Phishing sites being used to spread Information Stealer malware
Threat Actors (TAs) employ sophisticated techniques to create phishing websites that are designed to appear legitimate and attractive to users. These deceptive sites are carefully crafted to trick unsuspecting users into downloading and executing malware, which can result in stealing the victim’s sensitive data. In previous instances, Cyble Research and Intelligence Labs (CRIL) has exposed numerous phishing websites that have been used to steal sensitive data by utilizing a range of malware types, such as stealers, RATs, and bots.
CRIL has recently discovered phishing websites that imitate popular crypto-wallets and online file converters, specifically targeting Windows users. These malicious sites have been designed to deceive users into downloading information stealer malware, jeopardizing their confidential data. The newly discovered stealer malware can steal victims’ sensitive browser data, including saved credentials, cookies, user profiles, and cryptocurrency wallets. Furthermore, the malicious software takes screenshots of the system and sends them to the TAs.
The below figure shows the phishing sites created by TA for downloading the stealer malware.
In both cases of phishing websites, the user’s interaction with the website, specifically clicking on certain controls, initiates the infection process. These websites host the “ImBetter Stealer” malware. It is identified by its Program Database (PDB) filename of “ImBetter.pdb”, which is why it has been aptly named “ImBetter Stealer”. This analysis explores the technical aspects of the “ImBetter Stealer.
Technical Analysis:
The ImBetter Stealer malware binary is a 32-bit GUI-based executable with SHA256 as 8747ce656fe657e621a82c17fe6640145c4e4f2d8f90e255cda0a68e6f341c22 further details are shared in the figure below.
After execution, the stealer checks the infected system’s Language Code Identifier (LCID) code to determine the system language and region. If the system belongs to any of the following lists of regions, the stealer terminates itself, indicating that the threat actors are likely Russian speakers.
- Russian
- Kazakh
- Tatar
- Bashkir
- Belarusian
- Yakut
- Russian – Moldova
The figure below shows the code to check LCID.
If the victim’s system region does not belong to any of the previously mentioned regions, the stealer will capture a screenshot of the infected system and store it in the C:\Users\Public folder with the image name “Scr-urtydcfgads.png”. Later, this screenshot is sent to the Command and Control (C&C) server.
After capturing the screen, the stealer then creates a socket connection to the command and control (C&C) IP. The code snippet below demonstrates the creation of a socket connection to the C&C server.
After creating the socket connection to the C&C server, the stealer then obtains various system information from the infected system, such as the hardware ID, GPU details, system RAM size, CPU details, screen details, and name of the stealer executable, etc. The stealer steals each system information separately and stores it as a key-value pair string in memory. This string is then encoded with Base64 format and sent to the C&C server over a socket created in the earlier stage. The below image shows network communication of ImBetter stealer that exfiltrates system details from the victims’ machine.
After extracting the system information, the stealer then checks for browser applications installed in the system. Following are the browsers targeted by the ImBetter Stealer:
| AcWebBrowser | Baidu Spark | BlackHawk | Brave | CentBrowser |
| Google Chrome | CoolNovo | Comodo Dragon | Edge | Go! |
| Epic Browser | Opera Stable | Rockmelt | Sleipnir | SRWare Iron |
| Titan Browser | Torch | Vivaldi | Yandex | Flock |
The stealer then focuses on harvesting sensitive data from the infected system. By observing the targeted browsers, we can confidently infer that the stealer specifically targets Chromium-based web browsers. These browsers usually store sensitive information, such as login credentials, cookies, user profiles, and crypto wallet extensions, in the AppData/Local folder path.
Login Data:
The stealer iterates through a hardcoded list of browser Login Data paths, and if the path exists, it steals the Login Data file from the respective browser. It also creates a key-value pair string in the format “password: {Browser Name}Pw: {Hardware-ID},” which is then encoded with Base64 format and sent to the C&C server along with the login data file.
The figure below shows the exfiltrated Login Data file along with the key-value pair.
Cookies:
After stealing the Login Data file, the stealer iterates through a hardcoded list of browser cookie paths. The stealer steals the cookies file from the relevant path if the path exists. Similarly, the stealer creates a key-value pair string in the format “Cookie: {Browser Name}Cookies: {Hardware-ID}“, which is then encoded with Base64 format and sent to the C&C server along with Cookies files.
The below figure shows the stealer targeting cookies files from the victim’s machine.
User Profile:
The stealer now steals user profiles from the infected system and sends them to the C&C server. The profile information is stored in a JSON file called the Local State, located in the browser’s user data directory. The info_cache key in the JSON dictionary contains the list of known profiles, with the keys corresponding to the profile names.
The figure below shows the routine for stealing user profiles from the infected system.
Crypto Wallet Extension:
Stealer then targets wallet extensions in the browser by iterating through hardcoded wallet addresses and checking them in the installed browser directory.
The figure below shows code checking for the wallets in the system.
