New Stealer Rapidly Evolving into Clipper Malware
During a routine threat-hunting exercise, Cyble Research Labs came across a post on Telegram selling an information stealer malware called “NoMercy stealer.” The malware developer is currently selling the stealer for 780 Indian rupees or 10 USD, indicating that the stealer is developed primarily for Indian Threat Actors (TA). The NoMercy stealer developer is also rapidly adding new capabilities.
The stealer is very primitive, and our observations indicate that it is at the initial stages of development. The NoMercy stealer initially checks for the system’s public IP using hxxp://api.ipify[.]org.
After getting the public IP, the stealer registers itself with the Command-and-Control server (C&C). After registration, the stealer sends various system information to the C&C server.
The stealer then proceeds to continuously send screenshots, keystrokes, webcam photos, and device audio to the C&C server. The figure below shows the Telegram post made by the NoMercy developer.
The Threat Actors (TAs) behind this group are actively working on enhancing the capabilities of the stealer. During the course of our analysis, we noticed that the TAs had added new features to this stealer, including clipper and VPN client-stealer capabilities.
The TAs behind NoMercy are selling this new version of the stealer for 20$. The figure shows the post for NoMercy stealer version v1.1.0.
The sha-256 of the information stealer is 9ecc76d4cda47a93681ddbb67b642c2e1f303ab834160ab94b79b47381e23a65.
This stealer is a 32-bit, console-based C# executable file. The file is a debug version of this stealer project. Figure 3 shows the basic file information.
The NoMercy stealer has a hardcoded configuration embedded into the source code. The configuration contains the details such as C&C URL, file name for establishing persistence, version information, etc. The figure below shows the configuration details.
After initial execution, the information stealer copies itself into the start-up folder of the user’s machine. This results in the execution of the stealer at the time of the system restart.
The figure below shows the malicious file in the start-up folder named “WindowsKernalDrivers.exe.”
After establishing persistence, the stealer generates a unique UID using system artifacts such as the victim’s public IP and account name. The stealer gets the public IP of the victim from hxxp://api.ipify[.]org and appends the account name generated using the whoami command. The figure below shows the method GenerateUID() used to get the UID.
After generating UID, the stealer registers itself to the C&C server using the UID and stealer’s version information. The stealer then uses the format for its C&C communications using the method PostUID(). The TA thus gains information about the victim’s public IP, user account, and stealer version in the below format:
hxxp://six-clowns-sing-103-119-240-166.loca[.]lt/a?uid=[public IP]@[Current Username]&version=NoMercy-v1.0
After sending the victim data to the C&C server, the stealer collects various system information data points from the victim using cmd.exe. The information is extracted using various commands such as whoami, arp, ipconfig, etc. The figure below shows all these commands being used by the stealer.
After getting the internal system information, the stealer queries and extracts additional system information from the infected system such as public IP, hardware ID, main memory, GPU, MAC address, private IP, OS version, details of any antivirus software installed, keyboard language, clipboard, running processes and CPU information.
The figure below shows the code used by the malware to collect additional system information.
After collecting the information, the stealer encodes the stolen data to a base64 string and sends the information to the C&C server.The stealer calls the PostCLIInfoCNC() and PostOtherInfoCNC() methodsfor sending the information to its C&C server, as shown below.
After sending all the victim’s information to its C&C server, the malware runs three separate threads for different operations, which are:
- Send screenshots
- Send microphone audio
- Send webcam snapshots
The malicious URL resolves to the IP address 193.34.76[.]44, which is highly active and hosts multiple malicious files. We have observed strains of various information stealers connecting to this IP.
The NoMercy stealer is a very crude and simple information stealer in its initial stages. The TAs behind this stealer are actively modifying the stealer and adding additional capabilities.
The active infections are not very high in volume but are a good indicator of the trends of the TAs involved. One such emerging trend is adding clipper capabilities to the malware. Cyble Research Labs continuously monitors all new and existing malware to keep our readers aware and informed.
MITRE ATT&CK® Techniques
|Persistence||T1547||Boot or Logon AutoStart Execution|
Network Service Discovery
System Information Discovery
System Network Configuration
Discovery System Owner/User Discovery
|Command and Control||T1071||Application Layer Protocol|
Indicators of Compromise (IOCs)
|hxxp://six-clowns-sing-103-119-240-166.loca[.]lt/||URL||Command and Control|
|193.34.76[.]44||IP||Command and Control|