A Stealer Capable of Targeting Both Windows and Linux Users
Cyble Research and Intelligence Labs (CRIL) came across a new malware strain called “WhiteSnake” Stealer. The stealer was first identified on cybercrime forums at the beginning of this month. It is designed to extract sensitive information from the victim’s computer.
This stealer is advertised in versions for both Windows and Linux. It gathers a range of sensitive information, including passwords, cookies, credit card numbers, screenshots, and other personal or financial data. Once the stolen files have been collected and compressed, the stealer sends them to a Telegram bot. It is worth noting that the stealer binary is still under active development and is updated by the Threat Actors (TAs) on a near-daily basis.
The below figure displays the TA’s advertisement on a cybercrime forum, which includes the name of the stealer and its functionalities.
WhiteSnake Stealer is priced as shown below:
- $120 / 1 month
- $300 / 3 months
- $500 / 6 months
- $900 / 1 year
- $1,500 / lifetime
As per the advertisement screenshot shared by the TA, WhiteSnake Stealer has also been released for Linux, with functionality identical to the Windows version. The Linux stealer is advertised as a 5KB payload that the builder can emit as a .py or .sh file.
While CRIL did not find WhiteSnake Stealer samples specifically aimed at Linux systems, several samples intended for Windows were identified. This blog covers the technical details of WhiteSnake Stealer with the aim of understanding its behavior and capabilities.
The initial infection begins with a spam email containing an executable file disguised as a PDF document. The executable file is actually a BAT file that has been converted into an executable format using the “Bat2Exe” converter. When the user runs this executable file, it drops a BAT file named “tmp46D2.tmp.bat” in the %temp% folder and executes it.
The BAT file further executes a PowerShell script, which then proceeds to download another BAT file named “build.bat” from a Discord URL, as shown in the figure below.
The downloaded “build.bat” file (SHA256: 2a85f257acd4bb897e5d1c2c571fe7e3f2a76a668106ba5954f6b29a569a1094) has been deliberately stored in UTF-16 encoding, which defeats naive single-byte string matching on the file.
The image below depicts the “build.bat” file opened in a text editor, where the UTF-16 bytes are misinterpreted and rendered as Chinese characters. Once decoded with the correct encoding, the BAT file contains a Base64-encoded executable inserted between certificate markers.
After running the “build.bat” file, the script uses the “CERTUTIL” executable (certutil -decode) to decode the Base64 content enclosed between the two certificate boundaries; certutil treats the text between the BEGIN/END CERTIFICATE lines as PEM and writes the decoded bytes to disk, which is why the trick works without any scripting engine.
The decoded output is then saved as a binary executable file named “build.exe” in the %temp% folder.
Finally, the BAT file runs the “build.exe” file, as illustrated in the figure below.
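To pull the embedded binary out of a dropper like “build.bat” without running certutil, the following added Python (not part of the original report, nor the stealer’s own code) decodes the UTF-16 text, locates the certutil -decode command and the blob between the certificate markers, Base64-decodes it and checks for a PE header. The sample script, the payload bytes and the exact command layout are constructed for the example and only approximate the real file; the real build.bat is not reproduced here.

```python
import base64
import codecs
import hashlib
import re

# Constructed stand-in for the bytes certutil would write out: an MZ header
# plus filler. This is NOT a real PE.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"constructed-sample-payload-not-a-real-pe"


def certutil_wrap(payload: bytes) -> str:
    """Wrap bytes the way 'certutil -encode' does: PEM markers, 64-char lines."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\r\n" + "\r\n".join(lines)
            + "\r\n-----END CERTIFICATE-----\r\n")


# Constructed dropper modelled on the behaviour described in the text (decode
# the embedded blob with certutil, write build.exe to %temp%, run it). The
# command layout is an assumption, not a copy of the real script.
SAMPLE_BAT_TEXT = (
    "@echo off\r\n"
    'certutil -f -decode "%~f0" "%temp%\\build.exe"\r\n'
    'start "" "%temp%\\build.exe"\r\n'
    "exit\r\n"
    + certutil_wrap(SAMPLE_PAYLOAD)
)
# Stored as UTF-16 LE with BOM, as the text says the real file was.
SAMPLE_BAT = codecs.BOM_UTF16_LE + SAMPLE_BAT_TEXT.encode("utf-16-le")

CERTUTIL_RE = re.compile(
    r'certutil(?:\s+-\S+)*?\s+-decode\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?', re.I)
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def decode_bat_text(raw: bytes) -> str:
    """Decode a BAT file that may be UTF-16 (with or without BOM) or 8-bit text."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    # No BOM: UTF-16 ASCII text carries a NUL in every other byte.
    if len(raw) >= 4 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le")
    if len(raw) >= 4 and raw[0::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-be")
    return raw.decode("utf-8", errors="replace")


def misread_as_big_endian(raw: bytes) -> str:
    """Show why the file 'looks Chinese' in an editor: read the UTF-16 LE bytes
    with the wrong byte order. ASCII 'b' stored as 62 00 becomes U+6200."""
    body = raw[2:] if raw.startswith(codecs.BOM_UTF16_LE) else raw
    return body.decode("utf-16-be", errors="replace")


def extract_certutil_payload(text: str):
    """Return the bytes certutil -decode would produce, or None if no PEM block."""
    m = PEM_RE.search(text)
    if not m:
        return None
    return base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)


def analyze_dropper(raw: bytes) -> dict:
    """Static triage of a certutil-style BAT dropper: decode text, recover the
    certutil input/output paths and the embedded payload, flag a PE header."""
    text = decode_bat_text(raw)
    cmd = CERTUTIL_RE.search(text)
    payload = extract_certutil_payload(text)
    return {
        "decode_input": cmd.group(1) if cmd else None,
        "drop_path": cmd.group(2) if cmd else None,
        "payload": payload,
        "is_pe": payload is not None and payload[:2] == b"MZ",
        "sha256": hashlib.sha256(payload).hexdigest() if payload else None,
    }


if __name__ == "__main__":
    result = analyze_dropper(SAMPLE_BAT)
    print("drop path:", result["drop_path"])
    print("payload is PE:", result["is_pe"], "sha256:", result["sha256"])
```

The PE check is deliberately minimal; in practice the recovered bytes go straight to a hash lookup and a .NET decompiler, as the report does with build.exe.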
The payload “build.exe” is a 32-bit, GUI-subsystem .NET executable identified as WhiteSnake Stealer (SHA256: b4c9d3abd4fe5b4be84884c933e8d9a6a80ce326e05432a7ecb8a7c28f393941).
The figure below shows the static details of the malicious binary file.
When “build.exe” is executed, it first creates a mutex named “kwnmsgyyay” so that only one instance of the malware runs at a time on the compromised system.
To obtain the mutex name, the malware decrypts hardcoded encrypted strings in the binary using a function named Ibhiyptxjhiacrnxomvqjb(). This function is called throughout the malware to recover every string the stealer needs, so hooking or re-implementing it is the quickest way to enumerate the sample’s targets and configuration.
The below image displays the code snippet of the function responsible for decrypting strings in the malware.
After creating the mutex, the malware runs its AntiVM() function, which is designed to stop execution inside a virtual environment.
This function queries the system’s “Manufacturer” and “Model” fields with the WMI query “SELECT * FROM Win32_ComputerSystem” and compares the values with specific strings associated with Virtual Machines (VMs), as indicated in Figure 6. On a match the malware terminates without further execution, so a sandbox that exposes hypervisor vendor strings in these fields will record no stealer activity at all.
After performing an Anti-VM check, the malware calls the Create() function, which then executes the ProcessCommands() function. This function is specifically designed to obtain sensitive information from multiple sources, including web browsers, messaging apps, FTP clients, and cryptocurrency wallets, among others.
The ProcessCommands() function of the malware is capable of stealing files such as “Cookies”, “Autofills”, “Login Data”, and “Web Data” from various browsers:
- Mozilla Firefox
- Google Chrome
- Microsoft Edge
It also steals wallet files from the local directories of various cryptocurrency wallets, and it can additionally retrieve data from crypto wallet browser extensions, as shown below.
Additionally, the malware gathers sensitive session data from messaging applications like Discord, Pidgin, Steam, and Telegram. Moreover, it can extract files from mail clients such as Thunderbird, FTP clients like FileZilla, and various other applications, including Snowflake.
The code snippet below shows the routine that collects these sensitive files from the various applications.
Once the malware has gathered the targeted files from these applications, it Base64-encodes each file’s contents and stores them in an XmlArray structure named ‘Files’.
Additionally, it captures the victim’s system information, including a screenshot, and saves it in another XmlArray structure called ‘Information’, as illustrated in the figure below.
The malware then uses the XmlSerializer class to serialize this data to XML. The image below displays the collected sensitive data in XML form.
The XML data is then compressed and encrypted with the RC4 algorithm, using the code snippet shown in the figure below. Because RC4 is a symmetric cipher, recovering the key from the sample lets an analyst decrypt and inspect captured reports offline.
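The report pipeline described above, as an added example rather than the stealer’s own code: an RC4 routine, a builder that produces a report of the described shape (Base64 file contents under ‘Files’, system details under ‘Information’, serialized to XML, compressed, RC4-encrypted), and the decoder an analyst would apply to a captured report once the key is known. The XML element and attribute names, the compression scheme (gzip on build; gzip, zlib and raw Deflate tried on decode), the key and the sample data are all assumptions; the real key and schema must be recovered from the binary.

```python
import base64
import gzip
import zlib
import xml.etree.ElementTree as ET

# Assumptions: the real sample's key and data are not known from the text.
SAMPLE_KEY = b"example-rc4-key"
SAMPLE_FILES = {
    "Login Data": b"SQLite format 3\x00constructed-not-a-real-db",
    "Cookies": b"SQLite format 3\x00constructed-cookie-store",
}
SAMPLE_INFO = {"Username": "jdoe", "ComputerName": "DESKTOP-7F3K1", "OS": "Windows 10 Pro"}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_report(files: dict, information: dict, key: bytes) -> bytes:
    """Produce a report in the described shape. Element/attribute names and the
    gzip compression are assumptions used to make the decoder testable."""
    root = ET.Element("Report")
    files_el = ET.SubElement(root, "Files")
    for name, content in files.items():
        f = ET.SubElement(files_el, "File")
        f.set("Name", name)
        f.text = base64.b64encode(content).decode("ascii")
    info_el = ET.SubElement(root, "Information")
    for name, value in information.items():
        e = ET.SubElement(info_el, "Entry")
        e.set("Name", name)
        e.text = value
    xml_bytes = ET.tostring(root, encoding="utf-8")
    return rc4(key, gzip.compress(xml_bytes))


def _decompress(blob: bytes) -> bytes:
    """Try the compression formats a .NET stealer is likely to use."""
    for fn in (gzip.decompress, zlib.decompress, lambda b: zlib.decompress(b, -15)):
        try:
            return fn(blob)
        except (OSError, EOFError, zlib.error):
            continue
    raise ValueError("not a recognised compressed stream (wrong RC4 key?)")


def decode_report(blob: bytes, key: bytes) -> dict:
    """Reverse the pipeline on a captured report: RC4 -> decompress -> XML -> Base64."""
    xml_bytes = _decompress(rc4(key, blob))
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise ValueError(f"decrypted data is not XML: {exc}")
    files = {f.get("Name"): base64.b64decode(f.text or "") for f in root.iter("File")}
    info = {e.get("Name"): (e.text or "") for e in root.iter("Entry")}
    return {"files": files, "information": info}


if __name__ == "__main__":
    blob = build_report(SAMPLE_FILES, SAMPLE_INFO, SAMPLE_KEY)
    report = decode_report(blob, SAMPLE_KEY)
    print("recovered files:", sorted(report["files"]))
    print("victim info:", report["information"])
```

A wrong key does not fail silently: the decompressor rejects the garbage (or, rarely, the XML parser does), which is the check an analyst wants when trying candidate keys pulled from the string-decryption routine.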
Once the stolen data has been processed, the malware uploads it with a filename (e.g., Username@Computername_report.wsr) and content type (e.g., application/octet-stream) to the Telegram bot URL shown below.
The figure below shows the code snippet of the function used by the malware to send the stolen data to the Telegram bot.
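Detecting the upload on the network, as an added example not drawn from the report: the function below scans constructed proxy-log lines for POST requests to Telegram’s public Bot API upload method (api.telegram.org/bot<id>:<secret>/sendDocument, the standard Bot API endpoint; the actual bot URL used by this sample is not reproduced here), redacts the token before it lands in a ticket, and raises the severity when the uploaded filename matches the _report.wsr pattern named above. The log format, the bot token, the hostnames and the client addresses are constructed for the example.

```python
import re

# Telegram Bot API upload/message methods. Tokens look like "<bot_id>:<secret>".
TELEGRAM_API_RE = re.compile(
    r"^/bot(\d+):([A-Za-z0-9_-]{20,})/(sendDocument|sendMessage)\b")
WSR_RE = re.compile(r"_report\.wsr$", re.I)

# Constructed proxy log (tab-separated: ts, src, method, host, uri, upload
# filename as logged from Content-Disposition or "-"). Not real traffic; the
# bot token is fake.
SAMPLE_LOG = """\
2023-02-21T10:01:02Z\t10.0.0.15\tGET\tweb.telegram.org\t/\t-
2023-02-21T10:01:09Z\t10.0.0.23\tPOST\tapi.telegram.org\t/bot5551234567:AAFakeTokenForTheExample_0123456789AB/sendDocument\tjdoe@DESKTOP-7F3K1_report.wsr
2023-02-21T10:02:30Z\t10.0.0.23\tPOST\tapi.telegram.org\t/bot5551234567:AAFakeTokenForTheExample_0123456789AB/sendMessage\t-
2023-02-21T10:03:11Z\t10.0.0.40\tPOST\tupdates.example.com\t/v1/upload\tbackup.zip
"""


def report_filename(username: str, computername: str) -> str:
    """Filename pattern the report gives for the exfiltrated bundle."""
    return f"{username}@{computername}_report.wsr"


def detect_telegram_exfil(log_text: str) -> list:
    """Flag Bot API uploads from internal hosts; escalate on the .wsr name."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 6:
            continue
        ts, src, method, host, uri, filename = parts
        if host.lower() != "api.telegram.org" or method.upper() != "POST":
            continue
        m = TELEGRAM_API_RE.match(uri)
        if not m:
            continue
        bot_id, secret, api_method = m.groups()
        finding = {
            "ts": ts,
            "src": src,
            "bot_id": bot_id,
            # Keep the full secret out of alerts; the bot id is enough to pivot on.
            "token_redacted": f"{bot_id}:{secret[:4]}...",
            "api_method": api_method,
            "filename": None if filename == "-" else filename,
            "severity": "medium",
        }
        if finding["filename"] and WSR_RE.search(finding["filename"]):
            finding["severity"] = "high"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_telegram_exfil(SAMPLE_LOG):
        print(f["severity"], f["src"], f["api_method"], f["filename"], f["token_redacted"])
```

Any Bot API upload from a workstation is worth a look even without the .wsr name, since legitimate Telegram clients talk to Telegram’s own servers, not to the Bot API; the bot id survives redaction so that a takedown request to Telegram can still be filed.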
The image below displays the exfiltrated information of the victim, as viewed on the attacker’s panel.
WhiteSnake Stealer is a recently emerged Infostealer. Despite the availability of established and widely used Infostealers in the cybercrime market, TAs keep adopting new toolkits to refresh their tactics, techniques, and procedures and evade antivirus detection. In this case, the stealer has expanded its reach by adding a Linux-based version alongside the Windows version in order to target a broader range of users.
Cyble Research and Intelligence Labs will maintain its surveillance on the latest phishing or malware strains in circulation, providing up-to-date blogs containing actionable intelligence to safeguard users against these infamous attacks.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices as mentioned below:
- Avoid downloading pirated software from warez/torrent websites. Cracks and “hack tools” promoted on YouTube, torrent sites, and similar platforms frequently carry such malware.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees in terms of protecting themselves from threats like phishing/untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor beaconing and uploads to unexpected services at the network level to detect and block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
MITRE ATT&CK® Techniques

| Tactic | Technique ID | Technique Name |
|---|---|---|
| Execution | T1204 | User Execution |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Credential Access | T1528 | Steal Application Access Token |
| Credential Access | T1003 | OS Credential Dumping |
| Discovery | T1010 | Application Window Discovery |
| Discovery | T1518.001 | Security Software Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Collection | T1005 | Data from Local System |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1105 | Ingress Tool Transfer |
Indicators of Compromise

| Indicators | Indicator Type | Description |
|---|---|---|
| MD5, SHA1, SHA256 | Hash | Initial WhiteSnake Stealer Loader |
| MD5, SHA1, SHA256 | Hash | BAT Downloader |
| hxxps[:]//cdn[.]discordapp[.]com/attachments/1077715839513526352/1077716714613121074/build[.]bat | URL | Stealer Download Link |
| 2a85f257acd4bb897e5d1c2c571fe7e3f2a76a668106ba5954f6b29a569a1094 | SHA256 | BAT Dropper (build.bat) |
| b4c9d3abd4fe5b4be84884c933e8d9a6a80ce326e05432a7ecb8a7c28f393941 | SHA256 | WhiteSnake (build.exe) |
| MD5, SHA1, SHA256 | Hash | WhiteSnake |
| MD5, SHA1, SHA256 | Hash | WhiteSnake |
| MD5, SHA1, SHA256 | Hash | WhiteSnake |