Cyble-Analysis-Saintstealer-InfoStealer

Dissecting Saintstealer

Threat Actors leveraging known C&C server linked to other popular stealers

During our routine threat-hunting exercise, Cyble Research Labs came across a C# .NET-based information stealer developed by the Saint gang. The activities of Saintstealer can be traced back as far as November 2021. The file is not packed and has multiple functionalities to steal credentials and system information.

After execution, the stealer extracts username, passwords, credit card details, etc. The stealer also steals data from various locations across the system and compresses it in a password-protected zip file. Once these files are compressed, the stealer exfiltrates the data to a Telegram channel. The metadata related to the exfiltrated information is sent to a Command and Control (C&C) server – hxxp://f0591243.xsph[.]ru.

The C&C server initially refused the connection, but upon checking the IP (141.8.197[.]42) associated with the domain, we found multiple similar sub-domains hosted on this IP. Based on our analysis, we found that these domains were involved with other stealer’s activities.

This IP is associated with multiple stealer families such as Nixscare stealer, BloodyStealer, QuasarRAT, Predator stealer, EchelonStealer, etc. One such domain, hxxp://a00[redacted].xsph[.]ru/,  is active at the time of publication.

 Figure 1 shows the hosted files.

Figure 1 – Files Hosted on C&C

Apart from the C&C, we also investigated two other malicious domains, hxxp://notste[redacted].com.xsph[.]ru/ and hxxp://ilov[redacted].ru.xsph[.]ru/.

These domains show the possible login panel for the TAs and the link to the Telegram channel t.me/[redacted]team, possibly affiliated with the TAs, as shown in Figure 2.

Figure 2 – TAs Login Panel

Figure 3 shows the Telegram bot channel.

Figure 3 – TA’s Telegram Channel

From a technical standpoint, the stealer functions similarly to other stealers that we have observed and reported on. However, the impact of the threat depends on how Threat Actors (TA) deploy it. With the help of sophisticated delivery and operation mechanisms, the TA can inflict devastating results.

Technical Analysis

The stealer is a 32-bit C# .NET-based executable named saintgang.exe. The static file information is shown in Figure 4.

Figure 4 – Static Details of saintgang.exe

After execution, the stealer checks the running processes. If no process is running, the stealer terminates itself. Additionally, the programs check various anti-analysis techniques, as shown in Figure 5.

Figure 5 – Anti-Reversing Technique Used by the Stealer

AVMethod class has various checks to check whether there is a sandbox, Rdp, and execution platform of the infected machine.

If any of mentioned environments are detected, the stealer terminates its operations, as shown below.

Figure 6 – Stealer Checking Environment

Figure 7 shows the functions for checking the anti-malware solution. The stealer developer used SandBoxies() to check Sandboxie, a sandbox software, and IsRdpAvailable() to check the RDP connections.

Figure 7 – Stealer Checking for Rdp and Sandboxie

Additionally, GetModelsAndManufactures() functions extracts Windows management object which contains device manufacturer and model data. The program terminates if the manufacturer or model contains any of the following elements in the list.

  • virtual
  • vmbox
  • VMware
  • VirtualBox
  • box
  • ThinApp
  • VMXh
  • Innotek gmbh
  • tpvcgateway
  • tpautoconnsvc
  • vbox
  • KVM
  • red hat

Figure 8 shows the methods used to search for these virtual environments.

Figure 8 – Stealer Checking Virtual Environment

Once the checks are completed, the stealer runs various tasks for information stealing operations. We have listed the operations performed by the information stealer below:

  • Gr4bH4rdwar3(): Get hardware details
  • Scr33nsh0t(): Screenshot
  • Get Discord Token
  • Get Desktop Files
  • Get Chromium Passwords
  • Get Chromium AutoFills
  • Get Chromium Cookies
  • Get Chromium Credit Cards
  • Get NordVPN Accounts details
  • Get OpenVPN data
  • Get ProtonVPN data
  • Get Steam data
  • Get Vime details
  • Get Telegram details

Gr4bH4rdwar3() operation gets the hardware and environment details from the victim’s system. This information includes processor, graphic card, log date, username, operating system, Windows version, serial number, IP, country, location, time zone, keyboard, languages, RAM, and antivirus software.

Figure 9 shows these details.

Figure 9 – Stealer Extracting System Information

Scr33nsh0t() gets the screenshot of the infected system, as shown below.

Figure 10 – Stealer Routine for Capturing Screenshots

The stealer also steals Discord multi-factor authentication tokens from the infected system, as shown below.

Figure 11 – Stealer Routine for Discord Data Exfiltration

With the function DesktopFiles, the stealer then steals files with the extensions .txt, .doc, and .docx from the system folders Desktop and Documents, as shown in Figure 12.

