
Mitsu Stealer distributed via AnyDesk Phishing Site

Newly dubbed information stealer spotted stealing sensitive data

Phishing sites are becoming an increasingly attractive vector for Threat Actors (TAs): they lure victims into handing over sensitive information and into downloading additional malware, such as RATs and ransomware, that damages the victim’s machine. The links to these phishing pages typically reach users via SMS, email, social networks, and similar channels.

Cyble Research and Intelligence Labs (CRIL) regularly monitors such phishing campaigns and publishes its findings on them.

Recently, CRIL identified a phishing site, “hxxp://anydesk[.]ml,” impersonating the genuine AnyDesk website. AnyDesk is a remote desktop application that offers remote access to other computers, file transfer, and other functionality. The infection starts when the user clicks the “Downloads” button on the phishing site, which fetches a malicious file named “Anydesk.exe” from a remote server.

Figure 1 – Phishing site impersonating AnyDesk and downloading malware

The phishing site closely resembles the genuine AnyDesk website. It is well designed, and the TAs behind the campaign have implemented every tab present on the real site. When a user clicks the “Order Now” button, they are redirected to a subscription page modelled on the official AnyDesk one, as shown in the image below.

Figure 2 – Fake subscription page

The TA has also posted fake job openings in the Company -> Career section of the phishing site to make it appear genuine.

Figure 3 – Fake job opening posted on phishing site

We found that the downloaded Anydesk.exe file is an information stealer dubbed “MITSU STEALER.” Our investigation also indicates that the TA built the stealer from code hosted in a GitHub repository. The stealer’s behavior is described in detail in the Technical Details section.

Technical Details

The downloaded Anydesk.exe file is a 64-bit GUI-based Windows executable compiled with Microsoft Visual C/C++, with a file size of roughly 28 MB. The figure below shows the static details of the malicious binary.

Figure 4 – Static file details of Mitsu Stealer

The stealer was written in Python and then packaged into a standalone executable, which explains the large file size. Upon execution, it drops the Python runtime’s supporting files (.pyd and .dll files) into the %temp% directory, steals sensitive information, and deletes the dropped files once it has finished. The figure below shows the “.pyd” and “.dll” files dropped in %temp% during execution.

Figure 5 – Python supporting files dropped at %temp% folder

The malware then enumerates the processes running on the victim’s machine and compares their names against a list of network analysis tools. If a match is found, it terminates that process before beginning the theft, so that its network traffic is not captured. The figure below shows the code snippet used to kill processes related to network analysis tools.

Figure 6 – Kill process

Next, the malware defeats BetterDiscord’s built-in protection against token grabbers. BetterDiscord blocks outbound requests whose URL contains the string ‘api/webhooks’; the stealer overwrites that string in BetterDiscord’s files with ‘MitsuTheGoat,’ so the check no longer matches and the stealer’s own webhook traffic passes through, as shown below.

Figure 7 – Bypassing BetterDiscord

After that, the stealer collects the victim’s sensitive information, such as usernames, passwords, cookies, auto-fill data, and user profiles, from the profile directories of the installed browsers. It targets the following browsers:

  • Google Chrome
  • Microsoft Edge
  • Opera GX Stable
  • Opera Stable
  • Mozilla Firefox

The malware runs the following SQL queries against the browsers’ SQLite databases (the Chromium “Cookies” and “Login Data” files) to extract the data, and stores the results in “cookies.json” and “passwords.json” under the %AppData% folder. Note that the encrypted_value and password_value columns hold ciphertext protected with the browser’s master key, which the stealer must also obtain before the data is usable.

  • SELECT host_key, name, encrypted_value FROM cookies
  • SELECT action_url, username_value, password_value FROM logins
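The following is an added example, not code from the Cyble write-up or from the stealer: it runs the two queries quoted above against a constructed, in-memory SQLite database that mimics only the columns of Chromium’s “Login Data” and “Cookies” files that those queries touch, and shapes the rows the way the post describes (cookies.json / passwords.json). The table layouts, sample rows, and the placeholder ciphertext bytes are all constructed for the demo; no decryption is performed.

```python
"""Added example: replay the stealer's two SQL queries against a constructed
Chromium-like SQLite database.  Everything here is made up for the demo."""
import json
import sqlite3

# The two queries quoted in the write-up, verbatim.
COOKIE_QUERY = "SELECT host_key, name, encrypted_value FROM cookies"
LOGIN_QUERY = "SELECT action_url, username_value, password_value FROM logins"


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a Chromium profile.  Only the columns the
    stealer's queries reference are modelled; real files carry many more."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE cookies (host_key TEXT, name TEXT, encrypted_value BLOB);
        CREATE TABLE logins  (action_url TEXT, username_value TEXT, password_value BLOB);
        """
    )
    # Chromium (>= 80) prefixes AES-GCM-encrypted values with the ASCII tag
    # "v10"; the bytes after it below are dummy ciphertext, not a real secret.
    conn.executemany(
        "INSERT INTO cookies VALUES (?, ?, ?)",
        [
            (".example.com", "session_id", b"v10" + b"\x00" * 16),
            ("accounts.example.net", "auth", b"v10" + b"\x11" * 16),
        ],
    )
    conn.executemany(
        "INSERT INTO logins VALUES (?, ?, ?)",
        [("https://login.example.com/", "alice@example.com", b"v10" + b"\x22" * 16)],
    )
    return conn


def dump_like_stealer(conn: sqlite3.Connection):
    """Run both queries and return (cookies, passwords) as lists of dicts,
    the shape a cookies.json / passwords.json dump would take.  Encrypted
    blobs are hex-encoded so the result is JSON-serialisable."""
    cookies = [
        {"host": host, "name": name, "encrypted_value": value.hex()}
        for host, name, value in conn.execute(COOKIE_QUERY)
    ]
    passwords = [
        {"url": url, "username": user, "encrypted_password": pw.hex()}
        for url, user, pw in conn.execute(LOGIN_QUERY)
    ]
    return cookies, passwords


def run_demo() -> dict:
    """Return the two JSON documents keyed by the file names the post gives."""
    conn = build_sample_db()
    cookies, passwords = dump_like_stealer(conn)
    return {
        "cookies.json": json.dumps(cookies, indent=1),
        "passwords.json": json.dumps(passwords, indent=1),
    }


if __name__ == "__main__":
    for name, body in run_demo().items():
        print(f"--- {name} ---\n{body}")
```

The hex output of every encrypted field starts with 763130 (“v10”), which is the quickest way to confirm that what a stealer copies out of these tables is ciphertext bound to the browser’s master key; a live browser also holds these files locked, which is why stealers typically copy them before querying.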

Additionally, the malware collects data related to cryptocurrency services such as Coinbase and Binance, as well as payment services such as PayPal, and then sends all of the stolen details to the following webhook URL using its send_info() function:

  • hxxps://discord[.]com/api/webhooks/999366329641467984/5-e6JL54mjiiJjSUh5ME3LOdQ0VIwhlpQ5WKcll_MpNKGTKBQJqvZCc6eXDMTafe7Tm-

Next, the malware harvests Discord tokens from various locations on the system by reading the “.log” and “.ldb” files (LevelDB local-storage files) of the Discord clients and of the browsers listed above, and extracting token-shaped strings from them. The figure below shows the routine that searches for Discord tokens across the different browser directories.

Figure 8 – Routine to steal discord tokens

After collecting the Discord tokens, the malware uses each token to query Discord’s API and enrich it with account details, via the following functions:

  • getuserdata() – fetches the username, user_id, avatar_id, email, and phone number from hxxps[:]//discord[.]com/api/v6/users/@me
  • getip() – fetches the victim’s public IP address from hxxps[:]//api.ipify[.]org
  • getavatar() – builds the avatar_url from hxxps[:]//cdn.discordapp[.]com/avatars/{uid}/{url}[.]gif
  • getenv() – reads the computer name (pc_name) with os.getenv(“COMPUTERNAME”)
  • get_cc() – fetches the account’s saved payment sources (billing details) from hxxps://discord[.]com/api/v6/users/@me/billing/payment-sources
  • get_badges() – lists all badges on the Discord account
  • get_friends() – fetches the names of the account’s Discord friends from hxxps://discord[.]com/api/v6/users/@me/relationships

The below figure shows the functions used by the malware to get the Discord token information.

Figure 9 – Extracting discord token details

The malware then builds a JSON dump containing the token details collected above and sends it to the Discord webhook URL below:

  • hxxps://discord[.]com/api/webhooks/999366329641467984/5-e6JL54mjiiJjSUh5ME3LOdQ0ViwhlpQ5WKcll_MpNKGTKBQJqvZCc6eXDMTafe7Tm-

Figure 10 – Webhook URL
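The stealer’s exfiltration and token-enrichment traffic, as described above, leaves a recognisable footprint in web-proxy logs. The following is an added example, not part of the Cyble post: a small detector that scans proxy log lines for the network behaviours the write-up attributes to Mitsu Stealer (POSTs to Discord webhooks, the api.ipify.org lookup, and calls to the Discord user API) and flags clients that exhibit more than one of them. The log format and every log line below are constructed for the demo, and the webhook token in the sample line is a placeholder, not the real one.

```python
"""Added example: flag Mitsu-Stealer-like network behaviour in constructed
web-proxy log lines.  Patterns are written generically so that a rotated
webhook ID would still be caught."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Discord webhook path: /api/webhooks/<snowflake>/<token>.  Snowflakes are
# 17-20 digits; webhook tokens are long URL-safe strings.
WEBHOOK_RE = re.compile(r"^/api/webhooks/\d{17,20}/[\w-]{60,}$")
# Endpoints the write-up lists for enriching stolen tokens (API v6).  Newer
# clients use other API versions; add them here if your environment sees them.
DISCORD_USER_API = ("/api/v6/users/@me",)
IP_LOOKUP_HOSTS = {"api.ipify.org"}

# Constructed proxy log, one request per line:
# "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2022-07-20T10:01:02Z 10.0.0.5 GET https://www.anydesk.com/en 200
2022-07-20T10:01:09Z 10.0.0.5 GET https://api.ipify.org/ 200
2022-07-20T10:01:10Z 10.0.0.5 GET https://discord.com/api/v6/users/@me/billing/payment-sources 200
2022-07-20T10:01:11Z 10.0.0.5 POST https://discord.com/api/webhooks/999366329641467984/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 204
2022-07-20T10:02:00Z 10.0.0.9 GET https://discord.com/channels/@me 200
"""


def classify(method: str, url: str):
    """Return an indicator tag for one request, or None if it is benign."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in IP_LOOKUP_HOSTS:
        return "ip-lookup"
    if host == "discord.com" or host.endswith(".discord.com"):
        if method.upper() == "POST" and WEBHOOK_RE.match(parsed.path):
            return "webhook-exfil"
        if parsed.path.startswith(DISCORD_USER_API):
            return "token-enrichment"
    return None


def scan(log_text: str):
    """Return [(client_ip, tag, url)] for every line that matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than crash the scan
        _ts, client, method, url, _status = parts[:5]
        tag = classify(method, url)
        if tag:
            hits.append((client, tag, url))
    return hits


def suspicious_clients(hits, min_distinct_tags: int = 2):
    """Clients showing at least `min_distinct_tags` different indicator
    types: an IP lookup alone is noise, but an IP lookup followed by a
    webhook POST from the same host is the stealer's exfil sequence."""
    tags_by_client = defaultdict(set)
    for client, tag, _url in hits:
        tags_by_client[client].add(tag)
    return {c for c, tags in tags_by_client.items() if len(tags) >= min_distinct_tags}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for client, tag, url in found:
        print(f"{client:<10} {tag:<17} {url}")
    print("suspicious:", sorted(suspicious_clients(found)))
```

Webhook POSTs from endpoints that are not running automation are rare enough that the “webhook-exfil” tag alone is usually worth an alert; the client-level correlation is there to keep the cheaper indicators (the IP lookup, a single user-API call) from paging anyone on their own.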

The malware uses the below URL as avatar_url when generating a JSON dump.

  • hxxps://media.discordapp[.]net/attachments/988835185300742258/997093134787944539/ansn[.]png

This URL serves a PNG file named “ansn.png” that displays the malware’s name, “MITSU STEALER,” as shown in the figure below.

Figure 11 – MITSU STEALER png image

Finally, the stealer attempts to download a JavaScript file named “index.js” from hxxps[:]//raw.githubusercontent[.]com/mitsustlr/inject/main/index[.]js and overwrite the legitimate Discord index.js with it in each of the following Discord client installations:

  • %appdata%\Discord
  • %appdata%\DiscordCanary
  • %appdata%\DiscordPTB
  • %appdata%\DiscordDevelopment

After replacing the file, the malware terminates the Discord application and restarts it so that the client loads the replaced “index.js,” which then carries out further malicious activity. At the time of our analysis, the GitHub repository hosting “index.js” was no longer available, so the injected payload could not be retrieved.
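Because the injection described above lands in a file with a known, tiny legitimate content, it can be audited directly. The following is an added example, not code from the Cyble post or from Discord: an integrity check for the Discord loader “index.js” in each of the four client directories the write-up lists. It assumes the layout of a stock Discord desktop install, where the loader lives under %APPDATA%\<client>\<version>\modules\discord_desktop_core*\...\index.js and consists of the single line module.exports = require('./core.asar'); (that layout and content are stated here as an assumption, not taken from the post). The sample tree is constructed in a temporary directory so the check runs offline; the “tampered” file is a placeholder, not the stealer’s actual index.js.

```python
"""Added example: audit Discord's index.js loader for injected code.
Directory layout and the expected one-line loader are assumptions about a
stock Discord install; the sample tree below is constructed for the demo."""
import os
import re
import tempfile
from pathlib import Path

# Client directories named in the write-up.
CLIENT_DIRS = ("Discord", "DiscordCanary", "DiscordPTB", "DiscordDevelopment")
# A stock loader is exactly one require() of core.asar, nothing else.
LEGIT_LOADER = re.compile(
    r"^\s*module\.exports\s*=\s*require\(['\"]\./core\.asar['\"]\);?\s*$"
)


def find_loader_files(appdata: Path):
    """Yield every index.js under a discord_desktop_core module directory."""
    for client in CLIENT_DIRS:
        base = appdata / client
        if not base.is_dir():
            continue
        for path in base.rglob("index.js"):
            if any(part.startswith("discord_desktop_core") for part in path.parts):
                yield path


def audit(appdata: Path) -> dict:
    """Return {path: 'clean' | 'tampered'} for each loader found.  Anything
    beyond the single require() is treated as injected code."""
    results = {}
    for path in find_loader_files(appdata):
        text = path.read_text(encoding="utf-8", errors="replace")
        results[str(path)] = "clean" if LEGIT_LOADER.match(text) else "tampered"
    return results


def build_sample_tree(root: Path) -> Path:
    """Constructed %APPDATA% stand-in: one untouched client, one injected."""
    clean = root / "Discord" / "1.0.9005" / "modules" / "discord_desktop_core-1" / "discord_desktop_core"
    bad = root / "DiscordCanary" / "1.0.45" / "modules" / "discord_desktop_core-1" / "discord_desktop_core"
    for d in (clean, bad):
        d.mkdir(parents=True)
    (clean / "index.js").write_text("module.exports = require('./core.asar');\n")
    # Injected loader: keeps the original require() so Discord still works,
    # and prepends extra code.  Placeholder body, not the real payload.
    (bad / "index.js").write_text(
        "const fs = require('fs');\n"
        "/* ...injected payload would sit here... */\n"
        "module.exports = require('./core.asar');\n"
    )
    return root


def demo() -> dict:
    """Audit the constructed tree; return {client_dir: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp))
        return {
            Path(p).relative_to(root).parts[0]: verdict
            for p, verdict in audit(root).items()
        }


if __name__ == "__main__":
    print("demo:", demo())
    # On a real Windows host, audit the live installs instead:
    if "APPDATA" in os.environ:
        for path, verdict in audit(Path(os.environ["APPDATA"])).items():
            print(f"{verdict:<9} {path}")
```

A “tampered” verdict is a strong signal but not proof of this specific family, since legitimate client mods also patch this loader; in either case the fix is the same: kill Discord, delete the modified module directory, and let the client re-download it, then treat every Discord token that was valid on the machine as compromised.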

Conclusion

Remote desktop applications offer powerful functionality and are widely used for both professional and personal purposes. TAs often impersonate such applications to appear genuine and lure victims into downloading malware.

According to our research, the TA skillfully impersonated the AnyDesk website and used it to distribute MITSU Stealer and harvest victims’ sensitive information. Users should be wary of such phishing sites and verify the source before downloading any application.

Our Recommendations

  • Avoid downloading pirated software from warez/torrent websites. The “hack tools” promoted on sites such as YouTube and torrent trackers frequently carry this kind of malware.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and Email attachments without first verifying their authenticity.
  • Educate employees on protecting themselves from threats such as phishing and untrusted URLs.
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
  • Monitor beaconing at the network level to detect and block data exfiltration by malware or TAs.
  • Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.

MITRE ATT&CK® Techniques

Tactic                 Technique ID   Technique Name
Initial Access         T1566          Phishing
Execution              T1204          User Execution
Execution              T1059          Command and Scripting Interpreter
Persistence            T1574          DLL Side-Loading
Privilege Escalation   T1055          Process Injection
Defense Evasion        T1497          Virtualization/Sandbox Evasion
Credential Access      T1003          OS Credential Dumping
Discovery              T1082          System Information Discovery
Discovery              T1083          File and Directory Discovery
Discovery              T1057          Process Discovery
Collection             T1005          Data from Local System
Command and Control    T1071          Application Layer Protocol
Command and Control    T1573          Encrypted Channel

Indicators of Compromise (IOCs)

Indicator                                                            Indicator Type   Description
a47970f99928d7628ba3fff45c03807f                                     MD5              Anydesk.exe
eda41936d93347a920e891f8016dae4562fc29d5                             SHA1             Anydesk.exe
77e2b24779faccc8154b475893633c97d26316a3211a16757f4ddcfcb797098c     SHA256           Anydesk.exe
164[.]92[.]235[.]193                                                 IP               Malware distribution IP
hxxp://anydesk[.]ml                                                  URL              Malware distribution site
