Recently a malware sample classified as a stealer caught our attention. On its own it is a generic stealer that collects Google Chrome usernames and passwords, but what makes it unusual is its C2 communication: it links the MongoDB C driver (mongoc) and writes the stolen data directly into a remote MongoDB database. This blog is our analysis of the sample.
Opening the sample in pestudio shows 35 antivirus detections, which classify it as a generic password stealer.
Looking further, the PDB path embedded in the binary ends in cstealer.pdb (the debug symbol file of the attacker's build, not a database name), which is where the name Cstealer comes from.
The strings show that the malware uses the MongoDB C driver to talk to a remote database, and suggest that the connection string and credentials are hard-coded in the sample. The binary also relies on the crypt32 API while preparing the data for upload. Keep in mind that Chrome keeps the password_value column DPAPI-protected on disk, so a stealer has to call into crypt32 (CryptUnprotectData) to turn the stored blob into the plaintext password; without that step the uploaded record would be useless to the operator.
Adding a regex filter in IDA's Strings window turned up the C2 address and the path to Chrome's Login Data file, which confirms that it targets passwords saved in the Chrome browser.
Analysing the sample in IDA shows that it reads saved credentials from Chrome's Login Data SQLite database with the query
SELECT action_url, username_value, password_value FROM logins
and stores the three columns in URL, login and PASSWORD fields respectively. It then connects to the remote MongoDB server and uploads the records.
The subroutine sub_402230 gives a clear picture of how the stealer works:
1. The stealer connects to the MongoDB server using the hard-coded URI.
2. It runs the SQL query above against Chrome's Login Data database.
3. The result rows are split into the URL, login and password fields.
4. The password field is passed through the crypt32 (DPAPI) API. The driver then checks whether the URI contains ssl=true: if it does, the connection is made over TLS, otherwise it is plain TCP, in which case the stolen data is readable in a packet capture.
5. The records are then inserted into the remote database.
Here is a snapshot of the pcap file we captured while monitoring the sample's network traffic.
It contains the exfiltrated payload, the PC name, the user name and the MongoDB client (driver) version, which the driver announces in its connection handshake.
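The driver version visible in the pcap is a useful detection hook: every libmongoc connection opens with a handshake that carries a client metadata document naming the driver. The Python below is an added example, not code from this post or from the malware, that frames and parses the legacy OP_QUERY isMaster handshake the mongo-c-driver sends, extracts that metadata, applies a constructed "no workstation should speak the MongoDB wire protocol" rule, and mirrors the ssl=true URI check from step 4. The handshake bytes, the 203.0.113.5 address, the credentials and the driver version number are constructed for the example; only the driver name string "mongoc" is what libmongoc really reports about itself.

```python
"""Parse a legacy MongoDB OP_QUERY handshake (isMaster on admin.$cmd), pull out
the driver metadata a client leaks on the wire, and check a URI for TLS."""
import struct
from urllib.parse import parse_qs, urlsplit

OP_QUERY = 2004                   # legacy opcode used by older mongoc handshakes
HEADER = struct.Struct("<iiii")   # messageLength, requestID, responseTo, opCode


def bson_encode(doc):
    """Minimal BSON encoder covering bool, int32, UTF-8 string and sub-document."""
    body = b""
    for key, val in doc.items():
        k = key.encode() + b"\x00"
        if isinstance(val, bool):
            body += b"\x08" + k + (b"\x01" if val else b"\x00")
        elif isinstance(val, int):
            body += b"\x10" + k + struct.pack("<i", val)
        elif isinstance(val, str):
            s = val.encode() + b"\x00"
            body += b"\x02" + k + struct.pack("<i", len(s)) + s
        elif isinstance(val, dict):
            body += b"\x03" + k + bson_encode(val)
        else:
            raise TypeError(f"unsupported value {val!r}")
    return struct.pack("<i", len(body) + 5) + body + b"\x00"


def bson_decode(buf, off=0):
    """Decode one BSON document at buf[off:]; returns (dict, offset past it)."""
    total = struct.unpack_from("<i", buf, off)[0]
    end = off + total - 1                       # index of the trailing 0x00
    off += 4
    doc = {}
    while off < end:
        t = buf[off]
        nul = buf.index(b"\x00", off + 1)
        key = buf[off + 1:nul].decode()
        off = nul + 1
        if t == 0x08:
            doc[key] = buf[off] == 1
            off += 1
        elif t == 0x10:
            doc[key] = struct.unpack_from("<i", buf, off)[0]
            off += 4
        elif t == 0x02:
            n = struct.unpack_from("<i", buf, off)[0]   # length incl. NUL
            doc[key] = buf[off + 4:off + 3 + n].decode()
            off += 4 + n
        elif t == 0x03:
            doc[key], off = bson_decode(buf, off)
        else:
            raise ValueError(f"unsupported BSON type 0x{t:02x}")
    return doc, end + 1


def build_op_query(collection, query, request_id=1):
    """Frame a query document as an OP_QUERY message, as a client would."""
    body = (struct.pack("<i", 0)                    # flags
            + collection.encode() + b"\x00"         # fullCollectionName
            + struct.pack("<ii", 0, -1)             # numberToSkip, numberToReturn
            + bson_encode(query))
    return HEADER.pack(HEADER.size + len(body), request_id, 0, OP_QUERY) + body


def parse_handshake(msg):
    """Return driver metadata from a client's isMaster handshake, or None when
    the bytes are not an OP_QUERY handshake at all (e.g. HTTP, a normal query)."""
    if len(msg) < HEADER.size:
        return None
    length, _req, _resp, opcode = HEADER.unpack_from(msg, 0)
    if opcode != OP_QUERY or length != len(msg):
        return None
    off = HEADER.size + 4                           # skip flags
    nul = msg.index(b"\x00", off)
    collection = msg[off:nul].decode()
    query, _ = bson_decode(msg, nul + 1 + 8)        # skip the two int32 counts
    if collection != "admin.$cmd" or not (query.get("isMaster") or query.get("ismaster")):
        return None
    client = query.get("client", {})
    return {"driver": client.get("driver", {}).get("name"),
            "version": client.get("driver", {}).get("version"),
            "os": client.get("os", {}).get("type"),
            "app": client.get("application", {}).get("name")}


def should_alert(meta, src_is_workstation):
    """Constructed rule: a MongoDB handshake leaving an end-user workstation is
    treated as exfiltration; servers are judged by the driver/app they report."""
    return meta is not None and src_is_workstation


def uri_uses_tls(uri):
    """Mirror step 4: ssl=true or tls=true in the URI options selects TLS,
    anything else is plaintext TCP (option names are case-insensitive)."""
    opts = parse_qs(urlsplit(uri).query)
    return any(v[0].lower() == "true" for k, v in opts.items() if k.lower() in ("ssl", "tls"))


if __name__ == "__main__":
    # Constructed handshake shaped like libmongoc's (version number is made up).
    hs = build_op_query("admin.$cmd", {"isMaster": 1, "client": {
        "driver": {"name": "mongoc", "version": "1.16.2"}, "os": {"type": "Windows"}}})
    meta = parse_handshake(hs)
    print(meta, "alert" if should_alert(meta, True) else "ok")
    print(uri_uses_tls("mongodb://user:pass@203.0.113.5:27017/stealer?ssl=true"))  # constructed URI
```

The same header parse is what a network signature keys on: opcode 2004 (or 2013 for OP_MSG on newer drivers) to a non-database host, followed by a client document whose driver name is a raw library rather than an application stack. If the URI lacks ssl=true, as step 4 describes, the credentials and the metadata above are all visible in the capture.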
Xunison has detections in place for this attack, so customers with up-to-date Xbrain intrusion prevention signatures are protected. Users should also keep Xbrain updated regularly so that attackers cannot exploit known vulnerabilities.
INFECTED: CSTEALER MONGO EXFILTRATION DETECTED AND BLOCKED
Hash (MD5): 181482ec53907fdba47e83b76795b196 (Cstealer)
We are always looking to hear from the technical community and customers, so if you have any suggestions, comments, questions or want to enquire about any cybersecurity solution or topics then please feel free to email us at firstname.lastname@example.org
Author: Mitesh Wani