In-depth Analysis of CStealer


Introduction:

Recently a malware sample caught our attention which is classified as a stealer. Although it is a generic stealer that harvests Google Chrome usernames and passwords, what makes it unusual is its C2 communication: it uses the MongoDB C client to upload the stolen data straight into a remote database. This blog presents our analysis of the sample.

Static Analysis:

Opening the sample in pestudio shows 35 detections for it, which indicates that it carries the attributes of a generic password stealer.

Figure 1 VirusTotal Detection

On further analysis we looked at the PDB path embedded in the sample, which ends in cstealer.pdb; this is where the malware gets its name.

Figure 2 Debug Path for Cstealer

The strings hint that the malware uses the MongoDB C client to communicate with the remote database, and that the credentials may be hardcoded in the sample itself. The stolen data is encrypted with the crypt32 API before it is sent to the database.

Figure 3 Strings & Imports of malware

By applying a regex filter in the IDA Strings window, we found the C2 address and the Chrome Login Data path, which confirms that it steals passwords from the Chrome browser.

Figure 4 C2 Address

Analyzing the sample in IDA shows that it reads passwords from the Chrome browser's login database by running the SQL query

SELECT action_url, username_value, password_value FROM logins

and then stores the results in the URL, login and PASSWORD parameters respectively. It then connects to the remote Mongo server to upload the data.

Figure 5 Chrome Password Parameters

Analyzing subroutine “sub_402230” gives a clear picture of how this stealer works:

1. The stealer connects to the Mongo server through the MongoDB client using the given URI.

2. It runs the SQL query shown above to collect the Chrome login data.

3. The data is split into the columns (categories) listed above.

4. The data is then encrypted using the crypt32 API, after which the stealer checks whether the URI contains ‘ssl=true’: if it does, the connection uses TLS; otherwise plain TCP is used.

5. The data is then pushed to the remote database.

Figure 6 Offset aMongoStealer
Figure 7 SQL Query for stealing data
Figure 8 Offset Passworddb

Network Analysis:

Here is a snapshot of the pcap we captured while monitoring the network traffic:

Figure 9 Network Traffic

It contains the payload, the PC name, the user name, and the Mongo client version.

Xunison Protection

Xunison has detections in place for this attack, so customers with up-to-date Xbrain intrusion prevention signatures are protected against it. Users should also make sure they update Xbrain regularly to prevent attackers from exploiting known vulnerabilities.

Xunison Signature:

INFECTED: CSTEALER MONGO EXFILTRATION DETECTED AND BLOCKED

IOCs:

Hash: 181482ec53907fdba47e83b76795b196 (Cstealer)

Domain: 18.220.85.117:27000


We are always looking to hear from the technical community and customers, so if you have any suggestions, comments or questions, or want to enquire about any cybersecurity solution or topic, please feel free to email us at security@xunison.com


Author: Mitesh Wani

Twitter: https://twitter.com/kalki_poison
