New Infostealer ‘ColdStealer’ Being Distributed

The ASEC analysis team has discovered the distribution of ColdStealer that appears to be a new type of infostealer. The malware disguises itself as a software download for cracks and tools, a distribution method that was mentioned multiple times in previous ASEC blog posts.

There are two cases for this type of malware distribution:

1. Distributing a single type of malware such as CryptBot or RedLine
2. Dropper-type malware decompressing and executing various internal malware strains

ColdStealer was distributed with the second method. For more information, check the following blog post.

The downloader malware exists within the dropper malware. When the downloader is run, it downloads ColdStealer from the C2 server. The following figure shows the process.

Figure 1. Infection process of ColdStealer

ColdStealer has a structure of multiple packing layers. It currently uses the .NET obfuscation packing method, yet it was initially possible to obtain the original version that was built using process hollowing and .NET load packing method.

As its name suggests, ColdStealer is an infostealer, a simple type of malware that collects various user information and sends it to C2. It is configured in .NET, and as it has simple features, its size is a mere 80KB. As the namespace of the sample that appears to have the original source’s build is “ColdStealer,” the malware was named as such.

Figure 2. ColdStealer

When the infostealer collects information that will be stolen, it saves the information in the ZIP form instead of files in the memory. To do so, it used a source code made public on GitHub. After collecting the information, it sends memory streams to C2. Doing so will allow the malware to bypass detection as there are no traces of files and execution.

Figure 3. Uses ZIP streams when collecting information

The infostealer has six main features.

  • Stealing browser information
  • Stealing cryptocurrency wallet information
  • Stealing files
  • Stealing FTP server information
  • Stealing system information
  • Sending exception (error) information
  • Stealing browser information

Targets are multiple Chromium-based browsers, Opera, and FireFox. The list of targeted Chromium-based browsers is as follows:

Battle.net, Chromium, Google Chrome, Google Chrome (x86), MapleStudio ChromePlus, Iridium, 7Star, CentBrowser, Chedot, Vivaldi, Kometa, Elements, Epic, uCozMedia Uran, Sleipnir5, Citrio, Coowon, Liebao, QIP Surf, Orbitum, Comodo Dragon, Amigo, Torch, Yandex Browser, Comodo, 360Browser, Maxthon3, K-Melon, Sputnik, Nichrome, CocCoc, Uran, Chromodo, Atom, BraveSoftware, Microsoft Edge, Nvidia, Steam, CryptoTab
Table 1. List of targets (Chromium-based browsers)

Figure 4. Code for collecting information of Chromium browsers

The code is configured to support browsers to their latest versions. The malware collects IDs, passwords, cookies, and web data files saved in the browser. Extension programs are also inquired, meaning the programs on the list are targeted for collecting as well. The list was found to include sensitive programs related to cryptocurrency wallets or user verification.

Metamask, YoroiWallet, Tronlink, NiftyWallet, MathWallet, Coinbase, BinanceChain, BraveWallet, GuardaWallet, EqualWallet, JaxxLiberty, BitAppWallet, iWallet, Wombat, AtomicWallet, MewCx, GuildWallet, SaturnWallet, RoninWallet, PhantomWallet, Arweave, Auro, Celo, Clover, Coin98, Crypto.com, Cyano, Cyano PRO, Dune, Fractal, Gero, Harmony, Hiro, Iconex, Kardia Chain, Keplr, KHC, Lamden, Liquality, Maiar, Mew CEX, Mobox, NeoLine, Nami, Oasis, Polymesh, Rabby, Solflare, Sollet, Solong, Temple, Terra Station, TezBox, Theta, XDeFi, ZebeDee, Authenticator CC
Table 2. List of browser extension programs for collecting

Instead of stealing entire files, the malware is configured to parse the files internally and send only the necessary information. Yet as it did not take account of Unicode encoding, an error occurs when it tries to parse files with information related to browsers (SQLite format) in Windows that has Korean as the system language.

Figure 5. SQLite parsing error

When the parsing is successful, the browser access record is saved in “Domain.text” while account IDs and passwords are saved in “Passwords.text”.

