New Infostealer ‘ColdStealer’ Being Distributed
The ASEC analysis team has discovered the distribution of ColdStealer, which appears to be a new type of infostealer. The malware is disguised as a download for cracked software and tools, a distribution method that has been mentioned multiple times in previous ASEC blog posts.
There are two cases for this type of malware distribution:
1. Distributing a single type of malware such as CryptBot or RedLine
2. Dropper-type malware decompressing and executing various internal malware strains
ColdStealer is distributed using the second method. For more information, check the following blog post.
The downloader malware is embedded within the dropper malware. When the downloader runs, it downloads ColdStealer from the C2 server. The following figure shows the process.

Figure 1. Infection process of ColdStealer
ColdStealer is packed in multiple layers. It currently uses .NET obfuscation packing, but it was initially possible to obtain the original build, which was packed using process hollowing and a .NET loader.
As its name suggests, ColdStealer is an infostealer, a simple type of malware that collects various user information and sends it to the C2 server. It is written in .NET, and because its features are simple, its size is a mere 80KB. The sample that appears to be built from the original source uses the namespace “ColdStealer,” which is where the name comes from.

Figure 2. ColdStealer
When the infostealer collects the information to be stolen, it stores it as a ZIP archive in memory rather than as files on disk, using source code that was published on GitHub. After collecting the information, it sends the memory stream to the C2 server. This allows the malware to evade detection, as it leaves no file or execution traces.

Figure 3. Uses ZIP streams when collecting information
The infostealer has six main features:
- Stealing browser information
- Stealing cryptocurrency wallet information
- Stealing files
- Stealing FTP server information
- Stealing system information
- Sending exception (error) information
- Stealing browser information
Targets are multiple Chromium-based browsers, Opera, and Firefox. The list of targeted Chromium-based browsers is as follows:
| Battle.net, Chromium, Google Chrome, Google Chrome (x86), MapleStudio ChromePlus, Iridium, 7Star, CentBrowser, Chedot, Vivaldi, Kometa, Elements, Epic, uCozMedia Uran, Sleipnir5, Citrio, Coowon, Liebao, QIP Surf, Orbitum, Comodo Dragon, Amigo, Torch, Yandex Browser, Comodo, 360Browser, Maxthon3, K-Melon, Sputnik, Nichrome, CocCoc, Uran, Chromodo, Atom, BraveSoftware, Microsoft Edge, Nvidia, Steam, CryptoTab |
Table 1. List of targets (Chromium-based browsers)

Figure 4. Code for collecting information of Chromium browsers
The code supports these browsers up to their latest versions. The malware collects IDs, passwords, cookies, and web data files saved in the browser. Browser extensions are also enumerated, and the extensions on the following list are targeted for collection as well. The list includes sensitive extensions related to cryptocurrency wallets and user authentication.
| Metamask, YoroiWallet, Tronlink, NiftyWallet, MathWallet, Coinbase, BinanceChain, BraveWallet, GuardaWallet, EqualWallet, JaxxLiberty, BitAppWallet, iWallet, Wombat, AtomicWallet, MewCx, GuildWallet, SaturnWallet, RoninWallet, PhantomWallet, Arweave, Auro, Celo, Clover, Coin98, Crypto.com, Cyano, Cyano PRO, Dune, Fractal, Gero, Harmony, Hiro, Iconex, Kardia Chain, Keplr, KHC, Lamden, Liquality, Maiar, Mew CEX, Mobox, NeoLine, Nami, Oasis, Polymesh, Rabby, Solflare, Sollet, Solong, Temple, Terra Station, TezBox, Theta, XDeFi, ZebeDee, Authenticator CC |
Table 2. List of browser extension programs for collecting
Instead of stealing entire files, the malware parses the files internally and sends only the necessary information. However, because it does not account for Unicode encoding, an error occurs when it tries to parse the browser data files (SQLite format) on a Windows system whose system language is Korean.

Figure 5. SQLite parsing error
When parsing succeeds, the browser access records are saved to “Domain.text”, while account IDs and passwords are saved to “Passwords.text”.

Figure 6. Collected browser passwords (example)
- Stealing files
Files on the desktop of the user account and in its subdirectories are targeted. The malware collects any file whose name contains the string “wallet” or whose extension is .txt or .dat.

Figure 7. Code for collecting files
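As an added example (not code from the ASEC post or from the malware), the following Python script applies the file-collection rule described above to a directory, so a defender can audit what a ColdStealer infection would exfiltrate from a user's Desktop. Case-insensitive matching and the default Desktop path are assumptions.

```python
import os
from pathlib import Path
from typing import Iterable

# File-collection criteria as described in the analysis: any file whose name
# contains the string "wallet" or whose extension is .txt or .dat, anywhere
# under the user's Desktop. Case-insensitive matching is an assumption here.
TARGET_EXTENSIONS = {".txt", ".dat"}
TARGET_NAME_SUBSTRING = "wallet"


def is_coldstealer_target(filename: str) -> bool:
    """Return True if a file with this name matches the stealer's file rule."""
    lower = os.path.basename(filename).lower()
    if TARGET_NAME_SUBSTRING in lower:
        return True
    return os.path.splitext(lower)[1] in TARGET_EXTENSIONS


def select_targets(relative_paths: Iterable[str]) -> list[str]:
    """Filter an iterable of relative paths down to those the stealer would take."""
    return sorted(p for p in relative_paths if is_coldstealer_target(p))


def find_exposed_files(desktop_root: str) -> list[tuple[str, int]]:
    """Walk desktop_root and return (relative path, size) for every file the
    stealer would collect, so the owner can see what an infection would leak."""
    root = Path(desktop_root)
    candidates = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            candidates[str(full.relative_to(root))] = full.stat().st_size
    return [(rel, candidates[rel]) for rel in select_targets(candidates)]


def total_exposed_bytes(exposed: list[tuple[str, int]]) -> int:
    """Total size of the files that would be bundled into the in-memory ZIP."""
    return sum(size for _, size in exposed)


if __name__ == "__main__":
    # Default to the current user's Desktop, the directory named as the target.
    hits = find_exposed_files(str(Path.home() / "Desktop"))
    for rel, size in hits:
        print(f"{size:>10}  {rel}")
    print(f"{len(hits)} file(s), {total_exposed_bytes(hits)} bytes would be collected")
```

Anything the script lists is a candidate for moving off the Desktop or into an encrypted store, which limits what this stealer (and similar ones with the same rule) can collect.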
- Stealing FTP server information
Collects the list of servers and passwords saved in FileZilla, the most common FTP client.

Figure 8. Code for collecting FTP server information
- Stealing system information
Collects various system information, including the Windows version, language, CPU type, clipboard data, execution privileges, etc.

Figure 9. Code for collecting system information
- Stealing cryptocurrency wallet information
Collects information on wallet programs saved in the Roaming directory, the Local directory, the registry, etc.
| ZCash, Armory, Bytecoin, JaxxClassic, JaxxLiberty, Exodus, Ethereum, Electrum, Electrum-LTC, Electrum-BCH, Atomic, Guarda, Wasabi, Daedalus, Coinomi, Litecoin, Dash, Bitcoin, monero-core, Binance |
Table 3. Wallet programs targeted for collection
- Collecting and sending error information
Records and sends every error (exception) that occurs while the program is running. Because the SQLite parsing error on Windows with the Korean language setting is also recorded and sent, a patched version might be distributed soon.

Figure 10. Code for collecting errors
After all information collection is complete, the information is sent to the C2 server. The C2 URL is hard-coded at a particular location in the binary, and the data is sent using the HTTP POST method.

Figure 11. C2 URL
As shown above, ColdStealer is a very simple infostealer, but it can cause severe secondary damage by leaking major system information upon infection. Users therefore need to take caution.
The following is the IOC info related to ColdStealer.