Python InfoStealer With Dynamic Sandbox Detection

Published: 2024-02-20. Last Updated: 2024-02-20 07:07:02 UTC
by Xavier Mertens (Version: 1)
1 comment(s)

Infostealers written in Python are not new. They also embed a lot of sandbox detection mechanisms to avoid being executed (and probably detected) by automated analysis. Last week, I found one that uses the same approach but in a different way. Usually, the scripts embed a list of "bad stuff" to check, like MAC addresses, usernames, processes, etc. These are common ways to detect simple sandboxes that are not well hardened. This time, the "IOD" (Indicators Of Detection) list is stored online on a Pastebin-like site, which allows the indicators to be updated for all scripts already deployed. It's also a way to expose less interesting information in the script itself.

The file, called main.py, has a VT score of 22/61 (SHA256: e0f6dcf43e19d3ff5d2c19abced7ddc2e703e4083fbdebce5a7d44a4395d7d06)[1].

The script fetches its indicators from several files hosted on rentry.co[2]:

remnux@remnux:/MalwareZoo/20240217$ grep hxxps://rentry[.]co main.py 
     processl = requests.get("hxxps://rentry[.]co/x6g3is75/raw").text
     mac_list = requests.get("hxxps://rentry[.]co/ty8exwnb/raw").text
     vm_name = requests.get("hxxps://rentry[.]co/3wr3rpme/raw").text
     vmusername = requests.get("hxxps://rentry[.]co/bnbaac2d/raw").text
     hwid_vm = requests.get("hxxps://rentry[.]co/fnimmyya/raw").text
     gpulist = requests.get("hxxps://rentry[.]co/povewdm6/raw").text
     ip_list = requests.get("hxxps://rentry[.]co/hikbicky/raw").text
     guid_pc = requests.get("hxxps://rentry[.]co/882rg6dc/raw").text
     bios_guid = requests.get("hxxps://rentry[.]co/hxtfvkvq/raw").text
     baseboard_guid = requests.get("hxxps://rentry[.]co/rkf2g4oo/raw").text
     serial_disk = requests.get("hxxps://rentry[.]co/rct2f8fc/raw").text

All files were published on January 27 2024 around 23:19 UTC. The website also shows the number of views. Currently, there are only two (certainly my visits), so the script hasn't been released in the wild yet. I'll keep an eye on these counters in the coming days.
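The grep above is the quickest way to spot this pattern; the following script is an added triage helper (not code from the diary or from the sample) that does the same job on a Python source file in a structured way: it finds `requests.get(...)`/`requests.post(...)` calls, refangs defanged URLs, and flags hosts belonging to paste-like services. The sample source, the `PASTE_HOSTS` set and the function names are assumptions made for this example; rentry.co is the host seen in the sample and pastebin.com is added as a well-known service of the same class.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Hosts of paste-like services that are worth flagging when a sample fetches
# content from them. rentry.co is the one used by this sample; pastebin.com is
# an assumed addition representing the same class of service.
PASTE_HOSTS = {"rentry.co", "pastebin.com"}

# Matches assignments of the form:  name = requests.get("<url>")...
FETCH_RE = re.compile(
    r'(?P<var>\w+)\s*=\s*requests\.(?P<method>get|post)\(\s*["\'](?P<url>[^"\']+)["\']'
)


def refang(url: str) -> str:
    """Undo the usual defanging (hxxp -> http, [.] -> .) so urlparse can read the URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def extract_remote_lists(source: str) -> List[Dict]:
    """Return one record per remote fetch found in the source, flagging paste sites."""
    findings = []
    for m in FETCH_RE.finditer(source):
        parsed = urlparse(refang(m.group("url")))
        host = parsed.hostname or ""
        findings.append({
            "var": m.group("var"),
            "method": m.group("method"),
            "host": host,
            "path": parsed.path,
            "paste_site": host in PASTE_HOSTS,
        })
    return findings


def paste_site_hosts(source: str) -> List[str]:
    """Sorted list of distinct paste-site hosts contacted by the source."""
    return sorted({f["host"] for f in extract_remote_lists(source) if f["paste_site"]})


# Constructed sample: the first two lines copy the shape of the grep output in
# the diary (defanged, as published there); the third is an unrelated request
# that must not be flagged.
SAMPLE_SOURCE = '''
    processl = requests.get("hxxps://rentry[.]co/x6g3is75/raw").text
    mac_list = requests.get("hxxps://rentry[.]co/ty8exwnb/raw").text
    reply = requests.post("https://api.example.invalid/v1/ping", data=payload)
'''

if __name__ == "__main__":
    for f in extract_remote_lists(SAMPLE_SOURCE):
        flag = "PASTE-SITE" if f["paste_site"] else "-"
        print(f"{flag:10} {f['var']:10} {f['method']:4} {f['host']}{f['path']}")
```

Run it against a real sample with `extract_remote_lists(open("main.py").read())`; the variable names it recovers (mac_list, vm_name, ...) are often enough on their own to tell an indicator fetch from a C2 or exfiltration request.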

Here is an example of usage:

import sys
import requests
import wmi

def checkgpu(self):
    c = wmi.WMI()
    # Keep the description of the last display adapter returned by WMI
    for gpu in c.Win32_DisplayConfiguration():
        GPUm = gpu.Description.strip()
    # Download the GPU indicator list and stop if the description appears in it
    gpulist = requests.get("https://rentry.co/povewdm6/raw").text
    if GPUm in gpulist:
        sys.exit()
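One detail worth noticing for anyone emulating or hardening a sandbox: `GPUm in gpulist` is evaluated on the raw downloaded text, so it is a substring search, not a membership test against the list entries. The snippet below is an added example (not code from the sample) that reproduces that test next to a line-exact comparison; the GPU list it uses is a constructed stand-in, the real one is not reproduced here.

```python
# Constructed stand-in for the remotely hosted list; one entry per line,
# which is how the stealer's `in` test treats the downloaded text anyway.
SAMPLE_GPU_LIST = (
    "VMware SVGA 3D\n"
    "VirtualBox Graphics Adapter\n"
    "Microsoft Basic Display Adapter\n"
)


def flagged_by_stealer(description: str, raw_list: str) -> bool:
    """Reproduces the stealer's check: `str in str` is a substring search over
    the whole text, so fragments of a listed name (or an empty string) match."""
    return description in raw_list


def flagged_by_line(description: str, raw_list: str) -> bool:
    """Line-exact membership, shown for comparison with the stealer's test."""
    entries = {line.strip() for line in raw_list.splitlines() if line.strip()}
    return description.strip() in entries


def compare(description: str, raw_list: str = SAMPLE_GPU_LIST):
    """Return (stealer_result, line_exact_result) for one adapter description."""
    return flagged_by_stealer(description, raw_list), flagged_by_line(description, raw_list)


if __name__ == "__main__":
    for desc in ["VMware SVGA 3D", "SVGA", "Adapter", "", "NVIDIA GeForce RTX 3060"]:
        stealer, exact = compare(desc)
        print(f"{desc!r:28} stealer={stealer!s:5} line-exact={exact}")
```

Two consequences follow for analysis: an empty `Description` (an empty string is a substring of every string) makes the stealer exit, and a sandbox GPU name only has to be a fragment of any listed entry to trigger the check. Note also that the loop in `checkgpu` keeps only the last adapter WMI returns, and raises `NameError` if it returns none, which is itself a way the sample can die before reaching the stealer code.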

The rest of the stealer is very classic. I just extracted the list of targeted websites (their cookies are collected and exfiltrated):

keyword = [
    'mail',
    'coinbase',
    'sellix',
    'gmail',
    'steam',
    'discord',
    'riotgames',
    'youtube',
    'instagram',
    'tiktok',
    'twitter',
    'facebook',
    'card',
    'epicgames',
    'spotify',
    'yahoo',
    'roblox',
    'twitch',
    'minecraft',
    'bank',
    'paypal',
    'origin',
    'amazon',
    'ebay',
    'aliexpress',
    'playstation',
    'hbo',
    'xbox',
    'buy',
    'sell',
    'binance',
    'hotmail',
    'outlook',
    'crunchyroll',
    'telegram',
    'pornhub',
    'disney',
    'expressvpn',
    'crypto',
    'uber',
    'netflix'
]

You can see that classic sites are targeted, but generic keywords are also present, like "crypto", "bank" or "card". Cookies belonging to URLs containing these keywords will also be exfiltrated.
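When scoping an incident involving this stealer, the practical question is which of the victim's cookies would have matched. The script below is an added example (not part of the diary or the sample) that applies the same substring logic to a list of cookie hostnames taken from a browser profile and reports, per host, which keywords matched. It uses a representative subset of the keyword list above, and the hostnames are constructed for the example.

```python
from typing import Dict, List

# Representative subset of the stealer's keyword list (the full list is in the diary above).
KEYWORDS = [
    "mail", "coinbase", "steam", "discord", "card", "bank",
    "paypal", "amazon", "buy", "sell", "crypto", "netflix",
]


def matching_keywords(url: str, keywords: List[str] = KEYWORDS) -> List[str]:
    """Keywords that occur as substrings of the URL or hostname (case-insensitive)."""
    url = url.lower()
    return [k for k in keywords if k in url]


def scope_cookie_exposure(hosts: List[str], keywords: List[str] = KEYWORDS) -> Dict[str, List[str]]:
    """Map each host the stealer would have targeted to the keywords that matched it.
    Hosts with no match are left out, which is what the victim keeps."""
    exposed = {}
    for host in hosts:
        hits = matching_keywords(host, keywords)
        if hits:
            exposed[host] = hits
    return exposed


# Constructed cookie hostnames, as they might appear in a browser's cookie store.
SAMPLE_COOKIE_HOSTS = [
    "www.coinbase.com",        # explicit site name
    "mail.example.org",        # generic keyword "mail"
    "giftcards.example",       # generic keyword "card" matches inside "giftcards"
    "mybank.example",          # generic keyword "bank"
    "store.steampowered.com",  # "steam" matches a subdomain of a different domain
    "resell-tickets.example",  # "sell" matches an unrelated word
    "cryptobank.example",      # two keywords match the same host
    "docs.python.org",         # nothing matches: not collected
]

if __name__ == "__main__":
    for host, hits in scope_cookie_exposure(SAMPLE_COOKIE_HOSTS).items():
        print(f"{host:26} matched: {', '.join(hits)}")
```

Because the match is a plain substring test, the generic keywords cast a wider net than the site names suggest: "card", "buy" and "sell" catch any host that happens to contain those letters, so an exposure list built from the victim's actual cookie store is more reliable than one guessed from the list of "targeted sites".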

[1] https://www.virustotal.com/gui/file/e0f6dcf43e19d3ff5d2c19abced7ddc2e703e4083fbdebce5a7d44a4395d7d06/details
[2] https://rentry.co

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant