Cyble-blogs-Exela-Stealer

Exela Stealer Spotted Targeting Social Media Giants

Key takeaways

  • Cyble Research and Intelligence Labs (CRIL) recently came across a new stealer called “Exela”.
  • Exela is a Python-based open-source stealer that steals a wide range of sensitive information from compromised systems.
  • It features an extensive array of anti-debugging and anti-virtual machine (VM) techniques, making it a potent tool for Threat Actors (TAs).
  • Exela primarily targets Discord users by modifying the Windows Discord client to steal sensitive information, including login credentials, personal data, and potentially even financial information.
  • Exela Stealer is also designed to target multiple browsers’ data and credentials.
  • It can additionally steal session details from a wide range of applications, including popular social media platforms and gaming platforms.
  • The ability to exfiltrate data through Discord channels demonstrates the evolving tactics of Threat Actors (TAs) behind Excela Stealrusing legitimate platforms for malicious purposes.

Overview

The rise of open-source data stealers has been noteworthy in recent times due to their ability to adapt to specific requirements. These versatile tools serve as valuable assets for reconnaissance purposes, empowering TAs with the ability to collect critical information that could potentially fuel a range of malicious activities.

On September 14th, CRIL came across an interesting zip file in VirusTotal named “Exela-V2.0-main.rar”. Upon investigation, we found that it contained the source of a new stealer named “Exela”.

Further, we have also identified that the developer of this stealer hosted the entire source code on GitHub. A security researcher, Yogesh Londhe, initially spotted this stealer on August 17th, 2023.

In May 2023, the developer of Exela Stealer uploaded the initial version to GitHub. Following this, the developer continued to improve its features and went on to create the subsequent version of Exela Stealer Version 2.0.

The figure below shows the Exela Stealer Github page and its Telegram channel.

Figure 1 – Author’s GitHub page

Exela Stealer is a Python-based tool designed to discreetly extract sensitive data, including credentials, tokens, sessions, cookies, and more. Notably, it accomplishes this covert data exfiltration solely through Discord webhook URLs, making its operation both interesting and worthy of further investigation. In this analysis, we will delve deeper into Exela Stealer, illuminating its functionalities and potential implications.

Exela Builder functionalities

The builder only executes if it detects a compatible Python version installed on the system, specifically either version 3.10.0 or 3.11.0, and initiates the process of creating the stealer executable based on the preferences selected by the TA.

The image below shows all the preferences provided by the builder.

Figure 2 – Exela Stealer builder console

Upon executing the builder batch file located in the Exela setup folder, it prompts the TAs to provide a Discord webhook URL. If the user doesn’t provide the URL, the builder displays an error message (“Please enter your webhook URL!!!”) and terminates the building process. If the user provides a URL, the builder verifies whether the provided URL matches the expected format for a Discord webhook URL.

This webhook essentially acts as a remote server for TAs to receive all pilfered data captured by Exela Stealer from the compromised system. If the supplied webhook URL matches the specified pattern, the builder then proceeds to construct the stealer with the following features.

PumpFile

The PumpFile feature is used to append zero padding to the end of a compiled file, with the user specifying the desired padding size in MegaBytes (MB). The purpose of this technique is to evade detection by security products.

GetIcon

This feature is designed to interact with the TAs to determine whether they want to change the icon of the output file. A convincing icon is often used as a social engineering tactic to trick users into believing a file is legitimate.

AntiVM

This feature is designed with multiple techniques to detect the presence of a Virtual Machine (VM) or sandbox environment on a host system.

Discord Injection

The purpose of this functionality is to modify Discord’s core files to monitor user actions and illicitly acquire sensitive information.

Keylogger

This feature integrates a keylogger function into the stealer. The keylogger captures all keystrokes and sends them to the specified Discord webhook.

Startup

This feature is added to ensure persistence by enabling the automatic execution of the stealer upon the user’s system login. It can either add an entry to the Windows Registry or create scheduled tasks depending on a value provided by the TA.

Fake Error Message

This functionality seems to be employed to generate a fake error message when the stealer runs on the victim’s system, creating the effect that the program was not installed correctly in order to mislead the user.

Other features of this Builder

Obfuscation – The builder adds an additional layer of security to protect the original source code. This is accomplished by performing a sequence of operations to obfuscate the original stealer code while building the executable.

The image below shows the sequence of methods used in the obfuscation process.  

Figure 3 – Binary Obfuscation flow

This multi-step process makes the resulting Exela Stealer Python installer exceptionally challenging for anyone attempting to reverse engineer or comprehend the underlying code.

