# Infostealer Distributed Using Bundled Installer **[blog.cyble.com/2022/10/20/infostealer-distributed-using-bundled-installer/](https://blog.cyble.com/2022/10/20/infostealer-distributed-using-bundled-installer/)** ## New Temp Stealer Spreading Via Free & Cracked Software October 20, 2022 While monitoring the Dark web for emerging threats, our researcher at Cyble Research and Intelligence Labs (CRIL) found a post where Threat Actors (TAs) advertising a project named “Temp” and selling a loader and stealer. The TA named them Temp Loader and Temp Stealer, respectively. The Temp Loader is developed for deploying additional malicious files into the victim system. The Temp Stealer is information stealer malware that can exfiltrate crypto wallets, system information, browser data, and other important system & software information and then send it to the attacker’s remote server. After searching for the impact of the loader and information stealer on the surface web, we identified multiple active instances of the Temp Stealer in the wild. The stealer is disguised as cracks, keygens and can also be bundled with other software. The malware developer posted about the capabilities of the stealer and loader in the Dark Web. The figure below shows the post for Temp Loader. ----- Figure 1 – Temp Loader post on the Dark Web Forum English translation of the Temp Loader post is as follows: _Description:_ _Native stub without dependencies written in C++_ _Runs even on a clean computer!_ _Built-in Anti-VM_ _Ability to add Fake Error (and its customization)_ _Ability to use RunPE_ _You can add any number of links_ _Price_ _15$ (900 rub) – 1 Month_ ----- _49$ (3000 rub) Lifetime_ Malware developers also posted about Temp Stealer and its capabilities. The figure below shows the post for Temp Stealer. Figure 2 – Temp Stealer post on the Dark Web Forum The English translation of the post by malware authors is mentioned below: _Description:_ _Collection of more than 40 types of crypto wallets._ ----- _Recursive search for browsers (even finds custom browsers or browsers with a changed folder name)._ _Collecting information about the PC (IP, Country, City, Zipcode, Timezone, Ram, Processor, GPU,_ _Screenshot)._ _The stub is written in C++ (native)._ _Log collection in memory._ _Quick build through the bot._ _Collection of Telegram, Steam, and FTP sessions._ _Collection of Cookies, Autofills, and Passes._ _Multifunctional Telegram bot._ _Price:_ _7 days – 5$_ _30 days – 15$_ _(lolz +7%, qiwi, crypto)_ According to the malware, developers post that the stealer can collect more than forty crypto wallets, search for custom browsers to steal data, steal system information, and track the victim’s geolocation. Additionally, the stealer collects information related to Telegram, Steam, FTP Session, Cookies, Autofill, Passwords, and works as a Telegram bot. ## Initial Infection and Persistence: As per our analysis, the stealer is masquerading using the following names, indicating that this stealer targets users who are interested in downloading free and cracked software. azclean3_setup.exe CheatLoader.exe Shadow Fiend Game.exe RainbowCrackV4.8.exe spoofer.exe It’s also observed that the stealer is bundled with other software installers. One example shows that Temp Stealer targets Adobe Photoshop users by bundling the malicious stealer into the Topaz Clean stylization tool installer, which installs a plugin for Adobe Photoshop Software. The TAs usually upload this Malicious bundled software to a site that provides services to users for downloading various free and Cracked software. The user interested in this software will be redirected to these websites using Google SEO and download the file. The initial infection initiates when user clicks on the installer that has Temp Stealer bundled to it. The below Figure shows the Topaz Clean installer installation wizard. ----- Figure 3 – Installation Wizard of Topaz Clean The installer drops Temp Stealer in the %temp% location, as shown in the below figure. Figure 4 – Installer Drops Temp Stealer in the Users Machine After dropping the stealer, the installer then creates an autorun registry entry for Temp Stealer; the figure below shows the registry entry created by the installer for stealer persistence. Figure 5 – Autorun Registry Entry for Temp Stealer ----- ## Technical Details of Temp Stealer The Malicious Topaz Clean installer file dropped Temp Stealer with file hash: “SHA256:d5889aac10527ddc7d4b03407a8933a84a1ea0550f61d442493d4f3237203e3c”. The file is a 64-bit GUI executable compiled using Microsoft Visual C/C++. The figure below shows the static file details. The TimeDateStamp indicates that the malware was compiled recently. Figure 6 – Temp Stealer File Details After execution, the malware tries to connect to an embedded IP 79[.]137[.]199[.]73. After connecting to the mentioned IP, the stealer then checks for the wallets in the system to steal the file related to the corresponding wallets. The Stealer targets the following crypto wallets in the Victims machine. Exodus Web Wallet BitAppWallet BinanceChain BraveWallet EqualWallet iWallet MathWallet NiftyWallet Wombat Coin98Wallet Phantom XDCPay BitApp GuildWallet ICONex Oxygen YoroiWallet GuardaWallet JaxxLiberty AtomicWallet SaturnWallet RoninWallet TerraStation HarmonyWallet TonCrystal KardiaChain PaliWallet LiqualityWallet XdefiWallet NamiWallet MaiarDeFiWallet Authenticator TempleWallet ----- Also, the stealer steals data from the following crypto wallets, which are hard coded in the stealer binary. Exodus Aholpfdialjgjfhomihkjbmgjidlcdno BitApp Wallet Fihkakfobkmkjojpchpfgcmhfjnmnfpi BinanceChain Fhbohimaelbohpjbbldcngcnapndodjp Brave wallet Odbfpeeihdkbihmopkbjmoonfanlbfcl Coinbase Wallet Hnfanknocfeofbddgcijnmhnfnkdnaad EQUAL Wallet blnieiiffboillknjnepogjhkgnoapac iWallet kncchdigobghenbbaddojjnnaogfppfj Math Wallet afbcbjpbpfadlkmhmclhkeeodmamcflc MetaMask Nkbihfbeogaeaoehlefnkodbefgpgknn Nifty Wallet Jbdaocneiiinmjbjlgalhcelgbejmnid TronLink Ibnejdfjmmkpcnlpebklmnkoeoihofec Wombat amkmjjmmflddogmhpjloimipbofnfjih Coin98 aeachknmefphepccionboohckonoeemg Phantom bfnaelmomeimhlpmgjnjophhpkkoljpa MOBOX Wallet fcckkdbjnoikooededlapcalpionmalo XDCPay bocpokimicclpaiekenaeelehdjllofo GuildWallet nanjmdknhkinifnkgdcggcfnhdaammmj ICONex flpiciilemghbmfalicajoolhkkenfel Copay cnidaodnidkbaplmghlelgikaiejfhja Oxygen fhilaheimglignddkjgofkcbgekhenbh Yori ffnbelfdoeiohenkjibnmadjiehjhajb Guarda hpglfhgfnhbgpjdenjgmdgoeiappafln Jaxx Liberty cjelfplplebdjjenllpjcblmjkfcffne MEW CX nlbmnnijcnlegkjjpcfjclmcfggfefdm Saturn Wallet nkddgncdjgjfcddamfgcmfnlhccnimig Ronin Wallet fnjhmkhhmkbjkkabndcnnogagogbneec Terra Station aiifbnbfobpmeekipheeijimdpnlpgpp Harmony ONE fnnegphlobjdpkhecapkijjdkgcjhkib EVER Wallet cgeeodpfagjceefieflmdfphplkenlfk KardiaChain Wallet pdadjkfkgcafgbceimcpbkalnfnepbnk ----- Pali Wallet mgffkfbidihjpoaomajlbgchddlicgpn BOLT X aodkkagnadcbobfpggfnjeongemjbjca Liquality Wallet kpfopkelmapcoipemfendmdcghnegimn XDEFI Wallet hmeobnfnfcmdkdcmlblgagmfpfboieaf Nami lpfcbjknijpeeillifnkikgncikgfhdo Maiar DeFi Wallet dngmlblcodfobpdpecaadgfbcggfjfnm Authenticator bhghoamapcdpbohphigoooaddinpkbai The stealer also steals cookies, usernames, passwords, autofills, history from the Chromium and Firefoxbased browsers. The Temp Stealer recursively searches for all installed browsers and steals sensitive information from them. The below image shows the code that steals browser data. Figure 7 – Stealer Routine to get Browser Data The stealer then checks for steam application in the system by checking registry entry _HKLM\\Software\\Classes\\steam\\Shell\\Open\\Command. If the registry entry exists, then the stealer looks_ for Steam Sentry File (SNF) and Config file to steal data which includes player profiles, passwords, etc. The figure below shows the pseudocode of the stealer checking for steam registry key. ----- Figure 8 – Stealer Checking for Steam Application After collecting steam data, the stealer