Evasive Malware Targeting Remote Desktop Files
Information stealers are malware designed to steal sensitive information from infected computers, such as login credentials, financial data, and personal information. They typically do this by searching for specific types of files and data on the infected computer and then exfiltrating that information to a remote server controlled by the attackers.
Cyble Research and Intelligence Labs (CRIL) spotted a malware named ‘Vector Stealer’, capable of stealing .rdp files. Stealing RDP files can enable TAs (Threat Actors) to perform RDP hijacking as these files contain details about the RDP session, including information needed for remote access.
RDP hijacking enables TAs to gain unauthorized remote access to a victim’s system without credentials, allows for lateral movement, and creates opportunities for additional attacks.
VectorStealer surfaced in cybercrime forums in the second half of 2022. The Threat Actor (TA) behind this stealer mainly operates through a web panel and a Telegram channel.
The figure below shows the web panel of VectorStealer.
The TA has claimed the following on their web panel:
“The VectorStealer can recover sensitive information from all major browsers, including Firefox, Chrome, and Safari. It can also steal Discord tokens and sensitive files and gather basic information about the infected computer.”
This stealer payload is sold for USD 63 in BitCoin.
The figure below shows the payment details.
The stealer payload can be generated using the web panel. This web panel allows an attacker to create custom malware without having advanced programming skills.
Such web panels typically have a user-friendly interface and provide various options for customization, such as the ability to specify what actions the malware will perform and configure the malware’s behavior. This stealer can exfiltrate the sensitive information stolen from the victim’s system using SMTP, Discord, and Telegram.
The figure below shows the builder options.
Interestingly, on the same web panel, the TA is advertising KGB crypter and claims that this crypter can kill multiple antivirus solutions. The figure below shows the section of the KGB crypter presented on the VectorStealer panel.
Crypters are a tool used by threat actors (TAs) to evade detection by encrypting the malware code, making it difficult for antivirus software to identify and remove it.
The TAs behind the KGB Crypter use their own website to provide the service and claims that it is compatible with .Net and C++-based binaries. They also claim that multiple prominent malware families, such as Redline, Quasar RAT, Venom RAT, and Pandora RAT, are already using this crypter.
The creators of KGB Crypter claim to be of Russian origin and boast that over 1,000 users have registered on their site, indicating its popularity among TAs. The crypter is offered as a paid service for USD 145 per month. It is equipped with a metamorphic generator, which alters the code each time it is compiled, making it more challenging for antivirus software to detect.
Technical Analysis
Initial Infection
CRIL found a phishing email that was spreading vector stealer. This phishing email is themed around spare parts with an attachment named “POM-8501” and pretends to be coming from a supplier.
The Malicious Document (MalDoc) attachment in the spam email is shown below.
When the MalDoc attachment is opened, it prompts the user to enable the macro. Enabling macros would trigger the execution of malicious activities on the victim’s computer. The image below shows the malicious document (MalDoc).
Upon analyzing the MalDoc, we found that one of the OLE streams contains a VBA macro. Upon execution, the macro code de-obfuscates a PowerShell script and executes it using the Shell() function. The PowerShell script contains code to download the next stage payload from a remote server, save it as “ks.exe”, and executes it as shown below.
Payload Execution
The stealer binary (SHA256: ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb) downloaded and executed by MalDoc is a 32-Bit .NET-based executable.
The figure below shows the file details.
Persistence
Upon execution, the stealer creates a copy of itself into the %appdata% location and creates a task scheduler to establish persistence, as shown below.
After this, it spawns a new process that loads the next level payload that uses KoiVM. KoiVM is a virtualizing protector for .NET applications and is made to work with ConfuserEx. The KoiVM is designed to change the .NET opcodes into new ones that only a virtualizing agent can understand.
The figure below shows the Koi stream present in MetaData.
The KoiVM further loads the VectorStealer and starts performing the stealer activities. Upon analyzing the memory dumps, we found that VectorStealer targets applications such as
- Mail Clients: Outlook, ThunderBird, FoxMail
- Chat Applications: Discord, Telegram,
- Browsers: Opera, Vivaldi, Yandex, Brave, Chromium, Aloha Browser, Comodo Dragon, MapleStudio, ChromePlus, 360Browser, 7Star, CocCoc, Mozilla Firefox, Google Chrome.
- Cold Crypto Wallets: Exodus, Electrum
VectorStealer also queries the Registry keys of a few applications to steal the credentials.
