Multi-Threading Approach used For Rapid Exfiltration
During our routine threat-hunting exercise, Cyble Research Labs came across a new stealer named “PennyWise” shared by a researcher. The stealer appears to have been developed recently. Though this stealer is fresh, the Threat Actor(s) (TA) has already rolled out an updated version, 1.3.4.
Our investigation indicates that the stealer is an emerging threat, and we have witnessed multiple samples of this stealer active in the wild. In its current iteration, this stealer can target over 30 browsers and cryptocurrency applications such as cold crypto wallets, crypto-browser extensions, etc.
The stealer is built using an unknown crypter, which makes the debugging process tedious. It uses multithreading to steal user data and creates over 10 threads, enabling faster execution and exfiltration. The figure below shows the Pennywise stealer’s C&C panel.
Initial Infection: Spreading via YouTube
The TA spreads this PennyWise stealer as free Bitcoin mining software. The TA has created a video on YouTube containing the link to download the malware. In this campaign, the users who look for Bitcoin mining software may become victims of Pennywise stealer.
When a user visits the link, the TA instructs them to download the malware hosted on a file-hosting service. The malware file is zipped and password protected. To appear legitimate, the TA has shared a VirusTotal link for a clean file that is unrelated to the file available for download. The TA also tricks users into disabling their antivirus so the malware can execute successfully, as shown below.
The zip file contains an installer that drops the Pennywise stealer, executes it, and finally, the stealer exfiltrates the victim’s data to the C&C server. The figure below shows the network communication.
As per our observations, the TA has created over 80 videos on their YouTube channel for mass infection. We have also observed a few download links from the TA’s YouTube channel that spread Pennywise stealer. The figure below shows the videos created for spreading malware via YouTube.
The infection starts with the loader (SHA256: e43b83bf5f7ed17b0f24e3fb7e95f3e7eb644dbda1977e5d2f33e1d8f71f5da0) which injects the Pennywise stealer into a legitimate .NET binary named “AppLaunch.exe” using a technique called “process hollowing”.
The .NET binary injected into AppLaunch.exe (SHA256: 3bbd6cdbc70a5517e5f39ed9dfad0897d5b200feecd73d666299876e35fa4c90) is the actual payload of Pennywise stealer. The Pennywise stealer contains encoded strings that are decoded during the initial execution of the malware. The figure below shows the function “Class84.method_0“, which is responsible for decoding these strings.
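A process-creation heuristic for the hollowing step described above, as an added example that is not part of Cyble’s report or tooling. It assumes Sysmon Event ID 1 style records (Image, ParentImage, CommandLine, UtcTime) and treats any AppLaunch.exe launch whose parent lives outside C:\Windows or Program Files as a candidate for review; the trusted-root list and the sample events are constructed for this example.

```python
import json
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation records (Event ID 1 field names), not real
# telemetry. Backslashes are JSON-escaped inside the raw string.
SAMPLE_EVENTS = r"""
{"UtcTime":"2022-06-10 09:13:58","Image":"C:\\Users\\victim\\Downloads\\btc_miner_setup.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"\"C:\\Users\\victim\\Downloads\\btc_miner_setup.exe\""}
{"UtcTime":"2022-06-10 09:14:00","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe","ParentImage":"C:\\Users\\victim\\Downloads\\btc_miner_setup.exe","CommandLine":"\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe\""}
{"UtcTime":"2022-06-10 09:20:31","Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"notepad.exe"}
"""

# The hollowing host named in the report. Lower-cased basenames are compared.
TARGET_HOSTS = {"applaunch.exe"}

# Assumption for this example: a legitimate launcher of AppLaunch.exe lives under one of
# these roots; a parent in a user-writable location (Downloads, Temp, AppData) is suspect.
TRUSTED_PARENT_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _under_trusted_root(path: str) -> bool:
    """True if the given Windows path starts with one of the trusted roots."""
    lowered = path.lower()
    return any(lowered.startswith(root) for root in TRUSTED_PARENT_ROOTS)


def is_hollowing_candidate(event: dict) -> bool:
    """Flag a record when the child is AppLaunch.exe and its parent is not a trusted binary."""
    image = PureWindowsPath(event["Image"]).name.lower()
    if image not in TARGET_HOSTS:
        return False
    return not _under_trusted_root(event["ParentImage"])


def find_candidates(log_text: str) -> list[dict]:
    """Parse one JSON record per line and return the candidates worth triaging."""
    hits = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        if is_hollowing_candidate(event):
            hits.append({"time": event["UtcTime"], "image": event["Image"],
                         "parent": event["ParentImage"]})
    return hits


if __name__ == "__main__":
    for hit in find_candidates(SAMPLE_EVENTS):
        print(hit)
```

The heuristic is deliberately narrow: it keys on the parent relationship rather than on memory contents, so it fires on the loader-to-AppLaunch.exe step the report describes and stays quiet for AppLaunch.exe started by components under the Windows directory. Pair it with an EDR alert on image/on-disk mismatch if you have one.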
Upon execution, the stealer initializes the variables that support the stealing functionality. The values are decoded and assigned to these variables during run time, as shown in the below table.
| Variable | Value | Description |
|---|---|---|
| string_2 | CRYPTED:ygBdfUqyTjr827lyAL47dg== | Encrypted TA name |
| string_11 | — CreateChannel — | String |
| string_13 | CRYPTED:vuw8jLF2e/Ljzrqrw2oAEBJLqFB8KtttiM5T7ns2bs4Dsnmons6Ixd82gskRZISF | Encrypted C2 URL |
| dictionary_0 | Document: RTF, Doc, Docx, txt, json | Files the stealer will collect |
The stealer then creates a mutex named “9D16FBEF0D8A8F87529DE06A1C43C737” to ensure that only one instance of the malware is running at any given time on the victim’s machine. The malware terminates its execution if the mutex is already present.
The malware then gets the path of the targeted browsers for stealing user data. It targets the following browsers:
- 30+ Chrome-based browsers
- 5+ Mozilla-based browsers
- Microsoft Edge
Once the browser path is obtained, the malware fetches username, machine name, system language, and timezone details from the victim’s system. In this case, the malware converts the timezone into Russian Standard Time (RST), as shown below.
The malware then retrieves the system language code using the CultureInfo class and gets the graphic driver and processor names of the victim’s machine using a WMI query. After this, it creates a string in the below format to generate an MD5 hash.
The hash value will be used to name a folder created with hidden attributes in the AppData\Local directory and save the stolen data.
The malware tries to identify the victim’s country using the CultureInfo class and terminates its execution if the victim is based outside the following locations.
This could indicate that the TA is trying to avoid scrutiny by Law Enforcement Agencies in these particular countries.
The malware performs multiple anti-analysis and anti-detection checks to prevent execution in a controlled environment. It uses the Win32_ComputerSystem WMI class to detect whether it is running inside a virtual machine.
Then, it checks for the following Dynamic-Link Library (DLL) files to identify the presence of antivirus applications and sandbox environments.
- SbieDll: Sandboxie
- SxIn: 360 Total Security
- Sf2: Avast Antivirus
- Snxhk: Avast Antivirus
- cmdvrt32: COMODO
It also checks the running processes on the victim’s machine and terminates its execution if the following processes are running.
- fiddler everywhere
After this, the malware decrypts string_2 and string_13 in Table 1, which are encrypted using the Rijndael algorithm. These strings possibly contain the TA’s user name and Command & Control (C&C) URL.
The malware then creates a subfolder inside the folder created earlier in the AppData\Local directory, using the following format:
The malware uses multithreading to steal data from the victim’s system. Every individual thread is responsible for performing a different operation, such as stealing the victim’s files, harvesting Chromium/Mozilla browser data, stealing the browser’s cryptocurrency extension data, taking screenshots, stealing sessions of chat applications, etc.
The malware creates over 10 threads and executes them using the Thread.Start() method.
The malware only steals files that are smaller than 20KB and have RTF, Doc, Docx, txt, or JSON extensions; these are saved in a folder named “grabber.”
Using the Directory.Exists() method, the malware identifies whether a targeted browser is present on the victim’s machine and steals data if one is found. The malware steals data from Chromium- and Mozilla-based browsers as follows:
- In Chromium-based browsers, sensitive user data such as login credentials and cookies is stored in encrypted form. The malware enumerates all files in the “Browser-name\User Data\” folder and looks for the “Local State” file, which holds the encrypted key. It decrypts that key with the CryptUnprotectData() function and then uses it to decrypt the login data file containing the saved credentials.
- In Mozilla-based browsers, the malware targets SQLite files such as “cookies.sqlite” and “key4.db”, which store the encryption keys and master password needed for login.json. It uses these keys to decrypt login.json, which contains the user credentials. Stolen browser cookies are saved into a file named “[browser name_Default]_Cookies.txt”.
For stealing Discord tokens, the malware targets the following directories:
- Discord\Local Storage\leveldb
- Discord PTB\Local Storage\leveldb
- Discord Canary\leveldb
The malware steals Telegram sessions by copying files from the “Telegram Desktop\tdata” folder.
It also fetches the list of running processes using the Process.GetProcesses() method and writes the data, including process name, PID, and execution path, to the “Processes.txt” file.
The malware takes a screenshot of the victim’s system and stores it as a file named “Screenshot.jpg.” It creates a file named “Information.txt” that saves data such as location, details of the victim’s system, hardware details, antivirus, stealer version, victim’s unique ID, and date.
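A host-side triage script for the artifacts named so far (the single-instance mutex, the hidden MD5-named staging folder under AppData\Local, and the grabber, Processes.txt, Screenshot.jpg, Information.txt and Software.txt files it holds), as an added example that is not Cyble’s code. The mutex and artifact names come from the report; the 32-hex-character folder match follows from the MD5 naming, and the two-artifact threshold, the Windows API calls used for the hidden attribute and mutex checks, and the sample directory tree are this example’s own assumptions.

```python
import ctypes
import re
import sys
import tempfile
from pathlib import Path

# Mutex name quoted in the report; the staging folder is named after an MD5 digest.
PENNYWISE_MUTEX = "9D16FBEF0D8A8F87529DE06A1C43C737"
MD5_NAME = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
# Artifact names the report says the stealer writes into that folder.
ARTIFACTS = {"grabber", "Processes.txt", "Screenshot.jpg", "Information.txt", "Software.txt"}
FILE_ATTRIBUTE_HIDDEN = 0x2
INVALID_FILE_ATTRIBUTES = 0xFFFFFFFF
SYNCHRONIZE = 0x00100000


def is_hidden(path: Path) -> bool:
    """True when the directory carries the Windows hidden attribute; False off Windows."""
    if sys.platform != "win32":
        return False
    attrs = ctypes.windll.kernel32.GetFileAttributesW(str(path))
    return attrs != INVALID_FILE_ATTRIBUTES and bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def mutex_present(name: str = PENNYWISE_MUTEX):
    """Return True/False for the named mutex on Windows, None on other platforms."""
    if sys.platform != "win32":
        return None
    kernel32 = ctypes.windll.kernel32
    kernel32.OpenMutexW.restype = ctypes.c_void_p
    kernel32.OpenMutexW.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p]
    handle = kernel32.OpenMutexW(SYNCHRONIZE, 0, name)
    if handle:
        kernel32.CloseHandle(ctypes.c_void_p(handle))
        return True
    return False


def find_staging_dirs(local_appdata: Path, min_hits: int = 2) -> list[dict]:
    """Scan the top level of a LocalAppData-like folder for MD5-named dirs with stealer artifacts."""
    findings = []
    for entry in sorted(local_appdata.iterdir()):
        if not entry.is_dir() or not MD5_NAME.match(entry.name):
            continue
        hits = sorted(name for name in ARTIFACTS if (entry / name).exists())
        if len(hits) >= min_hits:   # threshold is an assumption; one stray file is not enough
            findings.append({"path": str(entry), "hidden": is_hidden(entry), "artifacts": hits})
    return findings


def build_sample_tree(root: Path) -> Path:
    """Constructed layout for an offline run: one suspicious folder, one benign MD5-named one."""
    bad = root / "d41d8cd98f00b204e9800998ecf8427e"   # placeholder MD5-shaped name
    (bad / "grabber").mkdir(parents=True)
    (bad / "Information.txt").write_text("constructed sample\n")
    (bad / "Processes.txt").write_text("constructed sample\n")
    good = root / "0123456789abcdef0123456789abcdef"  # MD5-shaped but no artifacts
    good.mkdir()
    (good / "cache.bin").write_bytes(b"\x00")
    (root / "Microsoft").mkdir()                        # ordinary non-hash folder
    return root


if __name__ == "__main__":
    # Point at %LOCALAPPDATA% on a live host, or run without arguments for the sample tree.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_tree(Path(tempfile.mkdtemp()))
    print("mutex present:", mutex_present())
    for finding in find_staging_dirs(target):
        print(finding)
```

On a live Windows host run it as `python triage.py "%LOCALAPPDATA%"`; the mutex check only tells you whether an instance is currently running, so the folder scan is the more durable signal since the report notes the folder is deleted after exfiltration and may survive only if the upload failed.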
The malware queries the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall to obtain the list of installed applications and writes this data to a file named “Software.txt” in the following format:
The stealer queries the registry to locate cryptocurrency wallets such as Litecoin, Dash, and Bitcoin, as shown in the figure below. It obtains the path from the “strDataDir” value in the HKEY_CURRENT_USER\Software\Blockchain_name\Blockchain_name-Qt registry key.
It targets cold crypto-wallets such as Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electreum, Atomic Wallet, Guarda, and Coinomi. To steal data from these wallets, the malware looks for wallet files in the directory shown in the figure below and copies them for exfiltration.
This malware also targets cryptocurrency extensions of Chromium-based browsers. The figure below shows the targeted extensions along with their IDs. The malware enumerates all files in the Browser_name\User Data folder and looks for the “Local Extension Settings” folder, where extension data is stored; within it, the crypto extensions are identified by their extension ID.
The malware then tallies the harvested data, as shown in Figure 16. It compresses the folder in which the stolen data was saved and exfiltrates it to “http[:]//185[.]246.116.237[:]5001/getfile“. The folder is then deleted, removing all traces.
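Network-level detection for the exfiltration step above (and the beacon-monitoring recommendation later on the page), as an added example that is not Cyble’s code. It assumes one JSON proxy-log record per line with ts, src, method, url, bytes_out and content_type fields; the C&C address and the /getfile path are taken from the report, while the size threshold, the list of common web ports and the sample log lines are constructed for this example.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Endpoint quoted (defanged) in the report, written plainly here so it can be matched.
KNOWN_C2 = {("185.246.116.237", 5001)}
COMMON_WEB_PORTS = {80, 443, 8080, 8443}
LARGE_POST_BYTES = 100_000   # assumption for this example; tune to your environment

# Constructed proxy log lines (one JSON object per line), not real traffic. The second
# POST uses a TEST-NET address to show the generic rule firing without the IOC match.
SAMPLE_LOG = """
{"ts":"2022-06-10T09:14:02Z","src":"10.0.0.12","method":"POST","url":"http://185.246.116.237:5001/getfile","bytes_out":483210,"content_type":"application/octet-stream"}
{"ts":"2022-06-10T09:14:05Z","src":"10.0.0.12","method":"GET","url":"https://www.youtube.com/watch?v=placeholder","bytes_out":512,"content_type":""}
{"ts":"2022-06-10T09:15:11Z","src":"10.0.0.33","method":"POST","url":"http://203.0.113.9:5001/getfile","bytes_out":210000,"content_type":"application/zip"}
{"ts":"2022-06-10T09:16:40Z","src":"10.0.0.33","method":"POST","url":"https://api.example.com/v1/upload","bytes_out":300000,"content_type":"application/json"}
"""


def _is_raw_ip(host: str) -> bool:
    """True when the URL host is a literal IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def reasons_for(event: dict) -> list[str]:
    """Return every rule that matches the record; an empty list means the record is clean."""
    parts = urlsplit(event["url"])
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    reasons = []
    if (host, port) in KNOWN_C2:
        reasons.append("known PennyWise C&C endpoint")
    if event["method"] == "POST" and parts.path.endswith("/getfile"):
        reasons.append("POST to /getfile, the exfiltration path from the report")
    if (event["method"] == "POST" and _is_raw_ip(host)
            and port not in COMMON_WEB_PORTS and event["bytes_out"] >= LARGE_POST_BYTES):
        reasons.append("large POST to a raw IP on an uncommon port")
    return reasons


def detect(log_text: str) -> list[dict]:
    """Parse the log and return the flagged records with their matching rules."""
    hits = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        reasons = reasons_for(event)
        if reasons:
            hits.append({"ts": event["ts"], "src": event["src"], "url": event["url"],
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

The IOC match catches this sample only; the two behavioural rules are what carry over to new variants, since an upload of a freshly zipped staging folder to a bare IP on port 5001 looks the same whichever server the next build points at.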
Pennywise is an emerging stealer which is already making a name for itself. We have witnessed multiple samples of Pennywise out in the wild, indicating that Threat Actors may already be deploying it. Though there is not much information regarding its adoption by cybercriminals at the moment, in the future, we may see new variants of this stealer and observe further samples in the wild.
- Avoid downloading pirated software from unverified sites.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Keep updating your passwords after certain intervals.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on employees’ systems.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Defense Evasion | T1055.012 | Process Injection: Process Hollowing |
| Credential Access | T1555 | Credentials from Password Stores |
| Credential Access | T1539 | Steal Web Session Cookie |
| Credential Access | T1528 | Steal Application Access Token |
| Discovery | T1518 | Software Discovery |
| Discovery | T1124 | System Time Discovery |
| Discovery | T1007 | System Service Discovery |
| Command and Control | T1071 | Application Layer Protocol |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
Indicators of Compromise (IOCs)