checks for the Telegram application and steals Telegram’s data from the victim’s system. First, the stealer checks If Telegram is installed in the machine by checking the registryHKU\\Software\\Classes\\tdesktop.tg\\shell\\open\\command. If the registry entry is present, then the stealer identifies the installation folder of Telegram and then checks for tdata and working folder, which contains Telegram session data, messages, images, etc. The figure below shows that Stealer is looking for Telegram artifacts. Figure 9 – Stealer Checking Telegram Application in the Victims machine The stealer takes a screenshot of the current Windows and saves it for exfiltration. The Code snippet in the figure below shows the routine to capture the screenshot ----- Figure 10 – Routine to Capture the Screenshot After taking a screenshot, the stealer gets the geolocation details by calling the URL hxxp://ip-api.com/xml/, which response with details in XML format. The stealer then parses the XML and gets the geolocation details of the victim. The figure below shows the routine to get the geolocation details. Figure 11 – Stealer Checking for the Geolocation of Victim The stealer then extracts the IP address, Country, City, Zip code, and Timezone details, as shown in the figure below. ----- Figure 12 – Stealer extracting the Geolocation Details The Stealer also collects details of RAM, Processor, and GPU from the victim’s system, as shown in the figure below. Figure 13 – Stealer Getting System Information from Victim System The stealer steals the _[\\FileZilla\\recentservers.xml file from the victim system, which contains session](http://10.10.0.46/file://FileZilla/recentservers.xml)_ information of the FileZilla FTP client. The figure below shows the routine to get the FileZilla session file. Figure 14 – Stealer Stealing FileZilla Session File Stealer then looks for discord token files and steals them; the figure below shows the location of the discord token files. ----- Figure 15 – Stealer Checking for Discord Token File After getting all the above information, the stealer then sends the data to the attacker’s remote server. The figure below shows the routine to send stolen information to a remote server. Figure 16 – Stealer Sending Stolen Data to Remote Server The Temp stealer identified to be sending the stolen information to IPs 79[.]137[.]199[.]73, 157[.]90[.]126[.]84, which are hosted in Europe. The below figure shows the information of the IPs. ----- Figure 17 – Information of the IPs (Source -ipinfo.io) ## Conclusion Bundling malware in the software tools is quite common among attackers. Now we are observing the rise of the stealers bundled into the software and utility tools to target potential victims globally. The temp stealer not only targets Crypto wallets but also steals data from Discord, Steam, and Telegram applications. The malware authors are continuously creating new stealers as there is a rise in digital transactions and cryptocurrency usage. The increasing use of digital currency incentivizes cyber criminals to steal funds from cryptocurrency users. This stolen data could then be used to commit financial fraud and other attacks. ## Our Recommendations Avoid downloading pirated software from Warez/Torrent websites. The “Hack Tool” present on sites such as YouTube, Torrent sites, etc., contains such malware. Use strong passwords and enforce multi-factor authentication wherever possible. Turn on the automatic software update feature on your computer, mobile, and other connected devices. Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile. Refrain from opening untrusted links and Email attachments without first verifying their authenticity. Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs. Block URLs that could be used to spread the malware, e.g., Torrent/Warez. Monitor the beacon on the network level to block data exfiltration by malware or TAs. Enable Data Loss Prevention (DLP) Solutions on the employees’ systems. ## MITRE ATT&CK® Techniques **Tactic** **Technique** **ID** **Technique Name** ​Credentials from Password Stores Steal Application Access Token Steal Web Session Cookie **​Credential** **Access** [T1555](https://attack.mitre.org/techniques/T1555/) [T1528](https://attack.mitre.org/techniques/T1528/) [T1539](https://attack.mitre.org/techniques/T1539/) ----- **Discovery** [T1087](https://attack.mitre.org/techniques/T1087/) [T1083](https://attack.mitre.org/techniques/T1083/) **Collection** [T1213](https://attack.mitre.org/techniques/T1213/) [T1005](https://attack.mitre.org/techniques/T1005/) [T1113](https://attack.mitre.org/techniques/T1113/) Account Discovery File and Directory Discovery Data from Information Repositories Data from Local System Screen Capture **Command and** **Control** [T1071](https://attack.mitre.org/techniques/T1071/) Application Layer Protocol **Exfiltration** [T1041](https://attack.mitre.org/techniques/T1041/) Exfiltration Over C2 Channel ## Indicators of Compromise **Indicators** **Indicator** **Type** **Description** Temp Stealer Executable Temp Stealer Executable Temp Stealer Executable Temp Stealer Executable Temp Stealer Executable Temp Stealer Executable Temp Stealer Executable Temp Stealer Executable Temp Stealer Executable Temp Stealer Executable **49aefb24f729dbd71cef9cb382692ca6** **f025735b2dfffe4ae43c5154881a3f7fcd9f32ea** **d5889aac10527ddc7d4b03407a8933a84a1ea0550f61d442493d4f3237203e3c** **bc6bb3430654d410bd9e40292bf32d77** **8b54d67c889e9f13f232cd9b4d72253f9e5af99a** **38b387b09dee7eefddcf164239be0bda1fb15285aea27e3f5b1008c7c727929a** **47dbbc7793152a8cb36cde2da0529684** **16dc7205c3931c0f873c8b2e236742720d1e3a55** **8619435c6dc202f45919fafdc7538d46220f42cadefccdba2cf094eccb09e436** **9335349810042820689b6d558dff50c1** **e98cd5d2e3351d20f348fc983f9e679450c33181** **54d6c6372fd8bfb52431986be148d41b021376770ef13a3baf70912488dd3863** **ad14fb5c857053d9bdebc4c63ba0a57d** **2322090e024942fad77e0250e8cbc7e691663993** **3c0856becfc32d59dc0503adb58d111ae56a1625ee99bdef4bcc5907f91dc69f** **3c9df1d7f4835810fad268435699f1a7** **05e0fc8c5cd5da82e94316afe82e8408fab03974** **7b9830bfdd87e47b4e6995b3e88640eb690bdef7642c74775e1f3ab89e71d5ce** **c84a51c0e598563ff4c5b2e494da0152** **9f345c4e7f192380f7b2d098436a392ecf97ff73** **f7cd47dc867e19dfdc37a0e6c59f6993155d4ad03f9b06292f6cd21515a8c234** **dfbb9e4a30a266ea453637ddfe370e14** **ddb20679f08d94e84c5e64d5f2fa00f105ad8204** **f642d7450c597b067ad47ee5220c8c028f0c28b4473093028e3371b450fad9e0** **4da571eb595d83a4f3ffe3e0047efd8a** **063d687a6a88804000162deeb00244d22cfe3228** **6330b32586d7b1f4c09193cff1118aa6e33fbe2fcbf174264fe5793e45f20748** **51a4b9154b05dde9c7e14831fc54c6b3** **8db134b83a65293dd675c52de2996e1c618b07ef** **55d86d705daefee9c692cd742d83ec670b976261d0c2e28ccb4933d4f6483182** MD5 SHA1 Sha256 MD5 SHA1 Sha256 MD5 SHA1 Sha256 MD5 SHA1 Sha256 MD5 SHA1 Sha256 MD5 SHA1 Sha256 MD5 SHA1 Sha256 MD5 SHA1 Sha256 MD5 SHA1 Sha256 MD5 SHA1 Sha256 ----- **42febc30a814484455ee8f31ee2f2d88** **b71332d1aacc1907cdaeaad0cc987621c893f8e7** **30a62745d4c135ee3bec73a1d4903cb42add1b2d846c16e65e73ffca41386cf2** **72f5de4a2f52c098ba5520ebaa022290** **196b144cd138ab958ea0c2b5eb1a641d9936abce** **3dcaa05c859118dc53752f74df59f74c05e7919bd0df635584c74dc8077d11c1** **18a5458b38dc20ecc4f9c9e50d369563** **7187a067b664692344a61eadaf1cd47f580add61** **bd95a70300f8cc5bcc0f8d7bdcd269234eff52fa79ecd97c150e58b923b4c51a** **2996f780af9b3fdb28971e887ff8436a** **294dd0574cc6b953c0bebc1c15b725321073aa82** **54f4df7424b205b9931b87bf4b5e5635374165e1ed298642034f2fcc44a7ff70** **1f7a139d3c23ded0904a845b7a2db053** **39431e960dae6140e4603bddb890de58370b920e** **b8ad6a975cec6279208fd7b5073107eefbbfd7ebdb2f674e7bd0578b18484eee** MD5 SHA1 Sha256 MD5 SHA1 Sha256 MD5 SHA1 Sha256 MD5 SHA1 Sha256 MD5 SHA1 Sha256 Temp Stealer Executable Temp Stealer Executable Temp Stealer Executable Temp Stealer Executable Temp Stealer Executable **79[.]137[.]199[.]73** IP Communicating IP **157[.]90[.]126[.]84** IP Communicating IP -----