Cyber security news for all

More

    TroyStealer: A new information stealer targets Portuguese users

    There’s a new hacking technique that focuses on Portuguese users. Abuse.ch shared on twitter the variant, Troystealer. “There seems to be a new stealer in town called #TroyStealer, targeting Portuguese internet users.”

     

    As its name suggests, the information stealer is a Trojan specifically for collecting information from a system.

    Troystealer utilizes various methods to achieve its goal. One way of acquiring confidential information involves the inputting of users’ keystroke. It could also access web-browsers and breaches login data like usernames and  passwords, then sends it to another system by email.

    h/t: abuse.ch

    Figure 1: Email template TroyStealer (in the Portuguese language).

    Binary file

    Threat name: TroyStealer.exe

    MD5:DAB6194F16CEFDB400E3FB6C11A76861

    SHA1:C76A9FB1A2AE927BF9C950338BE5B391FED29CD7

    Imphash:F34D5F2D4577ED6D9CEEC516C1F5A744

    Created: Thu Jun 11 19:53:24 2020

    2

    Figure 2: Compilation and packing details of TroyStealer malware.

    The above shows the malware packed with (entropy 7.177) and created on the 11th of June via a .NET compiler.

    Before executing the PE file, observing some details such as specific call references used to decrypt/unpacking the binary and execute another instance in memory via Process Injection technique.

    3

    Figure 3: Process of unpacking the binary. 

    4

    Figure 4: Smart Assembly 6.9.0.114 – used to obfuscate the binary.

    In detail, the malware detects if it is running inside a VM and stops the execution. In contrast, the malware is executed, and a new process created and executed using the process injection technique. After that, the harvesting process commences. Modules for collecting details from the browser as well as that to receive mail credentials from outlook begins operation.”

     

    Filles accessed during the malware execution.

    C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniC:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataC:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniC:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0i8ia8vs.default\logins.json

     

    Deleted files during the malware execution

    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0i8ia8vs.default\cookies.sqliteC:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0i8ia8vs.default\places.sqliteC:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesC:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataC:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History.

     

    Getting security products, OS version, and Reg Keys

    IWbemServices::ExecQuery – root\cimv2 : SELECT Caption FROM Win32_OperatingSystemIWbemServices::ExecQuery – root\SecurityCenter2 : SELECT * FROM AntivirusProductKey opened: HKEY_CURRENT_USER\Software\PaltalkKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676.

    The malware has to ascertain the presence of an internet connection before sending victim’s details via email. After which it establishes an SMTP communication with the authenticated email server.

     

    The malware execution follows a series of steps to achieve its goal: getting the victim’s detail from browsers and email, getting HKEY_CURRENT_USER\Software\Paltalk passwords; deleting browser-specific files, getting security products installed on your laptop; obtaining Operating system version, getting Keystrokes, and finally send the information via email to attacker.

     

     

    Protective measures

    Malware infiltrates every form of gathering and security available. It can be customized to resemble any government agency, streaming services, banks, etc. Some proactive measures you should take to avoid access to your system include: updating your software and removing all old, outdated softwares, thoroughly scan through emails before clicking on them; install an antivirus in your system, pay close attention to emails that might relate to your bank, Covid-19 or your workplace; access only secured sites, etc.

    Recent Articles

    Manchester United have been blackmailed by cyber attackers

    The Premier League club Manchester United fell victim to a cyber attack according to the Daily Mail. The cyber criminals are apparently demanding ransom in...

    TikTok has fixed a serious security gap issue

    TikTok accounts paid a researcher a reward of 4000 dollars after he reported two vulnerabilities as part of a disclosure. A combination of both...

    Passwords should be changed for Fortinet VPNs

    Administrators should change the access for Fortinet VPNs in use. Log-in information for almost 50,000 VPN networks has appeared in various cyber blogs. A security...

    Twitter confirmed to bring back account verification

    Twitter is bringing back verifications for the account verification in the beginning of 2021. Certain users will then be given a control mark again,...

    350,000 Spotify users were hacked

    At the beginning of July this year, security researchers discovered an unsecured database that contained access and other information from 350,000 Spotify users. Spotify...

    Related Stories

    Leave A Reply

    Please enter your comment!
    Please enter your name here

    Stay on op - Ge the daily news in your inbox