Digital Signature – The builderadds a Windows digital signature from an existing certified file to the compiled file to make it appear more legitimate. To achieve this, the builder utilizes a separate Python script – “digital-sign.py” – to sign the compiled binary. The image below shows the command line parameters used by the builder to add the digital signature.

Figure 4 – Parameters used for adding digital signature.

The image below shows the builder utilizing Microsoft’s digital certificate to sign the compiled binary of Exela’s stealer. Upon inspection of the compiled binary, however, this signature appears invalid, as shown below.

Figure 5 – Adding Invalid Digital Signature to Exela Stealer

Upon the successful inclusion of all the user-selected features, the builder proceeds to compile the executable. The image below displays the successful creation of Exela Stealer by the builder without any errors.

Figure 6 – Successful Creation Of Exela Stealer

Technical Analysis

Upon execution, the stealer attempts to create a mutex with the name “Exela | Stealer | on | Top”. If a mutex with this name already exists, indicating that another instance of the program is running, it doesn’t create a new one. Then, it prints a message to the console stating “mutex already exists” and terminates itself.

If no other instance is running on the system, the stealer proceeds with its data-stealing activities. To divert the user’s attention away from its malicious actions, the stealer employs a deceptive tactic by generating a fake error message, as shown below.

Figure 7 – Fake error message

Anti Debug Check

The stealer executes a set of commands aimed at detecting processes and system settings related to debugging or virtualization. It gathers the system’s Universally Unique Identifier (UUID) using “wmic csproduct get uuid” and the computer’s name through “os.getenv(“computername”)” Then, it compares the fetched system data with the hardcoded lists of computer names and UUIDs. If a match is found, the stealer terminates its operation.

The image below shows the code for the anti-debug check.

Figure 8 – Anti-debug check used by the stealer

Furthermore, the stealer scans through the names of all currently running processes and verifies whether any of these process names correspond to entries in a predefined list. This list usually contains processes commonly linked to security tools, as shown in the table below. If a match is identified, the stealer proceeds to terminate the identified process.

httpdebuggeruinodewiresharkfiddler
regedittaskmgrvboxservicedf5serv
processhackervboxtrayvmtoolsdvmwaretray
ida64ollydbgpestudiovmwareuser
vgauthservicevmacthlpx96dbgvmsrvc
x32dbgvmusrvcprl_ccprl_tools
xenserviceqemu-gajoeboxcontrolksdumperclient
ksdumper   

AntiVM

The stealer utilizes various techniques to check whether the stealer is being run in a virtual environment by checking for the existence of specific files, strings, and process names and even loading the modules associated with common virtualization platforms.

Figure 9 – Various VM-detecting functions

The table below summarizes the Anti VM functions implemented, their descriptions, the predefined search strings, process names, paths, and modules used in the stealer code to identify the virtual environment.

Function nameDescriptionIdentify elements
VmcikExamines the disk drive containing description matching to virtualization software‘vbox’ or ‘virtual’
check_hostnameChecks the hostname of the target system containing any strings related to virtualization‘sandbox’, ‘cuckoo’, ‘vm’, ‘virtual’, ‘qemu’, ‘vbox’, ‘xen’
check_processesChecks for virtualization platforms related process names‘vmtoolsd.exe’, ‘vboxtray.exe’, ‘prl_tools.exe’, and ‘xenservice.exe’
CheckFilescheck for the presence of specific device paths“\Device\Harddisk0\DR0”, “\Device\Harddisk0\DR1”, “\Device\Harddisk0\DR2”, “\Device\Harddisk0\DR3”
check_gdbDetects the presence of the GNU Debugger (GDB)‘GDB’
CheckHypervisorChecks for the presence of a hypervisor or VMware‘Hypervisor’ or ‘VMware’
Sandboxie()Attempts to load the dynamic link library (DLL) associated with Sandboxie‘SbieDll.dll’

Persistence

To establish persistence on a victim system, Exela Stealer copies itself into a newly created directory located at “\appdata\local\ExelaUpdateService” with the name “Exela.exe” and marks both the directory and the copied file as hidden and system attributes, as shown in the figure below.

Figure 10 – Modifying File Attributes

After successfully copying the file, the stealer checks the startup value provided while building the binary. The stealer adds a startup entry based on the user’s choice. It can utilize either the Windows Registry (regedit) or Task Scheduler (schtasks) to achieve persistence.

The script below shows both these startup features provided in the builder.

