White Snake Menace: The Growing Threat of Information Stealers in the Cybercrime Landscape

Introduction

The rise of malicious software designed to steal sensitive information has become a significant problem in the cybercrime landscape. They are specifically created to infiltrate computer systems and extract valuable data, including personal information, login credentials, financial details, and intellectual property. Known as information stealers or data stealers, these malware programs pose a prevalent threat.

Cybercriminals use various tactics to distribute information stealers, and once installed on a victim’s device, these malware programs operate discreetly, often evading detection by security software. Information stealers target a wide range of applications, including web browsers, email clients, instant messaging platforms, and financial software.

The stolen data is usually sold on underground marketplaces or used for illegal activities like identity theft, financial fraud, corporate espionage, or blackmail. The financial motivation behind information stealers, combined with their ability to collect sensitive data from numerous victims, makes them appealing to cybercriminals.

In February 2023, a new information stealer called White Snake emerged, joining the list of threats in this category. In this blog we have delved into the technical aspects of the updated White snake stealer version 1.6, to provide insights into its behaviour and shed light on its latest capabilities.

The White Snake Stealer

​​Focused on infiltrating diverse applications such as cryptocurrency wallets, FTP clients, and email clients among others, White Snake exhibits a range of capabilities. These include  execution of commands on the victim’s system enabling activities like taking screenshots and capturing webcam. Having undergone continuous development since its initial arrival, it has prompted Telegram announcements that suggest the addition of new capabilities.

Samples showcasing these enhanced features on public repositories strongly suggests the active distribution of new versions of the White Snake stealer in the Cybercrime scene.

White Snake Stealer offers versions for both Windows and Linux systems. However, we have not been able to find any samples specifically targeting Linux systems while others aimed at Windows platforms were identified, demonstrating advanced features.

Posts announcing White Snake Stealer Updates

Changes to Note in the Updated Version of White Snake Stealer

White Snake Stealer has undergone significant improvements, introducing the following key features:

• Expanded Browser Support:Now compatible with a wider range of browsers, including Opera, CocCoc, CentBrowser, and Yandex, allowing it to extract sensitive data from a broader user base.
• Extended Email Client Compatibility:It can now support popular email clients like Outlook, Foxmail, and ‘The BAT!,’ enabling the collection of data from these applications and expanding its reach.
• 2FA App and VPN Targeting:It is capable of targeting and extracting information from 2FA (Two-Factor Authentication) apps and VPN (Virtual Private Network) applications, posing a threat to user security and privacy.
• Enhanced Capabilities:Advanced features such as keylogging, webcam capture, and document grabbing have been incorporated, which allows it to easily compromise user data by recording keystrokes, capturing webcam footage, and collecting specific document types.
• Beacon Functionality:It can now establish communication with the command and control (C2) server allowing the receipt of instructions, transmission of stolen data, and potential downloading of additional malicious payloads.
• Document Grabber: Can now collect and exfiltrate files of interest from the victim’s machine.
• USB Spread:Is able to spread through USB devices by making copies on removable drives such as USB flash drives and external hard drives.
• Local User Spread:Is also able to propagate among local users by copying itself to their startup folders, ensuring automatic execution upon user login or system restart and facilitating its spread within the compromised system.

These noteworthy enhancements in White Snake Stealer highlights its dynamic evolution and adaptability, posing a significant threat to user privacy and security. 

Technical Analysis of the White Snake Stealer

The malware incorporates advanced string of obfuscation techniques which is used to deliberately obscure the code. This results in increased complexity and makes it challenging to decipher the underlying strings.

String Obfuscation Detected

The figure above shows the method responsible for deobfuscating strings within the stealer’s codebase. Its widespread usage adds complexity to the analysis process. Additionally, the deliberate incorporation of redundant codes within the stealer adds further layers of complexity. These intentional obfuscation techniques make the analysis of the stealer even more intricate.