Stealer targets multiple crypto wallets; the table below shows all the targeted wallets:
| Metamask | nkbihfbeogaeaoehlefnkodbefgpgknn |
| BinanceChain | fhbohimaelbohpjbbldcngcnapndodjp |
| Bitapp | fihkakfobkmkjojpchpfgcmhfjnmnfpi |
| Coin98 | aeachknmefphepccionboohckonoeemg |
| DAppPlay | lodccjjbdhfakaekdiahmedfbieldgik |
| Equal | blnieiiffboillknjnepogjhkgnoapac |
| Guild | nanjmdknhkinifnkgdcggcfnhdaammmj |
| ICONex | flpiciilemghbmfalicajoolhkkenfel |
| Math | afbcbjpbpfadlkmhmclhkeeodmamcflc |
| Mobox | fcckkdbjnoikooededlapcalpionmalo |
| Phantom | bfnaelmomeimhlpmgjnjophhpkkoljpa |
| TronLink | ibnejdfjmmkpcnlpebklmnkoeoihofec |
| XinPay | bocpokimicclpaiekenaeelehdjllofo |
| Ton | nphplpgoakhhjchkkhmiggakijnkhfnd |
| Sollet | fhmfendgdocmcbmfikdcogofphimnkno |
| Slope | pocmplpaccanhmnllbbkpgfliimjljgo |
| Starcoin | mfhbebgoclkghebffdldpobeajmbecfk |
| Hiro Wallet | ldinpeekobnhjjdofggfgjlcehhmanlj |
| MetaWallet | bkklifkecemccedpkhcebagjpehhabfb |
| Swash | cmndjbecilbocjfkibfbifhngkdmjgog |
| Finnie | cjmkndjhnagcfbpiemnkdpomccnjblmj |
| Keplr | dmkamcknogkgcdfhhbddcghachkejeap |
| Crocobit | pnlfjmlcjdjgkddecgincndfgegkecke |
| Oxygen | fhilaheimglignddkjgofkcbgekhenbh |
| Nifty | jbdaocneiiinmjbjlgalhcelgbejmnid |
| Liquality | kpfopkelmapcoipemfendmdcghnegimn |
| Ronin | fnjhmkhhmkbjkkabndcnnogagogbneec |
| Oasis | ppdadbejkmjnefldpcdjhnkpbjkikoip |
| Temple | ookjlbkiijinhpmnjffcofjonbfbgaoc |
| Pontem | phkbamefinggmakgklpkljjmgibohnba |
| Solflare | bhhhlbepdkbapadjdnnojkbgioiodbic |
| Yoroi | ffnbelfdoeiohenkjibnmadjiehjhajb |
| iWallet | kncchdigobghenbbaddojjnnaogfppfj |
| Wombat | amkmjjmmflddogmhpjloimipbofnfjih |
| Coinbase | hnfanknocfeofbddgcijnmhnfnkdnaad |
| MewCx | nlbmnnijcnlegkjjpcfjclmcfggfefdm |
| Jaxx Liberty (Web) | cjelfplplebdjjenllpjcblmjkfcffne |
| OneKey | jnmbobjmhlngoefaiojfljckilhhlhcj |
| Hycon Lite Client | bcopgchhojmggmffilplmbdicgaihlkp |
| SubWallet (Polkadot) | onhogfjeacnfoofkfgppdlbmlmnplgbn |
| Goby | jnkelfanjkeadonecabehalmbgpfodjm |
| TezBox | mnfifefkajgofkcjkemidiaecocnkjeh |
| ONTO Wallet | ifckdpamphokdglkkdomedpdegcjhjdp |
| Hashpack | gjagmgiddbbciopjhllkdnddhcglnemk |
| Cyano | dkdedlpgdmmkkfjabffeganieamfklkm |
| Sender Wallet | epapihdplajcdnnkdeiahlgigofloibg |
| Zecrey | ojbpcbinjmochkhelkflddfnmcceomdi |
| Auro | cnmamaachppnkjgnildpdmkaakejnhae |
| Terra Station | aiifbnbfobpmeekipheeijimdpnlpgpp |
| KardiaChain | pdadjkfkgcafgbceimcpbkalnfnepbnk |
| Rabby | acmacodkjbdgmoleebolmdjonilkdbch |
| NeoLine | cphhlgmgameodnhkjdmkpanlelnlohao |
| Nabox | nknhiehlklippafakaeklbeglecifhad |
| XDEFI | hmeobnfnfcmdkdcmlblgagmfpfboieaf |
| KHC | hcflpincpppdclinealmandijcmnkbgn |
| OneKey | jnmbobjmhlngoefaiojfljckilhhlhcj |
| Auro | cnmamaachppnkjgnildpdmkaakejnhae |
| CLW | nhnkbkgjikgcigadomkphalanndcapjk |
| Polymesh | jojhfeoedkpkglbfimdfabpdfjaoolaf |
| ZilPay | klnaejjgbibmhlephnhpmaofohgkpgkd |
| Byone | nlgbhdfgdhgbiamfdfmbikcdghidoadd |
| Eternl | kmhcihpebfmpgmihbkipmjlmmioameka |
| Nami | lpfcbjknijpeeillifnkikgncikgfhdo |
| Maiar DeFi Wallet | dngmlblcodfobpdpecaadgfbcggfjfnm |
| Leaf Wallet | cihmoadaighcejopammfbmddcmdekcje |
| Trust Wallet | egjidjbpglichdcondbcbdnbeeppgdph |
| Exodus(web) | aholpfdialjgjfhomihkjbmgjidlcdno |
| Brave Wallet | odbfpeeihdkbihmopkbjmoonfanlbfcl |
After stealing the wallet data, the stealer closes the socket connection and terminates its own process.
