Malware Analysis

Introduction/Background

During research conducted by Cyberthint’s cyber threat intelligence analysts under the “cyber patrol” program, it was detected that a threat actor had put a malicious program named “WhiteSnake” up for sale on a dark web forum under the MaaS (Malware as a Service) model.

What is WhiteSnake Stealer? / About WhiteSnake Stealer

WhiteSnake Stealer is an information-stealing malware sold on underground hacker/cybercrime forums, first observed in early February 2023. It is developed in .NET and is cross-platform, running on both Windows and Linux.

The noteworthy point was that, according to the threat actor’s announcement, the malware had cross-platform functionality.

According to the details in the sales announcement, WhiteSnake Stealer was offered for sale with a monthly MaaS fee of $120, an annual fee of $900, and a lifetime fee of $1,500.

Threat Identifiers

Name: WhiteSnake
Threat Type: InfoStealer
Detections: VirusTotal (58/70)
Symptoms: It operates covertly on the system it runs on and continues its malicious activities. It cannot be detected on the system unless it is caught by an antivirus or a detailed incident analysis is performed.
Distribution Methods: The malware can infect victims’ devices through macro-enabled email attachments, malicious websites, and software vulnerabilities.
Damage: It allows the threat actor to steal sensitive information such as browser passwords, cryptocurrency wallets, and service accounts.

WhiteSnake Stealer Analysis and Findings

Static Analysis

File Name: WhiteSnake.exe
File Size: 29196 bytes
File Type: Executable
MD5: 716D01D18140EC5E18B1A15C17FB213F
SHA1: B4F2063ADE43A0C6DDD15F3F34DBFDE348E3EECC
SHA256: A4191E00CD9DFEDA78901EF9DAE317E23C73408E7B4C1EEEF8DE6A8C70FE9DB7

Initially, the Detect It Easy tool was used to identify the programming language the malware was developed in, and it was determined to be C# from Microsoft’s .NET family.

After obtaining this information, static analysis continued using dnSpy, a .NET debugger and assembly editor.
When the malware is first executed, it creates a mutex named “Iismnquexvzadgcnmtdldq” and uses it to ensure that only one instance runs on the infected computer.

As we continue our static analysis, we find that the malware’s obfuscated code is de-obfuscated by a function named “Ietherdodlzpdpdaeslrdw”.

The “Ietherdodlzpdpdaeslrdw” function shown in the image above is called to check whether the malware is running inside a virtual machine. Only if it is running on a physical machine is the de-obfuscation performed.

WhiteSnake Stealer uses the “AntiVM()” function to check whether it is running in a virtual environment before executing its malicious activities. To perform this check, it runs the “SELECT * FROM Win32_ComputerSystem” WMI query. It then inspects the manufacturer and model number returned by the query and, if the information matches that of a virtual machine, terminates the process without performing any malicious activity.

It runs a function called “Username()” to get the username. To do this, it reads the registry key “HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION”.

It runs a function called “Compname()” to get the hostname of the computer. To do this, it reads the registry key “HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME”.

The malware runs a function called “IPAddress()” to get the IP address of the infected device.

The malware executes a function called “MakeScreenshot()” to take a screenshot of the infected computer at the moment of infection.

After the “AntiVM()” function has executed and the code has been de-obfuscated, the malware calls a function named “Create()”, which in turn executes the “ProcessCommands()” function.

We identified that this function collects sensitive data from web browsers, FTP clients, messaging applications, and cryptocurrency wallets. In addition, the functions “Username()”, “Compname()”, “IPAddress()” and “MakeScreenshot()” mentioned above are also called from this function to collect system information.
WhiteSnake then serializes the collected data to XML using “XmlSerializer” and sends it to the C2 server.

Dynamic/Behavior/Network Activities/Analysis

During the dynamic analysis of the WhiteSnake Stealer malware’s network traffic, it was observed that the “IPAddress()” function sends an HTTP GET request to the “http://ip-api.com/line?fields=query” address to obtain the victim’s IP address.

A request to that address returns the requester’s public IP address as plain text.

In the image below, it can be seen that the malware, after collecting sensitive data, communicates with “api.telegram.com (149.154.167.220)” and sends the data to a Telegram bot. Since the data sent is encrypted, it cannot be read as cleartext on the network.
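The two network observations above (the plain-text IP lookup against ip-api.com followed by a connection to api.telegram.com) form a small sequence that can be hunted for in web-proxy logs even though the exfiltrated payload itself is encrypted. The following detection script is an added example written for this page, not Cyberthint’s own tooling. It parses a constructed proxy log format (timestamp, client, method, target, status; invented for the example) and raises a high-severity alert for any client that requests “http://ip-api.com/line?fields=query” and then reaches a host under “api.telegram.” within a configurable window, and a low-severity alert for a lone IP lookup. The “api.telegram.” prefix match is an assumption that generalizes the single hostname recorded in the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample proxy log (not captured from the real sample):
# "<ISO timestamp> <client> <method> <url or host:port> <status>".
# Client 10.0.0.5 shows the full WhiteSnake sequence, 10.0.0.7 only the IP
# lookup, and 10.0.0.9 only a Telegram connection (legitimate use of Telegram).
SAMPLE_LOG = """\
2023-02-10T09:58:40Z 10.0.0.7 GET http://example.com/index.html 200
2023-02-10T10:00:01Z 10.0.0.5 GET http://ip-api.com/line?fields=query 200
2023-02-10T10:00:09Z 10.0.0.5 CONNECT api.telegram.com:443 200
2023-02-10T10:03:00Z 10.0.0.7 GET http://ip-api.com/line?fields=query 200
2023-02-10T11:30:00Z 10.0.0.9 CONNECT api.telegram.com:443 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, target, status = m.groups()
    if method == "CONNECT":
        # TLS tunnel: the proxy only sees host:port, never the request path.
        host, path = target.rsplit(":", 1)[0], ""
    else:
        parts = urlsplit(target)
        host = parts.hostname or ""
        path = parts.path + ("?" + parts.query if parts.query else "")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "host": host.lower(),
        "path": path,
        "status": int(status),
    }


def is_ip_lookup(ev):
    # Exact URL used by the IPAddress() function as seen in the report.
    return ev["host"] == "ip-api.com" and ev["path"] == "/line?fields=query"


def is_telegram_api(ev):
    # Assumption: match the whole api.telegram.* family, not only the .com host
    # recorded in the report.
    return ev["host"].startswith("api.telegram.")


def detect(log_text, window=timedelta(minutes=10)):
    """Return one alert per client: 'high' for lookup followed by Telegram
    traffic inside the window, 'low' for an IP lookup with no follow-up."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_client[ev["client"]].append(ev)

    alerts = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        lookups = [e for e in events if is_ip_lookup(e)]
        if not lookups:
            continue  # Telegram alone is common legitimate traffic
        correlated = None
        for lk in lookups:
            for ev in events:
                if is_telegram_api(ev) and lk["ts"] <= ev["ts"] <= lk["ts"] + window:
                    correlated = (lk["ts"], ev["ts"])
                    break
            if correlated:
                break
        if correlated:
            alerts.append({"client": client, "severity": "high",
                           "lookup_at": correlated[0], "exfil_at": correlated[1]})
        else:
            alerts.append({"client": client, "severity": "low",
                           "lookup_at": lookups[0]["ts"], "exfil_at": None})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The correlation is per client and time-ordered, so a host that uses Telegram normally but never performs the raw IP lookup produces no alert, while the lookup on its own is still surfaced at low severity for triage.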

Mitre ATT&CK TTPs for WhiteSnake Stealer

Tactic | Technique | ID
Credential Access | Unsecured Credentials | T1552
Credential Access | Unsecured Credentials: Credentials In Files | T1552.001
Credential Access | Steal Web Session Cookie | T1539
Discovery | System Network Configuration Discovery | T1016
Discovery | Query Registry | T1012
Discovery | System Information Discovery | T1082
Discovery | Software Discovery | T1518
Command and Control | Web Service | T1102

Indicators of Compromise

SHA-256 Hashes:
a4191e00cd9dfeda78901ef9dae317e23c73408e7b4c1eeef8de6a8c70fe9db7
df78f7993dc9aaee7666a06a6dae52ba0fc6e63e01376474fa96af360cf566de
0c6705665e94b4d7184fe34185d0ea2706c745ddb71bb45bb194c96ebe2d7869
b4c9d3abd4fe5b4be84884c933e8d9a6a80ce326e05432a7ecb8a7c28f393941
2a85f257acd4bb897e5d1c2c571fe7e3f2a76a668106ba5954f6b29a569a1094
89a32ed550874525400268772dac746682ba6dbb8c06206b2ad7861db893b834
609ef046dbfe0b6a6bf42abfa7c0e9371c370a2f00f71e185ef2a6e1184aa817

URLs:
https[:]//cdn[.]discordapp[.]com/attachments/1077715839513526352/1077716714613121074/build[.]bat

Rules/Signatures

WhiteSnake Stealer Yara Rule:

rule WhiteSnake
{
    meta:
        author = "Cyberthint"
        description = "Detects suspicious string 'WhiteSnake.Properties.Resources.resources' in a file"
    strings:
        $suspicious_string = "WhiteSnake.Properties.Resources.resources"
    condition:
        any of them
}
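The YARA rule above keys on a single metadata string, and the static analysis earlier on this page surfaced two more host-independent strings (the mutex name and the anti-VM WMI query) plus a list of SHA-256 hashes. The following file-triage scanner is an added example for this page, not Cyberthint’s code, combining all three: it hashes a file against the IoC list and searches for the strings in both the encodings a .NET binary uses. The detail worth knowing is that C# string literals are stored UTF-16LE in the assembly’s #US heap, while metadata names such as the manifest resource name are UTF-8 in the #Strings heap, so an ASCII-only search would miss the mutex name (the equivalent of YARA’s “ascii wide” modifiers). The sample buffers at the bottom are constructed stand-ins, not real malware.

```python
import hashlib
from pathlib import Path

# SHA-256 hashes listed in the report's Indicators of Compromise section.
WHITESNAKE_SHA256 = {
    "a4191e00cd9dfeda78901ef9dae317e23c73408e7b4c1eeef8de6a8c70fe9db7",
    "df78f7993dc9aaee7666a06a6dae52ba0fc6e63e01376474fa96af360cf566de",
    "0c6705665e94b4d7184fe34185d0ea2706c745ddb71bb45bb194c96ebe2d7869",
    "b4c9d3abd4fe5b4be84884c933e8d9a6a80ce326e05432a7ecb8a7c28f393941",
    "2a85f257acd4bb897e5d1c2c571fe7e3f2a76a668106ba5954f6b29a569a1094",
    "89a32ed550874525400268772dac746682ba6dbb8c06206b2ad7861db893b834",
    "609ef046dbfe0b6a6bf42abfa7c0e9371c370a2f00f71e185ef2a6e1184aa817",
}

# Strings taken from the static analysis and from the YARA rule on this page.
STRING_INDICATORS = {
    "resource name": "WhiteSnake.Properties.Resources.resources",
    "mutex name": "Iismnquexvzadgcnmtdldq",
    "anti-vm WMI query": "SELECT * FROM Win32_ComputerSystem",
}

# .NET string literals (mutex name, WMI query) sit in the #US heap as UTF-16LE;
# metadata names (the manifest resource name) sit in the #Strings heap as
# UTF-8, which for these ASCII names is byte-identical to ASCII. Searching both
# encodings mirrors YARA's "ascii wide".
ENCODINGS = ("ascii", "utf-16-le")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_strings(data: bytes) -> dict:
    """Return {indicator label: encoding it was found in} for each hit."""
    hits = {}
    for label, text in STRING_INDICATORS.items():
        for enc in ENCODINGS:
            if text.encode(enc) in data:
                hits[label] = enc
                break
    return hits


def scan_bytes(data: bytes) -> dict:
    digest = sha256_hex(data)
    hits = find_strings(data)
    hash_match = digest in WHITESNAKE_SHA256
    return {
        "sha256": digest,
        "hash_match": hash_match,
        "strings": hits,
        # A hash match only catches the known builds; the string hits also
        # cover rebuilt or lightly modified samples, so either is escalated.
        "suspicious": hash_match or bool(hits),
    }


def scan_file(path: str) -> dict:
    return scan_bytes(Path(path).read_bytes())


# Constructed buffers (not real samples): a fake .NET image carrying the
# resource name as UTF-8 and the mutex name as UTF-16LE, and a benign lookalike.
SAMPLE_SUSPICIOUS = (
    b"MZ" + b"\x00" * 64
    + b"WhiteSnake.Properties.Resources.resources"
    + b"\x00" * 16
    + "Iismnquexvzadgcnmtdldq".encode("utf-16-le")
)
SAMPLE_BENIGN = b"MZ" + b"\x00" * 64 + b"HelloWorld.Properties.Resources.resources"

if __name__ == "__main__":
    for name, blob in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, scan_bytes(blob))
```

Run it against a quarantined file with scan_file(); the “strings” entry tells you which encoding each indicator matched in, which is useful when tuning a YARA rule that currently only looks for ASCII.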

Recommendations

  • Do not open untrusted emails.
  • Do not visit untrusted websites.
  • Do not use torrent-sourced or cracked applications.
  • Use a reliable antivirus and keep it up to date.
  • Always keep your system up to date. If automatic updates are turned off, turn them on.

Author

Cyberthint

Cyberthint is a unified cyber threat intelligence platform. Everything you need is on a single platform! With Cyberthint, you can monitor and identify advanced threats and take early action.
