New Info-stealer Disguised as Crack Being Distributed

The ASEC analysis team has previously published posts about various malware types that are distributed by disguising themselves as software cracks and installers; CryptBot, RedLine, and Vidar are major examples. Recently, the standalone RedLine variant has disappeared (it is still being distributed as a dropper payload) and a new infostealer is being actively distributed in its place. Its distribution has been in full swing since May 20th, and it is generally categorized as “Recordbreaker Stealer.” Some analyses consider it a new version of Raccoon Stealer.

The malware is dropped when users search for cracks, serial numbers, installers, etc. of commercial software, access the resulting webpage, download the archive, and decompress it.

It is mainly distributed as an abnormally large file with a huge amount of padding added. The padding is inserted between the last section and the certificate area of the PE file.

As a result, the file downloaded from the website is 3 to 7 MB, while the malware created upon decompressing it is 300 to 700 MB. The malware icons imitate installer images or those of popular software. In some cases, it is distributed in a typical packed form by a dropper or downloader.
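As an added check (not code from the ASEC post), the following Python parses a PE header just far enough to measure the gap between the end of the last section and the certificate table, which is where the post says the padding sits. The `build_sample_pe` helper, the 100 MB and 90% thresholds and the sample images are all constructed for this example and are not the post's samples.

```python
import struct

# Added example, not code from the ASEC post: parse a PE header far enough to
# measure the gap between the end of the last section and the Authenticode
# certificate table, which is where the post says the padding is inserted.

SECURITY_DIR_INDEX = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY
SECTION_HEADER_SIZE = 40


def pe_layout(data: bytes) -> dict:
    """Return file size, end of section data, certificate table offset/size and
    the number of bytes sitting between section data and the certificate table
    (or the end of file when there is no certificate table)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at offset 112 for PE32+ (0x20B) and 96 for PE32 (0x10B).
    directories = opt + (112 if magic == 0x20B else 96)
    # The security directory holds a raw file offset, not an RVA.
    cert_offset, cert_size = struct.unpack_from(
        "<II", data, directories + SECURITY_DIR_INDEX * 8)
    section_table = opt + size_of_optional
    end_of_sections = 0
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each header.
        raw_size, raw_ptr = struct.unpack_from(
            "<II", data, section_table + i * SECTION_HEADER_SIZE + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    gap_end = cert_offset if cert_offset else len(data)
    return {
        "file_size": len(data),
        "end_of_sections": end_of_sections,
        "cert_offset": cert_offset,
        "cert_size": cert_size,
        "padding": max(0, gap_end - end_of_sections),
    }


def is_padded(data: bytes, min_bytes: int = 100 * 1024 * 1024,
              min_ratio: float = 0.9) -> bool:
    """Flag files whose section/certificate gap is huge in absolute terms or
    dominates the file. Both thresholds are assumptions chosen for this
    example; tune them against your own sample set."""
    layout = pe_layout(data)
    return (layout["padding"] >= min_bytes
            or layout["padding"] / layout["file_size"] > min_ratio)


def build_sample_pe(padding: int, cert_size: int = 64) -> bytes:
    """Construct a minimal, non-executable PE32+ image with one 512-byte
    section followed by `padding` bytes and a dummy certificate table.
    Constructed test data only; it is not one of the samples from the post."""
    e_lfanew, size_of_optional = 0x80, 240
    section_ptr = section_size = 512
    cert_offset = section_ptr + section_size + padding
    buf = bytearray(cert_offset + cert_size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", buf, coff, 0x8664, 1, 0, 0, 0, size_of_optional, 0x22)
    opt = coff + 20
    struct.pack_into("<H", buf, opt, 0x20B)                 # PE32+ magic
    struct.pack_into("<II", buf, opt + 112 + SECURITY_DIR_INDEX * 8,
                     cert_offset, cert_size)
    hdr = opt + size_of_optional
    buf[hdr:hdr + 8] = b".text\0\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", buf, hdr + 8, section_size, 0x1000, section_size, section_ptr)
    buf[section_ptr:section_ptr + section_size] = b"\xcc" * section_size
    return bytes(buf)


if __name__ == "__main__":
    for pad in (0, 4096, 2 * 1024 * 1024):
        sample = build_sample_pe(pad)
        print(pe_layout(sample), "suspicious" if is_padded(sample) else "ok")
```

Against real files, read them with `open(path, "rb").read()` and pass the bytes to `pe_layout`. The ratio test is what catches the 300 to 700 MB samples described above, while a legitimately signed small binary, whose gap is only alignment padding, stays below both thresholds.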

When the malware runs, it downloads additional libraries as directed by the C2 (the settings value), collects various sensitive information from the user's PC, and sends it back to the C2. The information targeted for theft is decided by the C2 settings. Additional malware strains may also be installed. The following figure shows the network behavior over the overall execution flow.

[Figure: network behavior during the overall execution flow]

On its first contact with the C2, the malware sends the user name, the MachineGUID value, and key values hard-coded in the sample, and receives the settings data in response. The data includes the list of information to be stolen and the download URLs for the libraries needed to collect it.


Initial samples used different domains for the C2 and for downloading libraries, but recent samples use the same URL for both. The C2s do not tend to last long; in fact, about 2 to 3 samples with new C2 domains are distributed in a single day. The malware uses the string “record” as its User-Agent value when communicating with the C2.
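The “record” User-Agent and the fixed set of support DLL names give a defender two log-level indicators. The following is an added example, not code from the post, that applies them to constructed tab-separated proxy log lines; every address below is from the 203.0.113.0/24 documentation range, and only the DLL names and the "record" string come from the post.

```python
import re
from urllib.parse import urlsplit

# Added example, not from the ASEC post. The log format and every address
# below are constructed (203.0.113.0/24 is a documentation range); the
# indicators come from the post: User-Agent "record" and the NSS/VC runtime
# DLL names the stealer fetches from its C2.

STEALER_LIBS = {"nss3.dll", "msvcp140.dll", "vcruntime140.dll", "mozglue.dll",
                "freebl3.dll", "softokn3.dll", "sqlite3.dll", "nssdbm3.dll"}
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed log lines, tab-separated: timestamp, client, method, url, status, user-agent
SAMPLE_LOG = """\
2022-06-21T10:00:01Z\t10.0.0.5\tPOST\thttp://203.0.113.10/\t200\trecord
2022-06-21T10:00:02Z\t10.0.0.5\tGET\thttp://203.0.113.10/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll\t200\trecord
2022-06-21T10:00:03Z\t10.0.0.7\tGET\thttps://www.example.com/\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
2022-06-21T10:00:04Z\t10.0.0.9\tGET\thttp://203.0.113.20/static/vcruntime140.dll\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
2022-06-21T10:00:05Z\t10.0.0.9\tGET\thttps://download.example.com/vcruntime140.dll\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
"""


def parse_line(line: str) -> dict:
    ts, client, method, url, status, ua = line.split("\t", 5)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "ua": ua}


def match_rules(rec: dict) -> list:
    """Return the names of every rule the record triggers."""
    rules = []
    if rec["ua"].strip() == "record":        # the bare "record" User-Agent from the post
        rules.append("ua-record")
    parts = urlsplit(rec["url"])
    filename = parts.path.rsplit("/", 1)[-1].lower()
    if (filename in STEALER_LIBS and parts.scheme == "http"
            and IPV4_HOST.match(parts.hostname or "")):
        # stealer support DLLs pulled over plain HTTP from an IP-literal host
        rules.append("stealer-dll-from-ip")
    return rules


def detect(log_text: str) -> list:
    """Run both rules over a log and return one hit per matching line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_line(line)
        rules = match_rules(rec)
        if rules:
            hits.append({"line": n, "client": rec["client"], "rules": rules})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

The second rule deliberately stays narrow (plain HTTP, IP-literal host, one of the eight DLL names) so that ordinary runtime downloads from a vendor hostname, such as the fifth constructed line, are not flagged.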


The stealing targets in the settings data are mainly strings related to cryptocurrencies, such as browser-plugin wallets and open-source wallets. Basic targets such as browser cookies, IDs, and passwords appear to be collected whenever the related libraries are present. The table below shows the settings data for the analyzed sample.


libs_nss3:http://146.19.247[.]28/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
libs_msvcp140:http://146.19.247[.]28/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
libs_vcruntime140:http://146.19.247[.]28/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
libs_mozglue:http://146.19.247[.]28/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
libs_freebl3:http://146.19.247[.]28/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
libs_softokn3:http://146.19.247[.]28/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
ews_meta_e:ejbalbakoplchlghecdalmeeeajnimhm;MetaMask;Local Extension Settings
ews_tronl:ibnejdfjmmkpcnlpebklmnkoeoihofec;TronLink;Local Extension Settings
libs_sqlite3:http://146.19.247[.]28/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
ews_bsc:fhbohimaelbohpjbbldcngcnapndodjp;BinanceChain;Local Extension Settings
ews_ronin:fnjhmkhhmkbjkkabndcnnogagogbneec;Ronin;Local Extension Settings
wlts_exodus:Exodus;26;exodus;*;*partitio*,*cache*,*dictionar*
wlts_atomic:Atomic;26;atomic;*;*cache*,*IndexedDB*
wlts_jaxxl:JaxxLiberty;26;com.liberty.jaxx;*;*cache*
wlts_binance:Binance;26;Binance;*app-store.*;-
wlts_coinomi:Coinomi;28;Coinomi\Coinomi\wallets;*;-
wlts_electrum:Electrum;26;Electrum\wallets;*;-
wlts_elecltc:Electrum-LTC;26;Electrum-LTC\wallets;*;-
wlts_elecbch:ElectronCash;26;ElectronCash\wallets;*;-
wlts_guarda:Guarda;26;Guarda;*;*cache*,*IndexedDB*
wlts_green:BlockstreamGreen;28;Blockstream\Green;*;cache,gdk,*logs*
wlts_ledger:Ledger Live;26;Ledger Live;*;*cache*,*dictionar*,*sqlite*
ews_ronin_e:kjmoohlgokccodicjjfebfomlbljgfhk;Ronin;Local Extension Settings
ews_meta:nkbihfbeogaeaoehlefnkodbefgpgknn;MetaMask;Local Extension Settings
sstmnfo_System Info.txt:System Information:|Installed applications:|
libs_nssdbm3:http://146.19.247[.]28/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nssdbm3.dll
wlts_daedalus:Daedalus;26;Daedalus Mainnet;*;log*,*cache,chain,dictionar*
wlts_mymonero:MyMonero;26;MyMonero;*;*cache*
wlts_xmr:Monero;5;Monero\\wallets;*.keys;-
wlts_wasabi:Wasabi;26;WalletWasabi\\Client;*;*tor*,*log*
ews_metax:mcohilncbfahbmgdjkbpemcciiolgcge;MetaX;Local Extension Settings
ews_xdefi:hmeobnfnfcmdkdcmlblgagmfpfboieaf;XDEFI;IndexedDB
ews_waveskeeper:lpilbniiabackdjcionkobglmddfbcjo;WavesKeeper;Local Extension Settings
ews_solflare:bhhhlbepdkbapadjdnnojkbgioiodbic;Solflare;Local Extension Settings
ews_rabby:acmacodkjbdgmoleebolmdjonilkdbch;Rabby;Local Extension Settings
ews_cyano:dkdedlpgdmmkkfjabffeganieamfklkm;CyanoWallet;Local Extension Settings
ews_coinbase:hnfanknocfeofbddgcijnmhnfnkdnaad;Coinbase;IndexedDB
ews_auromina:cnmamaachppnkjgnildpdmkaakejnhae;AuroWallet;Local Extension Settings
ews_khc:hcflpincpppdclinealmandijcmnkbgn;KHC;Local Extension Settings
ews_tezbox:mnfifefkajgofkcjkemidiaecocnkjeh;TezBox;Local Extension Settings
ews_coin98:aeachknmefphepccionboohckonoeemg;Coin98;Local Extension Settings
ews_temple:ookjlbkiijinhpmnjffcofjonbfbgaoc;Temple;Local Extension Settings
ews_iconex:flpiciilemghbmfalicajoolhkkenfel;ICONex;Local Extension Settings
ews_sollet:fhmfendgdocmcbmfikdcogofphimnkno;Sollet;Local Extension Settings
ews_clover:nhnkbkgjikgcigadomkphalanndcapjk;CloverWallet;Local Extension Settings
ews_polymesh:jojhfeoedkpkglbfimdfabpdfjaoolaf;PolymeshWallet;Local Extension Settings
ews_neoline:cphhlgmgameodnhkjdmkpanlelnlohao;NeoLine;Local Extension Settings
ews_keplr:dmkamcknogkgcdfhhbddcghachkejeap;Keplr;Local Extension Settings
ews_terra_e:ajkhoeiiokighlmdnlakpjfoobnjinie;TerraStation;Local Extension Settings
ews_terra:aiifbnbfobpmeekipheeijimdpnlpgpp;TerraStation;Local Extension Settings
ews_liquality:kpfopkelmapcoipemfendmdcghnegimn;Liquality;Local Extension Settings
ews_saturn:nkddgncdjgjfcddamfgcmfnlhccnimig;SaturnWallet;Local Extension Settings
ews_guild:nanjmdknhkinifnkgdcggcfnhdaammmj;GuildWallet;Local Extension Settings
ews_phantom:bfnaelmomeimhlpmgjnjophhpkkoljpa;Phantom;Local Extension Settings
ews_tronlink:ibnejdfjmmkpcnlpebklmnkoeoihofec;TronLink;Local Extension Settings
ews_brave:odbfpeeihdkbihmopkbjmoonfanlbfcl;Brave;Local Extension Settings
ews_meta_e:ejbalbakoplchlghecdalmeeeajnimhm;MetaMask;Local Extension Settings
ews_ronin_e:kjmoohlgokccodicjjfebfomlbljgfhk;Ronin;Local Extension Settings
ews_mewcx:nlbmnnijcnlegkjjpcfjclmcfggfefdm;MEW_CX;Sync Extension Settings
ews_ton:cgeeodpfagjceefieflmdfphplkenlfk;TON;Local Extension Settings
ews_goby:jnkelfanjkeadonecabehalmbgpfodjm;Goby;Local Extension Settings
ews_ton_ex:nphplpgoakhhjchkkhmiggakijnkhfnd;TON;Local Extension Settings
scrnsht_Screenshot.jpeg:1
tlgrm_Telegram:Telegram Desktop\tdata|*|*emoji*,*user_data*,*tdummy*,*dumps*
token:e1cf7053cd9066b051c048495a128811

Table 1. Full text of the C2 response settings data


The sample steals basic system information, the list of installed programs, screenshots, data saved in browsers, and various cryptocurrency wallet information. What is stolen varies with the C2's response: for example, one C2 does not request screenshots but instead commands the malware to steal all txt files on the desktop and in the subfolders of My Documents.


Since June 17th, the C2s have been responding with a settings value that downloads and runs additional malware in addition to the libraries used for stealing information. The malware currently installed is ClipBanker (74744fc068f935608dff34ecd0eb1f96). It persists by registering itself in the task scheduler and replaces cryptocurrency wallet address strings in the clipboard with the attacker's addresses. The history of related samples implies that other malware strains were also installed during the initial distribution stage.

This process of stealing information and then installing ClipBanker is similar to CryptBot's distribution, and CryptBot is also being actively distributed at the moment.

ldr_1:http://94.158.244[.]119/U4N9B5X5F5K2A0L4L4T5/84897964387342609301.bin|%TEMP%|exe

Table 2. Settings value for installing additional malware
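Since the settings data in Tables 1 and 2 is a simple key:value format, an analyst can parse a captured C2 response to pull out the library URLs, loader URLs, extension IDs and wallet paths as indicators. The following parser is an added example, not code from the post or from the malware; the sample excerpt reuses entries from both tables (defanged as in the post), and the field meanings, including reading the numeric wallet field as a CSIDL folder ID, are my interpretation of those examples rather than something the post states.

```python
# Added example, not from the ASEC post: a parser for the settings format the
# C2 returns (Table 1) plus the loader entry of Table 2. Field meanings are
# inferred from the post's examples, not documented by the post.

# Constructed excerpt: entries copied from Tables 1 and 2, defanged as in the post.
SAMPLE_SETTINGS = r"""
libs_nss3:http://146.19.247[.]28/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
libs_sqlite3:http://146.19.247[.]28/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
ews_meta:nkbihfbeogaeaoehlefnkodbefgpgknn;MetaMask;Local Extension Settings
ews_xdefi:hmeobnfnfcmdkdcmlblgagmfpfboieaf;XDEFI;IndexedDB
wlts_exodus:Exodus;26;exodus;*;*partitio*,*cache*,*dictionar*
wlts_coinomi:Coinomi;28;Coinomi\Coinomi\wallets;*;-
sstmnfo_System Info.txt:System Information:|Installed applications:|
scrnsht_Screenshot.jpeg:1
tlgrm_Telegram:Telegram Desktop\tdata|*|*emoji*,*user_data*,*tdummy*,*dumps*
ldr_1:http://94.158.244[.]119/U4N9B5X5F5K2A0L4L4T5/84897964387342609301.bin|%TEMP%|exe
token:e1cf7053cd9066b051c048495a128811
"""


def _split_list(field: str) -> list:
    """Comma-separated exclusion masks; "-" means no exclusions."""
    return [] if field in ("", "-") else field.split(",")


def parse_entry(line: str) -> dict:
    """Split one `prefix_name:value` line and decode the value per prefix."""
    key, _, value = line.partition(":")
    kind, _, name = key.partition("_")
    entry = {"kind": kind, "name": name, "raw": value}
    if kind == "libs":                           # plain download URL
        entry["url"] = value
    elif kind == "ldr":                          # url|destination folder|file type
        url, dest, ftype = value.split("|", 2)
        entry.update(url=url, destination=dest, file_type=ftype)
    elif kind == "ews":                          # extension id;label;storage dir
        ext_id, label, storage = value.split(";", 2)
        entry.update(extension_id=ext_id, label=label, storage=storage)
    elif kind == "wlts":                         # label;folder id;path;mask;exclusions
        label, folder, path, mask, excl = value.split(";", 4)
        # folder id: 26/28/5 look like CSIDL constants (APPDATA, LOCAL_APPDATA,
        # PERSONAL); this is an inference, not stated in the post.
        entry.update(label=label, folder_id=int(folder), path=path,
                     mask=mask, exclude=_split_list(excl))
    elif kind == "tlgrm":                        # path|mask|exclusions
        path, mask, excl = value.split("|", 2)
        entry.update(path=path, mask=mask, exclude=_split_list(excl))
    return entry


def parse_settings(text: str) -> list:
    return [parse_entry(line.strip()) for line in text.splitlines() if line.strip()]


def extract_iocs(entries: list) -> dict:
    """Collect the fields a defender would block or hunt for."""
    return {
        "download_urls": [e["url"] for e in entries if e["kind"] == "libs"],
        "loader_urls": [e["url"] for e in entries if e["kind"] == "ldr"],
        "c2_hosts": sorted({e["url"].split("/")[2] for e in entries if "url" in e}),
        "extension_ids": sorted({e["extension_id"] for e in entries if e["kind"] == "ews"}),
        "wallet_paths": [e["path"] for e in entries if e["kind"] == "wlts"],
    }


if __name__ == "__main__":
    parsed = parse_settings(SAMPLE_SETTINGS)
    for kind in sorted({e["kind"] for e in parsed}):
        print(kind, sum(1 for e in parsed if e["kind"] == kind))
    for k, v in extract_iocs(parsed).items():
        print(k, v)
```

Feeding a full response such as Table 1 through `extract_iocs` yields the C2 host to block, the extension IDs to check in the user's browser profile, and the wallet folders whose access should be reviewed on an affected host.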


The following table shows some of the attacker's wallet addresses.

BTC   19iQuuqoVQPAtRhzm4GvNuM3bj4Nm29ByX
      32h53ccRQW6Vyw4rqR22xmip34WcC6pnFL
      bc1qnd4p4vh6zvq68s7m70dvuzejfq2rfmqdlzmmse
ETH   0xF22ffD5be6efc35390dfD044B7156CC56C5d41f8
DASH  Xb2miQJ1JjBJA6CTh1GYfDnzduSfRacTVg
DOGE  D7kjwr9bTZCd4u8ws7KLvKsv71ai53vppJ
LTC   LUYBs28KD92zYYjG28gWq9GFvvsWE6KoeN

Table 3. Wallet addresses used for replacement

One characteristic of Record Stealer is that it uses meaningful strings as keys when decrypting the strings it uses. At the initial stage, it used “credit19” as the key; samples distributed after May 28th use the string “edinayarossiya”.


The sample contains code that checks whether the user's default locale (language) is Russian, but the result does not affect its behavior.


Because malware disguised as software cracks has many variants and is distributed in large volumes, users need to take caution. Do not download files from untrusted websites. Executables downloaded after multiple redirections are very likely to be malicious. Moreover, if a file's size increases to an abnormal degree after decompression, it may be the case discussed in this post.

AhnLab products detect and block this malware type under the following aliases:

  • Infostealer/Win.RecordStealer.R498039
  • Infostealer/Win.RecordStealer.R500009
  • Infostealer/Win.PassStealer.R496906
  • Trojan/Win.ClipBanker.C5166957
    and more


MD5

0013a631fa834f5bc5e030915f04bae3
02b4bc8444cbbe15c4d5cac0c64dbd40
058874fe5f95c762a3fa016faf1077a1
06c09cc561f860fec73a342d5948c064
074e3f68a87a7eed362466c685ca4190

FQDN

both-those[.]xyz
brain-lover[.]xyz
broke-bridge[.]xyz
cool-story[.]xyz
cover-you[.]site

IP

135[.]181[.]105[.]89
146[.]19[.]247[.]28
146[.]19[.]247[.]52
146[.]19[.]75[.]8
146[.]70[.]124[.]71

Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.