The table below shows the registry keys queried by the Stealer for collecting victims’ sensitive information.
| Targeted Application | Registry Key | Description |
| Outlook | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\ HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\ HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\ | Registry Keys Stores passwords of Email, HTTP, SMTP, IMAP, and POP3. |
| Foxmail | SOFTWARE\Classes\Foxmail.url.mailto\Shell\open\command | To get the FoxMail’s installation directory. |
File Grabber
The stealer now grabs important sensitive files from the victim’s machine. Interestingly, this stealer also grabs .rdp files. Stealing .rdp files can also enable TAs to perform RDP (Remote Desktop Protocol) hijacking, as they contain information related to the RDP session.
The figure below shows the stealer enumerating a directory for grabbing files with extensions such as .txt, .doc, .docx, .pdf, and .rdp.
Finally, the stealer creates a folder in the AppData\Local\Temp directory. This folder contains multiple sub-folders that will store stolen data from respective applications.
The figure below shows the folders created by the stealer.
After collecting all the stolen data, it compresses the folder into a zip archive. The archive can then be exfiltrated using SMTP, Discord webhooks, or Telegram API. In this case, the stealer uses Telegram for exfiltration. It first sends a chat message to a Telegram bot controlled by TA. This message contains details of the victim’s system, including Username, Machine name, Operating System, IP address, and antivirus product.
To identify the antivirus product installed, it uses the WMI query, “SELECT * FROM AntiVirusProduct”. This stealer sends a GET request to “hxxps://ipinfo.io/ip” to fetch the victim’s IP address.
The figure below shows the contents of the chat message.
This stealer establishes a successful internet connection before interacting with any remote servers. It terminates itself if it fails to establish a connection. After successfully sending this chat message, it sends the zip file which contains the stolen data to the Telegram bot.
The figure below shows the POST request made by VectorStealer.
Conclusion
We believe that the TAs behind VectorStealer and KGB crypter is in some sort of association. The VectorStealer uses an unknown crypter and uses KoiVM for virtualization. Like other stealers, it targets browsers, email clients, crypto wallets, and chat applications.
VectorStealer specifically targets .rdp files and steals them, suggesting a potential interest in RDP hijacking to gain access to victims’ networks. TAs can leverage RDP files to carry out numerous attacks, including ransomware attacks.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:
- Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc., typically contains such malware.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats like phishing/untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1566 | Phishing |
| Execution | T1204 | User Execution |
| Credential Access | T1555 T1539 T1552 | Credentials from Password Stores Steal Web Session Cookies Unsecured Credentials |
| Discovery | T1087 T1518 T1057 T1124 T1007 T1614 | Account Discovery Software Discovery Process Discovery System Time Discovery System Service Discovery System Location Discovery |
| Command and Control | T1071 | Application Layer Protocol |
| Exfiltration | T1041 | Exfiltration Over C&C Channel |
Indicators of Compromise (IoCs):
| Indicators | Indicator type | Description |
| hxxp[:]//185.246.220[.]65/2×2/img-078-410-00[.]exe hxxp[:]//185.246.220[.]65/2×2/PCqcxNVzIHq2raQ.exe | URL | Malicious URL |
| a6280d3f50d1b373d5fa5f45247ac08b 421569147d9734ed3a9277bd3fbeacd42f1552ca 2b3aaa175f97c142679b9d9e7e9b9a2b2d85bf3990b1f9276f0dc79b0aaab06e | MD5 SHA1 SHA256 | VectorStealer Loader |
| 939d6f6dd06eb826b27eda72f2ebe9c2 2ca7b12d8473867b6667a463aec7588a41ef9803 ca03561b59f1ba61afadfb577241e8c4f6ba56c7912ea62b6db9fb32a52b36bb | MD5 SHA1 SHA256 | VectorStealer Loader |
| ff06e0ddf65aafa2eb9a12fe38efbeb5 a2148b40c7dc3c5a198881ac403c98c9650b4374 b2d0305532b6f08f041cd109be667486c4a80deedb1394daad1e880a1d9a09d5 | MD5 SHA1 SHA256 | VectorStealer Payload |
| c859df0fe0665a8e4dc4047260b22ff5 1582f28572a3a0e025720f2b9663ff4c1198131a e1f8409d4599e86b42a8ac71c67b69b4d129509b6d9e3c06a668fecf71c768b8 | MD5 SHA1 SHA256 | VectorStealer Payload |
