GOZ InfoStealer: Sending information over SMTP and using steganography

December 2, 2019

The SonicWall RTDMI™ engine has recently detected a .NET executable file inside an archive that steals user data and sends it over SMTP. The archive file containing the malicious executable is shown below:

At the time of writing this blog, neither the archive file nor the Portable Executable (PE) file inside it was available on any of the popular threat intelligence sharing portals such as VirusTotal and ReversingLabs, which indicates its uniqueness and limited distribution:

PE STATIC INFORMATION:


STEGANOGRAPHY:

The malware's resources contain a Dynamic Link Library (DLL) and a PNG image. The PNG image hides the encrypted bytes of a malicious executable file:

The malware loads the Dynamic Link Library (DLL) from the resource “Cassa2” and invokes the setter method of the property “Kurdistan”, passing the PNG image resource name “zfbjJPBmDZhRPVAZHmFjAXgCGpORLXKUrCEQuBkjeKdBGUhzypUfQRHnNQWUqzUKeOmFxaFJ” as the argument:

The DLL loads the PNG image from the resource and retrieves the hidden bytes. The first 16 bytes represent the decryption key for the remaining encrypted data. The DLL decrypts that data using the 16-byte XOR key to obtain a PE file packed with “ConfuserEx v1.0.0-custom”. The DLL then loads the PE file and invokes its entry point:

The malware's resources contain an encrypted PE file, an encrypted DLL file and configuration data. The malware writes the configuration data from the resource “XML” to “%TEMP%\tmp56BE.tmp”:

The malware loads the resource “xNslXMz3”. The first 16 bytes represent the key for the remaining encrypted data. Rather than decrypting the data directly with that key, the malware performs additional XOR operations on both the key and the encrypted data, which are eventually neutralized by the final decryption logic. The final decryption logic decrypts the data using the first 16 bytes as the XOR key to obtain the InfoStealer executable file:
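As an added example (not code from this post or from the sample), the 16-byte-key XOR layer described for the “Cassa2”/PNG stage and again for the “xNslXMz3” resource can be reproduced in Python for analysis. It assumes the key is applied as a repeating XOR over the remaining bytes, and the mask-cancellation model of the extra XOR steps is an illustration of why they are neutralized, not the sample's exact code; the sample resource is constructed.

```python
import struct

KEY_LEN = 16  # the post states the first 16 bytes of the resource are the key


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed mode). XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_resource(blob: bytes) -> bytes:
    """Split a resource into its 16-byte key prefix and payload, then XOR the payload."""
    if len(blob) <= KEY_LEN:
        raise ValueError("resource too short to hold a key and a payload")
    return xor_with_key(blob[KEY_LEN:], blob[:KEY_LEN])


def decrypt_resource_obfuscated(blob: bytes, mask: bytes) -> bytes:
    """Model (an assumption) of the 'neutralized' extra XOR steps: key and payload are
    both XORed with a 16-byte mask before the final XOR. Each output byte is then
    payload ^ mask ^ key ^ mask, so the mask cancels and the result is unchanged."""
    if len(mask) != KEY_LEN:
        raise ValueError("mask must match the key length for the cancellation to hold")
    mixed_key = xor_with_key(blob[:KEY_LEN], mask)
    mixed_payload = xor_with_key(blob[KEY_LEN:], mask)
    return xor_with_key(mixed_payload, mixed_key)


def looks_like_pe(data: bytes) -> bool:
    """Sanity check on a decrypted blob: 'MZ' DOS header plus the 'PE\\0\\0'
    signature at the offset stored in the DOS header at 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


# Constructed sample, not the real resource: a minimal DOS header whose e_lfanew
# field points at a PE signature at offset 0x40, then filler, under a fixed key.
SAMPLE_KEY = bytes(range(0x10, 0x20))
SAMPLE_PLAINTEXT = (
    b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"constructed body" * 2
)
SAMPLE_RESOURCE = SAMPLE_KEY + xor_with_key(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    recovered = decrypt_resource(SAMPLE_RESOURCE)
    print("PE recovered:", looks_like_pe(recovered), "size:", len(recovered))
```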

The malware loads the resource “UI2” and decrypts it with the decryption logic described above to obtain the DLL file. The malware loads the DLL and invokes its “Kirkuk” method, passing the current executable path and the InfoStealer byte array as parameters. The DLL performs process hollowing to load the InfoStealer executable and then resumes the thread to execute it:

INFO-STEALER:

The malware keeps its encrypted data in the form of unsigned integer arrays. It converts each unsigned integer array into a byte array and decrypts it with the “Rijndael” algorithm. In the byte array, the first 32 bytes represent the Initialization Vector (IV), the next 16 bytes represent the key and the remaining bytes represent the data to be decrypted:

PERSISTENCE:

The malware drops a copy of itself into %APPDATA%\dWSebmCtTDWu.exe and schedules it to run at Windows logon:

ANTI-SANDBOX:

The malware delays its execution by calling the “Sleep(1000)” API 15 times:

The malware ensures that only one instance of itself is running at a time: if it finds running processes with the same name, it terminates them:

DATA EXFILTRATION:

The malware extracts login information from the listed browsers and adds the extracted information into a list:

Browsers List:

Browser                    Code snippet (steals data and adds it to the list)
Google Chrome              list.AddRange(ond.ocz())
Mozilla Firefox            list.AddRange(ond.ocq())
Internet Explorer          list.AddRange(ond.oca())
Apple Safari               list.AddRange(ond.oqw())
QQ Browser                 list.AddRange(ond.oxr())
SeaMonkey                  list.AddRange(ond.oqp())
Flock                      list.AddRange(ond.tqf())
UCBrowser                  list.AddRange(ond.oxk())
BlackHawk                  list.AddRange(ond.ofy())
CyberFox                   list.AddRange(ond.oyr())
KMeleon                    list.AddRange(ond.oru())
IceCat                     list.AddRange(ond.tnc())
IceDragon                  list.AddRange(ond.tnj())
PaleMoon                   list.AddRange(ond.tnx())
WaterFox                   list.AddRange(ond.tny())
Falkon                     list.AddRange(ond.tcz())
Chromium based browsers    list.AddRange(ond.oqs(current.Item2, current.Item1))

Chromium Based Browsers:

Browser             User data location
Opera Browser       C:\Users\Deepak\AppData\Roaming\Opera Software\Opera Stable\Login Data
Yandex Browser      C:\Users\Deepak\AppData\Local\Yandex\YandexBrowser\User Data
360 Browser         C:\Users\Deepak\AppData\Local\360Chrome\Chrome\User Data
Iridium Browser     C:\Users\Deepak\AppData\Local\Iridium\User Data
Comodo Dragon       C:\Users\Deepak\AppData\Local\Comodo\Dragon\User Data
Cool Novo           C:\Users\Deepak\AppData\Local\MapleStudio\ChromePlus\User Data
Chromium            C:\Users\Deepak\AppData\Local\Chromium\User Data
Torch Browser       C:\Users\Deepak\AppData\Local\Torch\User Data
7Star               C:\Users\Deepak\AppData\Local\7Star\7Star\User Data
Amigo               C:\Users\Deepak\AppData\Local\Amigo\User Data
Brave               C:\Users\Deepak\AppData\Local\BraveSoftware\Brave-Browser\User Data
CentBrowser         C:\Users\Deepak\AppData\Local\CentBrowser\User Data
Chedot              C:\Users\Deepak\AppData\Local\Chedot\User Data
Coccoc              C:\Users\Deepak\AppData\Local\CocCoc\Browser\User Data
Elements Browser    C:\Users\Deepak\AppData\Local\Elements Browser\User Data
Epic Privacy        C:\Users\Deepak\AppData\Local\Epic Privacy Browser\User Data
Kometa              C:\Users\Deepak\AppData\Local\Kometa\User Data
Orbitum             C:\Users\Deepak\AppData\Local\Orbitum\User Data
Sputnik             C:\Users\Deepak\AppData\Local\Sputnik\Sputnik\User Data
Uran                C:\Users\Deepak\AppData\Local\uCozMedia\Uran\User Data
Vivaldi             C:\Users\Deepak\AppData\Local\Vivaldi\User Data
Citrio              C:\Users\Deepak\AppData\Local\CatalinaGroup\Citrio\User Data
Liebao Browser      C:\Users\Deepak\AppData\Local\liebao\User Data
Sleipnir 6          C:\Users\Deepak\AppData\Local\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
QIP Surf            C:\Users\Deepak\AppData\Local\QIP Surf\User Data
Coowon              C:\Users\Deepak\AppData\Local\Coowon\Coowon\User Data

The malware steals data from the following applications if they are installed on the victim’s machine:

  • Thunderbird
  • FoxmailPreview
  • Opera Mail
  • Foxmail
  • Opera Mail
  • IncrediMail
  • PocoMail
  • Eudora
  • The Bat!
  • Postbox
  • Claws Mail
  • Becky! Internet Mail
  • Trillian
  • OpenVPN
  • FileZilla
  • WS_FTP
  • WinSCP
  • CoreFTP
  • FTP Navigator
  • FlashFXP
  • SmartFTP
  • FTPGetter
  • JDownloader

The malware captures the clipboard data:


NETWORK:

The malware sends the stolen computer information and application data by email to “iwona.techmat@gmail.com”:

Email Body:

The malware keeps capturing the clipboard data and sending it to the malware author by email:

Evidence of the detection by the RTDMI™ engine can be seen below in the Capture ATP report for this file: