Dubbed information stealer spotted stealing sensitive Data
Phishing sites are becoming an increasingly attractive target for Threat Actors (TAs) to lure victims into stealing sensitive information, and downloading other malware, such as RAT, Ransomware, etc., to damage the victim’s machine. Generally, the link of these phishing pages arrives to users via SMS, Email, social networks, etc.
Cyble Research and Intelligence Labs (CRIL) has also been regularly monitoring various phishing campaigns and discussing them.
Recently, CRIL identified a phishing site, “hxxp://anydesk[.]ml,” impersonating a genuine AnyDesk website. AnyDesk is a remote desktop application that offers remote access to other computers, file transfer, and other functionalities. The initial infection starts when the user clicks on the “Downloads” button present in the phishing site, which downloads a malware named “Anydesk.exe” file from the remote server.
The phishing site looks very similar to the genuine Anydesk website. The phishing site is well-designed, and the TAs behind this phishing campaign has implemented all tabs present on the website. When a user clicks on the “Order Now” button, it redirects the user to the subscription page, similar to the official Anydesk website, as shown in the below image.
The TA has also added the fake jobs opening on the phishing site in the Company -> Career section to appear genuine.
We have discovered that the downloaded Anydesk.exe file is a stealer dubbed “MITSU STEALER.” Our investigation also shows that the TA created the stealer based on the code in the GitHub repository. The detailed behavior of the stealer is explained in the Technical Details section.
Technical Details
The downloaded Anydesk.exe file is a 64-bit Microsoft Visual C/C++ GUI-based Windows executable with a file size of ~28MB. The figure below shows the static details of the malicious binary file.
The stealer was developed in python and then converted into an executable file. Upon execution, it drops the python supporting files (.pyd & .dll files), steals sensitive information, and deletes them after successful execution. The below figure shows the “.pyd” and “.dll” files dropped in the %temp% directory during execution.
The malware now enumerates the running processes in user’s machine and checks the process names related to the network analysis tool. If found, it kills the process before starting the infection on the user’s machine. The below figure shows the code snippet used to kill the processes related to Network analysis tools.
Then, the malware bypasses the BetterDiscord by replacing the string ‘api/webhooks’ with ‘MitsuTheGoat,’ as shown below.
After that, the stealer collects victims’ sensitive information, such as usernames, passwords, cookies, auto-fills, and user profiles from the installed browser’s directories. The stealer targets the following browsers to steal sensitive information:
- Google Chrome
- Microsoft Edge
- Opera GX Stable
- Opera Stable
- Mozilla Firefox
The malware uses the following SQL queries that extract sensitive information from the victims’ machine and store it in “cookies.json” and “passwords.json” under the %AppData% folder.
- SELECT host_key, name, encrypted_value FROM cookies
- SELECT action_url, username_value, password_value FROM logins
Additionally, the malware also collects the information from cryptocurrency wallets such as Coinbase, Binance and other wallets like Paypal, then sends all the stolen details to the following webhook URL by using the send_info() function:
- hxxps://discord[.]com/api/webhooks/999366329641467984/5-e6JL54mjiiJjSUh5ME3LOdQ0VIwhlpQ5WKcll_MpNKGTKBQJqvZCc6eXDMTafe7Tm-
Then, the malware collects Discord tokens in various system locations by reading and extracting “.log” and “.ldb” files. The figure below shows the routine to find Discord tokens stored across different browsers’ directories.
After collecting the Discord tokens, the malware tries to get the details using the following functions.
| getuserdata() | Uses the below URL to get user details, such as Username, user_id, avatar_id, email, and phone: hxxps[:]//discord[.]com/api/v6/users/@me |
| getip() | Gets the victim’s IP details using the URL hxxps[:]//api.ipify[.]org |
| getavatar() | Uses the below URL to get the avatar_url: hxxps[:]//cdn.discordapp[.]com/avatars/{uid}/{url}[.]gif |
| getenv() | Uses the below function to get the pc_name: os.getenv(“COMPUTERNAME”) |
| get_cc() | Steals the victim’s details using the following URL hxxps://discord[.]com/api/v6/users/@me/billing/payment-sources |
| get_badges() | It gets the all-discard badges |
| get_friends() | It uses the below URL to get the discord friend’s names hxxps://discord[.]com/api/v6/users/@me/relationships |
The below figure shows the functions used by the malware to get the Discord token information.
The malware now creates a JSON dump which contains the details of the token information collected above and sends them to a below Discord webhook URL:
- hxxps://discord[.]com/api/webhooks/999366329641467984/5-e6JL54mjiiJjSUh5ME3LOdQ0ViwhlpQ5WKcll_MpNKGTKBQJqvZCc6eXDMTafe7Tm-
The malware uses the below URL as avatar_url when generating a JSON dump.
- hxxps://media.discordapp[.]net/attachments/988835185300742258/997093134787944539/ansn[.]png
This URL downloads a PNG file named “ansn.png” which shows the malware name “MITSU STEALER” in the below figure.
Finally, the stealer tries to download a JavaScript file named “index.js” from hxxps[:]//raw.githubusercontent[.]com/mitsustlr/inject/main/index[.]js and replace it with the legitimate Discord-related file present in the following locations.
- %appdata%\Discord
- %appdata%\DiscordCanary
- %appdata%\DiscordPTB
- %appdata%\DiscordDevelopment
After replacing the file, the malware terminates the Discord application and restarts it, which further loads the replaced “index.js” file that performs other malicious activities. During our analysis, we found that the GitHub repository was not available to download the “index.js” file.
Conclusion
The remote desktop application has powerful functionalities and is widely used for professional and personal purposes. TAs often try to impersonate such remote desktop applications to appear genuine and lures the victim into downloading malware.
According to our research, the TA skillfully impersonated the Anydesk website and distributed MISTU Stealer to steal victims’ sensitive information. Users should be careful of such phishing sites and verify the source before downloading any application.
Our Recommendations
- Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, Torrent sites, etc., contains such malware.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and Email attachments without first verifying their authenticity.
- Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| ​Initial Access | T1566 | ​Phishing |
| Execution | T1204 T1059 | User Execution Command and Scripting Interpreter |
| Persistence | T1574 | DLL Side-Loading |
| Privilege Escalation | T1055 | Process Injection |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
| Credential Access | T1003 | OS Credential Dumping |
| Discovery | T1082 T1083 T1057 | System Information Discovery File and Directory Discovery Process Discovery |
| Collection | T1005 | Data from Local System |
| Command and Control | T1071 T1573 | Application Layer Protocol Encrypted Channel |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| a47970f99928d7628ba3fff45c03807f eda41936d93347a920e891f8016dae4562fc29d5 77e2b24779faccc8154b475893633c97d26316a3211a16757f4ddcfcb797098c | MD5 SHA1 Sha256 | Anydesk.exe |
| 164[.]92[.]235[.]193 | IP | Malware distribution IP |
| hxxp://anydesk[.]ml | URL | Malware distribution site |
