Warning: Agniane Stealer Targeting Users to Steal Financial Data

Threat actors use stealers to covertly collect sensitive information from unsuspecting users.

These tools are favored because they can infiltrate systems, remain undetected, and extract valuable data that threat actors can monetize or turn to other malicious ends.

Stealers give threat actors a low-risk, high-reward route to valuable assets without direct confrontation.

Cybersecurity researchers at Cisco recently discovered and warned about Agniane Stealer, which is being used against users to steal financial data.

Agniane Stealer Attacking Users

Agniane Stealer is a cryptocurrency-targeting stealer whose activity surged in August 2023. Researchers recently uncovered new details of its delivery URL pattern, its file collection methods, and its C2 protocol.


The malware was actively marketed on Telegram (@agnianebot); it is protected with ConfuserEx and uses a unique C2 method.

In November 2023, the researchers' threat hunting turned up passbook.bat.exe, a renamed PowerShell binary linked to Agniane Stealer.

Infections start with a ZIP file downloaded from a legitimate website, following this URL pattern (reproduced as published; note that the final dot is unescaped, so a strict regex would write it as \.zip):

http[s]://<domain name>/book_[A-Z0-9]+-\d+.zip 

The extracted files include passbook.bat, which carries the obfuscated payload and spawns passbook.bat.exe. That renamed PowerShell binary then executes a series of obfuscated commands.
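Two checks that follow directly from the delivery chain above, written here as an added example rather than code from Cisco or from the Agniane operators: the published download-URL pattern is tightened into an anchored regex and run over a list of URLs, and Sysmon-style process-creation events are checked for a renamed PowerShell binary by comparing the PE's OriginalFileName (PowerShell.EXE for Windows PowerShell, pwsh.dll for PowerShell 7) with the on-disk image name. The sample URLs, the event dictionaries and the file path of passbook.bat.exe are constructed for the demonstration; the field names follow Sysmon Event ID 1.

```python
import re
from pathlib import PureWindowsPath

# The page's published pattern, anchored, with the dot before "zip" escaped.
# "[^/\s]+" stands in for the <domain name> placeholder.
DOWNLOAD_URL_RE = re.compile(r"^https?://[^/\s]+/book_[A-Z0-9]+-\d+\.zip$")

# Sysmon Event ID 1 records the PE's OriginalFileName beside the Image path.
# Windows PowerShell reports PowerShell.EXE; PowerShell 7's host reports pwsh.dll.
POWERSHELL_ORIGINAL_NAMES = {"powershell.exe", "pwsh.dll"}
POWERSHELL_IMAGE_NAMES = {"powershell.exe", "pwsh.exe"}


def match_download_urls(urls):
    """Return the URLs that match the Agniane delivery pattern."""
    return [u for u in urls if DOWNLOAD_URL_RE.match(u)]


def is_renamed_powershell(event):
    """True when the PE is PowerShell but the on-disk file name is not.

    `event` is a dict with Sysmon-style keys Image and OriginalFileName.
    """
    original = event.get("OriginalFileName", "").lower()
    image_name = PureWindowsPath(event.get("Image", "")).name.lower()
    return original in POWERSHELL_ORIGINAL_NAMES and image_name not in POWERSHELL_IMAGE_NAMES


def hunt(urls, events):
    """Combine both checks into one report."""
    return {
        "download_urls": match_download_urls(urls),
        "renamed_powershell": [e["Image"] for e in events if is_renamed_powershell(e)],
    }


# Constructed sample data for the demonstration (not observed telemetry).
SAMPLE_URLS = [
    "https://shop.example/book_A1B2C3-4521.zip",     # matches
    "https://shop.example/catalog/book_XYZ-12.zip",  # extra path segment: no match
    "https://shop.example/book_abc-12.zip",          # lowercase token: no match
    "http://blog.example/book_ZZ9-7.zip",            # matches
]

SAMPLE_EVENTS = [
    {"Image": r"C:\Users\victim\Downloads\book\passbook.bat.exe",   # assumed location
     "OriginalFileName": "PowerShell.EXE"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe"},
]

if __name__ == "__main__":
    for key, hits in hunt(SAMPLE_URLS, SAMPLE_EVENTS).items():
        print(key)
        for h in hits:
            print("  ", h)
```

The OriginalFileName comparison is the same idea Sigma's renamed-PowerShell rules use; it catches any copy of the binary regardless of what it was renamed to, which a plain "passbook.bat.exe" string match would not.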

Execution chain (Source – Cisco)

The PowerShell code then rebuilds the payload from the BAT file at run time, XOR-decodes and decompresses it, and loads the result reflectively in memory, so the decoded stage is never written to disk.

Reversing that payload reveals the threat actors' objectives.

The payload is a C# assembly that produces an executable with SHA-256 hash 5640c02b6d125d4e14e19709296b29b8ea34fe416e18b3d227bd79310d54b8df.
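The decoding steps described above (XOR, decompression, reflective load) are the part an analyst reproduces offline to reach the next stage. The following is an added example, not code from the page or from the Cisco report: a small Python helper that applies a repeating-key XOR and tries the common decompression containers in both orders, because the page does not say whether the sample XORs before or after decompressing and gives no key, accepting an output only if it starts with the MZ header of a PE image. The key, the container and the PE-like blob in build_sample() are assumptions constructed so the example runs stand-alone; against a real sample you would lift the key and blob from the deobfuscated passbook.bat.

```python
import gzip
import zlib

MZ = b"MZ"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def try_decompress(data: bytes):
    """Yield (container, output) for each container that accepts the data."""
    candidates = (
        ("gzip", gzip.decompress),
        ("zlib", zlib.decompress),
        ("deflate", lambda d: zlib.decompress(d, -zlib.MAX_WBITS)),
    )
    for label, fn in candidates:
        try:
            yield label, fn(data)
        except (OSError, EOFError, zlib.error):
            continue


def recover_stage(blob: bytes, key: bytes):
    """Return (chain, payload) for the first transform chain that yields a PE image.

    Both orders are tried because the page does not state which the sample uses.
    Returns None if no chain produces data starting with the MZ header.
    """
    # Order 1: XOR-decode, then decompress.
    for label, out in try_decompress(xor_bytes(blob, key)):
        if out.startswith(MZ):
            return f"xor->{label}", out
    # Order 2: decompress, then XOR-decode.
    for label, out in try_decompress(blob):
        plain = xor_bytes(out, key)
        if plain.startswith(MZ):
            return f"{label}->xor", plain
    return None


# Constructed stand-in for a stage: a minimal PE-like blob (DOS header whose
# e_lfanew points at a PE signature), gzip-compressed and XOR-encoded with an
# assumed two-byte key. Neither the key nor the layout comes from the sample.
SAMPLE_KEY = b"\x5a\xa5"
FAKE_PE = (
    MZ + b"\x00" * 58 + (0x40).to_bytes(4, "little")   # e_lfanew at offset 0x3C = 0x40
    + b"PE\x00\x00" + b"This program cannot be run in DOS mode." * 4
)


def build_sample(key: bytes = SAMPLE_KEY) -> bytes:
    """Encode FAKE_PE the way this example assumes the malware does: gzip, then XOR."""
    return xor_bytes(gzip.compress(FAKE_PE, mtime=0), key)


if __name__ == "__main__":
    result = recover_stage(build_sample(), SAMPLE_KEY)
    if result is None:
        print("no PE image recovered")
    else:
        chain, payload = result
        print(f"recovered {len(payload)} bytes via {chain}; header {payload[:2]!r}")
```

The MZ check is what keeps the "try everything" approach honest: a wrong key or wrong container occasionally decompresses into garbage, and without a structural test on the output you would hand that garbage to the next analysis step.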

The file was unknown to online sandboxes, and emulating it in Cisco Secure Malware Analytics exposed anti-sandbox techniques.

The binary's ConfuserEx-style obfuscation also limits dynamic analysis.

Content of the passbook.bat file (Source – Cisco)

This sample lacked a ConfuserEx signature but used similar obfuscation. On reversing, a further binary embedded in its resources turned out to be loaded reflectively.

That C# sample held the final payload, which was obfuscated directly with ConfuserEx.

In full, passbook.bat.exe runs PowerShell to deobfuscate passbook.bat and then runs the resulting stage, named tmp385C.tmp in its header. That stage reflectively loads the _CASH_78 C# application, which in turn delivers the final Agniane Stealer payload.

Malware execution chain (Source – Cisco)

Agniane Stealer exfiltrates credentials and files over a simple C2 protocol. It first checks which of its candidate C2 domains are reachable by requesting a specific URL on each, and adds the responsive domains to its list of active C2 servers. It then retrieves the list of file extensions to collect from a C2 URL pattern.

Afterward, it requests a remote JSON file carrying error details and proceeds according to the response.

The stealer relies on multiple obfuscation and anti-detection techniques while collecting and exfiltrating files, credentials, passwords, credit card data, and cryptocurrency wallets.

Its evasion tactics and broad data targeting could also attract more threat actors to adopt it in the future.
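The liveness check described in the C2 section above, one identical request fanned out across several candidate domains, is also the most visible part of this protocol from the network side. As an added example (a hunting heuristic of my own, not a detection published by Cisco), the Python below groups proxy log entries by client and path, flags any client that requested the same path on three or more distinct hosts within a short window, and then lists which of those hosts actually answered with HTTP 200, the set a stealer performing this check would keep as active C2. The log format, hosts, paths and timestamps are constructed placeholders; the real Agniane URL paths are not given on the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log in a simple "<time> <client> <host> <path> <status>" form;
# hosts and paths are placeholders, not Agniane's real C2 URLs.
PROXY_LOG = """\
2023-11-14T10:00:01 10.0.0.5 cdn-a.example /api/check 0
2023-11-14T10:00:02 10.0.0.5 cdn-b.example /api/check 200
2023-11-14T10:00:02 10.0.0.5 cdn-c.example /api/check 200
2023-11-14T10:00:03 10.0.0.5 cdn-d.example /api/check 0
2023-11-14T10:00:05 10.0.0.5 cdn-b.example /api/ext 200
2023-11-14T10:00:06 10.0.0.5 cdn-b.example /api/errors.json 200
2023-11-14T10:00:09 10.0.0.7 news.example /index.html 200
2023-11-14T10:00:10 10.0.0.7 static.example /index.html 200
"""


def parse_line(line):
    """Split one log line; status 0 stands for a connection that never answered."""
    ts, client, host, path, status = line.split()
    return datetime.fromisoformat(ts), client, host, path, int(status)


def find_probing_clients(lines, min_hosts=3, window=timedelta(seconds=30)):
    """Map client -> [(path, hosts)] where the client hit the same path on
    at least min_hosts distinct hosts inside one time window."""
    requests = defaultdict(list)          # (client, path) -> [(time, host)]
    for ts, client, host, path, _status in map(parse_line, lines):
        requests[(client, path)].append((ts, host))

    hits = defaultdict(list)
    for (client, path), reqs in requests.items():
        reqs.sort()
        best, start = set(), 0
        for end in range(len(reqs)):             # sliding window over time order
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            hosts = {h for _, h in reqs[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            hits[client].append((path, sorted(best)))
    return dict(hits)


def live_hosts(lines, client, path):
    """Hosts that answered the probe with HTTP 200, i.e. the ones a stealer
    performing this check would keep as active C2 servers."""
    return sorted({
        host for _ts, c, host, p, status in map(parse_line, lines)
        if c == client and p == path and status == 200
    })


def report(lines):
    """Probing clients together with the hosts that responded."""
    return {
        client: [(path, hosts, live_hosts(lines, client, path)) for path, hosts in paths]
        for client, paths in find_probing_clients(lines).items()
    }


if __name__ == "__main__":
    for client, entries in report(PROXY_LOG.splitlines()).items():
        for path, probed, live in entries:
            print(f"{client} probed {path} on {len(probed)} hosts; live: {live}")
```

Tune min_hosts and window to your environment: CDN-backed sites legitimately fetch the same path from a few hosts, which is why the constructed 10.0.0.7 client with two hosts is not flagged at the default threshold, while the burst of identical probes followed by a JSON fetch from one surviving host is the shape this protocol leaves behind.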

IoCs

IoCs (Source – Cisco)


Tushar Subhra

Tushar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience in cyber security, he covers cyber security news, technology and other news.