Figure 12 – Stealer Extracting Desktop and Document Files

After stealing the files from the Desktop and Document folders, the stealer looks for login passwords, cookies, auto-fill information, and credit card information from various browsers. The Stealer has a list of targeted websites, and the targeted data of those websites is hardcoded into it. The list of targeted websites is given below:

  • qiwi.com
  • payoneer.com
  • pay.google.com
  • paypal.com
  • yoomoney.ru
  • blockchain.com
  • minergate.com
  • binance.com
  • btc.com
  • lolz.guru
  • bhf.la
  • xss.is
  • vk.com
  • instagram.com
  • funpay.ru
  • steamcommunity.com
  • ubisoft.com
  • origin.com
  • wargaming.net
  • epicgames.com
  • warface.com
  • roblox.com
  • blizzard.com
  • spotify.com
  • vimeworld

The Stealer looks for the following details on these sites:

  • mail
  • password
  • user
  • login
  • address
  • number
  • phone
  • credit card

Figure 13 shows the details of the targeted websites and extracted details.

Figure 13 -Targeted Websites and Data

The following table contains targeted browsers for the above data and website information.

ChromeComodo DragonIridium BrowserCocCocSputnikCoowon
OperaCoolNovo7StarElements BrowseruCozMediaLiebao Browser
Opera GXSRWare IronAmigoEpic Privacy BrowserVivaldiQIP Surf
YandexTorch BrowserCentBrowserKometaSleipnir 6Edge
360 BrowserBrave BrowserChedotOrbitumCitrio 

Figure 14 shows the routine to extract credentials from the victim system.

Figure 14 – Stealer Routine for Browser Data Extraction

The stealer detects and extracts VPN information from the infected system. It targets NordVPN, OpenVPN, and ProtonVPN. Figure 15 shows the routine of extracting the NordVPN information.

Figure 15 – Stealer Routine for NordVPN Data Extraction

If Steam is installed on the victim device, the Stealer looks for the Steam Sentry File (SSFN) and config file and extracts them. Figure 16 shows the routine for extracting Steam account information.

Figure 16 – Stealer Routine for Steam Data Extraction

The stealer also targets VimeWorld, a Minecraft game server. The stealer has a routine to extract the configuration and credentials of the VimeWorld client installed onto the infected system. Figure 17 shows the routine to extract the VimeWorld data.

Figure 17 – Stealer Routine for VimeWorld Data Extraction

Lastly, the stealer extracts Telegram data from the infected system. It also extracts data from \\Telegram Desktop\\tdata as shown below.

Figure 18 – Stealer Routine for Telegram Data Extraction

After collecting all this information, the stealer compresses it into an encrypted zip file. The following files are added into the zip file:

  • Passwords.txt
  • Autofills.txt
  • CreditCards.txt
  • Sorted/FilteredPasswords.txt
  • Sorted/FilteredAutofills.txt
  • Others/Discord/Tokens.txt
  • Others/Roblox/Tokens.txt
  • Others/VimeWorld/config
  • Information.txt
  • Screnshot.jpg
  • Others/VPN/NordVPN/Accounts.txt
  • Others/VPN/OpenVPN/
  • Others/VPN/ProtonVPN/
  • Cookies/Chromium[” + keyValuePair.Key + “].txt
  • Cookies/Gecko[” + keyValuePair.Key + “].txt
  • Others/Telegram/
  • Others/Steam/

After collecting and compressing this information, the stealer creates a zip file named HardwareInfo.Ser1alNumb3r()+.zip and sends it as a Telegram attachment. Figure 19 shows this routine.

Figure 19 –  Stealer Routine for Sending Stolen Data to the Telegram Chat

Apart from the Send() function, the stealer sends additional information to the URL hxxp://f0591243.xsph[.]ru as well, with the count of the stolen data. The data includes the number of passwords, cookies, auto-fills, credit cards, hardware IDs, and build numbers. Figure 20 shows the routine SendFile().

Figure 20 – Stealer Routine for Sending Metadata to C&C

Conclusion

Information stealers can be harmful to individuals as well as large organizations. If even unsophisticated stealers like Saintstealer gain infrastructural access, it could have devastating effects on the cyberinfrastructure of the targeted organization.

Cyble has observed several data breaches in high-profile organizations due to such threats. Organizations and individuals should thus continue to follow industry best cybersecurity practices to secure themselves and their firms.

Our Recommendations: 

  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices. 
  • Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile. 
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.
  • Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs. 
  • Block URLs that could spread the malware, e.g., Torrent/Warez. 
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs. 
  • Enable Data Loss Prevention (DLP) Solutions on the employees’ systems. 

MITRE ATT&CK® Techniques  

Tactic Technique ID Technique Name 
Privilege EscalationT1543Create or Modify System Process
Credential Access T1555
T1539 
T1552 
T1528 
Credentials from Password Stores
Steal Web Session Cookie 
Unsecured Credentials 
Steal Application Access Token 
Collection T1113 Screen Capture 
Discovery T1518 
T1124
T1007 
T1083
T1046
Software Discovery 
System Time Discovery 
System Service Discovery
File and Directory Discovery
Network Service Scanning
Command and Control T1071 Application Layer Protocol 
Exfiltration T1041 Exfiltration Over C&C Channel 

Indicators of Compromise (IoCs):   

Indicators Indicator type Description 
cf4ea5be206fbee310c36d0fd6e33714
b0d092887b1c41a7aaa7f99476cec3c51f28823c a6f5342f31a4f7e5b787f369dbb416f2b7117ceb291b55389ef97a08a6494fb4
Md5
SHA-1  SHA-256  
Saintgang.exe
hxxp://f0591243.xsph[.]ruURLC&C
141.8.197[.]42URLC&C
Scroll to Top