Threat Actors leveraging known C&C server linked to other popular stealers
During our routine threat-hunting exercise, Cyble Research Labs came across a C# .NET-based information stealer developed by the Saint gang. The activities of Saintstealer can be traced back as far as November 2021. The file is not packed and has multiple functionalities to steal credentials and system information.
After execution, the stealer extracts username, passwords, credit card details, etc. The stealer also steals data from various locations across the system and compresses it in a password-protected zip file. Once these files are compressed, the stealer exfiltrates the data to a Telegram channel. The metadata related to the exfiltrated information is sent to a Command and Control (C&C) server – hxxp://f0591243.xsph[.]ru.
The C&C server initially refused the connection, but upon checking the IP (141.8.197[.]42) associated with the domain, we found multiple similar sub-domains hosted on this IP. Based on our analysis, we found that these domains were involved with other stealer’s activities.
This IP is associated with multiple stealer families such as Nixscare stealer, BloodyStealer, QuasarRAT, Predator stealer, EchelonStealer, etc. One such domain, hxxp://a00[redacted].xsph[.]ru/, is active at the time of publication.
Figure 1 shows the hosted files.
Apart from the C&C, we also investigated two other malicious domains, hxxp://notste[redacted].com.xsph[.]ru/ and hxxp://ilov[redacted].ru.xsph[.]ru/.
These domains show the possible login panel for the TAs and the link to the Telegram channel t.me/[redacted]team, possibly affiliated with the TAs, as shown in Figure 2.
Figure 3 shows the Telegram bot channel.
From a technical standpoint, the stealer functions similarly to other stealers that we have observed and reported on. However, the impact of the threat depends on how Threat Actors (TA) deploy it. With the help of sophisticated delivery and operation mechanisms, the TA can inflict devastating results.
Technical Analysis
The stealer is a 32-bit C# .NET-based executable named saintgang.exe. The static file information is shown in Figure 4.
After execution, the stealer checks the running processes. If no process is running, the stealer terminates itself. Additionally, the programs check various anti-analysis techniques, as shown in Figure 5.
AVMethod class has various checks to check whether there is a sandbox, Rdp, and execution platform of the infected machine.
If any of mentioned environments are detected, the stealer terminates its operations, as shown below.
Figure 7 shows the functions for checking the anti-malware solution. The stealer developer used SandBoxies() to check Sandboxie, a sandbox software, and IsRdpAvailable() to check the RDP connections.
Additionally, GetModelsAndManufactures() functions extracts Windows management object which contains device manufacturer and model data. The program terminates if the manufacturer or model contains any of the following elements in the list.
- virtual
- vmbox
- VMware
- VirtualBox
- box
- ThinApp
- VMXh
- Innotek gmbh
- tpvcgateway
- tpautoconnsvc
- vbox
- KVM
- red hat
Figure 8 shows the methods used to search for these virtual environments.
Once the checks are completed, the stealer runs various tasks for information stealing operations. We have listed the operations performed by the information stealer below:
- Gr4bH4rdwar3(): Get hardware details
- Scr33nsh0t(): Screenshot
- Get Discord Token
- Get Desktop Files
- Get Chromium Passwords
- Get Chromium AutoFills
- Get Chromium Cookies
- Get Chromium Credit Cards
- Get NordVPN Accounts details
- Get OpenVPN data
- Get ProtonVPN data
- Get Steam data
- Get Vime details
- Get Telegram details
Gr4bH4rdwar3() operation gets the hardware and environment details from the victim’s system. This information includes processor, graphic card, log date, username, operating system, Windows version, serial number, IP, country, location, time zone, keyboard, languages, RAM, and antivirus software.
Figure 9 shows these details.
Scr33nsh0t() gets the screenshot of the infected system, as shown below.
The stealer also steals Discord multi-factor authentication tokens from the infected system, as shown below.
With the function DesktopFiles, the stealer then steals files with the extensions .txt, .doc, and .docx from the system folders Desktop and Documents, as shown in Figure 12.
After stealing the files from the Desktop and Document folders, the stealer looks for login passwords, cookies, auto-fill information, and credit card information from various browsers. The Stealer has a list of targeted websites, and the targeted data of those websites is hardcoded into it. The list of targeted websites is given below:
- qiwi.com
- payoneer.com
- pay.google.com
- paypal.com
- yoomoney.ru
- blockchain.com
- minergate.com
- binance.com
- btc.com
- lolz.guru
- bhf.la
- xss.is
- vk.com
- instagram.com
- funpay.ru
- steamcommunity.com
- ubisoft.com
- origin.com
- wargaming.net
- epicgames.com
- warface.com
- roblox.com
- blizzard.com
- spotify.com
- vimeworld
The Stealer looks for the following details on these sites:
- password
- user
- login
- address
- number
- phone
- credit card
Figure 13 shows the details of the targeted websites and extracted details.