Figure 6. Collected browser passwords (example)
  • Stealing files

Files in the desktop and subdirectories of the user account are targeted. The malware collects any files that have a “wallet” string or extensions .txt and .dat.

Figure 7. Code for collecting files
  • Stealing FTP server information

Collects the list of servers and passwords saved in FileZilla, the most common FTP program.

Figure 8. Code for collecting FTP server information
  • Stealing system information

Collects various system information including Windows version, language, CPU type, clipboard data, execute permission, etc.

Figure 9. Code for collecting system information
  • Stealing cryptocurrency wallet information

Collects information of wallet programs saved in Roaming directory, Local directory, registry, etc.

ZCash, Armory, Bytecoin, JaxxClassic, JaxxLiberty, Exodus, Ethereum, Electrum, Electrum-LTC, Electrum-BCH, Atomic, Guarda, Wasabi, Daedalus, Coinomi, Litecoin, Dash, Bitcoin, monero-core, Binance
Table 3. Wallet programs targeted for collection

  • Collecting and sending error information

Records and sends every error (exception) that occurred while the program was running. As the SQLite parsing error in Windows with the Korean language setting is also recorded and sent, the patched version might be distributed soon.

Figure 10. Code for collecting errors

After every process for collecting information is complete, the information is sent to C2. The URL for sending (C2 URL) is hard-coded in a particular location. The malware uses the HTTP POST method.

Figure 11. C2 URL

As shown above, ColdStealer is an infostealer with a very simple form that can cause severe secondary damage by leaking major system information upon infection. Hence users need to take caution.

The following is the IOC info related to ColdStealer.

[IOC Info]

Downloader

1578ad8f244ae82c36e3feadeb7d66e3
8f021266830397dac3e34f1b3bdde60c
05c97434f3c6970103a3ceda97572481
529951790a4a6da8743af98a24c4088e
a141acc27f79584575a7d2af634be917
8550ebb8f4f5b377df3a3492dbc08f63
511b48b4471e8ab08a4ec6495157f62a
0b3b4b02ed9d4844ec53a3f2a7064432
8e0486fb2291090d4411f58aa030dd23
90f31a31dee14f1efc80e7f121a44763
e23b0bab2ebcff10bc39f95cb92e6d9f
28f7a338c703cf695e776108a7dc3f00
5ccb4a79accca8b6fdc364042705b1a9
7789b3c473654e3251b102083d49128a
50920220980a2c188fb88ba770a72ded
452aeffb5c3c564988b0b7686a1433e9
2ef96ecfe9a2d05bfc24a936a97e66f1
fb0dcc61efe76eccef9b7fa20514a1b9
ac34f72d560a282b919da74e2f5ef8e1
3144517e723720c79c5f975a629cd2d7
f1006f3968f9edf76090e34702e647e6
03c3f6369b934cf86576c394e9172359


ColdStealer

758f815f3775e1b063eba3ab33479a9f
0d34d8571c6998796a2edb212a8037f5
6953629af9858647b65c47ae738334db
f94e8d62921d078c58860ffc2374a357
50f2b28aba4d4cb47544bcc98980a63e
9ec150a4c04da6a1087a3cd36086fde3
79a9f2ae5af2b370eea6c7fc6681e3ef
3b94bf347edcc8f137741989de3eb882
485edc4695212c4e97cf2e841661151c
a48f8e50e74b3792eeaffc6d25ca0080
dc2cbd65ca5411b8a9326338c74c7758
940d63f67b70b37e7ee662b851ae389b
05748b4e8730bb2a705fe1e2e00c5d77
8f0f4e736d83e296b55802c2337f341b
01144efd1dc06a0b9d3ea8a1e632dc26
cd9ba1e78dab227e2fda2cf952adcab4


C2

hxxp://jordanserver232[.]com
hxxp://realacademicmediausa[.]com
hxxp://topexpertshop[.]com
hxxp://realmoneycreate[.]xyz
hxxp://thehomenow[.]xyz
hxxp://real-enter-solutions[.]xyz
hxxp://enter-me[.]xyz

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post New Infostealer ‘ColdStealer’ Being Distributed appeared first on ASEC BLOG.

Article Link: New Infostealer 'ColdStealer' Being Distributed - ASEC BLOG