Conclusion
ImBetter stealer is an information stealer designed to steal sensitive system information and steal information from browsers, such as Login Data, Cookies, User profile information, and Wallet extension. This type of malware can be very dangerous because it can enable cybercriminals to gain unauthorized access to a victim’s crypto wallets or online accounts, which can result in the theft of valuable digital assets or personal information.
Cyble Research and Intelligence Labs will maintain its surveillance on the latest phishing or malware strains in circulation, providing up-to-date blogs containing actionable intelligence to safeguard users against these infamous attacks.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices as mentioned below:
- Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc., mainly contains such malware.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats like phishing/untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Execution | T1204 | User Execution |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Credential Access | T1528 | Steal Application Access Token |
| Discovery | T1010 T1083 | Application Window Discovery File and Directory Discovery |
| Collection | T1005 | Data from Local System |
| Command and Control | T1071 | Application Layer Protocol |
Yara Rule
rule ImBetter: Stealer
{
meta:
Description = “ImBetter Stealer”
Maltype = “Information Stealer”
Filetype = “Win32 EXE”
strings:
$a1 = “C:\\Users\\Public\\Scr-urtydcfgads.png”
$a2 = “ImBetter.pdb”
$a3 = “195.133.40.3”
$a4 = “AcWebBrowser\\User Data\\Local State”
condition:
uint16(0) == 0x5A4D
and 2 of ($a*)
}
Indicators Of Compromise
| Indicators | Indicator type | Description |
| e7b7595c06031d68bcdf6f13cb4632a6 f239dad6cf421b8b9475bfa56af2c8a5cea7a066 9668d4e072999eb5098e97bac471014f5ac8478774f67cba4e8be95ba84e7576 | MD5 SHA1 SHA256 | ImBetter Stealer |
| d92d9f696c502c6560eb94812e8f1979 d4af060cbe6f6a7258a871709f89914a03349a77 17c3f8cb4a06a63b56cb813191a313419ab33401ff03881ed96b18c5b6d86d9c | MD5 SHA1 SHA256 | ImBetter Stealer |
| 507f9b74894bf39fa023f1b50642c90e 9fa7cc65b7c8108865da6eb048ff90065b6162db 52712db8db54e97453c7a0758c63d0cf76bb13a9e15a5b4a229f3731bd4ab2fe | MD5 SHA1 SHA256 | ImBetter Stealer |
| b04025b076d19641f3db5a546f3fb231 67377d2b97feb01693cc89e516265e784aa0465f 54df902f2e6d174fe977d9503896b7cad2f48f38fcb85a5af554a0228c029d8d | MD5 SHA1 SHA256 | ImBetter Stealer |
| bc9fce4292ec484d5ccbde685854aea6 d0ab1c13df1572f2a497645ad0cbbf8658774c18 5e0c028ed62b2a3ffeb211c53493335f8197f17fc81581fa6d06abddd90fdb82 | MD5 SHA1 SHA256 | ImBetter Stealer |
| f150c897aab84fd8e8a0aff75a924761 50eebb448e8b162de64f15ac4098db3a1b151e21 8747ce656fe657e621a82c17fe6640145c4e4f2d8f90e255cda0a68e6f341c22 | MD5 SHA1 SHA256 | ImBetter Stealer |
| e9df653567149f789852c2dab16f46bb 98ae2ff4c64adad0395de300f2fb7e060d146271 65c2dbec05a4949cc40e6817b66c3a2a3a99e73f6c500070b721107b2b09bc74 | MD5 SHA1 SHA256 | ImBetter Stealer |
| hxxp://currenyc-crypto[.]loan/currency[.]exe | URL | Downloading Stealer |
| hxxp://currenyc-crypto[.]loan/ | Domain | Website |
| 195[.]133[.]40[.]3 | IP | Network Communication |
| hxxps://softeforyou[.]fun | Domain | Phishing Domain |
| hxxps://softeforyou[.]fun/ Metamask.exe | URL | ImBetter Stealer |
