A New Info Stealer Performing Clipper And Keylogger Activities
Cyble research labs discovered a new Infostealer named Prynt Stealer. The stealer is new on the cybercrime forums and comes with various capabilities. Along with stealing the victim’s data, this stealer can also perform financial thefts using a clipper and keylogging operations. Additionally, it can target 30+ Chromium-based browsers, 5+ Firefox-based browsers, and a range of VPN, FTP, Messaging, and Gaming apps. Furthermore, a builder may customize the functionality of this stealer.
The developer of the stealer recently claimed the recent versions of the stealer to be FUD (Fully Undetectable), as shown in Figure 2. We could also spot a few stealer logs available for free on the Telegram channel.
The embedded binary contains hardcoded strings which are encrypted using AES256 and Rijndael encryption algorithm. Prynt Stealer is a .Net-based malware. Figure 3 shows the file details.
The sample (SHA 256: 1283c477e094db7af7d912ba115c77c96223208c03841768378a10d1819422f2) has an obfuscated binary stored as a string, as shown in Figure 4.
The binary is encoded using the rot13 cipher. ROT13 (rotate by 13 places) replaces a letter with one after 13 positions from the current letter. The rot13 algorithm is applied on a Base64 encoded binary in this sample. The malware rather than dropping the payload executes it directly in the memory using AppDomain.CurrentDomain.Load() method.
The malware uses ServicePointManager class to establish an encrypted channel to interact with the server. There are a few hardcoded strings encrypted using the AES256 algorithm. All these strings are decrypted by calling Settings.aes256. Decrypt() method is assigned back to the same variables, as shown in the Figure below.
After this, the malware creates a hidden directory in the AppData folder, which will be named using the MD5 hash value. The Figure below shows the part of code in malware for creating and hiding a directory.
Then a subfolder is created inside the parent directory created above and is named using the format “username@computername_culture.” Malware will also create other folders inside this folder, such as Browsers, Grabber, etc. These folders will be used for saving the stolen data from respective sources.
The malware then identifies all the logical drives present in the victim’s system using the DriveInfo() class and checks for the presence of removable devices. Next, the malware adds the drive’s name and path to its target list for stealing data. After identifying the drive details, the malware steals the files from the targeted directories, as shown in Figure 8. The malware uses a multithreading approach for stealing the files fast from the victims’ machines. Prynt Stealer only steals the files whose size is less than 5120 bytes and should have the following extensions:
Document: pdf, rtf, doc, docx, xls, xlsx, ppt, pptx, indd, txt, json.
Database: db, db3, db4, kdb, kdbx, sql, sqlite, mdf, mdb, dsk, dbf, wallet, ini.
Source Code: c, cs, cpp, asm, sh, py, pyw, html, css, php, go, js, rb, pl, swift, java, kt, kts, ino.
Image: jpg, jpeg, png, bmp, psd, svg, ai.
After stealing files from the victim’s system, Prynt Stealer steals data from browsers.
Targeted browsers include:
- Chromium-based browsers
- MS Edge
- Firefox-based browsers
It first creates a folder named “Browsers” and then checks for the Browsers directories (refer to the Figure below) in the “AppData” folder using Directory.Exists() method. If it returns true, the malware starts stealing data from the respective location. The stealer can target nearly all chromium-based browsers, as can be seen in the Figure below. The Chromium browsers use multiple .sqlite files for storing users’ data.
It steals the master key from the “Local Sate” file, which is used for decrypting the sensitive information stored in the browsers.
The malware steals Credit Cards, Passwords, Cookies, Autofill, History, Downloads, and Bookmarks data from browsers, and saves the stolen data in respective text files created under the “Browsers\Browser_Name\” directory.
Files targeted by malware for stealing data:
- Web Data (for Autofill data)
- Login Data (for Login Credentials)
- History (for search history)
- Cookies (for browser Cookies)
While stealing the data from browsers, the malware also checks if keywords belonging to services such as Banking, Cryptocurrency, and Porn are present in the browser data using ScanData() method. The Figure below shows the services for which malware runs string search operations.
MS Edge Browsers:
The malware first checks for the directory “\AppData\Local\Microsoft\Edge\User Data,” which helps identify if an edge browser is installed on the victim’s system. After this, it enumerates all the files in the system and checks if the “Login Data” file is present. If so, then it steals the data from the browser, as can be seen in the Figure below. Finally, the ScanData() method is used again to steal the data from the Edge browser
Prynt stealer targets eight Firefox-based browsers which can be seen in Figure 13.
The malware only proceeds to steal data if the Profile folder is present under the “AppData\Browser_name” directory. Firefox Browser uses this folder for saving user data. The malware copies the “logins.json” file from the “Profile” folder to the initially created folder for saving stolen data. The “Logins.json” file is used for storing the Firefox login credentials. Following files are targeted by malware for stealing data, present under the “Profile” folder:
- Places.sqlite (for Bookmarks and History)
- cookies.sqlite (for browser cookies)
- logins.json (for Login Credentials)
After stealing data from browsers, the malware targets the following messaging applications:
The malware first creates a folder names Messenger which will be used for saving data from these applications.
After this, the malware checks for Discord tokens. It first searches for the following directories:
- Discord\\Local Storage\\leveldb
- discordptb\\Local Storage\\leveldb
- Discord Canary\\leveldb
It only proceeds if the above directory exists. If directories are present, malware checks for files ending with .ldb or .log and extracts Discord tokens from them using regular expression. Then it creates a folder named “Discord” and will write the stolen tokens to “Tokens.txt.”
Pidgin is a chat program that lets you log in to accounts on multiple chat networks simultaneously. It is compatible with the following chat networks: Jabber/XMPP, Bonjour, Gadu-Gadu, IRC, Novell GroupWise Messenger, Lotus Sametime, SILC, SIMPLE, and Zephyr.
