AhnLab Security Emergency response Center (ASEC) released an analysis report on an Infostealer that is being distributed through YouTube.
As mentioned in the report, an Infostealer is being distributed through various platforms, and the leaked information is causing both direct and indirect harm to users. Understanding what information has been stolen and where it is being sent is crucial in order to minimize the damage caused by an Infostealer infection.
AhnLab EDR keeps logs of what information has been stolen by Infostealers and where it was sent, greatly aiding in the tracking process and preventing further harm. As covered in the previously released analysis report, this malware steals an assortment of data stored on a PC. A folder named 44 is randomly created in either the ApplicationData, LocalApplicationData, or the CommonApplicationData path, where the stolen information is then copied and compressed before being sent. Currently, a connection cannot be established to the destination URL.
Figure 1 shows the AhnLab EDR detection screen for the Infostealer that was distributed through YouTube which was mentioned earlier in this post. The various recorded data is summarized and organized in Figure 2. Based on the summarized process tree, the stolen data can be tracked through AhnLab EDR.
The search result shown in Figure 3 displays the timeline where the detection phrase from the process tree of Figure 2 was used. It can detect compressions that happen for the purpose of information stealing.
Figure 4 shows the detection screen that is displayed on AhnLab EDR about the txt files created by the Infostealer that contains the PC and process information. A process list is saved in process.txt while information.txt contains the extracted system information.
Figures 5 through 7 demonstrate the detection of the stolen system information being stored in information.txt.
Figure 8 shows a record of the Infostealer taking a screenshot.
As shown in Figure 9, every EDR behavior is recorded in AhnLab EDR, including the copying of files by a stealer. This enables users to search for such behaviors.
Beyond the information already discussed, AhnLab EDR provides additional details that aid in tracking stolen information and its destination. Due to the accessibility of malware on various platforms, it is important for users to refrain from downloading illegal programs and opening emails from untrusted senders. Even if proactive measures are taken against all threats, mistakes can still occur. AhnLab EDR is able to respond to threats that occur due to mistakes.
– Infostealer/Win.CALIBER.R513735 (2022.09.06.00)
More details about AhnLab EDR which actively tracks threats and provides endpoint visibility through behavior-based detection and analysis can be found here on the AhnLab page.