Sunday, January 26, 2025

WhiteSnake Stealer Checks for Mutex & VM Function Before Execution


A new variant of the WhiteSnake Stealer has emerged: a formidable piece of malware that has been updated to be more elusive and more efficient in its malicious endeavors.

One of the key features of the updated WhiteSnake Stealer is its use of mutexes (mutual exclusions).

Mutexes are a common programming mechanism for preventing the same program from being launched more than once; duplicate instances can cause system instability or make the malware easier to detect.

Performing mutex check

Upon execution, the stealer checks for a specific mutex value predefined in its configuration file.

If this mutex is already present on the system, indicating that an instance of the stealer is running, the newly executed stealer will terminate itself.

This ensures that only one instance of the malware operates at a time, reducing the risk of detection and system resource exhaustion.

Anti-VM Detection to Evade Analysis

Another layer of stealth is the AntiVM feature.


Security researchers often use virtual machines (VMs) to analyze malware behavior in a controlled environment.

To combat this, WhiteSnake Stealer can be configured to detect the presence of VMs and terminate itself if one is found.

Performing AntiVM check

The stealer uses a WMI query to retrieve the computer system’s “Model” and “Manufacturer” properties.

It then searches for strings that are typically associated with virtual environments, such as “VMware,” “virtual,” and “qemu.”

If any of these strings are detected, the stealer will exit, thwarting any attempt to analyze or reverse-engineer its code.
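As an added example (not code from the article or from the malware itself), the following Python self-check lets an analyst see whether the Model and Manufacturer strings a sandbox exposes would trip the check described above; the indicator strings are the ones the article names, while the wmic invocation and the sample WMI outputs are my assumptions, not from the article.

```python
# Sandbox self-check for the WMI anti-VM test above (added example; samples are constructed).
import platform
import subprocess

# Strings the stealer is reported to look for in Model and Manufacturer.
VM_INDICATORS = ("vmware", "virtual", "qemu")

def parse_wmi_list(text):
    """Parse 'Key=Value' lines (wmic's /format:list layout) into a dict."""
    props = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            props[key.strip().lower()] = value.strip()
    return props

def vm_indicators_hit(props):
    """Return (property, indicator) pairs the stealer's check would match.

    An empty list means the host passes: the malware would keep running
    rather than exit, so this VM is not fingerprinted by the check.
    """
    hits = []
    for prop in ("manufacturer", "model"):
        value = props.get(prop, "").lower()
        hits.extend((prop, n) for n in VM_INDICATORS if n in value)
    return hits

def check_live_host():
    """On Windows, query the real values via wmic.exe (assumed to be on PATH)."""
    if platform.system() != "Windows":
        return None
    cmd = ["wmic", "computersystem", "get", "manufacturer,model", "/format:list"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return vm_indicators_hit(parse_wmi_list(out))

# Constructed sample outputs, not captured from real hosts.
SAMPLES = {
    "vmware-guest": "Manufacturer=VMware, Inc.\nModel=VMware Virtual Platform\n",
    "hyperv-guest": "Manufacturer=Microsoft Corporation\nModel=Virtual Machine\n",
    "kvm-guest": "Manufacturer=QEMU\nModel=Standard PC (Q35 + ICH9, 2009)\n",
    "hardened-vm": "Manufacturer=Dell Inc.\nModel=OptiPlex 7090\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, vm_indicators_hit(parse_wmi_list(text)) or "passes check")
```

A sandbox that reports an empty hit list would let this sample proceed to its data-theft stage, which is what an analyst wants when detonating it.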

According to the latest findings by SonicWall Capture Labs' threat research team, this new WhiteSnake Stealer variant uses less obfuscation than earlier builds while posing an increased threat.

Advanced Data Exfiltration Capabilities

Following the Anti-VM check, the malware proceeds to its primary function: data theft.

The Create() function is called, leading to the ProcessCommands() function, designed to siphon sensitive data from various sources.

The WhiteSnake Stealer targets a wide range of web browsers, including mainstream options like Google Chrome, Mozilla Firefox, and Microsoft Edge, as well as less common ones like Vivaldi and CocCoc Browser.

It extracts cookies, autofill information, login credentials, browsing history, and more.

In addition to web browser data, the stealer is programmed to target cryptocurrency wallets to capture the lucrative financial information associated with these assets.

The table below shows the targeted cryptocurrency wallets and browser extensions.

Cryptocurrency Wallets

Wallet name     Targeted directory
Ledger          %AppData%\ledger live
Atomic          %AppData%\atomic\Local Storage\leveldb
Wasabi          %AppData%\WalletWasabi\Client\Wallets
Binance         %AppData%\Binance
Guarda          %AppData%\Guarda\Local Storage\leveldb
Coinomi         %LocalAppData%\Coinomi\Coinomi\wallets
Bitcoin         %AppData%\Bitcoin\wallets
Electrum        %AppData%\Electrum\wallets
Electrum-LTC    %AppData%\Electrum-LTC\wallets
Zcash           %AppData%\Zcash
Exodus          %AppData%\Exodus
JaxxLiberty     %AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
JaxxClassic     %AppData%\Jaxx\Local Storage\leveldb
Monero          %UserProfile%\Documents\Monero\wallets

Targeted Cryptocurrency Wallets

Beyond its sophisticated evasion techniques, WhiteSnake Stealer boasts a range of functionalities designed to harvest sensitive data from infected systems.

While keylogging is disabled by default, attackers can activate this feature remotely and capture every keystroke of the victim.

Moreover, the malware can hijack the victim’s microphone and webcam, turning personal devices into surveillance tools.

Part of the code responsible for keylogging

The new variant of WhiteSnake Stealer demonstrates the continuous innovation by cybercriminals to bypass security measures and remain undetected.

The combination of mutexes and anti-VM techniques with its comprehensive data theft capabilities makes it a significant threat to users and organizations.

As the cyber threat landscape evolves, it is crucial for cybersecurity professionals and end-users to stay informed about the latest malware trends and to implement robust security measures to protect sensitive information.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
