
Warning: Agniane Stealer Targeting Users to Steal Financial Data

Threat actors use stealers to collect sensitive information from unsuspecting users covertly.

These tools are favored for their ability to infiltrate systems, remain undetected, and extract valuable data, which threat actors can exploit for financial gain and several malicious purposes.

Stealers offer a low-risk and high-reward method for threat actors to access valuable assets without a direct fight.

Cybersecurity researchers at Cisco recently discovered and warned of Agniane stealer attacking users to steal financial data.

Agniane Stealer Attacking Users

Agniane Stealer is a crypto-targeting malware that surged in August 2023. Researchers recently uncovered new insights into its URL pattern, file collection methods, and C2 protocol.


The malware was actively marketed on Telegram (@agnianebot) and uses ConfuserEx Protector with a unique C2 method.

In November 2023, researchers' threat hunting revealed passbook.bat.exe, a renamed PowerShell binary linked to Agniane Stealer.

Infections start with ZIP downloads from legitimate websites whose URLs follow this pattern:

http[s]://<domain name>/book_[A-Z0-9]+-\d+.zip

The extracted archive drops passbook.bat, which carries an obfuscated payload, and spawns passbook.bat.exe. This renamed PowerShell binary executes a series of obfuscated commands.
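As an added detection example (not code from the Cisco report or this article), the following Python checks constructed proxy log lines against the lure URL pattern above and flags a renamed PowerShell binary such as passbook.bat.exe by comparing the on-disk name with the PE OriginalFileName as Sysmon records it; the log format, hostnames and event field names are assumptions.

```python
from __future__ import annotations
import re
from typing import Iterable

# Download URL pattern reported for the Agniane ZIP lures:
#   http[s]://<domain name>/book_[A-Z0-9]+-\d+.zip
AGNIANE_ZIP_RE = re.compile(r"^https?://(?P<host>[^/\s]+)/book_[A-Z0-9]+-\d+\.zip$")

# Constructed proxy log lines for the demo: "<client> <method> <url>".
# Lines 1 and 4 match; line 3 does not because the pattern excludes lowercase.
PROXY_LOG = """\
10.0.0.5 GET https://example-books.test/book_A1B2C3-42.zip
10.0.0.5 GET https://example-books.test/static/style.css
10.0.0.7 GET http://other.test/book_x9-1.zip
10.0.0.9 GET https://cdn.test/book_ZZ99-2024.zip?dl=1
"""

# Constructed Sysmon-style process-creation events: on-disk image path plus the
# OriginalFileName from the PE version resource. The field names are an
# assumption about the telemetry format, not something taken from the report.
PROCESS_EVENTS = [
    {"image": r"C:\Users\victim\Downloads\passbook.bat.exe",
     "original_file_name": "PowerShell.EXE"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "original_file_name": "PowerShell.EXE"},
]


def find_agniane_downloads(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (client, url) pairs whose URL matches the reported lure pattern."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        # Strip any query string so "book_X-1.zip?dl=1" is still caught.
        client, url = parts[0], parts[2].split("?", 1)[0]
        if AGNIANE_ZIP_RE.match(url):
            hits.append((client, url))
    return hits


def find_renamed_powershell(events: Iterable[dict]) -> list[str]:
    """Flag processes whose PE identifies as PowerShell under another file name."""
    flagged = []
    for ev in events:
        basename = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["original_file_name"].lower() == "powershell.exe" and basename != "powershell.exe":
            flagged.append(ev["image"])
    return flagged
```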

Execution chain (Source – Cisco)

It then XOR-decodes a payload embedded in the BAT file, decompresses it, and dynamically builds and invokes it by loading it reflectively into memory.

Reversing this payload reveals the threat actors' objectives.

The payload triggers a C# assembly that results in an executable with hash 5640c02b6d125d4e14e19709296b29b8ea34fe416e18b3d227bd79310d54b8df. 

The file was unknown to online sandboxes, and emulating its activity on Cisco Secure Malware Analytics revealed anti-sandbox techniques. 

However, the binary, which is obfuscated with ConfuserEx, limits dynamic analysis.

Content of the passbook.bat file (Source – Cisco)

The sample lacked a ConfuserEx signature but used similar obfuscation. Reversing it revealed another binary in its resources that is loaded reflectively.

This C# sample held the final payload, which was obfuscated directly with ConfuserEx.

passbook.bat.exe executes PowerShell to deobfuscate passbook.bat, then runs tmp385C.tmp (the header file name). This, in turn, reflectively loads the _CASH_78 C# app, which concludes with Agniane Stealer.

Malware execution chain (Source – Cisco)

The Agniane Stealer steals credentials and files via a basic C2 protocol. It checks domain availability by requesting a specific URL and adds active C2 domains to a list. Then, it gathers file extensions from a C2 URL pattern.

Afterward, it requests a remote JSON file for error details and proceeds based on the response.

The stealer employed many obfuscation and anti-detection methods to collect and exfiltrate files, credentials, passwords, credit cards, and wallets.

Moreover, its evasion tactics and broad data targeting could lure more threat actors to exploit its capabilities in the future.

IoCs

IoCs (Source – Cisco)


Tushar Subhra Dutta

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
