Doeneirum-Stealer-Cyble

New information stealer targeting crypto-wallets

Doenerium Stealer masquerading as Windows Malicious Software Removal Tool

Cyble Research and Intelligence Labs (CRIL) spotted a malicious domain being used in a spear-phishing email campaign targeting Office365 users to steal credentials. The same domain was observed hosting multiple other malware variants, for example, a new stealer called “Doenerium stealer.”

Case 1:

The spear phishing email contains a link masquerading as a PDF attachment targeting Office365 users, as shown below.

Figure 1 – Malicious Link Embedded in Email

Once the user clicks on the link masquerading as a PDF attachment, it redirects them to the phishing page hxxps://neon[.]page/doc03565.

The attacker is running a phishing campaign to steal Microsoft Office 365 credentials. The following figure shows the phishing website used by the attacker.

Figure 2 – Phishing Websites used by the attacker

During the course of our research, we observed that the domain is malicious and hosting multiple malicious files. One such web page hxxps://neon[.]page/Microsoft-Windows-MSRT hosts a malicious stealer as a Microsoft Windows Malicious Software Removal Tool application.

Case 2:

Figure 3 – Website Hosting Stealer

There are two download links for the application, with both 32-bit and 64-bit versions available. However, both links host the same compressed folder with different names to appear genuine. The figure below shows the downloaded files.

Figure 4 – Malicious Files Hosted on the Website

The compressed folder contains a Windows executable and a Readme file. The file is named “Windows-KB890830-x64-V5.104.exe,” and the file’s icon is similar to the icon of Node JavaScript framework.

Figure 5 – Stealer File with Node JavaScript Icon

Further, we identified that the malicious file is an open-source stealer available on GitHub. The stealer is actively updating its capabilities and plans to add additional features such as Discord bot building, keylogging, Firefox stealer, etc. The figure below shows the GitHub page of the stealer.

Figure 6 – GitHub Page of Doenerium Stealer

The malicious file is unusually large and comes equipped with anti-sandbox and anti-analysis features, as well as the capability to establish persistence on the victim.

Technical Analysis

The file is a 64-bit Microsoft Visual C/C++ console-based Windows executable file with an unusually large file size of 102 MB.

The figure below shows the properties of the malicious”Windows-KB890830-x64-V5.104.exe” file.

Figure 7 – Doenerium Stealer Executable File Details

Upon investigating additional properties of the executable, we observed that the downloaded file is further masquerading as “Node.exe,” which is a Javascript framework, as shown below.

Figure 8 – Additional Properties of Doenerium Stealer

After execution, the malware performs malicious activities such as killing running processes, stealing data, monitoring clipboard data, monitoring system processes, etc. The following image shows the process tree of the Doenerium stealer.

Figure 9 – Process Tree of Doenerium Stealer

The malware then tries to perform privilege escalation using the RTLAdjustPrivilege() function, as shown below.

Figure 10 – Privilege Escalation Using RTLAdjustPrivilege()

After gaining access, the malware drops Node JavaScript Framework-related files in the Temp folder. These files are support files required to run the stealer in the background. The figure below shows the Node JS packages.

Figure 11 – Node JS-Related files dropped into the Temp Folder

Once the Node packages are dropped into the Temp folder, the malware checks for running processes to obstruct and prevent any analysis.

The malware then runs “cmd.exe” and executes the tasklist command to list currently running programs on the victim’s machine. The following command is used to list programs:

  • C:\Windows\system32\cmd.exe /d /s /c “tasklist”

The stealer contains a list of application names related to virtualization software and malware analysis tools. The malware checks and terminates these processes if they are found actively running on the victim’s machine. These applications are:

HttpdebuggeruiWiresharkFiddler
Vboxservicedf5servProcesshacker
VboxtrayvmtoolsdVmwaretray
ida64ollydbgPestudio
VmwareuservgauthserviceVmacthlp
x96dbgvmsrvcx32dbg
Vmusrvcprl_ccprl_tools
Xenserviceqemu-gajoeboxcontrol
ksdumperclientksdumperjoeboxserver

The malware kills these processes using the following command:

  • C:\Windows\system32\cmd.exe /d /s /c “taskkill /IM <Application Name> /F”

The figure below shows the malware using tasklist and taskkill commands to terminate any targeted applications.

Figure 12 – Stealer terminating applications

The stealer also has a list of PC names and hardware IDs to identify whether it is being run in a controlled environment. If the PC name and hardware ID are present in the list, then the stealer will terminate itself. The following are the two tables mentioning the PC names and hardware IDs.

PC Names:

WDAGUtilityAccountAbbyPeter Wilson
hmarcpatexJOHN-PC
kEecfMwgjFrankRDhJ0CNFevzX
8Nl0ColNQ5bqLisaJohn
georgePxmdUOpVyx8VizSM
w0fjuOVmCcP5AlmVwjj9bPqONjHVwexsS
3u2v9m8JuliaHEUeRzl
BEE7370C-8C0C-4DESKTOP-NAKFFMTWIN-5E07COS9ALR
B30F0242-1C6A-4DESKTOP-VRSQLAGQ9IATRKPRH
XC64ZBDESKTOP-D019GDMDESKTOP-WI8CLET
SERVER1LISA-PCJOHN-PC
DESKTOP-B0T93D6DESKTOP-1PYKP29DESKTOP-1Y2433R
WILEYPCWORK6C4E733F-C2D9-4
RALPHS-PCDESKTOP-WG3MYJSDESKTOP-7XC6GEZ
DESKTOP-5OV9S0OQarZhrdBpjORELEEPC
ARCHIBALDPCJULIA-PCd1bnJkfVlH

Hardware IDs:

7AB5C494-39F5-4941-9163-47F54D6D5016032E02B4-0499-05C3-0806-3C0700080009
03DE0294-0480-05DE-1A06-35070008000911111111-2222-3333-4444-555555555555
6F3CA5EC-BEC9-4A4D-8274-11168F640058ADEEEE9E-EF0A-6B84-B14B-B83A54AFC548
4C4C4544-0050-3710-8058-CAC04F59344A00000000-0000-0000-0000-AC1F6BD04972
00000000-0000-0000-0000-0000000000005BD24D56-789F-8468-7CDC-CAA7222CC121
49434D53-0200-9065-2500-65902500E43949434D53-0200-9036-2500-36902500F022
777D84B3-88D1-451C-93E4-D235177420A749434D53-0200-9036-2500-369025000C65
B1112042-52E8-E25B-3655-6A4F54155DBF00000000-0000-0000-0000-AC1F6BD048FE
EB16924B-FB6D-4FA1-8666-17B91F62FB37A15A930C-8251-9645-AF63-E45AD728C20C
67E595EB-54AC-4FF0-B5E3-3DA7C7B547E3C7D23342-A5D4-68A1-59AC-CF40F735B363
63203342-0EB0-AA1A-4DF5-3FB37DBB067044B94D56-65AB-DC02-86A0-98143A7423BF
6608003F-ECE4-494E-B07E-1C4615D1D93CD9142042-8F51-5EFF-D5F8-EE9AE3D1602A
49434D53-0200-9036-2500-369025003AF08B4E8278-525C-7343-B825-280AEBCD3BCB
4D4DDC94-E06C-44F4-95FE-33A1ADA5AC2779AF5279-16CF-4094-9758-F88A616D81B4

After terminating the targeted processes, the malware drops itself as “Updater.exe”to the Start-up entry to establish persistence. The figure below shows the malware in the Start-up folder.

Figure 13 – Start-Up Entry to establish persistence

The stealer then starts an information-stealing operation in the infected system. The malware steals clipboard data if the data has cryptocurrency wallet addresses and replaces it with the attacker’s wallet address.

The stealer uses regex to find the wallet addresses in the clipboard. The figure below shows the routine to get clipboard data to carry out clipper operations.

Figure 14 – Routine for Clipper operation

After checking for clipboard data, the stealer looks for crypto wallet data in the system and steals it. The below figure shows the routine to find wallet data in the victim’s system.

Figure 15 – Routine to steal wallet data

The stealer looks for Discord tokens in various system locations. Figure 16 shows the routine to find Discord tokens stored across different browsers of the victim’s system.

Figure 16 – Routine to steal Discord Tokens

The malware also collects victims’ sensitive information, such as usernames, passwords, cookies, history, bookmarks, and user profiles from the installed browsers. The stealer targets the following browsers:

  • Google Chrome
  • Opera Stable
  • Brave Browser
  • Yandex
  • Microsoft Edge

The figure below shows the information targeted by the stealer that is present in the victim’s system.

Figure 17 – Routine to steal browser data

After stealing browser information, the malware steals system information such as CPU, Wi-Fi connections, RAM, Operating System version, host name, PC name, and processors. It then sends this information to the Command and Control (C&C) server. The figure below shows the routine to steal system information.

Figure 18 – Routine to steal System Information

Finally, the stolen artifacts are stored at the C:\Users\<Users>\AppData\Local folder location so that the malware can send it to the C&C server. The figure below shows the information collected by the stealer.

Figure 19 – Doenerium Stealer Collecting Information for exfiltration

After all the data is collected and stored in a specific “Local” folder, the malware compresses the data in a zip file and sends the zip file to the Discord webhook. The figure below shows the routine to send data to the C&C server.

Figure 20 – Routine to Create Zip File and Discord communication.

Conclusion

As a consequence of the rise in digital transactions and cryptocurrency usage, malware authors are continuously creating new stealers. The increasing use of digital currency incentivizes cyber criminals to steal funds from cryptocurrency users. This stolen data could then be used to commit financial fraud and stage other attacks.

There is a recent trend wherein the malware authors create GitHub pages, hosting malware builders. These open-source malware builders are upgraded with new features by TAs and are sold in cybercrime forums and markets.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
ExecutionT1204.002User Execution: Malicious File
PersistenceT1547.001Boot or Logon AutoStart Execution: Registry Run Keys / Startup Folder
Privilege EscalationT1055Process Injection
Defense EvasionT1036Masquerading
Defense EvasionT1497Virtualization/Sandbox Evasion
DiscoveryT1057Process Discovery
Command and ControlT1071Application Layer Protocol

 Indicators Of Compromise (IOCs)

IndicatorsIndicator TypeDescription
9b4864d3de5fd251843d09bec1252befMD5Malicious node.exe
afaffc4c8c314249a0ce8017fcf9a549b2ac8337SHA1Malicious node.exe
609cccf310e725ba4ff4d74edffa0c33d4640f3c391dbbac4e1d00dd3f9c249eSHA256Malicious node.exe
f8ea2163d80aca793eefd7b2797f01e4MD5Malicious Zip
83ffbd5f4f4c2d1b681741d9f751105c4177fafdSHA1Malicious Zip
1b005dd76abc86ada724297b6698d3cbbe77f0bceb8fee41d9303114d689f609SHA256Malicious Zip
hxxps://neon[.]page/Microsoft-Windows-MSRTURLMalicious Domain
hxxps://neon[.]page/doc0365URLMalicious Link
Jaye8059.myportfolio[.]comDomainPhishing Webpage

Scroll to Top