Cyble-Pennywise-Infostealer

PennyWise Stealer: An Evasive Infostealer leveraging YouTube to infect users

Multi-Threading Approach used For Rapid Exfiltration

During our routine Threat-Hunting exercise, Cyble Research Labs came across a new stealer named “PennyWise” shared by a researcher. The stealer appears to have been developed recently. Though this stealer is fresh, the Threat Actor(s) (TA) has already rolled an updated version, 1.3.4.

Our investigation indicates that the stealer is an emerging threat, and we have witnessed multiple samples of this stealer active in the wild. In its current iteration, this stealer can target over 30 browsers and cryptocurrency applications such as cold crypto wallets, crypto-browser extensions, etc.

The stealer is built using an unknown crypter which makes the debugging process tedious. It uses multithreading to steal user data and creates over 10 threads, enabling faster execution and stealing. The below figure shows the Pennywise stealer’s C&C panel.

Figure 1 – Command and Control Server

Initial Infection: Spreading via YouTube

The TA spreads this PennyWise stealer as free Bitcoin mining software. The TA has created a video on YouTube containing the link to download the malware. In this campaign, the users who look for Bitcoin mining software may become victims of Pennywise stealer.

Figure 2 – Hosting Malware Campaign on YouTube

When a user visits the link, the TA instructs them to download the malware hosted on the file hosting service. The malware file is zipped and password protected. To appear legitimate, the TA has shared a VirusTotal link of a clean file that is not related to the file available for download. The TA also tricks the users into disabling their antivirus for successful malware execution, as shown below.

Figure 3 – Manipulating User

The zip file contains an installer that drops the Pennywise stealer, executes it, and finally, the stealer exfiltrates the victim’s data to the C&C server. The figure below shows the network communication.

Figure 4 – Network Communication

As per our observations, the TA has created over 80 Videos on their YouTube channel for mass infection. We have also observed a few download links from the TA’s YouTube Channel that spread Pennywise stealer. The below figure shows the videos created for spreading malware via YouTube.

Figure 5 – Over 80 videos created on the TA’s YouTube Channel

Technical Analysis

The infection starts with the loader (SHA256: e43b83bf5f7ed17b0f24e3fb7e95f3e7eb644dbda1977e5d2f33e1d8f71f5da0) which injects the Pennywise stealer into a legitimate .NET binary named “AppLaunch.exe” using a technique called “process hollowing”.

Figure 6 – Process Hollowing

The .NET binary  (SHA256: 3bbd6cdbc70a5517e5f39ed9dfad0897d5b200feecd73d666299876e35fa4c90) is injected into AppLaunch.exe which is the actual payload of Pennywise stealer. The Pennywise stealer has encoded strings that are decoded during the initial execution of malware. The figure below shows the function “Class84.method_0“, which is responsible for decoding these strings.

Figure 7 – Function for Decoding Strings

Upon execution, the stealer initializes the variables that support the stealing functionality. The values are decoded and assigned to these variables during run time, as shown in the below table.

NameValueDescription
string_01.3.4Stealer Version
string_10Flag
string_2CRYPTED:ygBdfUqyTjr827lyAL47dg==Encrypted TA name
string_39D16FBEF0D8A8F87529DE06A1C43C737Mutex name
string_40Flag
string_51Flag
string_67Integer Value
string_71Flag
string_80Flag
string_91Flag
string_100Flag
string_11— CreateChannel —String
string_121Flag
string_13CRYPTED:vuw8jLF2e/Ljzrqrw2oAEBJLqFB8KtttiM5T7ns 2bs4Dsnmons6Ixd82gskRZISFEncrypted C2 URL
dictionary_0Document:  RTF,  Doc,  Docx,  txt, jsonFiles stealer will be stealing

The stealer then creates a mutex named “9D16FBEF0D8A8F87529DE06A1C43C737” to ensure that only one instance of malware is running at any given time on the victims’ machine. The malware terminates its execution if the mutex is already present.

