Evasive Malware Targeting Remote Desktop Files
Information stealers are malware designed to steal sensitive information from infected computers, such as login credentials, financial data, and personal information. They typically do this by searching for specific types of files and data on the infected computer and then exfiltrating that information to a remote server controlled by the attackers.
Cyble Research and Intelligence Labs (CRIL) spotted a malware named ‘Vector Stealer’, capable of stealing .rdp files. Stealing RDP files can enable TAs (Threat Actors) to perform RDP hijacking as these files contain details about the RDP session, including information needed for remote access.
RDP hijacking enables TAs to gain unauthorized remote access to a victim’s system without credentials, allows for lateral movement, and creates opportunities for additional attacks.
VectorStealer surfaced in cybercrime forums in the second half of 2022. The Threat Actor (TA) behind this stealer mainly operates through a web panel and a Telegram channel.
The figure below shows the web panel of VectorStealer.
The TA has claimed the following on their web panel:
“The VectorStealer can recover sensitive information from all major browsers, including Firefox, Chrome, and Safari. It can also steal Discord tokens and sensitive files and gather basic information about the infected computer.”
This stealer payload is sold for USD 63 in Bitcoin.
The figure below shows the payment details.
The stealer payload can be generated using the web panel. This web panel allows an attacker to create custom malware without having advanced programming skills.
Such web panels typically have a user-friendly interface and provide various options for customization, such as the ability to specify what actions the malware will perform and configure the malware’s behavior. This stealer can exfiltrate the sensitive information stolen from the victim’s system using SMTP, Discord, and Telegram.
The figure below shows the builder options.
Interestingly, on the same web panel, the TA is advertising KGB crypter and claims that this crypter can kill multiple antivirus solutions. The figure below shows the section of the KGB crypter presented on the VectorStealer panel.
Crypters are tools used by threat actors (TAs) to evade detection: they encrypt the malware code so that antivirus software has difficulty identifying and removing it.
The TAs behind the KGB Crypter provide the service through their own website and claim that it is compatible with .NET- and C++-based binaries. They also claim that multiple prominent malware families, such as Redline, Quasar RAT, Venom RAT, and Pandora RAT, are already using this crypter.
The creators of KGB Crypter claim to be of Russian origin and boast that over 1,000 users have registered on their site, indicating its popularity among TAs. The crypter is offered as a paid service for USD 145 per month. It is equipped with a metamorphic generator, which alters the code each time it is compiled, making it more challenging for antivirus software to detect.
CRIL found a phishing email that was spreading VectorStealer. The email uses a spare-parts theme, carries an attachment named “POM-8501”, and purports to come from a supplier.
The Malicious Document (MalDoc) attachment in the spam email is shown below.
When the MalDoc attachment is opened, it prompts the user to enable the macro. Enabling macros would trigger the execution of malicious activities on the victim’s computer. The image below shows the malicious document (MalDoc).
Upon analyzing the MalDoc, we found that one of the OLE streams contains a VBA macro. Upon execution, the macro code de-obfuscates a PowerShell script and executes it using the Shell() function. The PowerShell script contains code to download the next-stage payload from a remote server, save it as “ks.exe”, and execute it, as shown below.
The stealer binary (SHA256: ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb) downloaded and executed by MalDoc is a 32-Bit .NET-based executable.
The figure below shows the file details.
Upon execution, the stealer creates a copy of itself in the %appdata% location and creates a scheduled task to establish persistence, as shown below.
After this, it spawns a new process that loads the next-stage payload, which uses KoiVM. KoiVM is a virtualizing protector for .NET applications and is made to work with ConfuserEx. KoiVM translates the .NET opcodes into new ones that only its virtual machine can interpret.
The figure below shows the Koi stream present in MetaData.
KoiVM then loads VectorStealer, which starts performing the stealer activities. Upon analyzing the memory dumps, we found that VectorStealer targets applications such as:
- Mail Clients: Outlook, ThunderBird, FoxMail
- Chat Applications: Discord, Telegram
- Browsers: Opera, Vivaldi, Yandex, Brave, Chromium, Aloha Browser, Comodo Dragon, MapleStudio, ChromePlus, 360Browser, 7Star, CocCoc, Mozilla Firefox, Google Chrome
- Cold Crypto Wallets: Exodus, Electrum
VectorStealer also queries the Registry keys of a few applications to steal the credentials.
The table below shows the registry keys queried by the Stealer for collecting victims’ sensitive information.
| Targeted Application | Registry Key | Description |
|---|---|---|
| Outlook | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\ | Registry keys storing passwords for Email, HTTP, SMTP, IMAP, and POP3. |
| Outlook | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Registry keys storing passwords for Email, HTTP, SMTP, IMAP, and POP3. |
| Outlook | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\ | Registry keys storing passwords for Email, HTTP, SMTP, IMAP, and POP3. |
| Outlook | HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\ | Registry keys storing passwords for Email, HTTP, SMTP, IMAP, and POP3. |
| Foxmail | SOFTWARE\Classes\Foxmail.url.mailto\Shell\open\command | To get FoxMail’s installation directory. |
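One way to turn the registry keys in the table into a hunt, as an added example that is not from the report or the stealer itself: flag any process other than the mail client that reads those credential-store keys. It assumes Sysmon-style registry events (Event ID 12/13) in which HKCU keys appear as HKU\<user SID>\..., and the sample events and the list of expected processes are constructed.

```python
# Added example, not from the report: flag reads of the Outlook/Foxmail credential-store keys
# listed above by a process other than the mail client. Sysmon registry events (ID 12/13) record
# HKCU keys as HKU\<user SID>\..., so matching is done on the path after the hive (assumption
# about the log format; the key subpaths themselves are the ones in the table).
TARGET_SUBPATHS = (
    r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem"
    r"\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676",
    r"\SOFTWARE\Classes\Foxmail.url.mailto\Shell\open\command",
)
# Processes expected to read these keys; tune per environment (assumption)
EXPECTED_IMAGES = {"outlook.exe", "foxmail.exe"}


def touches_target_key(target_object: str) -> bool:
    """Case-insensitive match so both HKU\\<SID>\\Software\\... and HKCU\\Software\\... hit."""
    upper = target_object.upper()
    return any(sub.upper() in upper for sub in TARGET_SUBPATHS)


def is_suspicious(event: dict) -> bool:
    """True when a process outside EXPECTED_IMAGES touches one of the credential-store keys."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    return touches_target_key(event["TargetObject"]) and image not in EXPECTED_IMAGES


def suspicious_images(events) -> list:
    """Distinct process paths that triggered the rule, for triage."""
    return sorted({e["Image"] for e in events if is_suspicious(e)})


# Constructed Sysmon-style registry events (not real telemetry)
SID = r"HKU\S-1-5-21-1111-2222-3333-1001"
SAMPLE_EVENTS = [
    {"EventID": 12, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetObject": SID + TARGET_SUBPATHS[0]},
    {"EventID": 12, "Image": r"C:\Users\victim\AppData\Roaming\ks.exe",
     "TargetObject": SID + TARGET_SUBPATHS[0] + r"\00000002"},
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Roaming\ks.exe",
     "TargetObject": r"HKLM" + TARGET_SUBPATHS[4]},
    {"EventID": 12, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": SID + r"\Software\Microsoft\Office\16.0\Outlook\Options"},
]

if __name__ == "__main__":
    for img in suspicious_images(SAMPLE_EVENTS):
        print("suspicious registry access by", img)
```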
The stealer now grabs important sensitive files from the victim’s machine. Interestingly, this stealer also grabs .rdp files. Stealing .rdp files can also enable TAs to perform RDP (Remote Desktop Protocol) hijacking, as they contain information related to the RDP session.
The figure below shows the stealer enumerating a directory for grabbing files with extensions such as .txt, .doc, .docx, .pdf, and .rdp.
Finally, the stealer creates a folder in the AppData\Local\Temp directory. This folder contains multiple sub-folders that will store stolen data from respective applications.
The figure below shows the folders created by the stealer.
After collecting all the stolen data, it compresses the folder into a zip archive. The archive can then be exfiltrated using SMTP, Discord webhooks, or the Telegram API. In this case, the stealer uses Telegram for exfiltration. It first sends a chat message to a Telegram bot controlled by the TA. This message contains details of the victim’s system, including Username, Machine name, Operating System, IP address, and antivirus product.
To identify the antivirus product installed, it uses the WMI query, “SELECT * FROM AntiVirusProduct”. This stealer sends a GET request to “hxxps://ipinfo.io/ip” to fetch the victim’s IP address.
The figure below shows the contents of the chat message.
The stealer checks that it has a working internet connection before interacting with any remote server and terminates itself if the check fails. After successfully sending the chat message, it sends the zip file containing the stolen data to the Telegram bot.
The figure below shows the POST request made by VectorStealer.
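The exfiltration sequence described above (IP lookup via ipinfo.io followed by Telegram Bot API traffic from the same host) can be hunted in web-proxy logs. The following is an added example, not code from the report or the stealer: the log format, the Bot API method names in the paths (sendMessage, sendDocument) and the five-minute window are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines (not from the report): "timestamp src method host path".
# 10.0.0.21 shows the stealer's sequence; 10.0.0.33 posts far outside the window;
# 10.0.0.44 never queried ipinfo.io, so neither of those should match.
SAMPLE_LOG = """\
2023-01-10T10:02:01 10.0.0.21 GET ipinfo.io /ip
2023-01-10T10:02:03 10.0.0.21 POST api.telegram.org /bot<TOKEN>/sendMessage
2023-01-10T10:02:09 10.0.0.21 POST api.telegram.org /bot<TOKEN>/sendDocument
2023-01-10T10:05:00 10.0.0.33 GET ipinfo.io /ip
2023-01-10T11:30:00 10.0.0.33 POST api.telegram.org /bot<TOKEN>/sendMessage
2023-01-10T10:07:00 10.0.0.44 POST api.telegram.org /bot<TOKEN>/sendMessage
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")
WINDOW = timedelta(minutes=5)  # assumption: the stealer posts right after the IP lookup


def parse(log: str):
    """Parse log lines into (timestamp, src, method, host, path) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, method, host, path = m.groups()
            events.append((datetime.fromisoformat(ts), src, method, host, path))
    return sorted(events)


def find_exfil_chains(log: str, window: timedelta = WINDOW) -> dict:
    """Return {src: [telegram paths]} for hosts that fetched ipinfo.io/ip and then
    POSTed to the Telegram Bot API (/bot<token>/...) within `window`."""
    last_ipinfo = {}          # src -> time of its most recent ipinfo.io/ip request
    hits = defaultdict(list)
    for ts, src, method, host, path in parse(log):
        if method == "GET" and host == "ipinfo.io" and path == "/ip":
            last_ipinfo[src] = ts
        elif method == "POST" and host == "api.telegram.org" and path.startswith("/bot"):
            t0 = last_ipinfo.get(src)
            if t0 is not None and ts - t0 <= window:
                hits[src].append(path)
    return dict(hits)


if __name__ == "__main__":
    for src, paths in find_exfil_chains(SAMPLE_LOG).items():
        print(f"{src}: ipinfo.io lookup followed by Telegram Bot API calls {paths}")
```

On a corporate endpoint, any POST to the Telegram Bot API is usually worth a look on its own; the ipinfo.io pairing just raises confidence that it is a stealer check-in rather than a user's chat client.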
We believe that the TAs behind VectorStealer and KGB crypter are associated in some way. VectorStealer uses an unknown crypter and uses KoiVM for virtualization. Like other stealers, it targets browsers, email clients, crypto wallets, and chat applications.
VectorStealer specifically targets .rdp files and steals them, suggesting a potential interest in RDP hijacking to gain access to victims’ networks. TAs can leverage RDP files to carry out numerous attacks, including ransomware attacks.
We have listed some essential cybersecurity best practices that form the first line of defense against attackers. We recommend that our readers follow the suggestions given below:
- Avoid downloading pirated software from warez/torrent websites. “Hack tools” offered on sites such as YouTube and torrent sites typically contain such malware.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats like phishing/untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor beaconing at the network level to block data exfiltration by malware or TAs.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Credential Access | T1555 | Credentials from Password Stores |
| Credential Access | T1539 | Steal Web Session Cookies |
| Discovery | T1087 | Account Discovery |
| Discovery | T1124 | System Time Discovery |
| Discovery | T1007 | System Service Discovery |
| Discovery | T1614 | System Location Discovery |
| Command and Control | T1071 | Application Layer Protocol |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
Indicators of Compromise (IoCs):
| Indicator | Indicator Type | Description |
|---|---|---|
| hxxp[:]//185.246.220[.]65/2×2/img-078-410-00[.]exe | URL | Malicious URL |
| hxxp[:]//185.246.220[.]65/2×2/PCqcxNVzIHq2raQ.exe | URL | Malicious URL |