Monday, June 26, 2023


Threat hunting converting SIGMA to YARA

Malware threat hunting is the process of proactively searching for malicious activity. It is a critical part of any organization's security posture, as it can help to identify and mitigate threats that may have otherwise gone undetected.

Sigma rules and YARA rules are two powerful tools for detection and malware threat hunting. Sigma is an open, generic rule format for describing malicious activity in log data.

Many Sigma rules can be converted into YARA rules for use with the VirusTotal (VT) YARA module, matching the behavioural data produced by our in-house and external sandboxes and behavioural engines. You can then use the VirusTotal IOC Stream to view the YARA matches on new file analyses.

Below are some examples of how to convert from SIGMA to YARA:


Example 1: Matching processes

Consider the following Sigma rule, which detects base64 decoding:

title: Decode Base64 Encoded Text -MacOs
id: 719c22d7-c11a-4f2c-93a6-2cfdd5412f68
status: test
description: Detects usage of base64 utility to decode arbitrary base64-encoded text
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020/10/19
modified: 2022/11/26
tags:
    - attack.defense_evasion
    - attack.t1027
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image: '/usr/bin/base64'
        CommandLine|contains: '-d'
    condition: selection
falsepositives:
    - Legitimate activities
level: low

  

The sigma rule can be translated to a Yara rule similar to:

import "vt"

rule base64decode
{
  meta:
    sigma_source = "https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_base64_decode.yml"
    example1 = "f3e5c20b34731d6611e1a49def1c89d5c180db9bb465f8471ba84c1ad16b90e5"
    example2 = "ea502018cb3eeb56a930df29c7447857c6cca05d3431d2f575d2c62753bb81f1"
  condition:
    for any cmd in vt.behaviour.command_executions : (
        cmd icontains "base64 " and cmd icontains " -d"
    )
}  
  

Remember to test your rule to ensure it matches the desired samples.


Example 2: Matching DNS

In this example, we will generate YARA matches that produce results similar to a VirusTotal Intelligence query that uses a search modifier.

Sigma rule from SigmaHQ to detect common remote access domains:

title: DNS Query To Remote Access Software Domain
id: 4d07b1f4-cb00-4470-b9f8-b0191d48ff52
related:
    - id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f
      type: obsoletes
    - id: 7c4cf8e0-1362-48b2-a512-b606d2065d7d
      type: obsoletes
    - id: ed785237-70fa-46f3-83b6-d264d1dc6eb4
      type: obsoletes
status: experimental
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution
    - https://redcanary.com/blog/misbehaving-rats/
author: frack113, Connor Martin
date: 2022/07/11
modified: 2023/04/18
tags:
    - attack.command_and_control
    - attack.t1219
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|endswith:
            - '.getgo.com'
            - '.logmein.com'
            - '.ammyy.com'
            - '.netsupportsoftware.com' # For NetSupport Manager RAT
            - 'remoteutilities.com' # Usage of Remote Utilities RAT
            - '.net.anydesk.com'
            - 'api.playanext.com'
            - '.relay.splashtop.com'
            - '.api.splashtop.com'
            - 'app.atera.com'
            - '.agentreporting.atera.com'
            - '.pubsub.atera.com'
            - 'logmeincdn.http.internapcdn.net'
            - 'logmein-gateway.com'
            - 'client.teamviewer.com'
    condition: selection
  
The above Sigma signature can be expressed as a YARA rule:

import "vt"

rule dns_remote_access
{
  meta:
    sigma_src = "https://github.com/SigmaHQ/sigma/blob/c05f864047ffbe793299499c79ec52920062159f/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml#L4"
  condition:
    for any lookup in vt.behaviour.dns_lookups : (
      for any host in (".getgo.com", ".logmein.com", ".ammyy.com", ".netsupportsoftware.com",
                       "remoteutilities.com", ".net.anydesk.com", "api.playanext.com",
                       ".relay.splashtop.com", ".api.splashtop.com", "app.atera.com",
                       ".agentreporting.atera.com", ".pubsub.atera.com",
                       "logmeincdn.http.internapcdn.net", "logmein-gateway.com",
                       "client.teamviewer.com") : (
        lookup.hostname contains host
      )
    )
}

Note that contains is looser than the Sigma endswith modifier (it also matches the domain anywhere inside a longer hostname); use endswith on lookup.hostname if you want the stricter match.

Example 3: Matching registry keys set

In this example we will match on registry keys that the sample sets. Using VT Intelligence you can search for strings within registry keys or values with a query like: behaviour_registry:"SystemRestore\DisableConfig"
Consider the sigma rule:
title: Registry Disable System Restore
id: 5de03871-5d46-4539-a82d-3aa992a69a83
status: experimental
description: Detects the modification of the registry to disable a system restore on the computer
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
author: frack113
date: 2022/04/04
modified: 2022/09/09
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        EventType: Setvalue
        TargetObject|contains:
            - '\Policies\Microsoft\Windows NT\SystemRestore'
            - '\Microsoft\Windows NT\CurrentVersion\SystemRestore'
        TargetObject|endswith:
            - DisableConfig
            - DisableSR
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: high
  

The sigma rule as yara:

import "vt"

rule disable_restore
{
  meta:
    sigma_source = "https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml#L2"
    example1 = "08c2d3fec8cd9fcced634df7ad0f3db164ffe0cbfc263e2d8be026afca05bfcb"
  condition:
    for any reg in vt.behaviour.registry_keys_set : (
      ( reg.key contains "\\Policies\\Microsoft\\Windows NT\\SystemRestore"
        or reg.key contains "\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore" )
      and ( reg.key contains "DisableSR" or reg.key contains "DisableConfig" )
      and ( reg.value contains "1" )
    )
}

Test your rule to ensure it matches desired samples:


Example 4: Matching files on disk

A Sigma rule from SigmaHQ to detect Linux samples modifying /etc/profile.d:

title: Potentially Suspicious Shell Script Creation in Profile Folder
id: 13f08f54-e705-4498-91fd-cce9d9cee9f1
status: experimental
description: Detects the creation of shell scripts under the "profile.d" path.
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023/06/02
tags:
    - attack.persistence
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|contains: '/etc/profile.d/'
        TargetFilename|endswith:
            - '.csh'
            - '.sh'
    condition: selection
falsepositives:
    - Legitimate shell scripts in the "profile.d" directory could be common in your environment. Apply additional filter accordingly via "image", by adding specific filenames you "trust" or by correlating it with other events.
    - Regular file creation during system update or software installation by the package manager
level: low # Can be increased to a higher level after some tuning
  

This could be searched with a VT intelligence query like: behaviour_files:"/etc/profile.d/" and (behaviour_files:".sh" or behaviour_files:*.csh) and (tag:elf or tag:shell)


As yara:

import "vt"

rule suspicious_profile_folder
{
  meta:
    sigma_source = "https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml"
    example_hash1 = "e15e93db3ce3a8a22adb4b18e0e37b93f39c495e4a97008f9b1a9a42e1fac2b0"
    example_hash2 = "447431333b2c2a72ac213a9fa2da8c2b09383ae75c3b31a88acfa79b8d43b8d8"
    author = "Joseliyo Sanchez, @Joseliyo_Jstnk"
  condition:
    for any dropped in vt.behaviour.files_dropped : (
      dropped.path contains "/etc/profile.d/"
      and (dropped.path endswith ".sh" or dropped.path endswith ".csh")
    )
    or
    for any file_path in vt.behaviour.files_written : (
      file_path contains "/etc/profile.d/"
      and (file_path endswith ".sh" or file_path endswith ".csh")
    )
}


Summary of translating sigma to yara:

You may wish to review the sigma specification and review the sigma rules detected on VirusTotal for examples.

Any data contained in the file behavior object can be matched on.

The table below may help in guiding you to the correct keywords to use.

Sigma taxonomy                                   | VirusTotal schema
-------------------------------------------------|--------------------------------------------
file_access / TargetFilename                     | vt.behaviour.files_written[]
file_event / TargetFilename                      | vt.behaviour.files_dropped[].path
sysmon / EventID 11 (FileCreate)                 |
registry_set                                     | vt.behaviour.registry_keys_set[].key
                                                 | vt.behaviour.registry_keys_set[].value
registry_delete                                  | vt.behaviour.registry_keys_deleted[]
process_creation, ps_script, file_event / Image  | vt.behaviour.command_executions[]
network_connection / DestinationHostname         | vt.behaviour.dns_lookups[].hostname
dns_query / QueryName                            | vt.behaviour.tls[].sni
dns / query                                      | vt.behaviour.memory_pattern_urls[]
                                                 | vt.behaviour.memory_pattern_domains[]
file_delete                                      | vt.behaviour.files_deleted[]
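The mapping above can be mechanised. The Python script below is an added example, not a tool from this post or from VirusTotal: it takes a Sigma rule already parsed into a dict (as PyYAML would load it), supports the four logsource categories the examples walk through and the contains/startswith/endswith modifiers, and emits a VT YARA rule. The use of YARA's case-insensitive i* operators, the rule naming and the loosening of unmodified fields to icontains (as Example 1 does for Image) are assumptions of this example.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# logsource category -> list of (VT iterator, loop variable, Sigma field -> YARA lvalue),
# following the post's mapping table; file_event gets two loops as in Example 4.
# A None lvalue marks a field the iterator already implies (registry EventType).
CATEGORY_MAP: Dict[str, List[Tuple[str, str, Dict[str, Optional[str]]]]] = {
    "process_creation": [("vt.behaviour.command_executions", "cmd",
                          {"Image": "cmd", "CommandLine": "cmd"})],
    "dns_query": [("vt.behaviour.dns_lookups", "lookup",
                   {"QueryName": "lookup.hostname"})],
    "registry_set": [("vt.behaviour.registry_keys_set", "reg",
                      {"EventType": None, "TargetObject": "reg.key", "Details": "reg.value"})],
    "file_event": [("vt.behaviour.files_dropped", "dropped", {"TargetFilename": "dropped.path"}),
                   ("vt.behaviour.files_written", "file_path", {"TargetFilename": "file_path"})],
}

# Sigma matches case-insensitively, hence YARA's i* operators (YARA 4.x). A bare field
# (no modifier) is loosened to icontains because VT stores whole command lines, paths
# and key names, which is what the post does for Image in Example 1.
MODIFIER_OPS = {"": "icontains", "contains": "icontains",
                "startswith": "istartswith", "endswith": "iendswith"}

def yara_str(value: Any) -> str:
    """Quote a value as a YARA string literal, escaping backslashes and double quotes."""
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{text}"'

def rule_name(title: str) -> str:
    """Derive a valid YARA identifier from the Sigma title."""
    name = re.sub(r"[^a-z0-9]+", "_", title.lower()).strip("_")
    return name if name and not name[0].isdigit() else f"sigma_{name}"

def field_clause(field_spec: str, values: Any, fieldmap: Dict[str, Optional[str]]) -> str:
    """Turn one 'Field|modifier: value(s)' entry into OR-joined YARA comparisons."""
    field, _, modifier = field_spec.partition("|")
    if field not in fieldmap:
        raise ValueError(f"no VirusTotal mapping for Sigma field {field!r}")
    if modifier not in MODIFIER_OPS:
        raise ValueError(f"unsupported Sigma modifier {modifier!r}")
    lvalue, op = fieldmap[field], MODIFIER_OPS[modifier]
    if lvalue is None:
        return ""  # nothing to emit: the iterator already implies this field
    values = values if isinstance(values, list) else [values]
    return "(" + " or ".join(f"{lvalue} {op} {yara_str(v)}" for v in values) + ")"

def sigma_to_yara(rule: Dict[str, Any]) -> str:
    """Render a parsed Sigma rule (a dict, as PyYAML would load it) as VT YARA text."""
    category = rule["logsource"]["category"]
    if category not in CATEGORY_MAP:
        raise ValueError(f"unsupported logsource category {category!r}")
    detection = rule["detection"]
    selection = detection.get(str(detection.get("condition", "")).strip())
    if not isinstance(selection, dict):
        raise ValueError("only 'condition: <single selection name>' is supported here")
    loops = []
    for iterator, var, fieldmap in CATEGORY_MAP[category]:
        clauses = [c for c in (field_clause(s, v, fieldmap) for s, v in selection.items()) if c]
        if not clauses:
            raise ValueError("selection has no field the vt module can match on")
        body = "\n        and ".join(clauses)  # fields inside one selection are ANDed
        loops.append(f"    for any {var} in {iterator} : (\n        {body}\n    )")
    meta = (f'    sigma_id = {yara_str(rule.get("id", "unknown"))}\n'
            f'    sigma_title = {yara_str(rule.get("title", ""))}\n')
    return (f'import "vt"\n\nrule {rule_name(rule["title"])}\n{{\n  meta:\n{meta}'
            "  condition:\n" + "\n    or\n".join(loops) + "\n}\n")

# Constructed inputs: the detection blocks of the post's Example 3 and Example 4.
REGISTRY_RULE = {
    "title": "Registry Disable System Restore",
    "id": "5de03871-5d46-4539-a82d-3aa992a69a83",
    "logsource": {"category": "registry_set", "product": "windows"},
    "detection": {
        "selection": {
            "EventType": "Setvalue",
            "TargetObject|contains": ["\\Policies\\Microsoft\\Windows NT\\SystemRestore",
                                      "\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore"],
            "TargetObject|endswith": ["DisableConfig", "DisableSR"],
            "Details": "DWORD (0x00000001)",
        },
        "condition": "selection",
    },
}
PROFILE_RULE = {
    "title": "Potentially Suspicious Shell Script Creation in Profile Folder",
    "id": "13f08f54-e705-4498-91fd-cce9d9cee9f1",
    "logsource": {"product": "linux", "category": "file_event"},
    "detection": {"selection": {"TargetFilename|contains": "/etc/profile.d/",
                                "TargetFilename|endswith": [".csh", ".sh"]},
                  "condition": "selection"},
}

if __name__ == "__main__":
    print(sigma_to_yara(REGISTRY_RULE))
    print(sigma_to_yara(PROFILE_RULE))
```

Rules with several selections, negated filters or other modifiers raise ValueError rather than producing a rule that silently matches something else; those still need translating by hand.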


Malware threat hunting can be complex, but by using Sigma rules and YARA rules you can make the process more efficient and effective. Happy hunting.


Tuesday, June 20, 2023


VirusTotal += Docguard

We are excited to announce our integration with DOCGuard, a behavioral analysis engine for Office documents, PDFs and other file types. This document analysis collaboration will allow the community to get another opinion on scanned documents.

In their own words:
DOCGuard is a malware analysis service, whose main use case is to integrate with SEGs (Secure Email Gateways) and SOAR solutions.

The service performs a new kind of static analysis called structural analysis. The structural analysis disassembles the malware and passes it to the core engines with respect to file structure components. By the aid of this approach, DOCGuard can precisely detect the malware and extract the F/P free IOCs and may also identify obfuscation and encryption in the form of string encoding and document encryption.

The currently supported file types are Microsoft Office Files, PDFs, HTMLs, HTMs, LNKs, JScripts, ISOs, IMGs, VHDs, VCFs, and archives (.zip, .rar, .7z etc.). The detailed findings of the structural analysis are presented in an aggregated view in the GUI and can be downloaded as a JSON report and can also be gathered over API.



Going further, users can explore the behavior tab of the scanned file for more details. In the example below, we see a detected macro of a malicious Excel XLS file.



In a malicious document, we can see memory pattern URLs, for example in the following sample:
9cd785dbcceced90590f87734b8a3dbc066a26bd90d4e4db9a480889731b6d29



Additional examples:





We believe that our integration with DOCGuard is a valuable addition to our platform and we are excited to offer this new service to our community. If you have any questions, please do not hesitate to contact us.

Monday, June 19, 2023

Inside of the WASP's nest: deep dive into PyPI-hosted malware

In late 2022 we decided to start monitoring PyPI, arguably the most important Python repository, as there were a number of reports on it hosting malware. PyPI took exceptional relevance amongst all repositories as, historically, it was trusted by default by many software developers. Any security breach or abuse could lead to a large-scale Supply Chain attack.

During our monitoring we were able to identify dozens of suspicious packages, allegedly uploaded by threat actors trying to abuse PyPI. In some cases, attackers poisoned well-known legitimate Python libraries and reuploaded them leveraging typosquatting, such as "pylOpenSSL" mimicking pyOpenSSL. In other cases, they uploaded completely fake packages consisting only of malicious code, such as the scappy library.

Generally speaking, the main target of these attacks appears to be the victim's environment data with a focus on browser’s cookies. In some cases, malicious libraries implemented quite original features, like hijacking crypto wallet addresses in the victim’s clipboard.

In this post we will share insights on PyPi’s suspicious libraries as well as take a closer look at particular campaigns abusing it.

Statistical analysis

We observed that VirusTotal's historical visibility on PyPI packages was far from ideal. Our monitoring system, aimed at fixing this blind spot, analyzed more packages in a few days than VirusTotal's PyPI historical data contained.


We spotted an early batch of suspicious packages, detected by at least one AntiVirus vendor, and confirmed them as malicious after further detailed analysis. The following chart compares analyzed samples with suspicious ones (detected by at least one AntiVirus). Please note that this chart uses raw data before additional analysis, meaning it includes both False Positives and False Negatives.

The manual analysis of dozens of malicious files gave us the impression that AntiVirus detection was initially low but it improved as details on malware abusing PyPI became publicly available, increasing awareness. This trend is visible in the following chart where every dot represents the daily average detection ratio for suspicious PyPi packages.


PyPi detected malware

Discord Token Grabber V2
SHA256 e4206fa12430f1650809fa6da38bd8f744b438cdae16e88bdd7d01d721b20ccd
File name osystemhtp-1.tar.gz
Package name osystemhtp
PyPI project hxxps://pypi[.]org/project/osystemhtp/
Date published 2023-01-01
Github repo Discord-Token-Grabber-V2

This is one of the most primitive variants we observed so far, consisting of around 130 lines of Python code. Its main goal is obtaining victim’s Discord account information, including authorization token, and Nitro subscription details. Data is exfiltrated using Discord’s webhook:


Exfiltrated information

The developer kindly left in the code a link to his GitHub account, containing more detailed information and a repository with exactly the same code found on PyPI:



Author signature

Other repositories from the same author include additional offensive Python tools, such as Fake Verification Bot.

Hazard Token Grabber V2
SHA256 79e0ed46f30b7b96e86ae356dee95a53343168d633e0d01c1b063981822bb529
File name asyncio3-1.tar.gz
Package name asyncio3
PyPI project hxxps://pypi[.]org/project/asyncio3/
Date published 2023-01-02
Github repo Hazard-V2-Token-Logger-Discord, Hazard-Token-Grabber-v2, etc.

This is a quite popular and previously reported open source malware. There are a lot of Github repositories with cloned or slightly modified versions of original code. Like the previous malware family, this one is distributed without any obfuscation or code protection.

This sample shows how attackers abuse typosquatting. There is a legitimate asyncio module, as well as its legitimate backport asyncio37: the name of this malicious version is asyncio3.

A bit more advanced than the Discord Token Grabber, this malware exfiltrates more data, including browser cookies and login credentials. It also avoids execution in a debug environment.

Interestingly, in 6 (out of 9) of the PyPI modules containing this malware we found the same package metadata as in Discord Token Grabber, including “d@doop.fun” email address, indicating that these samples were probably deployed by the same threat actor:


Setup.py comparison of Hazard Token Grabber V2 and Discord token Grabber V2

These 6 samples contain the same JavaScript Discord injection (already unavailable):

hxxps://raw.githubusercontent[.]com/Rdimo/Discord-Injection/master/injection.js

The other 3 samples (more recent) use a different injection (still available):

hxxps://raw.githubusercontent[.]com/Smug246/luna-injection/main/injection.js

Chromium Stealer
SHA256 c2658086bca5bf59982823484cc84a9efe8b57cce1727880da973650dfb69037
File name minecraft-utilities-api-0.4.2.tar.gz
Package name minecraft-utilities-api
PyPI project hxxps://pypi[.]org/project/minecraft-utilities-api/
Date published 2023-04-16
Github repo ChromiumStealer

This is a quite simple open source malware distributed via PyPI without obfuscation. Its main purpose is to harvest Chromium-based browsers' cookies and login credentials, as well as Discord user tokens.


Example of exfiltrated data from ChromiumStealer github repository

This malware allows attackers to set the method to exfiltrate victim’s data, either using Discord webhook or Telegram bot API.

W4SP Stealer + Hyperion obfuscator
SHA256 7a9cea1a364b13f5dfb0e458274daca3ea8b576fc5c3f5bbf2d3ed7881f1f94c
File name pylOpenSSL-20.0.3.tar.gz
Package name pylOpenSSL
PyPI project hxxps://pypi[.]org/project/pylOpenSSL/
Date published 2023-01-04
Github repo W4SP-Stealer-Sourcecode, Hyperion

This is one of the most common malware families we observed in PyPI (reported here). It mimics pyOpenSSL's official Python library. Attackers used the same description and the same version, and linked the malicious PyPI project to the official pyOpenSSL GitHub repository.


Package description copy pasted from official library

Under the hood, it also contains legitimate cloned code from the official package, with malicious injection in the new file /src/OpenSSL/deps.py, which contains a highly obfuscated instance of W4SP Stealer (detailed technical descriptions of the W4SP Stealer could be found in a number of public reports):


deps.py is executed by the following code in __init__.py:


Malicious version of /src/OpenSSL/__init__.py vs legitimate one

This trojan harvests victim data, including browser cookies and credentials related to social media, gaming, billing services (including crypto wallets) and other subscription-based services (like Disney or Netflix):

'mail', 'coinbase', 'sellix', 'gmail', 'steam', 'discord', 'riotgames', 'youtube', 'instagram', 'tiktok', 'twitter', 'facebook', 'card', 'epicgames', 'spotify', 'yahoo', 'roblox', 'twitch', 'minecraft', 'bank', 'paypal', 'origin', 'amazon', 'ebay', 'aliexpress', 'playstation', 'hbo', 'xbox', 'buy', 'sell', 'binance', 'hotmail', 'outlook', 'crunchyroll', 'telegram', 'pornhub', 'disney', 'expressvpn', 'crypto', 'uber', 'netflix'

This malware also uses hardcoded masks to exfiltrate sensitive files from victims:

path2search = [ user + "/Desktop", user + "/Downloads", user + "/Documents" ]

key_wordsFolder = [ "account", "acount", "passw", "secret" ]

key_wordsFiles = ["passw", "mdp","motdepasse","mot_de_passe","login","secret", "account", "acount","paypal","banque","account","metamask","wallet","crypto","exodus","discord","2fa", "code","memo","compte","token","backup","secret" ]

All collected data is exfiltrated via Discord webhooks and uploaded to gofile.io.

In most of the cases we analyzed, including this specific pylOpenSSL package, the malware is obfuscated with Hyperion obfuscator making it harder to reverse. We also found the following multistage version, which uses downloaders to get the actual payload.

SHA256 49d758fedf934bba641d7cc9d25dc3d76d8af83d447c0ee2e5c91b9eb72ab5bb
File name fores-0.0.1.tar.gz
Package name fores
PyPI project hxxps://pypi[.]org/project/fores/
Date published 2023-04-20

This sample leverages a simple 1st-stager that downloads a Hyperion-obfuscated payload from the remote host hxxps://paste[.]fo/raw/dd6cd76eb5a0. Another sample (aio5 package with SHA256: 1253e5a13d98c80568684ffc8a36438b1b057a6aa72f561bfd83f81b348435dd) uses a base64-encoded downloader in setup.py.

We also found the following interesting sample that poisoned a legitimate package called colorama.

SHA256 6fc9c88346d1044863e370eade0abd24cb8769a1211fd8ed1d9a618c560c8745
File name colorsmecs-0.6.7.tar.gz
Package name colorsmecs
PyPI project hxxps://pypi[.]org/project/colorsmecs/
Date published 2023-01-02

Instead of including malicious files in the package there is a single line of base64 encoded code that downloads and executes the next stage.


Base64 encoded payload injected into legitimate library

The next stage was available behind these URLs, unavailable for a while:

hxxp://4.201.87[.]248/inject/tCxFLYLT6ViY9ZnP
hxxp://4.201.87[.]248/clip

Still, there are some clues pointing to W4SP Stealer in this case. Looking at the attack timeframe and pDNS data of 4.201.87[.]248, there is an interesting domain resolution of misogyny[.]wtf. Checking VirusTotal data on this domain, we found the URL hxxp://misogyny[.]wtf/inject/UsRjS959Rqm4sPG4& that responded (last seen 03-01-2023) with HTML content that looks like a slightly modified response from the original W4SP source code:

Alpha.#0001
<br><br>
https://discord.gg/stRpdakhES
<br><br>
Wasp is happy
<br><br>
Because he grabbed you

This server response, along with the original W4SP version, could be used to fingerprint W4SP network infrastructure (as of today, 20.215.40[.]33 and 54.167.173[.]26 match the search criteria).

W4SP Stealer forks

We observed lots of samples sharing many similarities with W4SP Stealer, but in different dedicated repositories, most likely forks or reusing the same codebase.


W4SP family

milka, Fade Stealer, etc

This set of samples is pretty close to W4SP Stealer’s codebase, with the main differences being author’s signature and malware name.

SHA256 31869a1d54a27929a0336e9d94c7cab5796fc1b77fec9534a5281e097e3c3863
File name win23crypt-0.1.2.tar.gz
Package name win23crypt
PyPI project hxxps://pypi[.]org/project/win23crypt/
Date published 2023-04-20

This sample is called milka Stealer and uses typosquatting to mimic the win32crypt module. When diffing the code, we observe that it simply changes the author's nickname from the original W4SP Stealer; the new nickname points to a related GitHub account:


Github account of the actor behind milka Stealer

SHA256 a8c36d0f92b48ff42ece41d1ae93238d3d179f3ab39440f19494157924500e49
File name captcha-py-1.0.tar.gz
Package name captcha-py
PyPI project hxxps://pypi[.]org/project/captcha-py/
Date published 2023-04-20

Another fork that simply duplicates W4SP code is Fade Stealer. The differences are minimal, only extending the list of filename keywords to steal:


Same for other W4SP Stealer clones named Tark Stealer and EVIL$ Stealer.

Creal Stealer and Z Stealer fork

Creal Stealer adds sandbox evasion before the main malware execution flow to W4SP Stealer.

SHA256 f009bb10120fcca80123548e34c3207d07323f31a9445da618d7ce464f5693ea
File name oauthAPImojang-0.2.4.tar.gz
Package name oauthAPImojang
PyPI project hxxps://pypi[.]org/project/oauthAPImojang/
Date published 2023-04-16
Github repo Creal-Stealer

It checks environment parameters such as username, PC name and MAC address of the infected machine. If they match values in a hardcoded list that could be found in Appendix, the malware terminates its execution.


W4SP Stealer vs Creal Stealer

The rest of the code is the same and implements the same functionality as W4SP Stealer with the only exception of variable names renamed with Leet spelling.

Interestingly, Creal Stealer’s Github repository contains a file with suggestions on what to do when infected and mitigations.

We spotted a Creal Stealer clone named Z Stealer:

SHA256 6928e5b729706fe954d92a55d003c49e5c0c5c010855b63db214a9e149826229
File name proxyscrapertool-0.0.2.tar.gz
Package name proxyscrapertool
PyPI project hxxps://pypi[.]org/project/proxyscrapertool/
Date published 2023-04-22

There are no code differences between this sample and Creal Stealer, except the malware name signature. We couldn’t find any public references to this family.

BlackCap Grabber and Kekwltd fork

There isn't much public information on BlackCap Grabber, but it really stands out from all the previously analyzed families. Although there are a number of code overlaps with W4SP Stealer and its GitHub repo readme clearly states it was forked from it, BlackCap Grabber implements many original features, including crypto wallet hijacking and sandbox evasion.

SHA256 c67c8255aaafc8a7f3cb88123890d3538d300703f9e671533c23757148237e3c
File name totohateinenkleinencock-3.0.0-py3-none-any.whl
Package name totohateinenkleinencock
PyPI project hxxps://pypi[.]org/project/totohateinenkleinencock/
Date published 2023-04-19
Github repo BlackCap-Grabber

Like Creal Stealer, it contains a hardcoded list of environment parameters, also listed in the Appendix. In addition to those, it checks the IP address and the system UUID fetched with "wmic csproduct get uuid". It terminates execution in the following cases:

  • There is one of the directories from the list ['D:\Tools', 'D:\OS2', 'D:\NT3X'].
  • Physical memory value is less than 3 Gb, checked with psutil.virtual_memory().
  • Disk size is less than 120 Gb, checked with psutil.disk_usage().
  • Number of logical CPUs is less than 2, checked with psutil.cpu_count().
  • "VMware" or "VBOX" values in registry HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum
  • Two more system registry branches HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\***\\DriverDesc 2 (ProviderName 2 - second check)

Some of these techniques were also implemented in Hazard Token Grabber.

For crypto wallet hijacking it continuously checks the clipboard content (via the pyperclip module) and tries to find crypto wallet addresses using hardcoded regular expressions for BTC, ETH, Xchain, Pchain, Cchain, Monero, Ada (Cardano) and Dash (see the Appendix for details). Once a wallet address is found in the clipboard, it is immediately replaced by the hardcoded address of the attacker's wallet.

We found a fork of BlackCap made just to keep the attacker's signature. With code differences mostly related to variable naming, this malware contains multiple mentions of “kekwltd”, including the remote host - kekwltd[.]ru.

SHA256 11cbd02aa127c2413da55bcd355da38b53767fb129279baf9e2450ada3db3ca1
File name pythoncryptlibaryV2-1.0.0.tar.gz
Package name pythoncryptlibaryV2
PyPI project hxxps://pypi[.]org/project/pythoncryptlibaryV2/
Date published 2023-04-20

We spotted a high number of similar packages, most likely uploaded by the same actor behind “kekwltd”. Some of them follow the same module naming (pyfontslibrary, pyfontslibraryV1, etc) and most of the samples were uploaded from the same account.


Same author credentials of kekwltd samples

Unlike the original sample of BlackCap Grabber examined above that doesn't contain any attacker’s crypto wallets in its configuration (although having the capability for crypto wallet hijacking), this malware has a list of addresses in its hardcoded configuration:

'addresse_btc': 'bc1qfgzwcxx32kwjf9naw2zdnl00zlvz8cqr4sn0fj',
'addresse_eth': '0xde876b3b623a4c9e5266717fceee89b3dd0237ec',
'addresse_monero': '468h7xcjtieam26idzme1jtvqjyxxaf1an9qhpnjfshpy6qiu3cvxyr3s9t8zaz2xlh856m7ne8kx4ysqb4kajn2ahkydh2',
'addresse_ada': 'addr1qylpptmy52g032y2dfhu73qerny2mphnegemyggzaung53f7zzhkfg5slz5g56n0eazpj8xg4kr08j3nkgss9mex3fzs462m3v',
'addresse_dash': 'xpaql6jrd5jay1ymmuaqhbh9nyahsxahuv',

The BTC wallet received more than $13,000 in total over 197 transactions and still gets occasional activity:


Transaction history of attacker’s BTC wallet

Vespy Grabber + S1mpl3 0bf v2
SHA256 7083cab761b726f1385c42e830644a24e51b7364111905c97b74ee5847a476d9
File name processplatform-1.0.3.tar.gz
Package name processplatform
PyPI project hxxps://pypi[.]org/project/processplatform/
Date published 2023-04-11
Github repo Vespy Grabber 2.0 (allegedly)

This is quite a complicated case that illustrates how actors experiment with their spreading methods and, allegedly, how PyPI reacts to malicious samples. We were actually unable to confirm strongly malicious behavior in this sample beyond a number of suspicious clues, and at the time of writing the package is still available in the repository.

Based on the Release history, the author uploaded 5 different versions of the same package to PyPI.


PyPI release history

The first version 1.0.0 doesn’t contain any code at all. The next release contains some sort of trampoline code that should execute the non-existing file “get_process.bat”. Both 1.0.2 and 1.0.3 versions contain a Windows executable payload and the last version introduced a payload script obfuscated with something called “S1mpl3 0bf v2”. We didn't find any public references to this tool.


We examined the 1.0.3 version as the most complicated one and as it turned out, it's also shedding some light on the latest release, as described below.

The first stage is a Windows executable "/bin/get_process.exe" that appears to be a PyInstaller bundle. After unpacking it, we have 3 possible entry points representing compiled Python scripts (.pyc); two of them contain original directory paths from the machine where the files were compiled, providing relevant clues:

  • Exposed username in pyi_rth_inspect.pyc:
    C:\Users\vespe\AppData\Local\Programs\Python\Python39\Lib\site-packages\PyInstaller\hooks\rthooks\pyi_rth_inspect.py
  • Vespy mention in get_process.pyc:
    VespyGrabber\get_process.py

The next stage is get_process.pyc. After decompilation, it looks pretty much the same as the obfuscated script from version 1.0.4. The main idea of this obfuscator is to hide serialized code with Marshal and Pickle. To deobfuscate it, we need to dump the serialized code, convert the Marshal data to a .pyc file and then decompile it once again. Surprisingly, after all these steps we ended up with a script obfuscated in the same way, which means we need to repeat the deobfuscation process over and over.
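As an added illustration (not code from the post, and not the real S1mpl3 0bf v2 format, whose exact layout the post does not show), the following Python script peels nested Marshal+Pickle layers statically, never executing a stage, and stops at the innermost code object. The layered sample it unwraps is constructed inline, and the assumed layer layout is exec(marshal.loads(pickle.loads(b'...'))).

```python
import ast
import io
import marshal
import pickle

class SafeUnpickler(pickle.Unpickler):
    """Accept only plain data pickles: refusing every class import blocks the
    reduce-based code execution a hostile pickle would otherwise get on load."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")

def peel(blob: bytes):
    """Turn one pickle(marshal(code)) layer into a code object without running it."""
    return marshal.loads(SafeUnpickler(io.BytesIO(blob)).load())

def unwrap(src: str, max_depth: int = 20):
    """Follow the Matryoshka layers from a wrapper script down to the innermost
    code object. Returns (layers_peeled, innermost_code, its string constants)."""
    blobs = [n.value for n in ast.walk(ast.parse(src))
             if isinstance(n, ast.Constant) and isinstance(n.value, bytes)]
    if not blobs:
        raise ValueError("no serialized layer found in source")
    code, depth = peel(blobs[0]), 1
    while depth < max_depth:
        inner = [c for c in code.co_consts if isinstance(c, bytes)]
        if not inner:          # no further serialized layer: this is the final stage
            break
        code, depth = peel(inner[0]), depth + 1
    strings = [c for c in code.co_consts if isinstance(c, str)]
    return depth, code, strings

def build_layer(inner_src: str) -> str:
    """Constructed stand-in for the obfuscator (assumed layout, not the real tool):
    compile the inner source and hide it behind marshal, then pickle."""
    blob = pickle.dumps(marshal.dumps(compile(inner_src, "<layer>", "exec")))
    return f"import marshal, pickle\nexec(marshal.loads(pickle.loads({blob!r})))\n"

# Constructed sample: a harmless downloader-shaped final stage wrapped five times,
# mirroring the five deobfuscation rounds described above.
FINAL_STAGE = 'url = "hxxps://example.invalid/payload.exe"\nprint("would fetch", url)\n'
SAMPLE = FINAL_STAGE
for _ in range(5):
    SAMPLE = build_layer(SAMPLE)

if __name__ == "__main__":
    layers, _, strings = unwrap(SAMPLE)
    print(f"peeled {layers} layers; final-stage strings: {strings}")
```

Because only marshal and a class-less unpickler are used, a real sample's final stage is inspected through its constants (URLs, paths) rather than run.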


"Matryoshka" code obfuscated with "S1mpl3 0bf v2"

Somewhere around the 5th iteration of deobfuscation we finally got something other than Matryoshka code: a simple downloader.


Downloader stage

cmdhost.exe is yet another PyInstaller bundle, which starts a new cycle of obfuscation iterations and again ends up in a downloader. Unfortunately, the remote file was not available at the time of the analysis:

hxxps://filebin[.]net/hd5ualwmo4iyeux2/WinRARx64.exe

All the previous analysis seems to indicate that the final payload is Vespy Grabber, although we cannot confirm it.

Obfuscators - HyperBreak, Nuitka and more

Attackers use different tools to minimize detection and complicate malware analysis, like the previously mentioned Hyperion and S1mpl3 0bf v2 obfuscators. A more trivial approach, alongside PyInstaller, is the use of tools like HyperBreak and Nuitka, which doesn’t necessarily imply maliciousness.

SHA256 66de0a72590ac5d8b17ee287cdf73dbe90317db65122d32515a4e96e31933545
File name xologrekjlqzxj-0.0.0.tar.gz
Package name xologrekjlqzxj
PyPI project hxxps://pypi[.]org/project/xologrekjlqzxj/
Date published 2023-04-15
Github repo HyperBreak

HyperBreak uses a mix of different encodings, encryption algorithms and code serialization across a number of stages.

In the first stage of the analysis we face a 96Kb base64-encoded string. Decoding it produces a script lightly obfuscated with string replacement. This script implements an algorithm to decode base85-encoded, Marshal-serialized code.

The third stage looks like this:


The following round of replacements gives a better understanding of what’s going on here:


Once again, the obfuscator uses different encoding and encryption algorithms for the hardcoded next-stage code. The final executed code shows the obfuscator’s signature:


The next stage is hidden behind lots of junk Marshal execution calls. The actual call is yet another Matryoshka puzzle with looped execution of serialized code chunks. After decompiling all of them, we reached a stage where the final payload is encoded with a combination of base64, base32 and base16. Reversing these encodings yields the last stage, which is nothing more than dummy code obfuscated with HyperBreak:


Note that this HyperBreak-obfuscated module was removed from PyPI shortly afterwards.
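To show how the stacked text encodings of that last HyperBreak stage can be reversed mechanically, here is an added Python example (not code from the post or from HyperBreak) that guesses each layer's encoding from its character set and strips layers until the data stops looking encoded. The nested sample it decodes is constructed inline, and the base64 -> base32 -> base16 layer order is an assumption, since the post only names the three encodings.

```python
import base64
import binascii
import string

# Candidate alphabets, most restrictive first, so a hex string is not
# mis-classified as base32/base64 and a base64 string is not taken for base85.
ALPHABETS = [
    ("base16", set(string.hexdigits)),
    ("base32", set(string.ascii_uppercase + "234567=")),
    ("base64", set(string.ascii_letters + string.digits + "+/=")),
    ("base85", set(string.ascii_letters + string.digits + "!#$%&()*+-;<=>?@^_`{|}~")),
]
DECODERS = {"base16": lambda s: base64.b16decode(s, casefold=True),
            "base32": base64.b32decode, "base64": base64.b64decode,
            "base85": base64.b85decode}

def guess_encoding(text: str):
    """Return the first alphabet name that covers every character, or None."""
    chars = set(text)
    for name, alphabet in ALPHABETS:
        if chars and chars <= alphabet:
            return name
    return None

def peel_encodings(data: bytes, max_layers: int = 16):
    """Strip stacked encodings; returns (layer names outermost first, payload)."""
    layers = []
    for _ in range(max_layers):
        try:
            text = data.decode("ascii").strip()
        except UnicodeDecodeError:
            break                      # binary data: nothing more to strip
        name = guess_encoding(text)
        if name is None:
            break                      # plaintext (spaces, quotes...) ends the loop
        try:
            data = DECODERS[name](text.encode())
        except (binascii.Error, ValueError):
            break                      # alphabet matched by chance, not really encoded
        layers.append(name)
    return layers, data

# Constructed sample: a harmless final stage wrapped base64 -> base32 -> base16
# (assumed order; the post names the three encodings but not their nesting).
FINAL_STAGE = b'print("stage reached")'
SAMPLE = base64.b16encode(base64.b32encode(base64.b64encode(FINAL_STAGE)))

if __name__ == "__main__":
    print(peel_encodings(SAMPLE))
```

The alphabet test is a heuristic: very short strings can satisfy several alphabets at once, so the decoded result should always be sanity-checked before trusting the layer list.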

Yet another tool used by attackers to hide their code is Nuitka. This is a legitimate compiler that translates Python code to C and then uses a third-party C compiler (gcc, clang, MinGW, MSVC) to produce a binary. Reversing Python code compiled with Nuitka can be a challenging task, especially in the case of the Nuitka Commercial Package, which offers "Protection vs. Reverse Engineering". That explains why some AV vendors deployed signatures to detect the Nuitka obfuscator (VTI query: engines:Nuitka).

We didn’t observe confirmed cases of Nuitka-obfuscated malware in the PyPI repository, only a couple of legitimate and dummy packages. The following VTI queries help hunt for malware samples obfuscated with Nuitka:

Conclusions

Although we found different malware samples in the PyPI repository, this post is only the result of a superficial analysis of suspicious content found on this platform. We hope our efforts to include all these samples in VirusTotal as soon as they are published will help detect and prevent malicious activity before these packages become part of a supply chain attack. In this direction, we will keep including similar repositories in VirusTotal. This also helps security analysts explore in VirusTotal Intelligence any suspicious publicly hosted package, even after it has been removed.

Additionally, it seems clear that GitHub-hosted open source malware served for “educational purpose only” could be a significant problem. First of all, it allows malware families to quickly evolve and be forked from each other by different actors who don’t really need to make any effort to have fresh malware samples ready to go in a short period of time, as we saw happen with W4SP Stealer. If that doesn’t change, we expect to see more malware families cannibalizing each other. Second, these public repositories might attract the attention of users who may not be fully aware that they are contributing to cybercrime activity.

We also observed how the high popularity among attackers of code obfuscation tools such as Nuitka, Hyperion or HyperBreak is making it much harder to detect the malicious code and to filter dangerous packages out of the PyPI repository. Although we see a positive trend in the antivirus detection ratio for malware in PyPI, there’s still work to be done.

And of course, kudos to all the security companies and private researchers who publicly reported on malware in PyPI, making the environment of all Python developers a bit safer.

Appendix I - IOCs

VirusTotal Collection

itw:files.pythonhosted.org fs:2022-12-29+ p:2+ - generic VTI query to list PyPI packages submitted after 2022-12-29 and detected by at least 2 AVs.

File hashes

Remote payloads, JS injections, etc.

Some of the W4SP mapped infrastructure

Appendix II - Creal Stealer hardcoded blacklists

Username

'WDAGUtilityAccount', '3W1GJT', 'QZSBJVWM', '5ISYH9SH', 'Abby', 'hmarc', 'patex', 'RDhJ0CNFevzX', 'kEecfMwgj', 'Frank', '8Nl0ColNQ5bq', 'Lisa', 'John', 'george', 'PxmdUOpVyx', '8VizSM', 'w0fjuOVmCcP5A', 'lmVwjj9b', 'PqONjHVwexsS', '3u2v9m8', 'Julia', 'HEUeRzl', 'fred', 'server', 'BvJChRPnsxn', 'Harry Johnson', 'SqgFOf3G', 'Lucas', 'mike', 'PateX', 'h7dk1xPr', 'Louise', 'User01', 'test', 'RGzcBUyrznReg'

PC name

'BEE7370C-8C0C-4', 'DESKTOP-NAKFFMT', 'WIN-5E07COS9ALR', 'B30F0242-1C6A-4', 'DESKTOP-VRSQLAG', 'Q9IATRKPRH', 'XC64ZB', 'DESKTOP-D019GDM', 'DESKTOP-WI8CLET', 'SERVER1', 'LISA-PC', 'JOHN-PC', 'DESKTOP-B0T93D6', 'DESKTOP-1PYKP29', 'DESKTOP-1Y2433R', 'WILEYPC', 'WORK', '6C4E733F-C2D9-4', 'RALPHS-PC', 'DESKTOP-WG3MYJS', 'DESKTOP-7XC6GEZ', 'DESKTOP-5OV9S0O', 'QarZhrdBpj', 'ORELEEPC', 'ARCHIBALDPC', 'JULIA-PC', 'd1bnJkfVlH', 'NETTYPC', 'DESKTOP-BUGIO', 'DESKTOP-CBGPFEE', 'SERVER-PC', 'TIQIYLA9TW5M', 'DESKTOP-KALVINO', 'COMPNAME_4047', 'DESKTOP-19OLLTD', 'DESKTOP-DE369SE', 'EA8C2E2A-D017-4', 'AIDANPC', 'LUCAS-PC', 'MARCI-PC', 'ACEPC', 'MIKE-PC', 'DESKTOP-IAPKN1P', 'DESKTOP-NTU7VUO', 'LOUISE-PC', 'T00917', 'test42'

MAC address

Appendix III - BlackCap Grabber hardcoded blacklists

Username

"WDAGUtilityAccount", "BvJChRPnsxn", "Harry Johnson", "SqgFOf3G", "RGzcBUyrznReg", "h7dk1xPr","Robert", "Abby", "Peter Wilson", "hmarc", "patex", "JOHN-PC", "RDhJ0CNFevzX", "kEecfMwgj", "Frank", "8Nl0ColNQ5bq", "Lisa", "John", "george", "PxmdUOpVyx", "8VizSM", "w0fjuOVmCcP5A", "lmVwjj9b", "PqONjHVwexsS", "3u2v9m8", "Julia", "HEUeRzl"

PC name

"DESKTOP-CDLNVOQ", "BEE7370C-8C0C-4", "DESKTOP-NAKFFMT", "WIN-5E07COS9ALR", "B30F0242-1C6A-4", "DESKTOP-VRSQLAG", "Q9IATRKPRH", "XC64ZB", "DESKTOP-D019GDM", "DESKTOP-WI8CLET", "SERVER1", "LISA-PC", "JOHN-PC", "DESKTOP-B0T93D6", "DESKTOP-1PYKP29", "DESKTOP-1Y2433R", "WILEYPC", "WORK", "6C4E733F-C2D9-4", "RALPHS-PC", "DESKTOP-WG3MYJS", "DESKTOP-7XC6GEZ", "DESKTOP-5OV9S0O", "QarZhrdBpj", "ORELEEPC", "ARCHIBALDPC", "JULIA-PC", "d1bnJkfVlH", "DESKTOP-B0T93D6"

System UUID

IP address

Appendix IV - BlackCap Grabber’s regular expressions to catch crypto wallets

BTC

'^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$'

ETH

'^0x[a-fA-F0-9]{40}$'

Xchain

'^([X]|[a-km-zA-HJ-NP-Z1-9]{36,72})-[a-zA-Z]{1,83}1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{38}$'

Pchain

'^([P]|[a-km-zA-HJ-NP-Z1-9]{36,72})-[a-zA-Z]{1,83}1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{38}$'

Cchain

'^([C]|[a-km-zA-HJ-NP-Z1-9]{36,72})-[a-zA-Z]{1,83}1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{38}$'

Monero

'/4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$/g'

Ada (Cardano)

'addr1[a-z0-9]+'

Dash

'/X[1-9A-HJ-NP-Za-km-z]{33}$/g'