Figure 8 – Running a Single Instance

The malware then gets the path of the targeted browsers for stealing user data. It targets the following browsers:

  • 30+ Chrome-based browsers
  • 5+ Mozilla-based browsers
  • Opera
  • Microsoft Edge
Figure 9 – Targeted browsers

Once the browser path is obtained, the malware fetches username, machine name, system language, and timezone details from the victim’s system. In this case, the malware converts the timezone into Russian Standard Time (RST), as shown below.

Figure 10 – Converting date-time to Russian Standard Time

The malware then retrieves the system language code using the CultureInfo class and gets the graphic driver and processor names of the victim’s machine using a WMI query. After this, it creates a string in the below format to generate an MD5 hash.  

mutex_name-Username-Machine_Name-Loanguage_code-Processor_name-Graphics_Driver_Name”

The hash value will be used to name a folder created with hidden attributes in the AppData\Local directory and save the stolen data.

Figure 11 – Creating a folder with hidden attributes

The malware tries to identify the victim’s country using the CultureInfo class and terminates its execution if the victim is based outside the following locations.

  • Russia
  • Ukraine
  • Belarus
  • Kazakhstan

This could indicate that the TA is trying to avoid scrutiny by Law Enforcement Agencies in these particular countries.

Figure 12 – Preventing Execution in certain countries

The malware performs multiple Anti-Analysis and Anti-Detection checks to prevent the execution of the malware in a controlled environment. It uses Win32_ComputerSystem class to detect any virtual machine.

Then, it checks for the following Dynamic-Link Library (DLL) files to identify the presence of antivirus applications and sandbox environments.

  • SbieDll: Sandboxie
  • SxIn: 360 Total Security
  • Sf2: Avast Antivirus
  • Snxhk: Avast Antivirus
  • cmdvrt32: COMODO

It also checks the running processes in the victims’ machine and terminates its execution if the following processes are running.

  • processhacker
  • netstat
  • netmon
  • tcpview
  • wireshark
  • filemon
  • regmon
  • cain
  • httpanalyzerstdv7
  • fiddler
  • fiddler everywhere
  • httpdebuggersvc

After this, the malware decrypts string_2 and string_13 in Table 1, which are encrypted using the Rijndael algorithm. These strings possibly contain the TA’s user name and Command & Control (C&C) URL. 

Figure 13 – Decrypted Strings

The malware then creates a folder under the folder which was created initially in the Appdata\Local directory in the following format:

“UserName@MachineName_Loanguage_code_Year_Month_Date_Hour_Minute_Second@StealerVersion”

The malware uses multithreading to steal data from the victim’s system. Every individual thread is responsible for performing a different operation, such as stealing the victim’s files, harvesting Chromium/Mozilla browser data, stealing the browser’s cryptocurrency extension data, taking screenshots, stealing sessions of chat applications, etc.

The malware creates over 10 threads and executes them using Thread.Start() method.

Figure 14 – Use of multithreading by the TA

The malware only steals files smaller than 20KB and has RTF,  Doc,  Docx,  txt, and JSON extensions which are saved in a folder named “grabber.”

Using the Directory.Exists() method, the malware identifies whether a targeted browser is present in the victims’ machine and steals data if these browsers are found. The malware steals data from Chromium and Mozilla-based browsers using the following method:

  • The sensitive user data, such as login credentials and cookies, stored in Chromium-based browsers is present in an encrypted form.

The malware enumerates and gets the names of all files in the “Browser-name\User Data\” folder and checks for the “Local State” file, which stores the encrypted key. The CryptUnprotectData() function decrypts the encrypted key, which will now be used to decrypt the login data file containing all users’ credentials.

