New Heracles Stealer in the Wild


Overview

This week, the SonicWall Capture Labs threat research team analyzed a new sample of an infostealer dubbed ‘Heracles’, which carries multiple evasion and persistence techniques. The malware searches the host for system credentials, installed programs and cryptocurrency wallets.

Technical Analysis

The sample is named “Обязанности старшего техника на самолете ТУ-160_вч_85927_Д_Каплунов.exe”, which translates to “Responsibilities of a senior technician on a TU-160 aircraft_vch_85927_D_Kaplunov.exe”, a military-themed lure. It is a .NET executable.

Figure 1: Sample Detection

When the file's resources are opened in dnSpy, the records are completely obfuscated.

Figure 2: Obfuscated (left) and deobfuscated data (right)

Once deobfuscated, the file exposes hundreds of classes and attributes. A secondary check against the deobfuscated sample finds two embedded files: ‘DotNetZip.dll’ and a second .NET DLL (“zx_8d21b2346df842017090f44c62fec926.dll”). The former is a legitimate library, used here to handle zip archives in memory; the latter is the secondary payload.
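As an added illustration (not code from the SonicWall write-up or from the sample), the carving step an analyst would run against the deobfuscated file to pull out embedded PE images such as the two DLLs above: the script scans a byte blob for `MZ`/`PE` headers, sizes each image from its section table and flags managed (.NET) images by checking the CLR data directory. The container it carves is constructed inline from minimal synthetic PE32 headers so that it runs offline; the image names and offsets are assumptions for the demo, not values from the real dropper.

```python
import struct


def _pe_size(blob: bytes, off: int):
    """Size on disk of the PE image starting at blob[off], or None if the
    headers there are not a plausible PE (bad signature, truncated, etc.)."""
    if blob[off:off + 2] != b"MZ" or off + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew > 0x1000 or pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", blob, pe + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]
    if not 0 < num_sections <= 96:
        return None
    sec_table = pe + 24 + opt_size
    end = sec_table + num_sections * 40 - off          # at least the headers
    for i in range(num_sections):
        sh = sec_table + i * 40
        if sh + 40 > len(blob):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sh + 16)
        end = max(end, raw_ptr + raw_size)             # offsets are relative to the image start
    return end if off + end <= len(blob) else None     # reject truncated images


def _is_dotnet(blob: bytes, off: int) -> bool:
    """True when data directory 14 (the CLR runtime header) is populated."""
    pe = off + struct.unpack_from("<I", blob, off + 0x3C)[0]
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]
    magic = struct.unpack_from("<H", blob, pe + 24)[0]
    dir_base = 96 if magic == 0x10B else 112           # PE32 vs PE32+
    if dir_base + 15 * 8 > opt_size:
        return False
    rva, size = struct.unpack_from("<II", blob, pe + 24 + dir_base + 14 * 8)
    return rva != 0 and size != 0


def carve_embedded_pes(blob: bytes):
    """Return every plausible PE image in blob as {offset, size, dotnet, data}.
    The scan advances only two bytes past each hit, so images nested inside
    an outer container are found as well as the container itself."""
    found, pos = [], blob.find(b"MZ")
    while pos != -1:
        size = _pe_size(blob, pos)
        if size:
            found.append({"offset": pos, "size": size,
                          "dotnet": _is_dotnet(blob, pos),
                          "data": blob[pos:pos + size]})
        pos = blob.find(b"MZ", pos + 2)
    return found


def build_minimal_pe(dotnet: bool, marker: bytes) -> bytes:
    """Constructed demo input: a minimal, non-runnable PE32 with one section
    whose raw data starts with `marker`. Not derived from any real sample."""
    opt_size, e_lfanew, raw_ptr = 224, 0x80, 0x200
    raw = marker.ljust(0x200, b"\0")
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 72)   # CLR header directory
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x2102)
    sec = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(raw), 0x1000, len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
    img = bytearray(raw_ptr)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + len(coff) + opt_size + len(sec)] = coff + bytes(opt) + sec
    return bytes(img) + raw


def build_demo_container() -> bytes:
    """Constructed stand-in for the deobfuscated dropper: a native outer image,
    some padding, then a managed inner image (names are assumptions)."""
    return (build_minimal_pe(False, b"outer-dropper") + b"\0" * 16 + b"DotNetZip"
            + build_minimal_pe(True, b"zx_payload.dll"))


if __name__ == "__main__":
    for hit in carve_embedded_pes(build_demo_container()):
        print(f"offset={hit['offset']:#x} size={hit['size']} dotnet={hit['dotnet']}")
```

On a real file, run `carve_embedded_pes(open(path, "rb").read())` and write each `data` field out for separate analysis; the first hit is normally the container itself. The size check deliberately refuses images whose section table points past the end of the blob, which is what a resource still wrapped by Eazfuscator encryption looks like, so an empty result on the original file and hits on the deobfuscated one is the expected outcome.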

Figure 3: Payload detection

The payload carries the name “PDF_Reader” in its resource section. It also lists a number of domains related to cryptocurrency and dark web sites, including a .onion address.

Figure 4: Domains listed in the payload, which also mentions ‘Eazfuscator’, an obfuscation tool

At runtime, the main file fingerprints the host's hardware over WMI using the following queries:

  • CreateInstanceEnum – root\cimv2 : Win32_Processor
  • ExecQuery – root\cimv2 : SELECT ProcessorId FROM Win32_Processor
  • ExecQuery – root\cimv2 : SELECT * FROM Win32_VideoController
  • ExecQuery – root\cimv2 : SELECT Capacity FROM Win32_PhysicalMemory
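What an anti-analysis check can extract from those four result sets, as an added example rather than the sample's own logic: the function below takes the processor name and ProcessorId, the video controller names and the per-module memory capacities that the queries above return, and reports the usual virtualization tells (hypervisor vendor strings in CPU or GPU names, an empty ProcessorId, less than 4 GiB of RAM). The marker list and the threshold are assumptions, and the three host profiles are constructed, not collected from any machine, so the script runs offline; on a live Windows host the same values come from the listed WMI queries.

```python
VM_MARKERS = ("vmware", "qemu", "virtualbox", "vbox", "hyper-v", "virtual",
              "kvm", "bochs", "red hat qxl")


def assess_host(processor, processor_id, video_controllers, memory_capacities):
    """Return the VM indicators derivable from the four WMI result sets.
    Heuristics are the common ones and are an assumption, not the sample's."""
    indicators = []
    if any(m in processor.lower() for m in VM_MARKERS):
        indicators.append(f"Win32_Processor.Name looks virtual: {processor}")
    if not processor_id.strip():
        indicators.append("Win32_Processor.ProcessorId is empty")
    for name in video_controllers:
        if any(m in name.lower() for m in VM_MARKERS):
            indicators.append(f"Win32_VideoController.Name looks virtual: {name}")
    total = sum(memory_capacities)                      # Win32_PhysicalMemory.Capacity per module
    if total < 4 * 1024 ** 3:
        indicators.append(f"Win32_PhysicalMemory total {total // 1024 ** 2} MiB below 4 GiB")
    return indicators


# Constructed WMI result sets (not taken from any real system or sample).
BARE_METAL = dict(processor="Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
                  processor_id="BFEBFBFF000906EA",
                  video_controllers=["NVIDIA GeForce GTX 1060"],
                  memory_capacities=[8 * 1024 ** 3, 8 * 1024 ** 3])
VMWARE_GUEST = dict(processor="Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
                    processor_id="BFEBFBFF000906EA",
                    video_controllers=["VMware SVGA 3D"],
                    memory_capacities=[2 * 1024 ** 3])
QEMU_GUEST = dict(processor="QEMU Virtual CPU version 2.5+",
                  processor_id="",
                  video_controllers=["Red Hat QXL controller"],
                  memory_capacities=[4 * 1024 ** 3])

if __name__ == "__main__":
    for label, host in (("bare metal", BARE_METAL), ("vmware", VMWARE_GUEST), ("qemu", QEMU_GUEST)):
        print(label, assess_host(**host))
```

The practical reading for a sandbox operator is the inverse of the function: a detonation VM that passes this check needs a spoofed GPU name, a non-empty ProcessorId and at least 4 GiB of RAM, since the CPU name is the one field that a cloud hypervisor usually leaves looking like real hardware.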

It also checks specifically for VMware and QEMU virtual environments, as well as for running analysis processes and debuggers, to ensure it is executing on a viable victim system. SetErrorMode is called to suppress Windows error dialogs, so crashes and failures do not alert the user. Files are dropped into the following locations for persistence and staging:

  • ~AppData\Roaming\\\Files\Local Settings\Temp
  • ~AppData\Roaming\\Files\Start Menu\Programs
  • ~AppData\Roaming\\Files\Start Menu\Programs\Windows Powershell
  • ~AppData\Roaming…\Files\Start Menu\Programs\System Tools\
  • ~AppData\Roaming…\Files\Start Menu\Programs\Startup
  • ~AppData\Roaming…\Files\Start Menu\Programs\Startup\Administrative Tools\
  • ~AppData\Roaming…\Files\Start Menu\Programs\Startup\Maintenance\
  • ~AppData\Roaming…\Files\Start Menu\Programs\Startup\Accessories\
  • ~AppData\Roaming…\Files\Start Menu\Programs\Startup\Accessibility\

The main sample creates copies of itself in the ‘Temp’ location as ‘.tmp’ files; in testing these appeared as ‘wct3D66.tmp’ or similar. In all other locations, ‘.ini’ or ‘.lnk’ files are created that point back to one or more of those copies. Because several of those locations sit under the Start Menu ‘Startup’ folder, a shortcut there relaunches the copy at every logon. Enumeration then begins with the main directory, looking for Microsoft Office profiles, cryptocurrency wallets and clipboard data. The main wallets targeted are Electrum, Ethereum, Exodus, Bytecoin and Zcash.
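A hunt for exactly this staging pattern, as an added example that is not part of the original write-up: the script walks a user profile, flags `.tmp` files inside any ‘Temp’ directory that actually begin with a PE ‘MZ’ header (the dropped copies), then flags `.lnk` and `.ini` files under a ‘Start Menu\Programs’ tree that reference one of those copies by name, matching the name as ASCII or UTF-16LE so that a shortcut's binary target string is caught without a full LNK parser. The profile tree it scans is constructed in a scratch directory; the elided path component from the drop list is spelled ‘Files’ there and the file names are assumptions.

```python
import tempfile
from pathlib import Path


def find_staged_copies(profile_root):
    """Executables hiding as .tmp files inside any directory named 'Temp';
    PE files start with 'MZ', scratch files from real applications do not."""
    copies = []
    for path in Path(profile_root).rglob("*.tmp"):
        if path.parent.name.lower() != "temp" or not path.is_file():
            continue
        with path.open("rb") as fh:
            if fh.read(2) == b"MZ":
                copies.append(path)
    return sorted(copies)


def _mentions(data: bytes, name: str) -> bool:
    """Case-insensitive search for `name` as ASCII or as UTF-16LE at either
    byte alignment, which covers .ini values and .lnk target strings."""
    needle = name.lower()
    if needle in data.decode("latin-1").lower():
        return True
    return any(needle in data[i:].decode("utf-16-le", errors="ignore").lower()
               for i in (0, 1))


def find_pointers(profile_root, copies):
    """.lnk/.ini files under a 'Start Menu\\Programs' tree (Startup included,
    which runs at logon) that reference one of the staged copies by name."""
    names = [c.name for c in copies]
    pointers = []
    for path in Path(profile_root).rglob("*"):
        if path.suffix.lower() not in (".lnk", ".ini") or not path.is_file():
            continue
        parts = [p.lower() for p in path.parts]
        if "start menu" not in parts or "programs" not in parts:
            continue
        data = path.read_bytes()
        for name in names:
            if _mentions(data, name):
                pointers.append((path, name))
                break
    return sorted(pointers)


def hunt(profile_root):
    copies = find_staged_copies(profile_root)
    return {"copies": copies, "pointers": find_pointers(profile_root, copies)}


def build_demo_profile(base) -> Path:
    """Constructed profile tree mirroring the drop locations above. Contents
    are synthetic: a fake PE copy, a real-looking scratch .tmp, one .lnk and
    one .ini that point at the copy, and a benign desktop.ini."""
    roaming = Path(base, "AppData", "Roaming", "Files")
    temp = roaming / "Local Settings" / "Temp"
    programs = roaming / "Start Menu" / "Programs"
    target = r"C:\Users\victim\AppData\Roaming\Files\Local Settings\Temp\WCT3D66.TMP"
    files = {
        temp / "wct3D66.tmp": b"MZ" + b"\0" * 62,
        temp / "wct1234.tmp": b"plain scratch data",
        programs / "Startup" / "Maintenance" / "update.lnk":
            b"L\0\0\0" + target.encode("utf-16-le"),
        programs / "System Tools" / "tools.ini":
            b"[Run]\r\nTarget=..\\..\\Local Settings\\Temp\\wct3D66.tmp\r\n",
        programs / "Windows Powershell" / "desktop.ini":
            b"[.ShellClassInfo]\r\nLocalizedResourceName=@%SystemRoot%\\system32\\shell32.dll,-21787\r\n",
    }
    for path, data in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return Path(base)


def run_demo():
    """Build the constructed tree in a scratch directory, hunt it, and return
    only file names so the result does not depend on the scratch location."""
    root = build_demo_profile(tempfile.mkdtemp(prefix="heracles-demo-"))
    result = hunt(root)
    return {"copies": [c.name for c in result["copies"]],
            "pointers": [(p.name, n) for p, n in result["pointers"]]}


if __name__ == "__main__":
    print(run_demo())
```

Against a real profile, call `hunt(r"C:\Users\<name>")` and treat any hit as a candidate for full triage (hash the `.tmp`, resolve the shortcut target); the name-based matching is deliberately loose so that a renamed copy still surfaces as long as some shortcut or `.ini` refers to it.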

Figure 5: Wallet strings found during runtime

Data is staged in the same ‘Temp’ directory and is compressed via DotNetZip. While no network connections were observed during analysis, the following IP addresses were found in memory:

  • 208.95.112.1 (ip-api.com, geolocation lookup)
  • 149.154.167.220 (api.telegram.org)
  • 104.237.62.212 (api.ipify.org, public IP lookup)
  • 64.185.227.156 (api.ipify.org)
  • 173.231.16.77 (api.ipify.org)

The Telegram IP is used for communications: a Telegram channel associated with this sample (‘https://t{.}me/rusvolcorp’) was confirmed in other tests. Rusvolcorp is a Russian group fighting on behalf of Ukraine, but whether the sample's link to that group is genuine or a decoy is unknown.

Protection

To ensure SonicWall customers are prepared for any exposure that may occur due to this malware, the following signatures have been released:

  • MalAgent.Heracles.A
  • MalAgent.Heracles.Payload

IOCs

  • 53d5c2574c7f70b7aa69243916acf6e43fe4258fbd015660032784e150b3b4fa (Обязанности старшего техника на самолете ТУ-160_вч_85927_Д_Каплунов.exe)

  • BAD79DB7BE7C9C4BFBA84BFE7B3254E215650A5532098DC7C4A787695D52A983 (PDF_Reader.dll)

Domains

  • xss.is
  • coinbase.com
  • antiscan.me
  • dyncheck.com
  • avcheck.net
  • dark2web.cc
  • blockchain.com
  • freewallet.org
  • btc.com
  • bhf.io
  • direct.yandex.ru
  • payeer.com
  • exploit.in
  • exploitinqx4sjro.onion
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.