Figure 11 – Establishing  persistence

Discord Injection

After successfully creating startup entries, the stealer proceeds to modify the Windows Discord client files. Initially, it seeks the path to the Discord application within the local `%AppData%\Discord\` directory. If this directory isn’t found, it bypasses the Discord injection step and continues with other functionalities. However, if the directory is present, it continues searching through directories until it locates the specific path: `%AppData%\Discord\[app-version]\modules\discord_desktop_core\`.

Once this path is identified, the stealer attempts to retrieve the `index.js` file from the aforementioned location. It then checks for any previous injections in the file. If no prior injections are found, it proceeds to download custom injection code directly from the GitHub repository provided by the author.

After obtaining the downloaded file, the stealer replaces the default webhook URL with the URL specified during the code compilation by the attacker. Following this replacement, it writes the custom code into the core file of Discord, specifically into the “index.js” file. The script below shows the function to modify the core file in the Discord application.

Figure 12 – Discord injection script

Ultimately, the Discord application is launched with modified TA code, enabling unauthorized access and collection of user data such as User’s email, password, Nitro subscriptions and any payment information etc. The collected data is then sent to the attacker’s Webhook URL

The below image shows the format (embed) of collected data before sending it to the TA.

Figure 13 – Discord embed before sending to TA’s Webhook

Exela Targeting Chromium-based browsers

Exela Stealer proceeds to search through directories related to several Chromium-based web browsers, including Google Chrome, Opera, Vivaldi, Microsoft Edge, and Brave, on the victim’s computer. Upon identifying these browsers, it extracts various data from their respective database files located at the following paths:

  • “AppData\Local\Browser-Name\User Data\Default\Login Data”
  • “AppData\Local\Browser-Name\User Data\Default\Web Data”
  • “AppData\Local\Browser-Name\User Data\Default\Network\Cookies”
  • “AppData\Local\Browser-Name\User Data\Default\History”

The following table provides a summary of the queried and retrieved values from the respective database files.

Data collectedFiles
Login credentials (username and password)Login Data
Credit card information (card number, expiration year, expiration month, name on card)Web Data
Cookies data (host_key, name, path, encrypted value)Cookies
URL, target_path from downloadsHistory
url, title, visit_count, last_visit_time from urlsHistory

Once all the data is collected, the stealer adds the content to the respective lists – which function as temporary storage – for further processing.

Exela Targeting Firefox Browser

Next, Exela Stealer prioritizes Mozilla Firefox browser profiles present on the targeted system to gather cookie and browsing history information. User data in Firefox-based browsers is typically stored in a “Profiles” folder within the “AppData\Browser_name” directory. The stealer scans each Mozilla Firefox profile directory to retrieve the following details from the database files utilized by the Firefox web browser.

Database filePurposeExtracted data from moz_cookies and moz_places table
cookies.sqlitestores cookie datahost, name, path, value, and expiry
places.sqlitecontains browsing historyID, URL, title, visit count, and last visit date

Using the cookie data obtained from the browsers, Exela Stealer filters cookies associated with specific websites such as Instagram, Twitter, TikTok, Reddit, Steam, and Roblox. It does so by examining the “host” and “name” attributes.

If the “host” attribute contains the name of the targeted website (in a case-insensitive manner) and the “name” attribute includes “sessionid,” the stealer proceeds to extract values from the “moz_cookies” table.

After obtaining these values, the stealer attempts unauthorized access to the victim’s user accounts on the platforms mentioned above. It does this by sending HTTP GET requests to unique API URLs for each platform and retrieving specific session information. The provided image illustrates the code snippet for making an Instagram request.

Figure 14 – Exela Stealer making GET request for Instagram

After a successful request, the API responses from each platform usually contain session information in JSON format. The following table summarizes the session information extracted by the Exela Stealer from the responses of all these platforms.

PlatformsExtracted data from JSON
InstagramProfile URL – Username – Nickname – Verification Status – Email – Followers – Following – Biography
TwitterProfile URL – Username – Screen Name – Biography – Follower Count – Following Count – Total Tweets – Created At – Verification Status
TikTokUser Identifier – Profile URL – Username – Email – Phone – Coins
RedditProfile URL – Username – Email – Comment Karma – Total Karma – Coins – Moderator Status – Gold Status – Suspended Status
SteamSteam ID – Profile URL – Profile Name – Time Created – Player Level
RobloxProfile URL – Total Robux – Name – Email – Email Verification Status

Finally, the stealer creates an embed, which is a specific formatting method for presenting information in Discord. It populates this embed with the acquired session data and dispatches it to a Discord webhook URL associated with the attacker. This enables the attacker to receive the captured session data in an organized manner through a Discord channel or chat.