The malware first identifies if “.purple\\accounts.xml” is present in the AppData folder. This file stores the Pidgin login credentials. It steals the Login credentials and Protocol details and saves them into the accounts.txt file for exfiltration.
The malware calls Process.GetProcessByName() method for getting the running process name and path in the victims’ machine. The malware then checks if the Telegram string is present in the retrieved path. Finally, it gets the Telegram directory and steals data from there if it is present—the malware targets “tdata” folder for stealing telegram sessions.
Prynt Stealer targets the following gaming applications:
The malware identifies the Steam installation path by checking the registry key value at “HKEY_LOCAL_MACHINE\Software\Valve\Steam.” After this action, it enumerates the subkey present under “HKEY_LOCAL_MACHINE\Software\Valve\Steam\Apps” to get details of the application, as can be seen in the Figure below. The malware also targets the steam’s SSFN file, known as the authorization file, and copies it for exfiltration.
The malware looks for “Ubisoft Game Launcher” in the AppData folder, and if this folder is present, it copies all the files in it for exfiltration.
For Minecraft, the stealer checks if the “.minecraft” folder is present under the AppData directory. If it is present, it creates a folder named “Minecraft” under the “Gaming” folder to save the stolen data.
This stealer copies “launcher_profiles.json”, “servers.dat” and screenshots to “Minecraft ” folder for exfiltration. It also extracts mods and version details and saves them to respective text files created in “Minecraft” folder.
The malware targets the following crypto wallets:
Zcash, Armory, Bytecoin, Jaxx, Ethereum, AtomicWallet, Guarda, and Coinomi.
It creates a folder named “Wallets” and then enumerates a list of hardcoded wallets for identifying the crypto wallet used by the victim.
Stealer queries registry for identifying the location of Blockchains such as Litecoin, Dash, and Bitcoin as shown in Figure below. It obtains the path from registry data “strDataDir” in the HKEY_CURRENT_USER\Software\Blockchain_name\ Blockchain_name-Qt registry key.
Prynt stealer targets FileZilla, a free and open-source, cross-platform FTP application. It steals the data from “sitemanager.xml” and “recentservers.xml” and stores the data in the “Hosts.txt” file under the “FileZilla” folder for exfiltration.
Prynt Stealer targets the following VPN applications:
It copies the configuration file of ProtonVPN, OpenVPN and steals the user credentials from NordVPN configuration file.
After this action, the malware creates a folder named “Directories” and then obtains the structure of a directory and writes them to text files, as shown in the Figure below. The directories targeted by malware include the one targeted initially for copying data.
It creates a folder named “System” in which it will store the solen information regarding running processes, network details, and victim’s system screenshot, etc.
Prynt stealer uses Process.GetProcesses() method to identify all the running processes in the victim’s system and write them to the “Process.txt” file in the format:
- Process name
- Process ID
- Executable path
After this action, it gets the active windows using the process.MainWindowTitle() method and write the data into the “Windows.txt” file in the format:
- Process name
- Process ID
- Executable path
Now it takes a screenshot of the victim’s system and saves it as a “Desktop.jpg” file:
The stealer also extracts the network credentials using the command “chcp 65001 && netsh wlan show profile” and saves them into the “Savednetworks.txt” file. After this, using the command “/C chcp 65001 && netsh wlan show networks mode=bssid” it obtains the list of available networks and saves them into the “ScanningNetworks.txt” file.
Windows Product Key:
It steals the windows product key from the “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion,” decodes it, and then saves it to the “ProductKey.txt file.”
The malware creates a list and adds the overview of stolen data to it, as shown in the Figure below. Then it sends a chat message using the Telegram bot.
For identifying the public IP, it sends a request to hxxp[:]//icanhazip[.]com
For identifying the geolocation, it sends a request to hxxps[:]//api.mylnikov.org/geolocation/wifi?v=1.1&bssid=
The malware compresses the folder where the stolen data is saved and exfiltrates it to the telegram bot. Furthermore, it uses a secure network connection for exfiltrating the stolen data to the remote server.
Our analysis found that specific modules in the sample are not executed by the malware, including the Anti-analysis, Keylogger, and Clipper. Threat Actors (TAs) also provide a builder for this stealer, which can be customized to control these functionalities. Taking the case of anti-analysis, it’s working on the hardcoded string present in malware. The Figure below shows the method responsible for executing anti-analysis functionalities. Similarly, other processes also depend on these hard-coded strings.
The Figure below shows the list in which TAs can store their crypto addresses. These entries are not populated, highlighting the fact that TA might not have opted for this functionality in the builder.
This stealer enables the keylogging feature only if the hardcoded specific applications are running in the system. The stolen data will be saved in “logs\keylogger” folder.
Prynt Stealer is a recent Infostealer strain. It has a ton of capabilities. Though there are pretty popular stealers in the cybercrime marketplaces, TAs do adopt new toolkits which aid them in updating their Tactics, Techniques, and Procedures. These types of malware provide an easy way for TAs to get into the corporate networks, as breaking into a network is not everyone’s cup of tea.
- Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc., mainly contains such malware.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solution on the employees’ systems.
MITRE ATT&CK® Techniques
|Tactic||Technique ID||Technique Name|
|Defense Evasion||T1497.001||Virtualization/Sandbox Evasion: System Checks|
|Credential Access||T1555 |
|Credentials from Password Stores |
Steal Web Session Cookie
Steal Application Access Token
|Account Discovery |
System Time Discovery
System Service Discovery
System Location Discovery
|Command and Control||T1071||Application Layer Protocol|
|Exfiltration Over C2 Channel |
Exfiltration Over Web Service
Indicators of Compromise (IoCs):