Troy Stealer Analysis. How it all began?

logo
Featured On

NewsweekForbesBuisiness InsiderAxios
This article contains
arrow

It all began with a link from abuse.ch: https://bazaar.abuse.ch/sample/7c3289cdc59a8cf32feac66069d09c48a930d4665f740968521adaf870172644/

abuse.ch presented a new Trojan in town, so we, of course, we’re interested in examining it.  

The Trojan comes via email and harvests system information and user data from all browsers, chat programs and other programs such as Filezilla, battle.net, and team viewer. When it’s done it exfiltrates the data through an email message.

The Trojan is written in VB.net and the code is obfuscated. Luckily, the source code has been lingering in the World Wide Web. It appears the Trojan is not that new – as it was posted in Pastebin back in 2018. The code has been updated since then, but its main form has been kept about the same.

Getting the source code

One of the few files the Trojan creates on the system is “halloee.txt”. The file contains the results page of speedtest.net. The name is unique enough to search for in Google, and the results were fruitful. 

The first link led to a pastebin named “SiriTDecrypter” that contained long VB code (~1500 lines) that presented similar behavior; for example, the creation of “halloee.txt” file:

We can see in the snippet above, that the Trojan searches the “lautet” field in the response from speed test, saves the match to parameter T, and returns it along with Sk.Revpep(“c3NlcmRkQSBQSQ==”), which decodes to: ‘sserddA PI’, and reverses to “IP Address”. The code is full of sk.revpep calls, that base64-decodes and reverses the code.

Later I also found the source code in Github through some “hacking forums”. A user named “SiriT” posted about a credential decrypter that he developed, with “obfuscator like” code so it could not be read that well. The hackers in the forum were less supportive of it:

The post itself is from late 2018 and describes how much effort the hacker has put into it. It has a base64 encoded URL in his Pastebin, which translates to https://pastebin[.]com/Eezkrhq5.

“SiriTDecrypt” also gave a link between this and a project called “PixieV” – “PixieV | Stealer Async in VB.NET” in undercrack[.]com, as well as “[Source Code] PixieV | Steal Browser Passwords” on a Spanish hacker site ” which also matched the unpacked files we got named “PixieV”.

For those of you that don’t know Spanish: a user posted that he’d written the malware code in the past year and that it’s easy to use and steal passwords. He gives credit to several users for different features in the code and says he doesn’t know who deserves the credit for developing siriTDecrypt. He also credits himself for creating the stealer and the async processes. The link he provided leads to a GitHub repository and encourages people to get free Netflix accounts.

It seems that the code in the sample has changed since it was uploaded as the code is a bit different, but all in all it seems similar. In the older version a PHP uploader is used to exfiltrate data, but now it uses email messages. “SQLiteHandler” and “SiriTDecrypt” are there as well, and they look exactly like the paste. 

What’s in the GitHub is not the complete project – it seems like SiriTDecrypt was combined in the Trojan, along with other DLLs. 

With dnSoy in PixieV.exe, we can find the code of SiriTDecrypt at Class11.

Inside it our favorite “obfuscation” method called “smethod_0”, (base64+ reverse) is found. We can see the same code being used. I wrote a small script that replaces all the decoded and reversed strings in their plain text form to make the picture whole. For example

I also compared the code from GitHub vs the sample’s, using dnSpy, after unpacking and using de4dot to deobfuscate some code. There, I could find every function that was used in the GitHub version. 

What it does

The Trojan is programmed to steal credentials from the following applications:

Skype, FileZilla, TeamViewer, Battle.net, Trillion, Nimbuzz, Paltalk, Purple, Thunderbird, Proxifier, MSN, Outlook, Pidgin,Chrome, Firefox, Opera, Safari, iExplore, Chromium, CoolNovo, SRWare Iron, Dragon, Flock, and Rockmelt. It parses the credential files using Mozilla’s DLLs and nss3.

It checks if it has an Internet connection by downloading a response from “speedtest.net” and parses the file, looking for the IP address, as was seen above. It performs system information gathering as well (i.e. Windows username and password, volume serial number, digital product ID – Windows product key, machine time zone), and does some of this with WMI queries, such as

IWbemServices::ExecQuery – root\cimv2 : SELECT Caption FROM Win32_OperatingSystem

IWbemServices::ExecQuery – root\SecurityCenter2 : SELECT * FROM AntivirusProduct

The name “Troy Stealer” probably comes from the title the author himself gave it – as he exfiltrates the above data using an email message with the same title. 

At the end of the file, we can see it kills every browser type that runs and that it calls to 4 functions. 

Each of these functions is checking if certain browser folders exist, and if so, deletes files, cookies, last sessions, and web data from their history.

In another executable similar to this one, we saw different credentials being used to connect to the SMTP  server, but those attempts failed. 

In addition, this version also dropped a copy of chrome.exe to appdata\local and created persistence using “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” to run that dropped file.

The unpacked files have some DLLs in common – such as 26.dll, unhook.dll. But Some DLLs are different in name – like Shutup_And_Fuckof.dll. Looking at this DLL’s properties we can see the PDB path: “C:\Users\Raz\Desktop\STUB\Shutup_And_Fuckof\obj\Debug\Shutup_And_Fuckof.pdb”.

Samples
https://www.virustotal.com/gui/file/9bc17db7e037caa4b6f176fdfc89a132dc63445bf66cf51050bb77cac0e09e75/detection
https://www.virustotal.com/gui/file/7c3289cdc59a8cf32feac66069d09c48a930d4665f740968521adaf870172644/detection
https://www.virustotal.com/gui/file/40c604bb72f83a0f4ad24fce83aa25332610b2158c7a837dbd89778b4e48c067/behavior/Dr.Web%20vxCube

Summary

This Trojan does what every Trojan does; there’s nothing bright and shiny about it, but it’s source code just waits in the open for someone to compile and use it. Anyone can adapt it and change its key functionality, such as how to exfiltrate data and communicate with CNC, check the Internet connection, add or remove data collection functions, add persistence mechanisms, and so on.