Cookie Stealer Leveraging Telegram for Data Exfiltration
Microsoft’s Visual Studio is a highly popular Integrated Development Environment (IDE) that empowers developers to create diverse applications. However, the software’s widespread usage has attracted the attention of cybercriminals, leading them to craft nefarious schemes aimed at deceiving and victimizing unsuspecting users.
In response to the continued popularity of Visual Studio among developers, cyber attackers have seized the opportunity to develop malicious software. As unsuspecting individuals search for legitimate development tools, they may inadvertently download this fraudulent installer, unwittingly exposing themselves to malicious files alongside the genuine Visual Studio software.
Cyble Research and Intelligence Labs (CRIL) recently uncovered a deceitful installer masquerading as an authentic Microsoft Visual Studio installer delivering a Cookie Stealer. This stealer is specifically designed to infiltrate and extract sensitive information stored in browser cookies, allowing attackers to compromise user accounts and invade privacy.
Information stealers target software developers because they hold valuable data and access to sensitive resources such as passwords and other secrets. By stealing this information, attackers can gain unauthorized access to various services and databases. Developers often have high-level access, which makes it easy for malware to spread across the network.
These malicious installers can be delivered through various deceptive methods such as phishing websites, third-party websites, file-sharing platforms, social engineering tactics, misleading advertisements, etc.
The malicious installer file bears the filename “VisualStudio.exe” and can be identified by its SHA256 hash: 7e8f18c60e35472bf921d3b67fd427933bd150f57d6e83d1472b990a786976db. The figure below shows the trojanized installer file.
Accompanying the installer is an information-stealing malware named “MainProject.exe”, a 32-bit GUI-based .NET executable associated with the SHA256 hash: e8a449e692f1b21f1bc4d49d8b27068b03dd7e8df583d429266fdfb261ddeed5.
The figure below shows the executable file.
When the malicious “VisualStudio.exe” installer is executed, it not only installs the legitimate Visual Studio software but also triggers the execution of the information-stealing malware, “MainProject.exe”. In this deceptive method, unsuspecting users unwittingly install both the genuine development environment and the malicious information stealer simultaneously.
The figure below shows the process tree of the malicious Visual Studio installer.
Once executed, the information stealer proceeds to extract various system details. These details include the Machine name, username, processor bit version, operating system version, platform, and IP address.
The figure below shows the code to extract the data from the victim’s machine.
Upon successfully extracting the data, the information stealer creates a folder named “Temp” within the working directory from which the malware was executed. It then generates a subfolder within the newly created “Temp” folder, naming it “<System name>_<machine IP>_timestamp”.
Following the folder creation, the extracted data is stored in a file called “system.txt”, which resides within the newly generated subfolder inside the “Temp” directory. The figure below shows the code that creates the “Temp” folder and the “system.txt” file.
After successfully extracting the system data, the information stealer proceeds to target cookies from a range of web browsers, including Google Chrome, Firefox, Opera, and Edge. Furthermore, the stealer specifically targets acquiring cookies containing information related to well-known social media websites. The figure below shows the routine to target various browsers.
To extract cookies from Google Chrome, the stealer begins by listing the user profiles found under the Chrome path “C:\Users\<user>\AppData\Local\Google\Chrome\User Data”, because cookies and other relevant data are stored within each browser profile directory.
The figure below illustrates the stealer in the process of listing Chrome profiles.
Once the stealer has located a Chrome user profile on the targeted system, it begins stealing cookies. The extracted cookies are stored in a text file named “Chrome_<profile>_cookies.txt”. Furthermore, the stealer generates separate text files specifically for social media website cookies. All these files are subsequently placed in the temporary folder created by the stealer, as shown in the figure below.
After targeting Google Chrome, the stealer moves on to Mozilla Firefox. Firefox stores its cookie data in an SQLite database located under “C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles”. As with Chrome, the stealer saves the cookies extracted from Firefox as text files within the Temp folder.
The figure below shows the code to steal cookies from Firefox.
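The staging artifacts described above (the “Temp” folder, its “<System name>_<machine IP>_timestamp” subfolder, “system.txt” and the per-browser cookie text files) are a host-side detection opportunity; since the stealer deletes the folder once it has exfiltrated the data, matching has to run on file-creation events rather than on a later disk scan. The following Python is an added example, not code from the write-up or the malware: the event format, process names and paths are constructed, and the timestamp is assumed to be a run of digits because the post does not give its format.

```python
import re
from collections import defaultdict

# Staging layout described in the write-up: <workdir>\Temp\<SystemName>_<IP>_<timestamp>\
# holding system.txt plus one Chrome_<profile>_cookies.txt per profile. The write-up does not
# give the timestamp format, so a plain run of digits is assumed here.
STAGING_PATH_RE = re.compile(
    r"[\\/]Temp[\\/](?P<stage>[^\\/]+_(?:\d{1,3}\.){3}\d{1,3}_\d+)[\\/](?P<file>[^\\/]+)$",
    re.IGNORECASE,
)
COOKIE_DUMP_RE = re.compile(r"^(chrome|firefox|opera|edge)_.+_cookies\.txt$", re.IGNORECASE)

# Constructed file-creation events: (creating process, full path of the new file).
SAMPLE_EVENTS = [
    ("MainProject.exe", r"C:\Users\dev\Downloads\Temp\DESKTOP-01_10.0.0.5_1689600000\system.txt"),
    ("MainProject.exe", r"C:\Users\dev\Downloads\Temp\DESKTOP-01_10.0.0.5_1689600000\Chrome_Default_cookies.txt"),
    ("MainProject.exe", r"C:\Users\dev\Downloads\Temp\DESKTOP-01_10.0.0.5_1689600000\Chrome_Profile 1_cookies.txt"),
    ("OneDrive.exe", r"C:\Users\dev\AppData\Local\Temp\wct1234.tmp"),
    ("explorer.exe", r"C:\Temp\notes_1.2.3.4_99\readme.txt"),  # similar folder name, no stealer files
]

def find_staging_activity(events):
    """Group file-creation events by staging folder and return those that received both
    system.txt and at least one browser cookie dump, the combination this stealer writes."""
    stages = defaultdict(lambda: {"processes": set(), "system_txt": False, "cookie_dumps": []})
    for process, path in events:
        m = STAGING_PATH_RE.search(path)
        if not m:
            continue
        entry = stages[m.group("stage")]
        entry["processes"].add(process)
        fname = m.group("file")
        if fname.lower() == "system.txt":
            entry["system_txt"] = True
        elif COOKIE_DUMP_RE.match(fname):
            entry["cookie_dumps"].append(fname)
    return {stage: e for stage, e in stages.items() if e["system_txt"] and e["cookie_dumps"]}

if __name__ == "__main__":
    for stage, details in find_staging_activity(SAMPLE_EVENTS).items():
        print(stage, sorted(details["processes"]), details["cookie_dumps"])
```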
The stealer now advances to the exfiltration stage by compressing the entire folder containing stolen text files into a zip file.
The figure below shows the code to compress the data into a zip file.
For exfiltration, the information stealer utilizes Telegram to transmit the zip file to a designated Telegram bot.
The figure below shows the Telegram API call used to send the zip file to the TA.
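The Telegram exfiltration path gives defenders a network-level detection hook. As an added example, not code from the write-up or the malware, this Python script classifies constructed proxy log lines: the Telegram Bot API host “api.telegram.org” and the “/bot<token>/sendDocument” path shape are the service's documented endpoint, while the log format, client addresses and bot token are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

TELEGRAM_API_HOST = "api.telegram.org"
# Bot API paths look like /bot<bot_id>:<secret>/<method>; a stealer pushing a zip archive
# would use one of the send* upload methods.
BOT_API_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")
UPLOAD_METHODS = {"senddocument", "sendphoto", "sendvideo", "sendaudio"}

# Constructed proxy log lines: "<timestamp> <client_ip> <http_method> <url_or_host> <bytes_from_client>".
# The bot token is made up for this example.
SAMPLE_LOG = [
    "2023-07-20T10:01:02Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAFakeTokenConstructedXYZ/sendDocument 48211",
    "2023-07-20T10:01:05Z 10.0.0.7 CONNECT api.telegram.org:443 3915",
    "2023-07-20T10:01:09Z 10.0.0.9 CONNECT api.telegram.org:443 612340",
    "2023-07-20T10:02:11Z 10.0.0.5 GET https://www.visualstudio.com/downloads/ 0",
    "2023-07-20T10:02:30Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAFakeTokenConstructedXYZ/getMe 120",
]

def parse_line(line):
    ts, src, method, url, bytes_out = line.split()
    return {"ts": ts, "src": src, "method": method, "url": url, "bytes_out": int(bytes_out)}

def classify(rec, large_upload_bytes):
    # 'confirmed': the decrypted path is a Bot API upload call (needs TLS inspection on the proxy).
    # 'candidate': only the CONNECT tunnel to api.telegram.org is visible, but the client pushed
    # a large payload through it, which is what a zip upload looks like without inspection.
    if rec["method"] == "CONNECT":
        host = rec["url"].rsplit(":", 1)[0].lower()
        if host == TELEGRAM_API_HOST and rec["bytes_out"] >= large_upload_bytes:
            return "candidate", None
        return None, None
    parts = urlsplit(rec["url"])
    if (parts.hostname or "").lower() != TELEGRAM_API_HOST:
        return None, None
    m = BOT_API_RE.match(parts.path)
    if m and rec["method"] == "POST" and m.group("method").lower() in UPLOAD_METHODS:
        return "confirmed", m.group("bot_id")  # keep the bot id for pivoting, never log the secret
    return None, None

def detect_telegram_exfil(lines, large_upload_bytes=100_000):
    hits = []
    for line in lines:
        rec = parse_line(line)
        verdict, bot_id = classify(rec, large_upload_bytes)
        if verdict:
            hits.append({"ts": rec["ts"], "src": rec["src"], "verdict": verdict,
                         "bot_id": bot_id, "bytes_out": rec["bytes_out"]})
    return hits
```

Without TLS inspection only the “candidate” tier is available, so the byte threshold should be tuned against the organisation's legitimate Telegram usage before alerting.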
After successful exfiltration, the stealer launches the legitimate Visual Studio application “vs-professional.exe”, deletes the temporary folder containing the stolen data, and terminates itself to hide its tracks.
The figure below shows the code starting the actual application and deleting the stolen data.
The widespread popularity of certain software makes it an attractive target for cybercriminals. When these criminals steal cookies and other data from a system, they gain access to sensitive information that can be used for malicious purposes.
By acquiring such cookies, TAs can gain unauthorized entry into a user’s social media accounts, enabling them to potentially extract personal information, send harmful messages, or engage in other malicious activities.
- Avoid downloading files from untrusted sources.
- Clear browsing history and reset passwords at regular intervals.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats like phishing/untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor beacons at the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Execution | T1204.002 | User Execution: Malicious File |
| Defense Evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories |
| Discovery | T1217 | Browser Information Discovery |
| Exfiltration | T1567 | Exfiltration Over Web Service |
Indicators Of Compromise