GOZ InfoStealer: Sending information over SMTP and using steganography

By

SonicWall RTDMI ™ engine has recently detected an .NET executable file inside an archive which steals user data and sends it over SMTP. An archive file that contains the malicious executable file is as shown below:

 

Unavailability of the archive file and Portable Executable (PE) file inside the archive in any of the popular threat intelligence sharing portals like the VirusTotal and the ReversingLabs at the time of writing this blog indicates its uniqueness and limited distribution:

 

PE STATIC INFORMATION:

 

STEGANOGRAPHY:

The malware resource contains a Dynamic Link Library (DLL) and a PNG image. The PNG image hides encrypted bytes of malicious executable file:

 

The malware loads the Dynamic Link Library (DLL) from resource “Cassa2” and invokes the setter method of property “Kurdistan” passing PNG image resource name “zfbjJPBmDZhRPVAZHmFjAXgCGpORLXKUrCEQuBkjeKdBGUhzypUfQRHnNQWUqzUKeOmFxaFJ” as argument:

 

The DLL loads PNG image from resource and retrieves the hidden bytes. First 16 bytes represent the decryption key for remaining encrypted data. The DLL decrypts the encrypted data using the XOR key to get “ConfuserEx v1.0.0-custom” packed PE file. The DLL loads the PE file and invokes its entry point:

 

The malware resource contains an encrypted PE file, an encrypted DLL file and the configuration data. The malware reads the configuration data from resource “XML” into “%TEMP%\tmp56BE.tmp”:

 

The malware loads resource the “xNslXMz3”. First 16 bytes represent the key for remaining encrypted data. Rather than decrypting the encrypted data directly using the decryption key, malware performs XOR operations on key and encrypted data which are eventually neutralized by the final decryption logic. The final decryption logic decrypts the encrypted data using first 16 bytes as XOR key to get the InfoStealer executable file:

 

 

The malware loads the resource “UI2” and decrypts the data using previously mentioned decryption logic to get the DLL file. The malware loads the DLL file and invokes “Kirkuk” method by passing current executable path and InfoStealer bytes array as parameters.  The DLL does process hollowing to load the InfoStealer executable and then resumes the thread to execute it:

 

INFO-STEALER:

The malware keeps encrypted data in the form of unsigned integer arrays. The malware converts unsigned integer arrays into byte arrays to decrypt them using “Rijndael” algorithm. In the byte array, first 32 bytes represent the Initialization Vector (IV), next 16 bytes represent the key and remaining bytes represent the data to be decrypted:

 

PERSISTENCE:

The malware drops self-copy into %APPDATA%\dWSebmCtTDWu.exe and schedules it to run at Windows log on:

 

ANTI-SANDBOX:

The malware delays execution by calling “Sleep(1000)” API 15 times:

 

The malware ensures that only one malware process should be running at a time. If malware finds running instances of the same name, the malware terminates those processes:

 

DATA EX-FILTRATION:

The malware extracts login information from the listed browsers and adds the extracted information into a list:

Browsers List:

BrowsersCode snippet: steals and adds data into the list
Google Chromelist.AddRange(ond.ocz())
Mozilla Firefoxlist.AddRange(ond.ocq())
Internet Explorerlist.AddRange(ond.oca())
Apple Safarilist.AddRange(ond.oqw())
QQ Browserlist.AddRange(ond.oxr())
SeaMonkeylist.AddRange(ond.oqp())
Flocklist.AddRange(ond.tqf())
UCBrowserlist.AddRange(ond.oxk())
BlackHawklist.AddRange(ond.ofy())
CyberFoxlist.AddRange(ond.oyr())
KMeleonlist.AddRange(ond.oru())
IceCatlist.AddRange(ond.tnc())
IceDragonlist.AddRange(ond.tnj())
PaleMoonlist.AddRange(ond.tnx())
WaterFoxlist.AddRange(ond.tny())
Falkonlist.AddRange(ond.tcz())
Chromium based Browserslist.AddRange(ond.oqs(current.Item2, current.Item1))

Chromium Based Browsers:

BrowsersUser data location
Opera BrowserC:\Users\Deepak\AppData\Roaming\Opera Software\Opera Stable\Login Data
Yandex BrowserC:\Users\Deepak\AppData\Local\Yandex\YandexBrowser\User Data
360 BrowserC:\Users\Deepak\AppData\Local\360Chrome\Chrome\User Data
Iridium BrowserC:\Users\Deepak\AppData\Local\Iridium\User Data
Comodo DragonC:\Users\Deepak\AppData\Local\Comodo\Dragon\User Data
Cool NovoC:\Users\Deepak\AppData\Local\MapleStudio\ChromePlus\User Data
ChromiumC:\Users\Deepak\AppData\Local\Chromium\User Data
Torch BrowserC:\Users\Deepak\AppData\Local\Torch\User Data
7StarC:\Users\Deepak\AppData\Local\7Star\7Star\User Data
AmigoC:\Users\Deepak\AppData\Local\Amigo\User Data
BraveC:\Users\Deepak\AppData\Local\BraveSoftware\Brave-Browser\User Data
CentBrowserC:\Users\Deepak\AppData\Local\CentBrowser\User Data
ChedotC:\Users\Deepak\AppData\Local\Chedot\User Data
CoccocC:\Users\Deepak\AppData\Local\CocCoc\Browser\User Data
Elements BrowserC:\Users\Deepak\AppData\Local\Elements Browser\User Data
Epic PrivacyC:\Users\Deepak\AppData\Local\Epic Privacy Browser\User Data
KometaC:\Users\Deepak\AppData\Local\Kometa\User Data
OrbitumC:\Users\Deepak\AppData\Local\Orbitum\User Data
SputnikC:\Users\Deepak\AppData\Local\Sputnik\Sputnik\User Data
UranC:\Users\Deepak\AppData\Local\uCozMedia\Uran\User Data
VivaldiC:\Users\Deepak\AppData\Local\Vivaldi\User Data
CitrioC:\Users\Deepak\AppData\Local\CatalinaGroup\Citrio\User Data
Liebao BrowserC:\Users\Deepak\AppData\Local\liebao\User Data
Sleipnir 6C:\Users\Deepak\AppData\Local\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
QIP SurfC:\Users\Deepak\AppData\Local\QIP Surf\User Data
CoowonC:\Users\Deepak\AppData\Local\Coowon\Coowon\User Data

 

The malware steals data from below installed applications on victim’s machine:

  • Thunderbird
  • FoxmailPreview
  • Opera Mail
  • Foxmail
  • Opera Mail
  • IncrediMail
  • PocoMail
  • Eudora
  • The Bat!
  • Postbox
  • Claws Mail
  • Becky! Internet Mail
  • Trillian
  • OpenVPN
  • FileZilla
  • WS_FTP
  • WinSCP
  • CoreFTP
  • FTP Navigator
  • FlashFXP
  • SmartFTP
  • FTPGetter
  • JDownloader

The malware captures the clipboard data:

 

NETWORK:

The malware sends stolen computer information and application data through an email to “iwona.techmat@gmail.com”:

Email Body:

 

The malware keeps capturing and sending the clipboard data to the malware author through email:

 

Evidence of the detection by RTDMI(tm) engine can be seen below in the Capture ATP report for this file:

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.