Garbage Code

Anti Virtual Machines (VM) Checks

During the execution of the stealer’s main () method, the Anti VM method is invoked to prevent the malware from running in a virtual environment. This function employs Windows Management Instrumentation (WMI) queries to retrieve the system’s “Manufacturer” and “Model” information. Subsequently, it compares these details with predefined strings associated with VMs. If a match is detected, the malware terminates without proceeding with any further execution.

WMI Queries to Extract the Environment Information

Hardcoded Strings

Establishing Persistence

The stealer achieves persistence by duplicating itself in the Appdata directory and creating a scheduled task. Subsequently, it removes the original file to cover its tracks. Different versions are observed to be creating different directories.

Fig. Below shows the stealer creating a directory with the name “EsetSecurity.” Directory names may vary across different variants. It copies itself in this newly created directory.

Observed to be creating a director with “EsetSecurity” name

Stealer code for persistence, creating schedule task and deleting itself

         Creating a Scheduled Task

New Beacon Functionality

The latest version of the stealer introduces a new beacon feature that leverages The Onion Routing Project (TOR) for its implementation. This enhanced functionality enhances the capabilities of the stealer and involves the following key components:

• TOR Download and Installation:The stealer now has the ability to download and install TOR, a network tool that enables anonymous communication on the internet.
• Tailored TOR Service Configuration:The malware utilizes the “HiddenServicePort 80 127.0.0.1:2392” configuration directive in the TOR configuration file to set up a hidden TOR service. This directive specifies that incoming requests to the hidden service on port 80 will be redirected to a randomly generated port (2392) on the local machine. The malware specifically utilizes this redirected port to run an HTTPListener service responsible for handling the incoming requests.
• Connection Establishment: The beacon functionality is implemented by establishing a connection between TOR and an open port on the victim’s system. The onion address, which serves as the unique identifier for the hidden service, is generated and stored in a file within the directory specified by the “HiddenServiceDir” configuration directive in the TOR configuration file. The attacker or Threat Actor (TA) connects to the hidden service using this onion address through the TOR network.

Through this communication channel facilitated by the HTTPListener(), the attacker can issue commands or exfiltrate stolen data from the victim’s machine. The attacker’s commands or requests are sent through the TOR network, reaching the hidden service configured on port 80, and subsequently forwarded to the local machine’s port 2392. The HTTPListener service of the stealer processes and responds to these requests.

Tailored TOR configuration in the malware code

TORRC (TOR configuration) file created by stealer

Onion address

Once a connection request is received from the TA, the stealer enters the processing phase. During this phase, it actively scans for incoming HTTP requests that utilize the POST method. The POST method is commonly used to send data to a web server, including commands or instructions in the payload of the request.

Upon detecting an incoming POST request, the stealer extracts and isolates the payload, which contains the commands encapsulated within the request. These commands may include instructions for various actions the stealer is designed to perform, such as collecting sensitive data, executing specific operations on the victim’s machine, or initiating further malicious activities.

By identifying and extracting the commands from the POST requests, the stealer gains access to the TA’s instructions and can proceed to execute them accordingly. This allows the TA to remotely control the stealer’s behaviour and carry out specific actions on the compromised system.

Processing the incoming request

Extracting the commands

Subsequently, once the TA’s commands have been extracted from the incoming HTTP requests, the stealer proceeds with its processing. The processing phase involves interpreting and executing the commands as instructed by the TA.

