My next class:

Are You Still Storing Passwords In Plain Text Files?

Published: 2023-09-29. Last Updated: 2023-09-29 07:35:31 UTC
by Xavier Mertens (Version: 1)
2 comment(s)

"Infostealer" malware have been in the wild for a long time now. Once the computer's victim is infected, the goal is to steal "juicy" information like passwords, cookies, screenshots, keystrokes, and more. Yesterday, I spotted an interesting sample. It's delivered through an FTP connection. The file (SHA256:2bf9a44bd546e0fd1448521669136220dc49146b0f3a5cd7863698ac79b5e778) is unknown on VirusTotal.

The malware behavior is pretty simple: It scans the complete drive for interesting files. Here is an example: "*pass*.txt":

I also discovered that it searches for other files:

  • *seed*.txt
  • *ledger*.txt
  • *trezor*.txt
  • *metamask*.txt
  • *bitcoin*.txt
  • *words*
  • *wallet*.txt
  • *.kbdx

Simple but efficient. C2 communications are performed with slimtvsocico[.]fun.

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

2 comment(s)
My next class:

Comments

Here's an interesting and juicy path to consider:
C:\Users\USER\AppData\Roaming\Notepad++\backup
%AppData%\Notepad++\backup

On an admin machine, flip a coin on whether or not "unsaved temporary .txt files" are actually cached here.
Sometimes you need to store in plain text, or at least have to choose between several evils. Given a Java environment (Apache Tomcat) with certificates stored in the Java KeyStore (keytool). You either store it without a password, or you store it with a password and the password is in plain text written in the Tomcat config file. Or you have to enter the password manually each time you restart Tomcat.

Diary Archives