Discord Token Stealer

This stealer targets multiple application folders, including Discord, Discord Canary, Discord PTB, Opera GX, Opera, Chrome, Brave, Edge, and Vivaldi, in search of files with either the “.log” or “.ldb” extensions. Here are the directory paths where it conducts its searches:

  • C:\Users\User Profile\ AppData\Roaming \discord\Local Storage\leveldb
  • C:\Users\User Profile\AppData\Roaming \discordcanary\Local Storage\leveldb
  • C:\Users\User Profile\AppData\Roaming \discordptb\Local Storage\leveldb
  • C:\Users\User Profile\AppData\Local\Opera Software\Opera GX Stable
  • C:\Users\User Profile\AppData\Local\Opera Software\Opera Stable
  • C:\Users\User Profile\AppData\Local\Google\Chrome\ User Data
  • C:\Users\User Profile\AppData\Local\BraveSoftware\Brave-Browser\User Data
  • C:\Users\User Profile\AppData\Local\Microsoft\Edge\User Data
  • C:\Users\User Profile\AppData\Local\Vivaldi\User Data

Upon locating these files, Exela Stealer proceeds to read the content and applies a regular expression pattern to filter Discord tokens. The image below showcases the specific regular expressions used to identify tokens, both within the Discord application folder and the browser folder.

Figure 15 – Code used to identify tokens

These identified tokens are then decrypted using the decryption key found in a “Local State” file, which by default is located in “C:\Users\{user Profile]\AppData\Roaming\discord\”.

Once the identified tokens are successfully decrypted, the stealer sends a GET request to the Discord API with the stolen token in the Authorization Header, as shown in the figure below.

Figure 16 – Discord GET Request

If the response status code is 200 (indicating success), it retrieves additional user information such as user ID, username, email, phone number (if available), MFA (Multi-Factor Authentication) status, Nitro subscription status, billing/payment information (if available), biography from the Discord API. These are then sent to the TA’s Webhook URL.

Keylogging

If this feature is enabled, the stealer records all keystrokes in a text file named “key_logs.txt” located within the “\appdata\local\temp” directory and keeps track of the number of keys pressed. Once the total count of keys pressed reaches or exceeds 300, the stealer begins sending this captured keystroke data to the Discord webhook URL, which was configured during the stealer’s setup.

Upon successfully transmitting the logs, the stealer resets the key press count and wipes the log file clean, preparing itself for future keystroke monitoring.

Screenshots:

The stealer takes screenshots of all connected monitors and stores them as separate PNG image files in the %temp%\{UUID} directory. This is achieved by executing a PowerShell script containing obfuscated code. This script results in the execution of a C# code.

Figure 17 – Deobfuscated CS code

The C# code shown above is compiled and executed when the PowerShell script uses the ‘Add-Type’ cmdlet. By executing this command, the C# compiler(csc.exe) is invoked by PowerShell to compile the C# code on the fly. The image below shows the process chain for compiling and executing the C# code.

Figure 18 – process chain for compiling C# code

In recent observations, we’ve noticed several malware families, including Blank Grabber and AgentTesla, utilizing this method to load their components and avoid detection.

Additional Data captured

In addition to capturing screens, Exela Stealer gathers various other data points from the compromised system. The table below provides an overview of these additional functionalities of Exela Stealer.

  • Active_window_title: Retrieves the title of the currently active window on the system.
  • clipboard_text: Retrieves and stores the last text data copied to the clipboard.
  • last_clipboard_image: Retrieves and saves the last image data copied to the clipboard as a file.
  • System Information: Gathers various system information, including system details, environment variables, logical disk information, user details, startup information, and firewall status.
  • WifiPasswords: Collects Wi-Fi network profiles and their associated passwords saved on the system and stores them in a file.

The below image shows the process and commands used to achieve the stealing activities mentioned above.

Figure 19 – Commands used for various stealing activities

Collection and Exfiltration

All the harvested data from the respective lists is then stored in text files within a newly generated directory identified by a Universally Unique Identifier (UUID). This folder is located within the system’s “%temp%” directory.

The image below shows the location of these newly generated files.

Figure 20 – Files created for exfiltration

Prior to forwarding the gathered data in a ZIP file to the TAs, the stealer assembles an embedded message resembling a report. This message comprises numerous sections containing developer details, session records, statistics, and more.

It is customized with a title, description, color, URL, and a thumbnail image. Subsequently, the code dispatches the embed message to a Discord webhook along with an accompanying ZIP file. After the message has been sent, the code ensures the removal of both the ZIP file and the temporary directory created earlier.

