Cyber shadow rust flies
11/6/2022
As a member of the Malware-as-a-Service (MaaS) world, Krypton Stealer is sold on foreign forums for the modest price of $100 (payable in cryptocurrencies only). Krypton is a small binary and an efficient credential stealer, working on Windows 7 to 10 without any permission requirements – regular user rights are enough. It first appeared in April 2019 on a famous website, posted by a mysterious user under the nickname Maltego. In this message (Figure 1), Maltego is selling a package including installation instructions, software usage instructions, access to the bot to get the latest builds generated and a unique URL. It seems that all the infrastructure is managed by Maltego, which means that he has access to all the data collected on behalf of all the customers. Even if he declares that all the passwords are kept encrypted on the server, we will see that it is not true.

Krypton Stealer May be Kryptonite for Antivirus?

CyberArk's threat hunting effort caught a sample with very low positives on VirusTotal. Krypton Stealer's binary is very light and, as a consequence, can be easily integrated into a bigger project. If you add obfuscation – which is not present in the current binary – it could achieve a perfect score on VirusTotal and really fly under the radar.

VirusTotal detection page.

As an example, we found the compressed version of it on VT too and the result (Figure 3) is not surprising: the score is lower! We want to test a theory: could the low score be the result of the stealer not actually being dangerous? Let's see if this theory could be correct. The compressed version has a lower score and a smaller size. Krypton Stealer may be a small-sized malware, but it targets quite a lot of software used worldwide.

The first basic thing we did was to check the strings. As we said above, there is no string obfuscation. The strings are hints to detect credential theft malware. In Figure 4, we see a list of paths to different browser LoginData files. In brief, we can see that the malware is targeting Chromium-based browsers, which are all using the same credential storage mechanism.

Krypton Stealer's behavior starts with initialization. It will check that all the requirements are respected before running the malicious payload. Checking the requirements means, first, checking the Windows version. Afterward, it sends a specific packet to a specific address to check if the C&C server is alive or not (Figure 5). Krypton Stealer creates a folder in a path that always exists – the Public user's folder (Figure 6) – and stores all the collected data there moment-by-moment. By the way, it is also collecting information about the computer's hardware (number of disks, list of users, remaining space, etc.) and the whole list of installed software by checking the Uninstall registry keys, as Pony does. Once all of this is completed, it starts the credential harvesting process. The exhaustive list of targeted applications can be found at the end of this article. One of them is Mozilla Thunderbird – a famous email client that has the same credential mechanism as Firefox. Let's see the whole process step-by-step up until the actual theft of the credentials. It first looks for the default installation folder path in order to find out if Firefox or Thunderbird is installed. Does this folder exist? Let's load the DLLs! Krypton Stealer loads two specific DLLs (Figure 7) and all the required functions to decrypt the credentials exactly as Firefox does (Figure 8). Once all those decryption functions were successfully loaded, it looks for and opens the login.json file, which contains all the information related to the users.
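A defender-side check for the behaviour described above: a process other than the owning browser or mail client reading the Chromium "Login Data" files or the Mozilla login file, while also staging output under the Public user's folder. This is an added example, not CyberArk's code or anything taken from the stealer; the event record format, the owner allow-list and the sample process name are assumptions.

```python
"""Flag processes that read browser/mail-client credential stores they do not own (added example)."""
from collections import defaultdict
from dataclasses import dataclass
import ntpath

# Stores named in the analysis: Chromium "Login Data" files and the Firefox/Thunderbird login file
# (the write-up calls it login.json; Firefox writes logins.json, so both names are matched).
STORE_FAMILY = {"login data": "chromium", "login.json": "mozilla", "logins.json": "mozilla"}
# Processes expected to open each family (assumed allow-list, tune per fleet).
OWNERS = {"chromium": {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"},
          "mozilla": {"firefox.exe", "thunderbird.exe"}}
PUBLIC_DIR = "c:\\users\\public\\"  # staging folder the stealer uses, per the write-up


@dataclass(frozen=True)
class FileEvent:
    image: str   # full path of the acting process
    op: str      # "read" or "write"
    target: str  # full path of the file touched


def store_family(path):
    """'chromium', 'mozilla' or None, decided from the file name alone (profile paths vary)."""
    return STORE_FAMILY.get(ntpath.basename(path).lower())


def triage(events):
    """Return {image: {"families": [...], "public_writes": n}} for processes reading foreign stores."""
    per_proc = defaultdict(lambda: {"families": set(), "public_writes": 0})
    for ev in events:
        rec = per_proc[ev.image]
        fam = store_family(ev.target)
        if ev.op == "read" and fam and ntpath.basename(ev.image).lower() not in OWNERS[fam]:
            rec["families"].add(fam)
        elif ev.op == "write" and ev.target.lower().startswith(PUBLIC_DIR):
            rec["public_writes"] += 1
    return {img: {"families": sorted(r["families"]), "public_writes": r["public_writes"]}
            for img, r in per_proc.items() if r["families"]}


# Constructed sample telemetry (not real logs): one benign browser read, plus a stealer-like
# process that reads two store families and stages its output under the Public folder.
STEALER = r"C:\Users\alice\AppData\Local\Temp\svc_update.exe"  # constructed process name
SAMPLE_EVENTS = [
    FileEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "read",
              r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileEvent(STEALER, "read", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    FileEvent(STEALER, "read", r"C:\Users\alice\AppData\Roaming\Thunderbird\Profiles\y2.default\logins.json"),
    FileEvent(STEALER, "write", r"C:\Users\Public\a1b2c3\system.txt"),
]
```

A single foreign read is already worth a look; a process touching both store families and writing under Public matches the breadth the write-up describes and deserves a higher score.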