The following table contains targeted browsers for the above data and website information.
| Chrome | Comodo Dragon | Iridium Browser | CocCoc | Sputnik | Coowon |
| Opera | CoolNovo | 7Star | Elements Browser | uCozMedia | Liebao Browser |
| Opera GX | SRWare Iron | Amigo | Epic Privacy Browser | Vivaldi | QIP Surf |
| Yandex | Torch Browser | CentBrowser | Kometa | Sleipnir 6 | Edge |
| 360 Browser | Brave Browser | Chedot | Orbitum | Citrio |
Figure 14 shows the routine to extract credentials from the victim system.
The stealer detects and extracts VPN information from the infected system. It targets NordVPN, OpenVPN, and ProtonVPN. Figure 15 shows the routine of extracting the NordVPN information.
If Steam is installed on the victim device, the Stealer looks for the Steam Sentry File (SSFN) and config file and extracts them. Figure 16 shows the routine for extracting Steam account information.
The stealer also targets VimeWorld, a Minecraft game server. The stealer has a routine to extract the configuration and credentials of the VimeWorld client installed onto the infected system. Figure 17 shows the routine to extract the VimeWorld data.
Lastly, the stealer extracts Telegram data from the infected system. It also extracts data from \\Telegram Desktop\\tdata as shown below.
After collecting all this information, the stealer compresses it into an encrypted zip file. The following files are added into the zip file:
- Passwords.txt
- Autofills.txt
- CreditCards.txt
- Sorted/FilteredPasswords.txt
- Sorted/FilteredAutofills.txt
- Others/Discord/Tokens.txt
- Others/Roblox/Tokens.txt
- Others/VimeWorld/config
- Information.txt
- Screnshot.jpg
- Others/VPN/NordVPN/Accounts.txt
- Others/VPN/OpenVPN/
- Others/VPN/ProtonVPN/
- Cookies/Chromium[” + keyValuePair.Key + “].txt
- Cookies/Gecko[” + keyValuePair.Key + “].txt
- Others/Telegram/
- Others/Steam/
After collecting and compressing this information, the stealer creates a zip file named HardwareInfo.Ser1alNumb3r()+.zip and sends it as a Telegram attachment. Figure 19 shows this routine.
Apart from the Send() function, the stealer sends additional information to the URL hxxp://f0591243.xsph[.]ru as well, with the count of the stolen data. The data includes the number of passwords, cookies, auto-fills, credit cards, hardware IDs, and build numbers. Figure 20 shows the routine SendFile().
Conclusion
Information stealers can be harmful to individuals as well as large organizations. If even unsophisticated stealers like Saintstealer gain infrastructural access, it could have devastating effects on the cyberinfrastructure of the targeted organization.
Cyble has observed several data breaches in high-profile organizations due to such threats. Organizations and individuals should thus continue to follow industry best cybersecurity practices to secure themselves and their firms.
Our Recommendations:Â
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
- Block URLs that could spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
MITRE ATT&CK® Techniques Â
| Tactic | Technique ID | Technique Name |
| Privilege Escalation | T1543 | Create or Modify System Process |
| Credential Access | T1555 T1539 T1552 T1528 | Credentials from Password Stores Steal Web Session Cookie Unsecured Credentials Steal Application Access Token |
| Collection | T1113 | Screen Capture |
| Discovery | T1518 T1124 T1007 T1083 T1046 | Software Discovery System Time Discovery System Service Discovery File and Directory Discovery Network Service Scanning |
| Command and Control | T1071 | Application Layer Protocol |
| Exfiltration | T1041 | Exfiltration Over C&C Channel |
Indicators of Compromise (IoCs):  Â
| Indicators | Indicator type | Description |
| cf4ea5be206fbee310c36d0fd6e33714 b0d092887b1c41a7aaa7f99476cec3c51f28823c a6f5342f31a4f7e5b787f369dbb416f2b7117ceb291b55389ef97a08a6494fb4 | Md5 SHA-1Â SHA-256Â Â | Saintgang.exe |
| hxxp://f0591243.xsph[.]ru | URL | C&C |
| 141.8.197[.]42 | URL | C&C |
