Cheana Stealer Attacking Windows & macOS VPN Users to Deploy Malware Payloads

Threat actors exploit phishing websites to distribute malware, often posing as well-known product brands on several platforms in order to increase their authenticity.

Cyble Research and Intelligence Lab recently found a rather sophisticated phishing campaign that mimicked “WarpVPN” and distributed custom-tailored malware for Windows, Linux, and macOS.

It is an illusory website designed to provide users with instructions on installing particular programs on a given platform.

Once installed, the stealer extracts valuable data, such as browser extensions related to cryptocurrencies, independent crypto wallets, saved browser password details, logins, cookies, SSH keys, macOS passwords, and Keychain information.

Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

Researchers dubbed this stealer “Cheana,” which is found to be attacking Windows and macOS VPN users.

This multi-platform approach in conjunction with brand impersonation combined with detailed instructions increases user trust in known security programs consequently making it easier for threat actors to infiltrate.

Cheana Stealer Attacking VPN Users

The Cheana Stealer campaign, linked to the C&C server “ganache.live”, exploits a Telegram channel (54,000+ subscribers) to distribute malware via a phishing site impersonating a VPN service. 

It targets Windows, Linux, and macOS using platform-specific scripts like “install.bat”, “install-linux.sh”, “install.sh”. 

On Windows, PowerShell commands download “install.bat”, which checks for Python, installs dependencies, and runs the malicious “hclockify-win” package. 

This stealer targets cryptocurrency wallets (MetaMask, Trust Wallet, Bitcoin, Monero), browser extensions, and stored passwords. 

It uses “CryptUnprotectData()” to decrypt Chrome-based browsers’ “Login Data” and leverages nss3.dll for Firefox credentials. 

Linux and macOS variants perform similar functions, with added SSH key theft. On macOS, it mimics system prompts to capture user credentials, validating them with “dscl . -authonly”. 

Data exfiltration occurs via HTTPS POST requests to “hxxps://ganache.live/api/v1/attachment”, with stolen information compressed into categorized ZIP archives. 

The attackers, possibly non-Russian based on language analysis, manage exfiltrated data through a Django Rest Framework interface. 

The campaign employs obfuscation techniques, including installing legitimate Cloudflare Warp application as a lure, and targets multiple browsers, including Chrome, Firefox, Brave, and Edge.

The operation is believed to have changed hands in 2021 and it employs a strategy that builds user trust before going to destructive activities.

This multi-platform attack targets Windows, Linux, and macOS systems through customized malicious scripts, which show an inclusive approach to malware distribution.

The campaign becomes effective for each operating system as unique payloads are developed, consequently ensuring successful execution across diverse environments.

This means that attackers can compromise a variety of systems, which helps them collect sensitive information from many users and expand the operation’s reach and impact.

Recommendations

Here below we have mentioned all the recommendations:-

• Make sure to download software only from trusted sources.
• Educate users on phishing risks.
• Always verify VPN authenticity.
• Use robust endpoint protection.
• Monitor and block C&C server communications with security tools.
• Enable MFA on all accounts.
• Maintain and test an incident response plan regularly.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial