Warning Against Infostealer Disguised as Installer

by Prapattimynk, Thursday, 21 March 2024 (4 weeks ago)
Warning Against Infostealer Disguised as Installer

The StealC malware disguised as an installer is being distributed en masse.

It was identified as being downloaded via Discord, GitHub, Dropbox, etc. Considering the cases of distribution using similar routes, it is expected to redirect victims multiple times from a malicious webpage disguised as a download page for a certain program to the download URL.

StealC is an Infostealer that extorts a variety of key information such as system, browser, cryptocurrency wallet, Discord, Telegram, and mail client data.

Figure 1. The malware uploaded on GitHub

The malware strain and its operation method are similar to those of the past malware type distributed while being disguised as cracks, but it was identified to use a different distribution site. The distribution process of the malware strain disguised as software cracks was covered multiple times on the ASEC Blog. Follow the links below for more details.

The recently distributed malware strain was downloaded by an unusually large number of users during a short time span. There is a high possibility that it was disguised as a program also popular in Korea.

The following are the top two samples in distribution volume and they are still in circulation. The file names are “setup_2024.008.20534_win64_86.exe” and “Setup_21.4_win64_86” respectively. The malicious actions are not triggered if the file names are changed, a feature intended for bypassing analysis environments such as sandboxes.

Figure 2. StealC malware sample icons

When the malware is executed, it downloads a PNG file from an image hosting site. The image file has encoded malicious data embedded in the middle of the image data. The malware contains three different website addresses with the files being downloaded from each site being the same.

Figure 3. The malicious PNG file

When the data within the PNG file is decoded, it creates the shell code and file binary needed for malicious behaviors. When the aforementioned shell code is executed, StealC Infostealer is ultimately run after going through the process of file creation, execution, and various injection processes.

During this process, normal child processes of SysWOW64 (netsh.exe and more.com) and the AutoIt processes (WinAPIHObj.au3 and DllCall.au3) created in the Temp directory are executed. The StealC malware is run after being loaded onto the AutoIt process. The execution process tree is as follows.

Figure 4. StealC execution process tree

The ntdll manual mapping and Heaven’s Gate techniques are used for injection. The former is a method of manually loading ntdll.dll and executing an internal function and the latter is a method of executing x64 commands with the WOW64 process. Both are techniques employed to bypass and hinder analysis by security products.

Figure 5. Heaven’s Gate code

These behavioral characteristics are the same as those of the malware strain distributed a few weeks ago disguised as a software crack. The sample distributed at the time was the Vidar Infostealer which, like the sample in this case, was disguised as an installer. It used techniques such as checking file names, downloading a PNG file, creating and injecting into a normal process, manual ntdll mapping, and Heaven’s Gate. The same image hosting site was used to download the PNG file.

Figure 6. Vidar malware sample icons
Figure 7. Vidar execution process tree

At the time, a legitimate file (imewdbld.exe) which was included by default in Windows 11 and only able to be executed in that OS was created and then injected. This means that only Windows 11 environments had been attack targets in the past, but the recently distributed StealC sample runs normally in earlier versions of OS environments.

Vidar is also an Infostealer that accesses account profiles on platforms such as Steam and Telegram to obtain the C2 address. Thus, the C2 can be changed constantly.

Figure 8. Vidar malware C2 pages

On March 14th 5 AM, a sample among malware strains disguised as software cracks was identified as having the same C2 as the StealC sample in this post. The case shows how different malware strains with the same execution method and malware strains with different execution methods but using the same C2 are constantly being made and distributed.

The samples mentioned above are all deemed to be either attributable to the same threat actor or be meaningfully related, constantly posing threats to users.