  • In Mozilla-based browsers, the malware targets certain SQLite files named “cookies.sqlite”, “key4.db,” etc., which store data such as encryption keys and master passwords for login.json. The login.json file will be decrypted using these keys containing user credentials. The stolen cookies from browsers are saved into a file named “[browser name_Default]_Cookies.txt”.
Figure 15 – Checking whether a targeted browser exists on the victim system

For stealing Discord tokens, the malware targets the following directories:

  • Discord\Local Storage\leveldb
  • Discord PTB\Local Storage\leveldb
  • Discord Canary\leveldb

The malware steals Telegram sessions by copying files from the “Telegram Desktop\tdata” folder.

It also fetches the list of running processes using the Process.GetProcesses method and writes the data, including Process Name, PID, and execution path, to the “Processes.txt” file.

Figure 16 – Fetching all running processes data

The malware takes a screenshot of the victim’s system and stores it as a file named “Screenshot.jpg.” It creates a file named “Information.txt” that saves data such as location, details of the victim’s system, hardware details, antivirus, stealer version, victim’s unique ID, and date.

The malware queries the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall to find the list of installed applications and write this data to a file named “Software.txt” in the following format:

  • Application
  • Version
  • Location

The stealer queries the registry to identify the location of cryptocurrencies such as Litecoin, Dash, and Bitcoin, as shown in the figure below. It obtains the path from registry data “strDataDir” in the HKEY_CURRENT_USER\Software\Blockchain_name\ Blockchain_name-Qt registry key.

Figure 17 – Querying Registry

It targets cold crypto-wallets such as Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electreum, Atomic Wallet, Guarda, and Coinomi. To steal data from these wallets, the malware looks for wallet files in the directory shown in the figure below and copies them for exfiltration.

Figure 18 – Stealing data from cold crypto-wallets

This malware also targets crypto extensions of Chromium-based browsers for stealing data. The figure below shows the crypto extensions, along with their ID. It enumerates all files in the Browser_name\User Data folder and checks for the “Local Extension Settings” folder where extension-related data is stored. This folder finds the crypto browser extension using their extension ID.

Figure 19 – Stealing data from crypto browser extensions

The malware then compiles the count for harvested data, as shown in Figure 16. Additionally, it compresses the folder in which the stolen data was saved and exfiltrates it to “http[:]//185[.]246.116.237[:]5001/getfile“. This folder is then deleted, removing all traces.

Figure 20 – Exfiltration of data

Conclusion

Pennywise is an emerging stealer which is already making a name for itself. We have witnessed multiple samples of Pennywise out in the wild, indicating that Threat Actors may already be deploying it. Though there is not much information regarding its adoption by cybercriminals at the moment, in the future, we may see new variants of this stealer and observe further samples in the wild.

 

Our Recommendations 

  • Avoid downloading pirated software from unverified sites.
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Keep updating your passwords after certain intervals.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.  
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.   
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.  
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs.  
  • Enable Data Loss Prevention (DLP) Solutions on employees’ systems. 

MITRE ATT&CK® Techniques 

Tactic  Technique ID  Technique Name  
Execution   T1204  User Execution  
Defense EvasionT1140
T1497
T1055.012
Deobfuscate/Decode Files or Information
Virtualization/Sandbox Evasion
Process Injection: Process Hollowing
Credential Access  T1555  
T1539  
T1552  
T1528  
Credentials from Password Stores  
Steal Web Session Cookies  
Unsecured Credentials  
Steal Application Access Token  
Collection  T1113  Screen Capture  
Discovery  T1518  
T1124  
T1007  
Software Discovery  
System Time Discovery  
System Service Discovery  
Command and Control  T1071  Application Layer Protocol  
Exfiltration  T1041    Exfiltration Over C2 Channel  

Indicators of Compromise (IOCs) 