Further Processing of Commands

The updated version of the stealer includes an expanded set of command capabilities, allowing it to perform the following actions:

• REFRESH: Transmits the stolen data back to the attacker.
• COMPRESS: Compresses a file with TAR.
• PING: Performs a ‘ping’ like operation and responds with a ‘pong’.
• UNINSTALL: Terminates and removes itself from the system.
• WEBCAM: Captures webcam footage
• LIST_PROCESSES: Retrieves a list of all running processes.
• GET_FILE: Retrieves the contents of a specific file.
• SCREENSHOT: Captures a screenshot of the victim’s screen.
• LIST_FILES: Lists files in the current directory.
• TRANSFER: Transfers a file to the attacker’s server.
• LOADEXEC: Downloads a file from remote location and executes it.
• DECOMPRESS: Decompresses a file with TAR for transfer.
• DPAPI: Decrypts the encryption protection applied to sensitive data stored on the victim’s system.
• Keylogger: Capture keystroke

Keylogging using ‘hookCallback’ for monitoring of keystrokes

Screenshot Capability

USB Spread

The stealer has incorporated a USB spread capability, enabling it to propagate itself to removable disks. It achieves this by querying the system for removable disks and subsequently copying itself onto the identified media.

Queries removable media

Copies itself on removable media

Local Users Spread

The updated stealer now includes a Local User Spread capability, allowing it to propagate among local users. The malware achieves this by iterating over user profiles and copying itself to the startup folder of each user. This ensures that the malware is automatically executed when users log in or the system restarts. By leveraging this persistence mechanism, the malware can effectively spread among local users, resulting in its widespread presence throughout the compromised system.

Iterating over management objects

Copies itself to startup folder

Application Data Collection

The malware exhibits the capability to extract sensitive information from various types of applications:

Targeted Applications

Stealer configuration with reference to various application for information stealing

Furthermore, the malware possesses the capability to gather additional information from the victim’s system. This includes retrieving the username, computer name, public IP address, screen size, CPU, GPU, RAM, Disk, Model, OS information, running process and execution timestamp. These data points provide the attacker with valuable insights into the victim’s system and can be used for further analysis or exploitation.

Extracting username

Extracting computer name

Exfiltration

Once the data is gathered, the malware employs the XmlSerializer to transform it into a serialized format. Subsequently, the serialized data undergoes compression and encryption using the RSA encryption algorithm. This multi-step process ensures the secure protection of the data, preserving its integrity and maintaining confidentiality. It is worth noting that the malware embeds the RSA key necessary for encryption within its own code.

Captured data being serialized into XML format

RSA Key

Encryption using RSA Key

Now, the stealer will proceed to affix tags, including the filename (e.g., Username@Computername_report.wsr), to the gathered information. Subsequently, the malware establishes a connection to a predetermined server controlled by the attacker using the WebClient class’s ‘uploadData’ method with the PUT HTTP method. The malware code includes hardcoded IP addresses that specify the destination server for transmitting the encrypted data. This allows the attacker to receive the stolen information from infected systems.

WebClient Class instantiation

Obfuscated code used to send the PUT request for data exfil

Hardcoded IP addresses of the attacker’s server

PUT request issued for data exfil

To notify attacker about the data exfiltration, the malware sends a notification through a Telegram chat by executing an HTTP GET request to the Telegram BOT API.

The contents of the URL are encoded with URL encoding. Decoding the Telegram message reveals valuable resources for the attacker: the stolen data’s URL and victim details. This allows the attacker to directly access and exploit the information for malicious purposes, increasing their effectiveness in carrying out harmful activities.

URL decoded contents

Quick Heal Protection

All Quick Heal customers are protected against this threat through the following signature:

• Trojan.WhiteSnake.S30222827

To know more about Quick Heal’s range of digital protection visit – 

https://www.quickheal.com/

Conclusion

The White Snake Stealer is an evolving threat that is being actively developed and distributed through the Malware-as-a-Service (MaaS) model. The threat actors responsible for this stealer is dedicated to improving the code and implementing techniques to bypass detection measures. This ongoing development highlights the persistent and evolving nature of the threat landscape, re-emphasizing the criticality for individuals and organizations to stay updated on the latest security practices, implement robust Défense mechanisms, and maintain strong cybersecurity hygiene to protect themselves against such threats.

Indicators of Compromise (IOCs)

Vinay Kumar