  • d58a6009dec024aee176df38d39bc32b (Stealc MD5)
    413aa458fb04b7ff1c455cefdb720135 (Stealc MD5)
  • hxxps://mega[.]nz/file/AhEBmaBI#lyluDB_AcC4qphklfyKhGYHyJnwyRCfvX2UC-zi6YA8 (Distribution Site)
    hxxps://mega[.]nz/file/VWs2HKSQ#PnyLXgyDKNY1REGwFIG2D_K0Vmw8K0z_KM-aVGVEBWI (Distribution Site)
  • hxxp://193.143.1[.]226/129edec4272dc2c8.php (Stealc C2)

As malware strains disguised as installers are actively being distributed, caution is needed. Users must check if the executable file they are attempting to download is being downloaded from the official website domain and must not execute files downloaded from untrusted links.

AhnLab detects the malware samples covered in this post under the aliases below.

[IOC Info]

– StealC

  • MD5s
    c935f54929475d06b6d11c746ac64156 (setup_2024.008.20534_win64_86.exe)
    d3bbe6f53dec9b65400f6477fb7ad697 (Setup_21.4_win64_86)
  • URLs
    hxxps://i.ibb[.]co/FxjS8cy/1492239061.png (PNG)
    hxxps://gcdnb.pbrd[.]co/images/ZZsYr33PtdW0.png?o=1 (PNG)
    hxxps://pixeldrain[.]com/api/file/Qutj1LyJ (PNG)
    hxxps://iili[.]io/JV2qk2p.png (PNG)
    hxxps://gcdnb.pbrd[.]co/images/eZYxpEiX6alk.png?o=1 (PNG)
    hxxp://193.143.1[.]226/129edec4272dc2c8.php (StealC)
  • Detection Names
    Infostealer/Win.Stealc.C5598726 (2024.03.09.03)
    Infostealer/Win.Vidar.R635589 (2024.03.14.00)

– Vidar

  • MD5s
    2c7c25d67a82fd3ab94ec5a84ce0bf9c (S3tup.exe)
    56043b1a19ee26f8a1886992a4db63fd (Setap.exe)
    a1a3f635d93b9326202bdad56492f68f (Setap.exe)
    b226d4ea9a9532321e1b3fec2924ba61 (Setap.exe)
    c7270a045c095dc78da8596c456aedd5 (Set3pCrack.exe)
    e5a9d16cf0d3d545add724a27a8e8556 (Set3pCrack.exe)
  • URLs
    hxxps://gcdnb.pbrd[.]co/images/U8847YouMZ4x.png?o=1 (PNG)
    hxxps://i.ibb[.]co/pyz97pz/1094446753.png (PNG)
    hxxps://gcdnb.pbrd[.]co/images/TkqrZotY6Ps8.png?o=1 (PNG)
    hxxps://i.ibb[.]co/dmyD1nF/2941038318.png (PNG)
    hxxps://i.ibb[.]co/c1szv4r/3351445504.png (PNG)
    hxxps://i.ibb[.]co/sQxVVvz/648044317.png (PNG)
    hxxps://qu[.]ax/JRUO.png (PNG)
    hxxps://gcdnb.pbrd[.]co/images/v5x684hwBX2v.png?o=1 (PNG)
    hxxps://qu[.]ax/BVmc.png (PNG)
    hxxps://i.ibb[.]co/Qk1PrqS/2373180300.png (PNG)
    hxxps://qu[.]ax/CwQB.png (PNG)
    hxxps://gcdnb.pbrd[.]co/images/oXcmE8xyi8RR.png?o=1 (PNG)
    hxxps://qu[.]ax/Ppkk.png (PNG)
    hxxps://qu[.]ax/dpfx.png (PNG)
    hxxps://37.27.36[.]6/ (Vidar)
    hxxps://t[.]me/hypergog/ (Vidar)
    hxxps://142.132.224[.]223:9001/ (Vidar)
    hxxps://steamcommunity[.]com/profiles/76561199642171824/ (Vidar)
    hxxps://65.109.172[.]49/ (Vidar)
  • Detection Names

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.


Your email address will not be published. Required fields are marked *

Ads Blocker Image Powered by Code Help Pro

AdBlocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.