Cyble-NoMercy-Stealer

NoMercy Stealer Adding New Features

New Stealer Rapidly Evolving into Clipper Malware

During a routine threat-hunting exercise, Cyble Research Labs came across a post on Telegram selling an information stealer malware called “NoMercy stealer.” The malware developer is currently selling the stealer for 780 Indian rupees or 10 USD, indicating that the stealer is developed primarily for Indian Threat Actors (TA). The NoMercy stealer developer is also rapidly adding new capabilities.

The stealer is very primitive, and our observations indicate that it is at the initial stages of development. The NoMercy stealer initially checks for the system’s public IP using  hxxp://api.ipify[.]org.

After getting the public IP, the stealer registers itself with the Command-and-Control server (C&C). After registration, the stealer sends various system information to the C&C server.

The stealer then proceeds to continuously send screenshots, keystrokes, webcam photos, and device audio to the C&C server. The figure below shows the Telegram post made by the NoMercy developer.

Figure 1 – NoMercy Stealer Telegram  Post

The Threat Actors (TAs) behind this group are actively working on enhancing the capabilities of the stealer. During the course of our analysis, we noticed that the TAs had added new features to this stealer, including clipper and VPN client-stealer capabilities.

The TAs behind NoMercy are selling this new version of the stealer for 20$. The figure shows the post for NoMercy stealer version v1.1.0.

Figure 2 – NoMercy Stealer v1.1.0 Telegram Post

Technical Analysis

The sha-256 of the information stealer is 9ecc76d4cda47a93681ddbb67b642c2e1f303ab834160ab94b79b47381e23a65.

This stealer is a 32-bit, console-based C# executable file. The file is a debug version of this stealer project. Figure 3 shows the basic file information.

Figure 3 – Static File Information

The NoMercy stealer has a hardcoded configuration embedded into the source code. The configuration contains the details such as C&C URL, file name for establishing persistence, version information, etc. The figure below shows the configuration details.

Figure 4 – Hardcoded Stealer Configuration

After initial execution, the information stealer copies itself into the start-up folder of the user’s machine. This results in the execution of the stealer at the time of the system restart.

The figure below shows the malicious file in the start-up folder named “WindowsKernalDrivers.exe.”

Figure 5 – Information Stealer Executable in Start-up folder

After establishing persistence, the stealer generates a unique UID using system artifacts such as the victim’s public IP and account name. The stealer gets the public IP of the victim from hxxp://api.ipify[.]org and appends the account name generated using the whoami command. The figure below shows the method GenerateUID() used to get the UID.

Figure 6 – Function to Generate UID of the Victim System

After generating UID, the stealer registers itself to the C&C server using the UID and stealer’s version information. The stealer then uses the format for its C&C communications using the method PostUID(). The TA thus gains information about the victim’s public IP, user account, and stealer version in the below format:

hxxp://six-clowns-sing-103-119-240-166.loca[.]lt/a?uid=[public IP]@[Current Username]&version=NoMercy-v1.0

Figure 7 – Function to Register Victim to C&C

After sending the victim data to the C&C server, the stealer collects various system information data points from the victim using cmd.exe. The information is extracted using various commands such as whoami, arp, ipconfig, etc. The figure below shows all these commands being used by the stealer.

Figure 8 – System Information Collected using cmd.exe

After getting the internal system information, the stealer queries and extracts additional system information from the infected system such as public IP, hardware ID, main memory, GPU, MAC address, private IP, OS version, details of any antivirus software installed, keyboard language, clipboard, running processes and CPU information.

The figure below shows the code used by the malware to collect additional system information.

Figure 9 – Other System Information Extracted by the NoMercy Stealer

After collecting the information, the stealer encodes the stolen data to a base64 string and sends the information to the C&C server.The stealer calls the PostCLIInfoCNC() and PostOtherInfoCNC() methodsfor sending the information to its C&C server, as shown below.

Figure 10 – Methods to Send Data to C&C Server

After sending all the victim’s information to its C&C server, the malware runs three separate threads for different operations, which are:

  1. Send screenshots
  2. Send microphone audio
  3. Send webcam snapshots
Figure 11 – NoMercy Stealer Execution

The malicious URL resolves to the IP address 193.34.76[.]44, which is highly active and hosts multiple malicious files. We have observed strains of various information stealers connecting to this IP.

Conclusion

The NoMercy stealer is a very crude and simple information stealer in its initial stages. The TAs behind this stealer are actively modifying the stealer and adding additional capabilities.

The active infections are not very high in volume but are a good indicator of the trends of the TAs involved. One such emerging trend is adding clipper capabilities to the malware. Cyble Research Labs continuously monitors all new and existing malware to keep our readers aware and informed.

MITRE ATT&CK® Techniques

TechniqueTechnique IDDescription
ExecutionT1204User Execution
PersistenceT1547Boot or Logon AutoStart Execution
DiscoveryT1087
T1046
T1012
T1518
T1082
T1016
T1033
Account Discovery
Network Service Discovery
Query Registry
Software Discovery
System Information Discovery
System Network Configuration
Discovery System Owner/User Discovery
CollectionT1119
T1115
T1056
T1113
T1125
Automated Collection
Clipboard Data
Input Capture
Screen Capture
Video Capture
Command and ControlT1071Application Layer Protocol

Indicators of Compromise (IOCs) 

IndicatorsIndicator TypeDescription
a101aebd7e97dba97311cde683a64a32
e010b078904516eeb6c471904d4adc190c6f53fe 9ecc76d4cda47a93681ddbb67b642c2e1f303ab834160ab94b79b47381e23a65  
MD5
SHA-1
SHA-256
NoMercy Stealer
hxxp://six-clowns-sing-103-119-240-166.loca[.]lt/URLCommand and Control
193.34.76[.]44IPCommand and Control
Scroll to Top