by RSS Rommel Joven and David Maciejak  |  Jul 07, 2016  |  Filed in: Security Research

Cyperine is a VB .NET info stealing malware advertised in hacking forums to retrieve information from victims and sends it to whichever email is entered in the builder. Cyperine version 1.0 was first released in December 2014, and on June 14, 2016 version 2.0 was released. It steals SSFN steam’s authentication files, stored passwords from browsers, user logins, and software product keys installed in the victim’s computer.

Figure 01. Cyperine builder

The seller also provides a skype account for convenient means of communication to prospected buyers. The program cost USD $5 for a one week trial and USD $35 for a lifetime.

The attackers then sell these online stolen accounts for prices varying from $1 to $5.

No need to remind that no matter how advanced is your security adoption within your own company, customer accounts sold to access your online services can’t be controlled once in the wild as of today there is still no bullet proof way to protect people from themselves.

Running the Code

To have a quick look at the behaviour of this malware we ran it in a controlled environment and observed the following.

Dropped files:

%Temp%\ProduKey.exe – tool to retrieve stored product keys

%Temp%\ChromePass.exe – tool to retrieve stored username and passwords

%Temp%\ChromePass.txt – log file

%Temp%\ProduKey.txt – log file

Created Folder:

%Appdata%\Cyperine – folder to store all stolen data

Taking a look at the network activity we see that Cyperine sends the stolen information by email.

Figure 02. SMTP Network Activity

The message sent is base64 encoded; this message can include the following:

Table 01. Information Sent

In addition, file attachments that can be included in the email are the following:

Table 02. File attachments

Info Stealing

Cyperine collects all the information and files needed into one folder %Appdata%\Cyperine and after this will be sent as an attachment to the attacker’s email address.

It starts on searching the steam directory in the victim’s computer.

Figure 03. Steam directory

If found it will look for all ssfn* and loginusers.vdf files and copy them. These files are needed to gain access to stolen steam accounts even with Steam Guard enabled.

Next, it will use free tools from Nirsoft like ProduKey and Chromepass which was embedded in its binary to easily retrieve the needed information from the victim.

The ProduKey utility is executed to retrieve the Product ID and the CD-key of Microsoft Office, Windows, Exchange Server, and SQL servers installed on the computer.

Sample of the product keys log file:

Figure 04. ProductKeys.txt Sample

The malware utilizes Chromepass to be able to view the usernames and passwords stored in Google Chrome Web browser.

Sample of the stolen passwords from chrome browser:

Figure 05. Chrome.txt Sample

Cyperine also takes credentials from the browsers Firefox. To be able to get the credentials stored in Firefox it takes the key3.db, logins.json, and signons*.txt files.

The malware also has the feature to take a screenshot of the victim’s computer.

Figure 06. Screenshot routine

Cracking the Encrypted Credentials

After collecting all the needed information it will continue in preparing the email to be sent to the attacker. However, looking at the code the important parameters for sending an email are encrypted.

Figure 07. Encrypted Email Parameters

Reading more on the code for the decryption, we saw AES_Decypt that has one input which is the encrypted parameters. Furthermore in the code there is a key that will be hashed and stored in an array. This array will serve as the decryption key.

Figure 08. Decryption routine

Luckily the key is a hardcoded value as shown below.

Figure 09. Hardcoded key

Running the decryption code independently, we were able to determine the username and password to login to the email account and the email of the sender and receiver.

Username = Cyperine7222

eSender = Cyperine5@gmail.com (dummy email address)

eReciever = Starcaster30@gmail.com (author’s email address)

Next is to try to access the account, provided the decrypted username and password. Logging in to the account, we were greeted with a dashboard of a third party email service that manages and delivers emails. Its main function is to route incoming emails to the attackers email address so we weren’t able to view the stolen information.

Figure 10. Dashboard of email activity

From a span of two weeks in operation it was able to reach at least 400 unique victims. These are mainly from English speaking countries like US and UK.

Figure 11. Geographical activity map

Observing the features of this email management service in the “latest activity” feed of the account, we can see below email addresses such as ddcombat@gmail.com and tigico2935@gmail.com to name a few that weren’t present in the malware sample.

These are attacker’s email addresses that had been hardcoded in clear text in some other variants of the same malware.

 This kind of email management service is a benefit to the author to easily monitor the progress of its malware and buyers who use the malware, as we were able to confirm that the author are tracking any emails sent using his builder.

Figure 12. Account’s latest activity feed

We were able to confirm four lifetime subscribers including the author for Cyperine and at least five has used the trial subscription. That means, as shared previously, a total income of at least $130 for the author. Not that big compared to the income from the stolen credentials. On the other hand, when comparing the unit price of the different kind of credentials shared in figure 02, it means a rapid ROI for subscribers.

Other feature is the IP Access Management showing the last logins. As shown in figure 14, there are different login locations for the same date, we could assume that the malware author/s uses VPN or proxy to access the account, by using this feature the author can also track if the account is compromised and been logged in by a different user.

 

 

Figure 13. Last login IPs

Collateral IOCs

Having a look on the file information of Cyperine 2.0 it was interesting to see that the binary was signed by DESKTOP-DIEEPUR\Matthew. When trying to search more samples with this signer we saw another info stealer named Next Man History Stealer which was released around the same time in June 21, 2016. However, Next Man History Stealer sends the stolen information through FTP compared to Cyperine that sends through SMTP.

Figure 14. Same Signers

Interesting to see that the encryption routine shared a lot of similitude with the Cyperine samples analysed above, comforting our idea that it was develop by the same author.

We were also able to access the upload directory and gather at least 50,000 compromised accounts by the Next Man History Stealer malware. We have determined that the majority of these victims are Canadians.

With the number of accounts compromised we can oversee that the author can earn as much as $51,000 USD.

We already reported to the FTP service the username being used by the Next Man History Stealer, they took action to suspend it and they will report the infraction to the law enforcement.

Conclusion

Info stealing is a growing underground business and anonymity is the key for success. The attackers are aware of this and are being cautious not to expose themselves and their buyers by using third party email management service to reroute emails. They also develop in parallel more than one malware for flexibility and to have more choices for buyers for their specific preferences.

Fortiguard will continue to monitor developments on info stealing malwares.

 

-= FortiGuard Lion Team =-

 

 

IOC:

Cyperine

SHA256: 056328a6ffda4597d8ce562d9a212290ed8ef03de8ec7ff1ad5da70f5aea14ca

Detected as: MSIL/Cyperine.A!tr

 

Dropped files:

%Temp%\ProduKey.exe – tool to retrieve stored product keys

%Temp%\ChromePass.exe – tool to retrieve stored username and passwords

%Temp%\ChromePass.txt – log file

%Temp%\ProduKey.txt – log file

Created Directory:

%Appdata%\Cyperine – folder to store all stolen data

 

Next Man History Stealer

SHA256: 70f9dc51465d6e39322ba115fe7991f2b854e1d52741b7136812c8dcef6753a1

Detected as: MSIL/HistoryStealer.A!tr

 

Dropped files:

%Appdata%\{HostName}-PC\-PC.zip

C:\{HostName}-PC\History{number}.ini

Created Directory:

C:\{HostName}-PC\Snapshots{number}

by RSS Rommel Joven and David Maciejak  |  Jul 07, 2016  |  Filed in: Security Research

comments powered by Disqus