016ba9f05da60031305bcac59473e9e03daff4fea48f
132375a6e117cd5aa43b18f7de7814bc6c0431f74ccf679f6e95790e4cfc222e
VNC module
6a8b88c1cf0524a46c3fd09d18a237f8795a729582b585937f75ca73ed3e4a83
e13e86881370d9df53b9df383d847a33c523181d661fc249de9f0db063dc60c4