EDR Product Analysis of an Infostealer

AhnLab Security Emergency response Center (ASEC) released an analysis report on an Infostealer that is being distributed through YouTube.

Infostealer Being Distributed via YouTube

As mentioned in the report, an Infostealer is being distributed through various platforms, and the leaked information is causing both direct and indirect harm to users. Understanding what information has been stolen and where it is being sent is crucial in order to minimize the damage caused by an Infostealer infection.

AhnLab EDR logs what information an Infostealer has stolen and where it was sent, which greatly aids tracking and helps prevent further harm. As covered in the previously released analysis report, this malware steals an assortment of data stored on the PC. It creates a folder named 44 in one of the ApplicationData, LocalApplicationData, or CommonApplicationData paths, chosen at random, copies the stolen information there, and compresses it before sending it. At the time of writing, a connection cannot be established to the destination URL.

Figure 1. EDR detection screen

Figure 2. Process tree summary

Figure 1 shows the AhnLab EDR detection screen for the Infostealer distributed through YouTube that was mentioned earlier in this post. The recorded data are summarized and organized in Figure 2. Based on this summarized process tree, the stolen data can be tracked through AhnLab EDR.

Figure 3. Detection screen of a compressed file being created

The search result in Figure 3 displays the timeline for the detection phrase taken from the process tree in Figure 2. This search surfaces compression performed for the purpose of information stealing.

Figure 4. Detection screen of file creation

Figure 4 shows the AhnLab EDR detection screen for the txt files the Infostealer creates to hold PC and process information: the process list is saved in process.txt, while information.txt contains the extracted system information.

Figure 5. Detection screen of computer information collection

Figure 6. Detection screen of WMI queries

Figure 7. Clipboard data collected

Figures 5 through 7 demonstrate the detection of the stolen system information being stored in information.txt.

Figure 8. Screen capture

Figure 8 shows a record of the Infostealer taking a screenshot.

Figure 9. Checking stolen files

As shown in Figure 9, every behavior, including a stealer copying files, is recorded in AhnLab EDR, so users can search for such behaviors.
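To show how the behaviors recorded in Figures 3 through 9 can be correlated into a single alert, here is an added Python example that is not ASEC's or AhnLab EDR's code. It assumes a constructed "time|pid|image|event|target" telemetry layout with file_create and net_connect event names, and flags any process that writes process.txt and information.txt under one of the three application-data paths, creates an archive there, and connects to a Discord webhook URL of the kind listed in the IOC section.

```python
import re
from collections import defaultdict

# Constructed "time|pid|image|event|target" telemetry lines, not real AhnLab EDR records.
SAMPLE_EVENTS = """\
10:00:01|4120|C:\\Users\\u\\Downloads\\setup.exe|file_create|C:\\Users\\u\\AppData\\Roaming\\44\\process.txt
10:00:02|4120|C:\\Users\\u\\Downloads\\setup.exe|file_create|C:\\Users\\u\\AppData\\Roaming\\44\\information.txt
10:00:04|4120|C:\\Users\\u\\Downloads\\setup.exe|file_create|C:\\Users\\u\\AppData\\Roaming\\44.zip
10:00:05|4120|C:\\Users\\u\\Downloads\\setup.exe|net_connect|https://discord.com/api/webhooks/<PLACEHOLDER_ID>/<PLACEHOLDER_TOKEN>
10:01:00|5210|C:\\Program Files\\7-Zip\\7zFM.exe|file_create|C:\\Users\\u\\Documents\\report.zip
10:01:30|6001|C:\\Program Files\\Chat\\chat.exe|net_connect|https://discord.com/api/v9/gateway
"""

# ApplicationData, LocalApplicationData and CommonApplicationData resolve to these folders.
APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local)\\|\\ProgramData\\", re.IGNORECASE)
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z)$", re.IGNORECASE)
WEBHOOK_RE = re.compile(r"^https?://discord(app)?\.com/api/webhooks/", re.IGNORECASE)
STAGED_FILES = {"process.txt", "information.txt"}
REQUIRED = {"staged_process", "staged_information", "archive_created", "webhook_connect"}

def parse_events(text):
    """Split telemetry lines into dicts; malformed lines are skipped."""
    fields = ("time", "pid", "image", "event", "target")
    rows = (line.split("|", 4) for line in text.splitlines())
    return [dict(zip(fields, parts)) for parts in rows if len(parts) == 5]

def classify(ev):
    """Stage of the stealer's behavior chain that one event matches, or None."""
    target = ev["target"]
    if ev["event"] == "net_connect":
        return "webhook_connect" if WEBHOOK_RE.match(target) else None
    if ev["event"] != "file_create" or not APPDATA_RE.search(target):
        return None
    name = target.rsplit("\\", 1)[-1].lower()
    if name in STAGED_FILES:
        return "staged_" + name.split(".")[0]
    return "archive_created" if ARCHIVE_RE.search(name) else None

def find_stealer_chains(events):
    """Return (pid, image) for every process whose events cover all four stages."""
    stages, images = defaultdict(set), {}
    for ev in events:
        stage = classify(ev)
        if stage:
            stages[ev["pid"]].add(stage)
            images.setdefault(ev["pid"], ev["image"])
    return [(pid, images[pid]) for pid, seen in stages.items() if REQUIRED <= seen]
```

Only pid 4120 completes the chain in the sample; the 7-Zip archive in Documents and the ordinary Discord gateway connection never pass the per-stage checks, which keeps the correlation from firing on routine activity.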

Beyond the information already discussed, AhnLab EDR provides additional details that help track stolen information and its destination. Because malware is distributed through so many platforms, users should refrain from downloading illegal programs and from opening emails from untrusted senders. Even when proactive measures are taken against every threat, mistakes can still occur, and AhnLab EDR is able to respond to threats that result from such mistakes.

[File Detection]
– Infostealer/Win.CALIBER.R513735 (2022.09.06.00)

[IOC]
MD5
– 6649fec7c656c6ab0ae0a27daf3ebb8e

C2
– hxxps://discordapp[.]com/api/webhooks/947181971019292714/gXE5T4ZQQF0yGOhuBSDhTkFXB0ut9ai71IZmOFvsdIaznalhyvQP0h45xCss-8W7KQCo
– hxxps://discord[.]com/api/webhooks/940299131098890301/RU4T0D4gNAYM0BZkAMMKQRwGBORfHiJUJ5lJ20Gd-s2yCIX9lXCbyB6yZ6zHUA5B-H42

More details about AhnLab EDR, which actively tracks threats and provides endpoint visibility through behavior-based detection and analysis, can be found here on the AhnLab page.

The post EDR Product Analysis of an Infostealer appeared first on ASEC BLOG.

Article Link: https://asec.ahnlab.com/en/50685/