Future enhancements

We have also noticed a few defined functions in the code: `setSpotify`, `setYoutube`, and `setTwitch`. While they currently don’t contain any functionalities, it appears that the author has left room for future enhancements in upcoming versions of Exela Stealer.

The below image shows the empty function definitions.

Figure 21 – Features may come in the next version

Conclusion

Open-source repositories have become a double-edged sword in the fields of software development and cybersecurity. On the positive side, these platforms have democratized access to valuable code, fostering collaboration, innovation, and transparency within the software development community. However, this accessibility has also exposed vulnerabilities, inviting malicious actors to exploit these resources for their own purposes.

Exela Stealer is a pertinent example of an open-source project that, through Discord webhooks, showcases how individuals can effortlessly gather sensitive information from compromised systems. This underscores the inherent risks associated with open-source repositories, particularly when misused by a Threat Actor.

Our Recommendations

  • Given that this stealer is available as open source, there is a higher likelihood that it could be distributed through various channels, such as phishing websites or free software download platforms. It’s essential to emphasize the importance of downloading and installing software exclusively from reputable and well-established sources. It’s strongly recommended to avoid acquiring software from online sources that lack credibility or proper verification.
  • Monitor the network communication to block data exfiltration by this stealer.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.

MITRE ATT&CK® Techniques

Tactic TechniqueProcedure
Initial Access (TA0001)Phishing (T1566)This malware could reach users via phishing sites.
Execution  (TA0002)User Execution (T1204)The user needs to manually execute the malicious file downloaded from the
phishing site.
Execution  (TA0002)Command and Scripting
Interpreter (T1059)
cmd.exe is used to collect system
information.
Execution  (TA0002)Command and Scripting
Interpreter (T1059.001)
PowerShell commands are used to compile C# code.
Execution  (TA0002)Windows Management Instrumentation (T1047)WMIC command used to get system
information.
Persistence (TA0003)Registry Run Keys /
Startup Folder (T1547.001)
The malware adds run entry/Startup for persistence.
Defense Evasion (TA0005)Virtualization/Sandbox Evasion (T1497)Performing Anti-VM/Anti-Debug technique
for evasion
Defense Evasion (TA0005)Disable or Modify Tools
(T1562.001)
The malware scans for VM and Debugger-
related processes and terminates them.
Credential Access (TA0006)Input Capture (T1056.001)The malware possesses the capability to
engage in keylogging activities.
Discovery (TA0007)Process Discovery (T1057)The malware captures all the running process
Discovery (TA0007)System Information
Discovery (T1082)
The malware gathers system information through PowerShell, Command Prompt
(cmd), and WMIC.
Discovery (TA0007)Security Software
Discovery (T1518.001)
The malware is searching for processes
associated with virtual machines and
debuggers to forcibly terminate.
Collection (TA0009)Data from the Local System
(T1005)
The malware collects sensitive data from
victim’s system.
   

Indicators Of Compromise

IndicatorsIndicator
Type
Description
b9bc445af6729a95599f1a39e37f559f3ca18dbbc8ae4e60263af565ef4f4db3SHA256Exela-V2.0-main.rar
882484b56ad4418786852f401b1b81f31030bec8566b6b07c9798d4ea3033516SHA256Exela Stealer
ccb1337383351bb6889eb8478c18c0142cb99cbb523acc85d0d626d323f5d7adSHA256Exela Stealer
d8488f93b8c096838b3d9b335091216667ce4ffc7ae2cf3c8925271f0f190c11SHA256Exela Stealer
b6ca47065e68aebb007657ff0e6b0dfa0fc4e19823f336ab73f42b25dd5cfc22SHA256Exela Stealer
206278545b897a7e2ebb1ec4687e6ec31d7ca8f1828792a34f4fca745db8e3d4SHA256Exela Stealer
53b1b3c6f73312cdae7be69d16a42d298fae0cb3721c7fc11252f65b10f5a323SHA256Exela Stealer
2db54628a877ab40463a128496cb94523ccae6186d1648c6f372c719f6ed8152SHA256Exela Stealer

YARA Rule

rule Exela_Stealer

{

meta:

author = “Cyble”

description = “Detects Exela Stealer”

date = “2023-09-25”

os = “Windows”

threat_name = “Exela Stealer”

scan_type = “file”

severity = 90

reference_sample = “ccb1337383351bb6889eb8478c18c0142cb99cbb523acc85d0d626d323f5d7ad”

strings:

$a = “Exela Corporation” ascii wide

$b = “Exela Update Service” ascii wide

$c = “Exela.exe” ascii wide

condition:

uint16(0) == 0x5a4d and all of them

}

Scroll to Top