Indicators  Indicator type  Description  
http[:]//185[.]246.116.237[:]5001/getfileURL  C2 URL  
eef01a6152c5a7ecd4e952e8086abdb3
fd3c1844af6af1552ff08e88c1553cc6565fe455
e43b83bf5f7ed17b0f24e3fb7e95f3e7eb644dbda1977e5d2f33e1d8f71f5da0
Md5
SHA-1  
SHA-256  
Loader
66502250f78c6f61e7725a3daa0f4220
8cfc5d40a8008e91464fd89a1d6cb3a7b3b7a282
05854ea1958ef0969a2c717ce6cb0c67cd3bcd327badac6aa7925d95a0b11232
Md5   
SHA-1
SHA-256  
Stealer Payload  
a1249d31ea72e00055286c94592bc0e3
8644ac0cc1a805f1682a0b0f65052a1835e599b1
01c83c32ab5c2f0fda5c04aee7b02dc30d59c91c1db70e168a6cc1215cc53ab7
Md5   
SHA-1
SHA-256  
Stealer Payload  
e062fedb25bbf55894711100c35130c1
b28568c19eaafd0e8212b81ea7b87340554e1340

c5e9d0aa26ca6255559708bcf957d79e3adb4d2b08146cd765182f7b834227f4
Md5   
SHA-1
  
SHA-256  
Stealer Payload  
f71d077c9889d005c8c71f3a2fe20fd0
2ba8275af7b7708a7f79bb442c980ec3d3c04b91
dcd2c2073c227e5b496ca0cb13e31d18b45899dca0de1633f2eeb25d264258de
Md5   
SHA-1
SHA-256  
Stealer Payload  
a6064cd1760ea08973b20bdc0e7ea699
c5f3342e9fcc159eef81a459d54eb7b6ce80feb1
bc709e3aea5732c3d07c7f59ea22f8a5c026e45558d0e2aa3fb35ac78f39d9f4
Md5   
SHA-1
SHA-256  
Stealer Payload  
c9ac6deb0ef78785d469033117411e3d
15622e8ec3ec4c29f09b3871678199599d285e43
0eb43cef2e674aa72b24cccd36b349ce0e4eb347c0fbf373bc53c97713e8e94f
Md5   
SHA-1
SHA-256  
Stealer Payload  
da9f8ec6d3337315435fa9d9d7868980
ebf6edd68e97bd13d4ed3e878c7bd11dfb5a628c
117d5155fe3659a816f10faf859ff68c6094457eb1902d6699df74fac309befd
Md5   
SHA-1
SHA-256  
Stealer Payload  
d72619b4ededa0f8cfe9554557bf2c7f
ee456a4b32eff2eddf14c6ae5385d977081308b4
4da90f77a26a16eee48cb73ca920e681974554be0d87a225e7ad9416adbf34c6
Md5   
SHA-1
SHA-256  
Stealer Payload  
215c203f7f3e3f63c5ae9e35d8625463
b6bfbbd9c49cc94e4fcab413f62a12bb23485cdf
bc51e019e91bbb8e704ee4b7027dab4f7168b3b4e947e83d43bf4c488aa2b612
Md5   
SHA-1
SHA-256  
Stealer Payload  
ece1ffba058735ab9521ee1ed5cf969c
35a06ba7f2cffaf5c2f97c7fe02d235c6317ebf2
6dbeb13c7efbd62561bf2fea3b1e3d36021e701b80a993e28498182d0884ce6f
Md5   
SHA-1  
SHA-256  
Stealer Payload  
f0807f8ec6349d726b19713ece98c57b
e341cd9abfca8e02bef0d0af94343949a23ce6c4
bf46b901e1899533629b751f28bd4adab3f11f0ddf8b509c9f90af25a1a73b5b
Md5   
SHA-1  
SHA-256  
Stealer Payload  
88facb451a849d37a272ab9a7a83a47c
27c66fa23f8af20be0234f95b35e64ccea7d73ae
5b11938d67a8a0c629bf4ec1f8b77c6ba0910546984d4d983f43a25d4e7b72ac
Md5   
SHA-1
SHA-256  
Stealer Payload  
Scroll to Top