White Snake is weaponized against Russian companies
Stealers are a prominent part of today's threat landscape and one of the most popular ways to obtain legitimate login credentials for initial access to corporate networks. In February 2023, the White Snake stealer first appeared on the darknet. It is actively advertised as an easy solution for launching targeted attacks and obtaining stored passwords as well as file copies, keystrokes, and remote access to the compromised device.
Specialists from BI.ZONE Cyber Threat Intelligence discovered a White Snake distribution campaign targeting Russian organizations. The stealer is distributed via phishing emails under the guise of some requirements from Roskomnadzor (Russia’s Federal Service for Supervision of Communications, Information Technology and Mass Media).
- A successful stealer attack can allow threat actors to gain access to multiple corporate resources, such as email and CRM.
- The ability to rent or purchase this type of malware can significantly reduce the skill level required to execute targeted attacks.
- The damage from a successful attack may not necessarily be immediate: attackers often resell the data collected by the stealers.
The victim would receive a phishing email with an archive that contained several files:
- Требование РОСКОМНАДЗОР № 02-12143.odt (ROSKOMNADZOR requirement No. 02-12143.odt)
- Attachment to the ROSKOMNADZOR requirement
- РОСКОМНАДЗОР.png (ROSKOMNADZOR.png)
The first file (fig. 1) is a decoy document that aims to lure the victim into opening the second file, which is the White Snake stealer itself.
The White Snake stealer appeared on popular darknet forums in February 2023 and was positioned as a tool for carrying out targeted attacks (fig. 2).
In addition to the underground forums, the stealer has its own Telegram channel (fig. 3), which can be used to follow all its updates.
A monthly subscription to the stealer costs just $140; unlimited access can be purchased for $1,950. Payment is accepted in one of several cryptocurrencies (fig. 4).
After payment, the customer receives a builder for creating malware samples and access to the control panel for compromised devices.
The builder (fig. 5) allows criminals to configure the stealer features (e.g., add a Telegram token to save the extracted data, select the data encryption method, define the set of extracted data, edit the icon of the executable file, etc.).
The control panel (fig. 6) enables the threat actors to monitor compromised devices, interact with them, and execute commands. In addition, the control panel allows access to all the data collected by the stealer.
After launching from the archive, the executable performs the following actions:
- creates a mutex (named according to the configuration)
- if the feature is enabled, checks that it is not running in a virtual environment
- if enabled, copies all files to the directory C:\Users\[user]\AppData\Roaming\[config_folder_name] and executes the command below via the command interpreter. The run level of the scheduled task depends on the user's permissions: if the user is an administrator, the task is created with the HIGHEST run level; otherwise with LIMITED. The ping of 127.0.0.1 only serves as a short delay before the original file is deleted and the copy is started:
  /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "[task name]" /sc MINUTE /tr "[file path in the created folder]" /rl [launch permissions] /f && DEL /F /S /Q /A "[previous file path]" && START "" "[file path in the created folder]"
- initializes a Tor network node on a random port between 2000 and 7000
- initializes the module that retrieves user data and sends it to the server
- if the feature is enabled, creates copies of itself on external media and in the Startup folder (C:\Users\[user]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup) for other system users
- if the feature is enabled, initializes the keylogger module
When sending data to the C2 server, the executable collects the following information about the system:
- country and external IP (via a request to http://ip-api.com/line?fields=query,country)
- operating system version
- username
- device name
- screen dimensions
- processor name
- video card name
- hard drive sizes
- total size of physical memory
- device manufacturer
- device model
- Base64 encoded screenshot
- list of running processes
- installed applications
The configurations for retrieving user data are contained in an XML file and feature the following data types:
- relative paths to Chromium-like browsers
- relative paths to Firefox-like browsers
- file masks to be collected
- registry sections to extract data from
Since the stealer can persist on a compromised system, attackers can gain access to it, record screen video, execute commands, and download additional malware.
The dark segment of the Internet offers more and more high-quality tools for targeted attacks that not only bypass legacy defenses, but also provide attackers with all the means to achieve their goals. As such malware is easy to buy and operate, the number of targeted attacks increases inevitably. In order to effectively protect against such threats, it is not enough to deploy cybersecurity solutions. It is also necessary to respond to incidents on time and investigate them.
- Monitor network communications with ip-api.com from non-typical processes.
- Pay attention to newly created suspicious tasks in the scheduler and to executables added to the Startup folder.
- Monitor executable files created in subfolders of C:\Users\[user]\AppData\Roaming.
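The three detection points above, together with the persistence chain described earlier (schtasks /create with a per-minute trigger pointing into AppData\Roaming, followed by DEL and START), implemented as a small triage script. This is an added example and not BI.ZONE's code. The event records are constructed Sysmon-style JSON with simplified field names (process create, network connect, file create), and the allowlist of processes that may legitimately query ip-api.com is an assumption to be tuned per environment.

```python
"""Triage checks for White Snake-like behaviour over constructed Sysmon-style events.
Added example, not BI.ZONE code. Field names (id, image, cmdline, dest_host, target)
are a simplified stand-in for real Sysmon XML/JSON."""
import json
import re

# Constructed sample events (not real telemetry). id 1 = process create,
# id 3 = network connect, id 11 = file create.
SAMPLE_EVENTS = [
    json.dumps({"id": 1, "image": r"C:\Windows\System32\cmd.exe",
                "parent": r"C:\Users\alice\AppData\Local\Temp\Attachment.exe",
                "cmdline": r'cmd.exe /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Update" '
                           r'/sc MINUTE /tr "C:\Users\alice\AppData\Roaming\svc\svc.exe" /rl HIGHEST /f && '
                           r'DEL /F /S /Q /A "C:\Users\alice\AppData\Local\Temp\Attachment.exe" && '
                           r'START "" "C:\Users\alice\AppData\Roaming\svc\svc.exe"'}),
    json.dumps({"id": 3, "image": r"C:\Users\alice\AppData\Roaming\svc\svc.exe",
                "dest_host": "ip-api.com", "dest_port": 80}),
    json.dumps({"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
                "dest_host": "ip-api.com", "dest_port": 80}),
    json.dumps({"id": 11, "image": r"C:\Users\alice\AppData\Local\Temp\Attachment.exe",
                "target": r"C:\Users\alice\AppData\Roaming\svc\svc.exe"}),
    json.dumps({"id": 11, "image": r"C:\Program Files\Editor\editor.exe",
                "target": r"C:\Users\alice\AppData\Roaming\Editor\cache.dat"}),
    json.dumps({"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
                "parent": r"C:\Windows\System32\cmd.exe",
                "cmdline": r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe" /f'}),
]

# /tn, /sc, /tr, /rl values of a schtasks command; quoted or bare argument.
SCHTASKS_ARG = re.compile(r'/(tn|sc|tr|rl)\s+("([^"]*)"|(\S+))', re.IGNORECASE)
# .exe created inside a subfolder of AppData\Roaming (not Roaming itself).
ROAMING_EXE = re.compile(r"\\AppData\\Roaming\\[^\\]+\\.*\.exe$", re.IGNORECASE)
ROAMING_ANY = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
GEOIP_HOSTS = {"ip-api.com"}
# Assumed allowlist: processes for which a geo-IP lookup is expected in this environment.
GEOIP_ALLOWED_IMAGES = {"firefox.exe", "chrome.exe", "msedge.exe"}


def parse_schtasks(cmdline):
    """Return {tn, sc, tr, rl} for a 'schtasks /create' command line, else None."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    args = {}
    for m in SCHTASKS_ARG.finditer(cmdline):
        args[m.group(1).lower()] = m.group(3) if m.group(3) is not None else m.group(4)
    return args


def check_persistence(ev):
    """Flag a task when at least two of: per-minute trigger, target under
    AppData\\Roaming, and the DEL/START self-delete-and-relaunch chain."""
    args = parse_schtasks(ev.get("cmdline", ""))
    if args is None:
        return None
    reasons = []
    if args.get("sc", "").upper() == "MINUTE":
        reasons.append("per-minute trigger")
    if ROAMING_ANY.search(args.get("tr", "")):
        reasons.append("task runs from AppData\\Roaming")
    upper = ev["cmdline"].upper()
    if "DEL /F /S /Q" in upper and 'START ""' in upper:
        reasons.append("self-delete and relaunch chain")
    if len(reasons) >= 2:
        return {"rule": "suspicious_schtasks_persistence", "task": args.get("tn"),
                "run_level": args.get("rl"), "reasons": reasons}
    return None


def check_geoip_lookup(ev):
    """Flag connections to ip-api.com from processes outside the allowlist."""
    host = ev.get("dest_host", "").lower()
    if host not in GEOIP_HOSTS:
        return None
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    if image in GEOIP_ALLOWED_IMAGES:
        return None
    return {"rule": "geoip_lookup_from_unusual_process", "image": ev["image"], "host": host}


def check_roaming_exe(ev):
    """Flag executables written into a subfolder of AppData\\Roaming."""
    target = ev.get("target", "")
    if ROAMING_EXE.search(target):
        return {"rule": "exe_created_under_roaming", "path": target, "creator": ev.get("image")}
    return None


CHECKS = {1: check_persistence, 3: check_geoip_lookup, 11: check_roaming_exe}


def scan(lines):
    """Run the check matching each event's id; return the list of alerts."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        check = CHECKS.get(ev.get("id"))
        hit = check(ev) if check else None
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

The persistence check deliberately requires two of three traits so that an ordinary per-minute task, or an ordinary program in AppData\Roaming, does not alert on its own; the daily backup task and the Firefox geo-IP lookup in the sample set are left alone for that reason.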
rule WhiteSnake {
    meta:
        author = "BI.ZONE CTI"
        date = "13/07/2023"
    strings:
        // Element names of the stealer's XML report structure. The individual strings
        // are short and generic, so the rule relies on all of them being present.
        $xml_struct1 = "filename"
        $xml_struct2 = "filedata"
        $xml_struct3 = "filesize"
        $xml_struct4 = "createdDate"
        $xml_struct5 = "modifiedDate"
        $xml_struct6 = "commands"
        $xml_struct7 = "name"
        $xml_struct8 = "args"
        $xml_struct9 = "Commands"
        $xml_struct10 = "report"
        $xml_struct11 = "files"
        $xml_struct12 = "information"
        $xml_struct13 = "key"
        $xml_struct14 = "value"
    condition:
        all of ($xml_struct*)
}
| Tactic | Technique | Procedure |
|---|---|---|
| Initial Access | Phishing: Spearphishing Attachment | White Snake uses malicious attachments to gain initial access |
| Execution | User Execution: Malicious File | A victim needs to open the malicious file to initiate the compromise process |
| | Command and Scripting Interpreter: Windows Command Shell | White Snake uses the Windows command line to execute scripts |
| | Native API | White Snake uses Windows APIs to intercept keystrokes, create screenshots, and decrypt user data |
| Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | White Snake can create copies of itself in |
| | Scheduled Task/Job: Scheduled Task | White Snake creates tasks in the scheduler to further anchor in the compromised system |
| Defense Evasion | Obfuscated Files or Information | White Snake uses string encryption and name obfuscation methods |
| | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | White Snake sets the executable file inside the directory |
| | Obfuscated Files or Information: Binary Padding | The size of the White Snake executable file is about 1 GB |
| | Indicator Removal: File Deletion | White Snake deletes itself after launching and copying its body to a new location |
| | Virtualization/Sandbox Evasion: System Checks | White Snake performs checks on the compromised system to identify a virtual environment |
| Credential Access | Credentials from Password Stores: Credentials from Web Browsers | White Snake gets credentials from Chromium and Firefox type browsers |
| | Credentials from Password Stores: Windows Credential Manager | White Snake can retrieve data from the internal Windows password vault |
| | Input Capture: Keylogging | White Snake can intercept user keystrokes |
| | Unsecured Credentials: Credentials In Files | White Snake can access any files, including those containing authentication data |
| | Unsecured Credentials: Credentials in Registry | White Snake can access any registry keys specified in the configuration |
| Discovery | System Information Discovery | White Snake collects information about the compromised system, including username and computer information |
| | Software Discovery | White Snake collects information about applications installed on the system |
| | System Time Discovery | White Snake reads the current clock information on the device |
| Collection | Archive Collected Data | White Snake encrypts data using RSA before sending it to the server |
| | Audio Capture | White Snake can use a microphone to capture sound |
| | Data from Local System | White Snake can copy files from a compromised system |
| | Screen Capture | White Snake can take screen captures |
| | Video Capture | White Snake can use the camera to record videos |
| Command and Control | Application Layer Protocol: Web Protocols | White Snake uses HTTP/HTTPS to transmit data |
| | Encrypted Channel: Asymmetric Cryptography | White Snake uses RSA to encrypt transmitted data |
| | Proxy: Multi-hop Proxy | White Snake uses Tor to transmit data |
| Exfiltration | Exfiltration Over C2 Channel | White Snake transmits the collected data to the command and control server |
File hashes:
5f1136c386c7fc99395b608d8db8f8cab0c0f23356f6d33730d352b12b43c234
e786b4bb8a7eed06d42e37f62434d911c34c572a58a92aaf1171cbb84f864cdd
Network indicators:
hxxp://167.86.115[.]218:9090
hxxp://185.189.159[.]121:8001
More indicators are available with BI.ZONE Threat Intelligence.