Clipper malware is designed to steal cryptocurrency from victims by replacing wallet addresses in the victim’s clipboard with wallet addresses that belong to the attacker. The technique is stealthy: the victim copies a legitimate recipient address, pastes what appears to be the same address into an otherwise legitimate transaction, and the attacker silently becomes the recipient of the funds. Although clipper malware is not a new threat, public reporting on it has been limited and has focused on clipper malware found in mobile applications. This report analyses a recently discovered clipper malware targeting Windows, which also delivers the Supreme botnet mining client and the Poullight information stealer.
### Technical Details
Downloader:
The downloader is written in Microsoft .NET and had 28 of 72 detections on VirusTotal at the time of writing.
Original File Name | startwe.exe
---|---
File Size | 381,952 bytes
MD5 | ae341ba5357eb8f9627898d0f740609b
SHA256 | d4864866becdce24241855de9af67c434007a9324b1b175a04020fd72e5e709b
Product Name | BitCoin Clipper
Product Version | 2.7.3.3
File Description | BitCoin Clipper by BTCHit.me
Date/Time Stamp (GMT) | Saturday, 27 June 2020 05:34:06
Table 1: File metadata
When the downloader starts it retrieves the system time, locates the user’s temp folder, and then makes an outbound HTTP GET request to the domain **download[.]btchit[.]me**, which at the time of analysis resolved to an IP address in Moscow. Because the request is an unauthenticated HTTP request over port 80, a quick look at the sub-domain revealed the following open directory listing hosting several malicious files.
![Open directory listing hosting several malicious files](https://cdn.www.carbonblack.com/wp-content/uploads/Poullight_Figure1.png)
Figure 1: Malicious files hosted in an open directory listing
As this sub-domain was open and accessible, a further lookup of the root domain revealed the builder page shown below. It includes instructions for contacting the bot operator via Telegram and for selecting additional functions in order to build and download the client component. Note the references to “NetHitBot” and “BTCHit”.

Figure 2: BTCHit builder page
The domain was registered on 26 June 2020, which coincides with the downloader’s PE compilation timestamp of 27 June 2020 and suggests that both the malware and the infrastructure supporting it were built very recently. During the investigation a new domain hosting the same builder page, **dviros[.]smabit[.]ru**, was brought online; at the time of writing it points to an IP address located in Hesse, Germany.
Once the HTTP connection is established, the **control.exe**, **replacer.exe** and **network.exe** files (shown in Figure 1) are downloaded from the open directory to the user’s %TEMP% folder and executed as **net4contor.exe**, **net4replacer.exe** and **net4network.exe** respectively. The overall process flow is shown below.

Figure 3: Process diagram from VMware Carbon Black Cloud Enterprise EDR
### Supreme Botnet Mining Client
**net4contor.exe** (**control.exe** in Figure 1) is a Delphi PE file protected by the Enigma Protector, a commercially available software-protection tool whose features include code hiding, anti-analysis, anti-sandbox checks and import table modification. Notably, the embedded metadata shown below records that the file was originally compiled with the name “netcommunity.exe”.
Original File Name | netcommunity.exe
---|---
File Size | 1,043,968 bytes
MD5 | 924bda3c9a8db75d80eca4a2eac3ff6e
SHA256 | 5831a117790aebc381c863d1c59e38164ba9c95c13f560f6f0e6e499a4c0f583
Product Version | 6.6.6.6
Date / Time Stamp (GMT) | Tuesday, 1 January 2019 17:09:59
Table 2: File metadata
Once this process starts, it writes a copy of itself into the **ProgramData** folder, using a randomly generated string for the folder name and the name of a running process as the file name. The folder name mimics a Globally Unique Identifier (GUID), but contains characters outside the hexadecimal alphabet (and, in the sample below, only four hyphen-separated groups instead of five). This is likely an attempt to blend in with the genuine GUID-named folders that ProgramData contains, while guaranteeing that the name never collides with an existing folder. It additionally writes a Zone.Identifier Alternate Data Stream for the dropped file in the same location. In the example below, we will refer to the malware as armsvc.exe.
**C:\ProgramData\\{VPXG6NAV-YIZX-MBDC-O3FTAM8NPJOQ}\armsvc.exe**
**C:\ProgramData\\{VPXG6NAV-YIZX-MBDC-O3FTAM8NPJOQ}\armsvc.exe:zone.identifier**
**net4contor.exe** then immediately runs the schtasks command shown below, creating a scheduled task that runs the dropped copy every 15 minutes as the currently logged-on user.
**"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 15 /TN "P286S3MREM427FXLQI" /TR "C:\ProgramData\\{VPXG6NAV-YIZX-MBDC-O3FTAM8NPJOQ}\armsvc.exe" /F**
Finally, as shown in the command line below, it kills the **net4contor.exe** process and deletes the original file from the user’s %TEMP% folder.
**"C:\Windows\System32\cmd.exe" /c taskkill /im net4contor.exe /f & erase C:\Users\<user>\AppData\Local\Temp\net4contor.exe & exit**
After deletion, the dropped C2 process starts and calls out to **dashboard[.]btchit[.]me** over TCP port 80 using the standard Windows HTTP Services (WinHTTP) API (WinHttpOpen(), WinHttpConnect(), WinHttpOpenRequest(), WinHttpSendRequest(), WinHttpReceiveResponse(), etc.) in the sequence shown below.
1 - POST the victim system’s unique identifier and its CPU and GPU version details to **dashboard[.]btchit[.]me/gate/update.php**

Figure 4: First 71 bytes of HTTP POST request
2 - Check whether the mutex exists and, if found, exit
3 - If the mutex is not found, POST the unique identifier to **dashboard[.]btchit[.]me/gate/connection.php** to check whether the client is registered
4 - If the identifier is not registered, POST to **dashboard[.]btchit[.]me/gate/create.php** to create it
5 - On success the server returns **c3VjY2Vzcw==**, which is the base64 encoding of the string “success”
6 - The XMRig CPU and GPU mining configuration is then received

Figure 5: XMRig default configuration example
7 - The following process monitoring tools are checked for and, if found, terminated so that the user cannot see which process is causing the high CPU/GPU load: **NetMonitor**, **Process Killer**, **KillProcess**, **System Explorer**, **Process Explorer**, **AnVir Task Manager** and **Process Hacker**. In addition, if **exe** is detected, the CPU miner thread suspends itself to hide its CPU usage and remain undetected for as long as possible.
8 - POST the following configuration to **dashboard[.]btchit[.]me/gate/update.php**

Figure 6: Partially redacted configuration information
9 - POST the unique identifier and updates to **api[.]foxovsky[.]ru/v1/checkLicense.php**
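The registration handshake in steps 1 to 5, as an added example that is not code from the report or from the malware: a Python client performs the update, mutex check, connection and create posts against an in-memory stand-in for the gate, and a helper decodes the response the way the client must. The paths and the base64 success token are the ones given above; the request body fields (uid, cpu, gpu), the mutex name and every server response other than the success token are assumptions, since the report does not show them.

```python
import base64
import binascii
from typing import Dict, List, Set, Tuple

# The only server response the report shows verbatim: base64("success").
SUCCESS_TOKEN = base64.b64encode(b"success").decode()   # 'c3VjY2Vzcw=='


class FakeGate:
    """In-memory stand-in for dashboard[.]btchit[.]me/gate/*.php.

    Constructed for this example: the real request and response bodies are not
    shown in the report, only the paths and the 'success' token.
    """

    def __init__(self) -> None:
        self.registered: Set[str] = set()          # uids that have hit create.php
        self.updates: List[Dict[str, str]] = []    # everything posted to update.php

    def handle(self, path: str, form: Dict[str, str]) -> str:
        uid = form.get("uid", "")
        if path == "/gate/connection.php":
            # registration check: the token only for a known uid (assumed)
            return SUCCESS_TOKEN if uid in self.registered else "unknown"
        if path == "/gate/create.php":
            self.registered.add(uid)
            return SUCCESS_TOKEN
        if path == "/gate/update.php":
            self.updates.append(dict(form))
            return SUCCESS_TOKEN
        return "error"


def client_checkin(uid: str, hw: Dict[str, str], gate: FakeGate,
                   mutexes: Set[str]) -> List[Tuple[str, str]]:
    """Steps 1-5 of the check-in; returns the (path, response) trail.

    `mutexes` models the host's named-mutex namespace; the mutex name is an
    assumption, the report does not give it.
    """
    trail: List[Tuple[str, str]] = []

    def post(path: str, form: Dict[str, str]) -> str:
        resp = gate.handle(path, form)
        trail.append((path, resp))
        return resp

    post("/gate/update.php", {"uid": uid, **hw})      # 1: report identifier, CPU, GPU
    mutex_name = "Global\\" + uid                      # 2: single-instance check (assumed name)
    if mutex_name in mutexes:
        return trail                                   #    another instance is running: exit
    mutexes.add(mutex_name)
    if post("/gate/connection.php", {"uid": uid}) != SUCCESS_TOKEN:   # 3: registered?
        post("/gate/create.php", {"uid": uid})         # 4: register; 5: expect the token
    return trail


def is_success(resp: str) -> bool:
    """Decode a gate response instead of comparing the raw base64 string."""
    try:
        return base64.b64decode(resp, validate=True) == b"success"
    except binascii.Error:
        return False


if __name__ == "__main__":
    gate, mutexes = FakeGate(), set()
    hw = {"cpu": "constructed-cpu", "gpu": "constructed-gpu"}
    for path, resp in client_checkin("victim-0001", hw, gate, mutexes):
        print(path, resp, is_success(resp))
```

Running the client twice against the same gate shows the two branches a sandbox would observe: the first run posts to connection.php and then create.php, a second run from the same host exits after the update post because the mutex is held, and a fresh run on an already registered host never touches create.php.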
One particular string found in the C2 handling code is “**ddos**”, which suggests that this client may have current or future functionality to download and install a DDoS module for use in targeted DDoS attacks.

Figure 7: Botnet client
**net4replacer.exe** is a heavily obfuscated executable that is also protected by the Enigma Protector.
Original File Name | netcommunity.exe
---|---
File Size | 937,984 bytes
MD5 | 995b58eca15bea70798ac29f5b0cd368
SHA256 | 6ee66ad45dcea6f6f02a7b43da0220908fcb1f80eb7f9d740f05acf64c410ed8
Product Version | 6.6.6.6
Date / Time Stamp (GMT) | Saturday 27 June 2020 05:26:47
Table 3: File metadata
The primary job of this process is to drop a copy of itself into the user’s Roaming folder as **svchost.exe** and to create a scheduled task that runs that svchost.exe every minute. The cmd.exe command line below performs the clean-up and the persistence in one go: the **choice** command acts as a three-second delay so that the parent process has exited before its file is removed, the original net4replacer.exe is deleted from %TEMP%, and schtasks then registers a daily task with a one-minute repetition interval (/ri 1) over a 9999-hour duration, which in effect runs the dropped svchost.exe every minute. Note that a genuine svchost.exe only ever runs from %SystemRoot%\System32 (or SysWOW64), so a copy under AppData\Roaming is a strong indicator on its own.
**"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\<user>\AppData\Local\Temp\net4replacer.exe" & schtasks /create /tn \rq5dhbgf\nquyb14p /tr C:\Users\<user>\AppData\Roaming\svchost.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f**
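The persistence and clean-up command lines above (the net4contor.exe schtasks and taskkill/erase commands, and the net4replacer.exe choice/Del/schtasks chain) are a good basis for detection logic. The Python below is an added example, not code from the report: it scans constructed command lines modelled on the three shown here plus one benign control, and flags GUID-shaped folders that cannot be real GUIDs (non-hex characters, or the four-group shape of {VPXG6NAV-YIZX-MBDC-O3FTAM8NPJOQ}), svchost.exe scheduled from outside System32, tasks with minute-level repetition, and the two self-delete idioms. The 15-minute cut-off and the finding strings are arbitrary choices made for the example.

```python
import re
from typing import Dict, List

# Constructed sample command lines, modelled on the three in the report
# (the <user> placeholder is kept as printed) plus one benign control line.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 15 /TN "P286S3MREM427FXLQI" '
    r'/TR "C:\ProgramData\{VPXG6NAV-YIZX-MBDC-O3FTAM8NPJOQ}\armsvc.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /c taskkill /im net4contor.exe /f '
    r'& erase C:\Users\<user>\AppData\Local\Temp\net4contor.exe & exit',
    r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 '
    r'& Del "C:\Users\<user>\AppData\Local\Temp\net4replacer.exe" '
    r'& schtasks /create /tn \rq5dhbgf\nquyb14p /tr C:\Users\<user>\AppData\Roaming\svchost.exe '
    r'/st 00:00 /du 9999:59 /sc daily /ri 1 /f',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /TN "Backup" '
    r'/TR "C:\Program Files\Backup\backup.exe" /F',
]

# {8-4-4-4-12} and the report's malformed {8-4-4-12} variant, any alphanumerics.
GUID_SHAPE_RE = re.compile(r"\{[0-9A-Za-z]{8}(?:-[0-9A-Za-z]{4}){2,3}-[0-9A-Za-z]{12}\}")
HEX32_RE = re.compile(r"[0-9A-Fa-f]{32}")
TASK_TARGET_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
MINUTE_SCHEDULE_RE = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)|/ri\s+(\d+)", re.IGNORECASE)
TASKKILL_DELETE_RE = re.compile(r"taskkill\s+/im\s+\S+.*?&\s*(?:erase|del)\b", re.IGNORECASE)
CHOICE_DELAY_DELETE_RE = re.compile(
    r"choice\s+/c\s+\S+\s+/n\s+/d\s+\S+\s+/t\s+\d+\s*&\s*del\b", re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"\\windows\\(system32|syswow64)\\")


def fake_guid_dirs(path: str) -> List[str]:
    """GUID-shaped path components that cannot be real GUIDs (non-hex chars or wrong group count)."""
    found = []
    for m in GUID_SHAPE_RE.finditer(path):
        body = m.group(0).strip("{}").replace("-", "")
        if m.group(0).count("-") != 4 or not HEX32_RE.fullmatch(body):
            found.append(m.group(0))
    return found


def schtasks_findings(cmdline: str) -> List[str]:
    """Suspicious properties of a 'schtasks /create' command line."""
    low = cmdline.lower()
    findings: List[str] = []
    if "schtasks" not in low or "/create" not in low:
        return findings
    m = TASK_TARGET_RE.search(cmdline)
    target = (m.group(1) or m.group(2)) if m else ""
    tl = target.lower()
    for d in fake_guid_dirs(target):
        findings.append(f"task target in fake-GUID folder {d}")
    if tl.endswith("\\svchost.exe") and not SYSTEM_DIR_RE.search(tl):
        findings.append(f"task target named svchost.exe outside System32: {target}")
    for mo, ri in MINUTE_SCHEDULE_RE.findall(cmdline):
        if int(mo or ri) <= 15:   # arbitrary threshold for the example
            findings.append("high-frequency task (runs every %s minute(s))" % (mo or ri))
    return findings


def self_delete_findings(cmdline: str) -> List[str]:
    """The two cmd.exe self-delete idioms used by the samples."""
    findings: List[str] = []
    if "cmd.exe" not in cmdline.lower():
        return findings
    if TASKKILL_DELETE_RE.search(cmdline):
        findings.append("taskkill followed by delete of the killed image (self-delete)")
    if CHOICE_DELAY_DELETE_RE.search(cmdline):
        findings.append("choice used as a timed delay before delete (self-delete)")
    return findings


def analyze(cmdline: str) -> List[str]:
    return schtasks_findings(cmdline) + self_delete_findings(cmdline)


def scan(cmdlines: List[str]) -> Dict[int, List[str]]:
    """Index -> findings for each command line; an empty list means clean."""
    return {i: analyze(c) for i, c in enumerate(cmdlines)}


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_CMDLINES).items():
        print(i, hits or "clean")
```

The GUID check is the one most worth keeping: a real GUID is 32 hexadecimal digits in five groups, so a folder whose name has the braces and hyphens but contains letters beyond F, or the wrong number of groups, was written by something that only wanted to look like a GUID.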
### Poullight Stealer:
**net4network.exe** (**network.exe** in Figure 1) is also protected with the Enigma Protector.
Original File Name | netcommunity.exe
---|---
File Size | 978,944 bytes
MD5 | ed81b7ab336d217d42136617f8f908af
SHA256 | 87698fa154be7f6563f1a653a02dd6a93e4fd62fa7bcee7ca3a1ed5366c5e7f7
Product Version | 6.6.6.6
Date / Time Stamp (GMT) | Wednesday 25 March 2020 03:49:15
Table 4: File metadata
This process crashes shortly after starting, producing the error dialog shown below, which is the first, and only, visual indication to the end user that malware may have attempted to run on the computer.

Figure 8: Process crash popup message box
**net4network.exe** is essentially the Poullight Stealer, recently reported by [Yoroi](<https://yoroi.company/research/poulight-stealer-a-new-comprehensive-stealer-from-russia/>). It steals the following information from the victim host and writes numerous files to disk to record it.
**File Name** | **File Type** | **Data collected**
---|---|---
System.txt | Text file | OS version, username, computer name, video card, CPU
Processlist.txt | Text file | Running processes
Copyboard.txt | Text file | Clipboard text
Screenshot.png | PNG file | Screenshot of desktop
Webcam.jpg | JPG file | Webcam image
Data.txt | Text file | Pidgin chat client logs
Cookies.txt | Text file | Google cookies
Data is also stolen from the following clients: **Discord**, **FileZilla**, **NordVPN**, **Skype**, **Steam**, **Telegram** and **Pidgin**. The stealer additionally looks for various cryptocurrency wallets, including **Bytecoin**, **Dash**, **Ethereum**, **BitCoin**, **Monero** and **BitCoin-Qt**.
One of the files written contains the following string.
**Stealer by Nixscare, buy here: @nixscare (telegram)**
The owner of this Telegram account has a channel created under the alias shown below, which appears to have been active from mid-April 2020 until around mid-May 2020.

Figure 9: Telegram channel by nixscare
This process makes an HTTP POST request to **gate[.]btchit[.]me/gate.php**, followed by an HTTP GET request to **ru-uid-507352920[.]pp[.]ru** to download the file **example.exe**. The GET fails with a 404 error, likely due to infrastructure changes. At the time of writing, this domain resolves to an IP address geolocated to Makhachkala in the Republic of Dagestan, Russia.
At the time of writing, the Poullight Stealer site has been suspended by its hosting provider.

Figure 10: Poullight Stealer site suspended
One further point to highlight is the Poullight configuration. The original base64-encoded configuration is shown below in the **cpdata**, **ulfile** and **mutex** fields.

Figure 11: Base64 encoded configuration parameters
The configuration can be decoded to reveal the following:

Figure 12: Decoded configuration
One part of the configuration that stands out is the **cpdata** field, which contains the wallet address **12CNuKkKK1xLFoM9P58zWXkELMx1y51z6Y**. At the time of writing, this BTC address has a total of four transactions, which occurred between 5 and 7 November 2019. Each transaction links onward to further transaction hashes, and some of the largest of these carry amounts of $1,237.42, $3,324.05 and $9,233.48. These linked transactions still show signs of recent activity; an example is shown below, in USD.

Figure 13: Nested transactions
The field name **cpdata** suggests clipboard data, i.e. the attacker’s address that the BTC clipper function substitutes for wallet addresses innocently copied and pasted by the victim.
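To show what a value like cpdata is used for, here is an added Python example (not Poullight’s code): it decodes a constructed base64 configuration in the cpdata/ulfile/mutex layout, where cpdata holds the address quoted above and the ulfile and mutex values are invented for the example; it then validates candidate addresses with the Base58Check double-SHA256 checksum that a clipper relies on to pick real addresses out of clipboard text, and compares copied against pasted text to spot a swap. The clipboard strings and the two addresses used in the swap check are public, well-known test addresses, not addresses from the report.

```python
import base64
import hashlib
import re
from typing import Dict, List, Optional, Tuple

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy Base58Check addresses: '1' (P2PKH) or '3' (P2SH), 26-35 characters.
BTC_CANDIDATE_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

# Constructed configuration in the cpdata/ulfile/mutex layout the report describes.
# cpdata carries the address quoted in the report; ulfile and mutex values are assumed.
SAMPLE_CONFIG_B64: Dict[str, str] = {
    "cpdata": base64.b64encode(b"12CNuKkKK1xLFoM9P58zWXkELMx1y51z6Y").decode(),
    "ulfile": base64.b64encode(b"http://ru-uid-507352920.pp.ru/example.exe").decode(),
    "mutex": base64.b64encode(b"example-mutex-name").decode(),
}


def b58decode(s: str) -> bytes:
    """Base58 -> bytes; each leading '1' encodes one leading zero byte."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("invalid base58 character %r" % ch)
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_base58check(addr: str) -> bool:
    """True when the address decodes to 25 bytes whose double-SHA256 checksum matches."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:                       # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def decode_config(fields: Dict[str, str]) -> Dict[str, str]:
    """Base64-decode every field of a Poullight-style configuration."""
    return {k: base64.b64decode(v).decode("utf-8", "replace") for k, v in fields.items()}


def find_btc_addresses(text: str) -> List[str]:
    """Checksum-valid addresses in arbitrary text; what a clipper scans the clipboard for."""
    return [c for c in BTC_CANDIDATE_RE.findall(text) if is_valid_base58check(c)]


def clipboard_swap(copied: str, pasted: str) -> Optional[Tuple[str, str]]:
    """(original, replacement) when the pasted text carries a different valid address."""
    before, after = find_btc_addresses(copied), find_btc_addresses(pasted)
    if before and after and before != after:
        return before[0], after[0]
    return None


if __name__ == "__main__":
    cfg = decode_config(SAMPLE_CONFIG_B64)
    print("cpdata:", cfg["cpdata"], "checksum ok:", is_valid_base58check(cfg["cpdata"]))
    # Constructed clipboard contents before and after a swap; both addresses are
    # public, well-known test vectors (genesis coinbase address and a wiki example).
    print(clipboard_swap("pay 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
                         "pay 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"))
```

Matching on checksum-valid addresses rather than on any 34-character string is what keeps a clipper from corrupting unrelated clipboard text, and it is also why the swap is hard to notice: the replacement is itself a perfectly valid address. A defender can run the same check over copy/paste events from an EDR or clipboard-monitor feed and alert when the pasted address differs from the one copied.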
Almost 300 samples on VirusTotal were found to include the **cpdata** tag, and one sample in particular contained the following name, which could suggest a relationship between the Poullight and Predator The Thief stealers.

Figure 14: Possible relationship with the Predator The Thief stealer
The overall process activity from VMware Carbon Black Cloud Enterprise EDR is shown below.

### **Remediation:**
**MITRE ATT&CK TIDs**
**TID** | **Tactic** | **Description**
---|---|---
T1047 | Execution | Windows Management Instrumentation
T1053 | Execution, Persistence, Privilege Escalation | Scheduled Task
T1096 | Defense Evasion | NTFS File Attributes
T1497 | Defense Evasion, Discovery | Virtualization/Sandbox Evasion
T1143 | Defense Evasion | Hidden Window
T1045 | Defense Evasion | Software Packing
T1081 | Credential Access | Credentials in Files
T1083 | Discovery | File and Directory Discovery
T1063 | Discovery | Security Software Discovery
T1012 | Discovery | Query Registry
T1010 | Discovery | Application Window Discovery
T1082 | Discovery | System Information Discovery
T1105 | Command and Control, Lateral Movement | Remote File Copy
T1119 | Collection | Automated Collection
T1005 | Collection | Data from Local System
T1071 | Command and Control | Standard Application Layer Protocol
**Indicators of Compromise (IOCs)**
**Indicator** | **Type** | **Context**
---|---|---
d4864866becdce24241855de9af67c434007a9324b1b175a04020fd72e5e709b | SHA256 | Dropper (startwe.exe)
ae341ba5357eb8f9627898d0f740609b | MD5 | Dropper (startwe.exe)
5831a117790aebc381c863d1c59e38164ba9c95c13f560f6f0e6e499a4c0f583 | SHA256 | net4contor.exe (Supreme botnet client)
924bda3c9a8db75d80eca4a2eac3ff6e | MD5 | net4contor.exe (Supreme botnet client)
87698fa154be7f6563f1a653a02dd6a93e4fd62fa7bcee7ca3a1ed5366c5e7f7 | SHA256 | net4network.exe (Poullight Stealer)
ed81b7ab336d217d42136617f8f908af | MD5 | net4network.exe (Poullight Stealer)
6ee66ad45dcea6f6f02a7b43da0220908fcb1f80eb7f9d740f05acf64c410ed8 | SHA256 | net4replacer.exe
995b58eca15bea70798ac29f5b0cd368 | MD5 | net4replacer.exe
80.87.193.46 | IP Address | TCP/80
download[.]btchit[.]me | Domain | Open Directory
dashboard[.]btchit[.]me | Domain | C2
gate[.]btchit[.]me | Domain | C2 (Poullight Stealer)
btchit[.]me | Domain | Builder Page
dviros[.]smabit[.]ru | Domain | Builder Page
api[.]foxovsky[.]ru | Domain | C2
91.210.201.108 | IP Address | TCP/80
ru-uid-507352920[.]pp[.]ru | Domain | C2
@nethitbot | Telegram Account | NetHit Builder
@nixscare | Telegram Account | Poullight Stealer
12CNuKkKK1xLFoM9P58zWXkELMx1y51z6Y | Wallet Address | BTC address in Poullight cpdata configuration
To learn more about the VMware Carbon Black Threat Analysis Unit (TAU), click [here](<https://www.carbonblack.com/threat-analysis-unit/>).
The post [TAU Threat Discovery: Cryptocurrency Clipper Malware Evolves](<https://www.carbonblack.com/blog/tau-threat-discovery-cryptocurrency-clipper-malware-evolves/>) appeared first on [VMware Carbon Black](<https://www.carbonblack.com>).
Published 24 July 2020 by Sheida Azimi, VMware Carbon Black Threat Analysis Unit.