Infostealer Being Distributed to Japanese Users

AhnLab Security Emergency response Center (ASEC) has recently discovered Infostealers disguised as an adult game being distributed to Japanese users. Although the distribution route has not been confirmed as of yet, it can be assumed that the Infostealers are being distributed via torrent or illegal file-sharing websites, since they are disguised as an adult game.

The method of distributing malware by disguising it as an adult game is often employed here in Korea as well. Instead of using known malware, the threat actor used malware strains that appeared to have been compiled by the threat actor themselves. The names Stellar and ReceiverNeo could be confirmed through the PDB information. The following paths are where these strains of malware were detected, and it is suspected that they were distributed as parts of various other adult games in addition to the one covered in this post.

  • %UserProfile%\Desktop\bubbledehousede_trial\バブルdeハウスde〇〇〇 体験版\
  • %UserProfile%\Download\anim_あねつまみ 体験版\

Generally, these types of adult games are distributed as compressed files and come in the format shown below. The “Start.exe” file inside the extracted folder serves as the game launcher, while the “Lib” folder contains the library files required by the game program.

Figure 1. Normal game folder after installation

The malware was also distributed as a compressed file, but what sets it apart from legitimate copies is that the malware is included within the “Lib” folder. The following format can be inferred by looking at the malware routine. A dropper exists under the name “Sound.dll”, while the original “Sound.dll” file is renamed to “SoundDX.dll” instead. In addition to this, the malware that makes firewall configurations is also included with the filename “Vorbis64.dll”.

Figure 2. Lib folder containing the malware


1. Malware Execution Using DLL Hijacking

Figure 3. Process tree

The malware is executed via the DLL hijacking method. When the game program, “Start.exe”, is executed, the “Sound.dll” file inside the “Lib” folder is loaded. However, since the threat actor replaced the “Sound.dll” file at that path with their malware, the malware is loaded instead of the normal library file. The malicious “Sound.dll” disguises itself as a legitimate file and even has the same Export functions.

Figure 4. Malware disguised as a normal library file

When “Start.exe” calls a function of the normal “Sound.dll” file upon being launched, the malicious “Sound.dll” forwards the call to the same-named function in the “SoundDX.dll” file that exists in the same folder. The malicious routine exists within the DllMain() function and is executed immediately when the DLL is loaded. Since the malicious DLL also passes calls through to the normal library, the adult game itself operates normally as well. Due to this, users believe that the game is running normally while unaware that a malicious routine is running alongside the game.


2. Dropper

“Sound.dll” is a dropper. The actual Infostealers are contained inside the .data section of the file, and the dropper writes them to the following paths.

  • %APPDATA%\Roaming\SakuradaInc\UpdChk.exe
  • %APPDATA%\SakuradaInc\UpdChk.exe.config
  • %TEMP%\taskdiskmgr.exe
  • %TEMP%\taskdiskmgr.exe.config

Figure 5. Malware in the .data section

Out of the generated malware files, “taskdiskmgr.exe” is executed directly, while “UpdChk.exe” is registered under the name “App” on the task scheduler, allowing it to be executed every 8 hours.

Figure 6. Command to execute the generated malware files

Aside from the above dropper features, “Sound.dll” also contains a routine that executes another malware through privilege escalation. In addition to “Sound.dll”, the “Lib” folder also holds the “Vorbis64.dll” file. “Sound.dll” uses the UAC bypassing technique to allow “Vorbis64.dll” to be executed with admin privileges.

“Sound.dll” bypasses UAC by exploiting the code profiling feature of .NET. The registry key shown below can be written without admin privileges. When the path of a malicious DLL is defined in this key and “mmc.exe” is executed, the designated DLL is loaded and executed inside the “mmc.exe” process. The problem is that “mmc.exe” auto-elevates: it can run with admin privileges without triggering the UAC prompt.

Figure 7. UAC bypassing routine

The files dropped by “Sound.dll” are Infostealers that have the task of sending the information they steal to the C&C servers. To accomplish this, the threat actor must configure the firewall to allow the network behavior of the installed malware. Since the “Vorbis64.dll” file is responsible for this feature, and admin privileges are required to configure the firewall, it is run with admin privileges through the UAC bypassing technique.

Figure 8. Firewall configuration routine
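The chain described in sections 1 and 2 leaves observable traces: a process spawned from %TEMP% by a program in the user profile, a scheduled task whose action lives in the user profile, and the auto-elevating “mmc.exe” loading a DLL from a user-writable folder. The following is an added detection example written for this post, not code from ASEC or from the malware; it runs over constructed Sysmon-style events (Event ID 1 = process creation, Event ID 7 = image load), and the paths, task command line and field names are assumptions modelled on the behavior described above.

```python
import re

# Constructed events (not real telemetry) mirroring the chain in this post.
SAMPLE_EVENTS = [
    # Benign: the game loads its own library from Lib (expected, not flagged)
    {"id": 7, "image": r"C:\Users\u\Downloads\game\Start.exe",
     "loaded": r"C:\Users\u\Downloads\game\Lib\Sound.dll"},
    # Dropper runs Stellar directly from %TEMP%
    {"id": 1, "parent": r"C:\Users\u\Downloads\game\Start.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\taskdiskmgr.exe",
     "cmd": "taskdiskmgr.exe"},
    # Dropper registers ReceiverNeo as task "App" (exact command assumed)
    {"id": 1, "parent": r"C:\Users\u\Downloads\game\Start.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /tn App /tr "C:\Users\u\AppData\Roaming\SakuradaInc\UpdChk.exe" /sc hourly /mo 8'},
    # UAC bypass: auto-elevating mmc.exe loads Vorbis64.dll from the game folder
    {"id": 7, "image": r"C:\Windows\System32\mmc.exe",
     "loaded": r"C:\Users\u\Downloads\game\Lib\Vorbis64.dll"},
]

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)
AUTO_ELEVATE = {"mmc.exe"}  # auto-elevating binary named in this post
TASK_ACTION = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)

def is_user_writable(path):
    return bool(USER_WRITABLE.match(path))

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, detail) pairs for events matching the chain above."""
    findings = []
    for ev in events:
        if ev["id"] == 1:  # process creation
            parent, image, cmd = ev["parent"], ev["image"], ev["cmd"]
            if "\\temp\\" in image.lower() and is_user_writable(parent):
                findings.append(("temp_exec_from_user_app",
                                 basename(parent) + " -> " + basename(image)))
            if basename(image) == "schtasks.exe" and "/create" in cmd.lower():
                m = TASK_ACTION.search(cmd)
                action = m and (m.group(1) or m.group(2))
                if action and is_user_writable(action):
                    findings.append(("scheduled_task_in_profile", action))
        elif ev["id"] == 7:  # image load
            if basename(ev["image"]) in AUTO_ELEVATE and is_user_writable(ev["loaded"]):
                findings.append(("auto_elevate_loads_user_dll", ev["loaded"]))
    return findings
```

In real telemetry the "mmc.exe loads a DLL from the user profile" rule is the least noisy of the three and maps directly to the .NET profiler UAC bypass; the other two need an allow-list for legitimate installers.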


3. Infostealers

3.1. Stellar

The “taskdiskmgr.exe” file that is executed first is an Infostealer that steals user credentials from various places such as FTP clients, password managers, cryptocurrency wallet files, etc. The creator of this malware gave it the name Stellar, which can be confirmed through the PDB information below.

  • Malware PDB information: C:\Users\Visual\Documents\Visual Studio 2015\Projects\Stellar\Stellar\Stellar\obj\Release\Informatiq.pdb

Stellar first creates a folder like “%TEMP%\2568da71-f70d-4fb2-b12c-2e277b618cbe”, and this is where the credentials stolen during the later process are saved.

Figure 9. Main routine of Stellar

Type                               Details
Basic information                  OS info, username, process list
Web browser account credentials    Chrome, Firefox, Edge
Email client account credentials   Thunderbird
FTP client account credentials     NextFTP, WinSCP
Password manager                   KeePass, 1Password
Cryptocurrency                     Bitcoin
User files                         Files within the Desktop (%USERPROFILE%\Desktop\) and Documents (%USERPROFILE%\Documents\) folders
Others                             Dropbox, PuTTY

Table 1. Information exfiltration targets

Files in the Desktop and Documents folders become targets of information theft if they contain certain keywords in their file name or exist inside a folder that has a name that contains certain keywords. In the case of Bitcoin, specific files with certain names in the installation path are also targeted for theft. The following are the lists of keywords.

Figure 10. Name of files and folders targeted for exfiltration

  • User files within the Desktop (%USERPROFILE%\Desktop\) folder (file name): “.fmp12”, “.fm7”, “Admin”, “admin”, “1PasswordExport”, “.1pux”, “.kdbx”, “.keyx”, “kdb”, “wallet”, “Vpn”, “vpn”, “Ftp”, “PASS”, “ftp”, “Backup”, “backup”, “パスワード”, “メモ”, “めも”, “memo”, “Memo”, “MEMO”, “アカウント”, “account”, “Account”, “ACCOUNT”, “id”, “Id”, “ID”, “pw”, “Pw”, “PW”, “pass”, “Pass”, “サーバ”
  • User files within the Desktop (%USERPROFILE%\Desktop\) folder (folder name): “Wallet”, “wallet”, “Vpn”, “vpn”, “Ftp”, “PASS”, “ftp”, “Backup”, “backup”, “パスワード”, “メモ”, “めも”, “memo”, “Memo”, “MEMO”, “アカウント”, “account”, “Account”, “ACCOUNT”, “id”, “Id”, “ID”, “pw”, “Pw”, “PW”, “pass”, “Pass”, “PASS”, “サーバ”, “Admin”, “admin”, “ADMIN”
  • User files within the Documents (%USERPROFILE%\Documents\) folder (file name): “Admin”, “admin”, “1PasswordExport”, “.1pux”, “.kdbx”, “.keyx”, “.kdb”, “wallet”, “Vpn”, “vpn”, “Ftp”, “PASS”, “ftp”, “Backup”, “backup”, “パスワード”, “メモ”, “めも”, “memo”, “Memo”, “MEMO”, “アカウント”, “account”, “Account”, “ACCOUNT”, “id”, “Id”, “ID”, “pw”, “Pw”, “PW”, “pass”, “Pass”, “サーバ”
  • User files within the Documents (%USERPROFILE%\Documents\) folder (folder name): “Wallet”, “wallet”, “Vpn”, “vpn”, “Ftp”, “PASS”, “ftp”, “Backup”, “backup”, “パスワード”, “メモ”, “めも”, “memo”, “Memo”, “MEMO”, “アカウント”, “account”, “Account”, “ACCOUNT”, “id”, “Id”, “ID”, “pw”, “Pw”, “PW”, “pass”, “Pass”, “PASS”, “サーバ”, “Admin”, “admin”, “ADMIN”
  • Configuration files within the BitCoin installation folder (file name): “banlist.dat”, “fee_estimates.dat”, “mempool.dat”, “peers.dat”, “db.log”, “debug.log”, “.lock”

The collected information and files are sent to the C&C server over HTTP using the POST method. Because of the variety of files that are stolen, Stellar splits the collected files across multiple transmissions.

Figure 11. Exfiltration routine for collected information

While most of its information theft routines are similar to known Infostealers, Stellar sets itself apart by utilizing PowerShell’s PasswordVault specifically for the Edge browser. Additionally, in order to prevent the PasswordVault PowerShell command from being blocked by the AMSI of security products, Stellar attempts to disable the AMSI before running the aforementioned command.

Figure 12. Edge account credentials being collected via PasswordVault

AMSI is disabled through the above assembly. Stellar loads the DLL that exists as an internal string before calling the off() function which is responsible for disabling the AMSI. The off() function patches the AmsiScanBuffer() function so that the PowerShell command that is later executed within Stellar is not transmitted to the AMSI buffer.

Figure 13. Routine to disable AmsiScanBuffer

Once it finishes, it deletes the folder which contains the collected information and assigns a random string to the “Id” entry of the “HKCU\Software\Kdslnc” registry key before shutting down.


3.2. ReceiverNeo

“UpdChk.exe”, which is registered to the task scheduler and run periodically, is an Infostealer that exfiltrates screenshots from the infected system. Upon examining the PDB information, it becomes apparent that the malware was named ReceiverNeo by its creator.

  • Malware PDB information: C:\Users\Visual\Documents\Visual Studio 2015\Projects\ReceiverNeo\ReceiverNeo\ReceiverNeo\obj\Release\UpdateCheck.pdb

ReceiverNeo first checks the “Id” entry of the “HKCU\Software\Kdslnc” registry key set by Stellar, and ceases operation and terminates if the key does not exist. The threat actor designed the malware to run Stellar first before running ReceiverNeo to exfiltrate screenshots periodically.

Figure 14. Main routine of ReceiverNeo

The screenshots are saved in paths such as “%TEMP%\29b4f6eb-ef41-4563-a989-c3d2ca47dbe5\scrnshot.jpg”. ReceiverNeo only has the simple feature of capturing screenshots. Similar to Stellar, it sends the captured screenshots to the C&C server.


4. Conclusion

Recently, an Infostealer disguised as an adult game has been actively distributed to Japanese users, so users need to be cautious. Users must be wary when running executables downloaded from file-sharing sites, and it is recommended to download products such as utility programs and games from their official websites. Users should also keep V3 updated to the latest version to block malware infections in advance.

File Detection
– Trojan/Win.Generic.C5424217 (2023.05.09.01)
– Trojan/Win.InfoStealer.C5424223 (2023.05.09.01)
– Infostealer/Win.Agent.C5424884 (2023.05.10.03)
– Infostealer/Win.Agent.C5424920 (2023.05.10.03)
– Dropper/Win.Agent.C5424923 (2023.05.10.03)
– Dropper/Win.Agent.C5424924 (2023.05.10.03)

Behavior Detection
– Malware/MDP.Infostealer.M2499

IOC

C&C URLs
– hxxp://hokuto-kyoto[.]jp/Library/books/index.php: Stellar
– hxxp://kyoto-senbon.or[.]jp/info/news/index.php: Stellar
– hxxps://gestiss[.]org/news_/data/index.php: ReceiverNeo
– hxxp://kyoto-med[.]jp/news/index.php: ReceiverNeo


The post Infostealer Being Distributed to Japanese Users appeared first on ASEC BLOG.