TroyStealer – A new info stealer targeting Portuguese Internet users

One of the most recent threats is the info stealer TroyStealer, first shared by on Twitter, and targeting Portuguese users.

The world of cybercrime is changing, and more and more malware variants have spread every day. To keep your system safe, one of the things you can do is following a cyber doctrine focused on the threats that lunk on the web.

One of the most recent threats is the info stealer TroyStealer, first shared by on Twitter, and targeting Portuguese users.

There seems to be a new stealer in town called #TroyStealer, targeting Portuguese internet users EXE: email address:domionhuby@gmail.comHas anyone seen this threat before?/cc @CNCSgovpt @sirpedrotavares— (@abuse_ch) June 12, 2020An information stealer (or info stealer) is a Trojan that is designed to gather information from a system. The malware gathers login information, like usernames and passwords stored on web-browsers, which it sends to another system via email. Another common form this malware is to log user keystrokes which may reveal sensitive information.


Figure 1: Email template TroyStealer (in the Portuguese language).

The message sent in the email template is related to problems with the victim’s bank account. When the problems are overcome, the victim will receive payment in your account.

The binary file

Threat name: TroyStealer.exeMD5: DAB6194F16CEFDB400E3FB6C11A76861SHA1: C76A9FB1A2AE927BF9C950338BE5B391FED29CD7Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744Created: Thu Jun 11 19:53:24 2020

At first glance, the info stealer malware is packed (entropy 7.177), and it was compiled on Thu Jun 11 19:53:24 2020 via a .NET compiler (Microsoft Visual C# v7.0).

Figure 2: Compilation and packing details of TroyStealer malware.

Before executing the PE file, some details can be observed such as specific call references used to decrypt/unpacking the binary and execute another instance in memory via Process Injection technique.

Figure 3: Process of unpacking the binary.

Figure 4: Smart Assembly – used to obfuscate the binary.

After unpacking it, we observed the binary was also obfuscated in a second-round with .NET Reactor(4.8-4.9).

Figure 5 depicts the high flow diagram of TroyStealer malware.

Figure 5: TroyStealer malware high flow diagram.

In detail, the malware detects if it is running inside a VM and stops the execution. In contrast, the malware is executed and a new process is created and executed using the process injection technique. After that, the harvesting process is initiated. Some modules of collecting details from the browser are started as well as another module to collect mail credentials from outlook.

In sum, the following steps are performed during the malware execution:

Obtaining victim’s details (credentials info from browser and email)Getting HKEY_CURRENT_USERSoftwarePaltalk passwordsDeleting browser specific filesGetting Security products installed on the deviceObtaining Operating system versionGetting KeystrokesSent information via email to the attackerFilles accessed during the malware execution

C:UsersuserAppDataRoamingMozillaFirefoxprofiles.iniC:UsersuserAppDataLocalGoogleChromeUser DataDefaultLogin DataC:UsersuserAppDataRoamingMozillaFirefoxprofiles.iniC:UsersuserAppDataRoamingMozillaFirefoxProfilesi8ia8vs.defaultlogins.json

Deleted files during the malware execution

C:UsersuserAppDataRoamingMozillaFirefoxProfilesi8ia8vs.defaultcookies.sqliteC:UsersuserAppDataRoamingMozillaFirefoxProfilesi8ia8vs.defaultplaces.sqliteC:UsersuserAppDataLocalGoogleChromeUser DataDefaultCookiesC:UsersuserAppDataLocalGoogleChromeUser DataDefaultWeb DataC:UsersuserAppDataLocalGoogleChromeUser DataDefaultHistory

Getting security products, OS version, and Reg Keys

IWbemServices::ExecQuery – rootcimv2 : SELECT Caption FROM Win32_OperatingSystemIWbemServices::ExecQuery – rootSecurityCenter2 : SELECT * FROM AntivirusProductKey opened: HKEY_CURRENT_USERSoftwarePaltalkKey opened: HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindows Messaging SubsystemProfilesOutlook9375CFF0413111d3B88A00104B2A6676

Finally, the malware validates there is a valid Internet connection through a speed test website. If so, it establishes SMTP communication with the authenticated email server and sends the victim’s details via email.

Figure 6: Snippet of code with the email sent to the attacker inbox with the victim’s details.

Figure 7: Details sent to the attacker’s email addressed.

Final Thoughts

Malware is nowadays one of the major cyber weapons to destroy a business, market reputation, and even infect a wide number of users. The next list presents some tips on how you can prevent a malware infection. It is not a complete list, just a few steps to protect yourself and your devices.

Get outdated software of your systemGet email savvy; take several minutes looking at the new email and not a few secondsBeware of fake tech support, emails related do bank transactions, invoices, COVID19, everything you think be strangeKeep Internet activity relevantLog out at the end of the dayOnly access secured  and trusted sites (not only websites with green lock – please think you are doing, as many phishing campaigns are abusing of free CA to create valid HTTPS certificates and to distribute malicious campaigns over it)Keep your operating system up to dateMake sure you are using an antivírusBeware of malvertisingTake-home messageBe proactive and start taking malware protection seriously!

Technical details about the malware, including Mitre Att&ck Matrix and Indicators of Compromise (IoCs) are available in the original post published here:

TroyStealer – A new info stealer targeting Portuguese Internet users
About the author Pedro Tavares

Pedro Tavares is a professional in the field of information security, working as an Ethical Hacker, Malware Analyst, Cybersecurity Analyst and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog

The post TroyStealer – A new info stealer targeting Portuguese Internet users appeared first on Security Affairs.