# Dissecting Blackguard Info Stealer **blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/** ## Sophisticated Variant Spotted in the wild April 1, 2022 There has been a marked increase in Threat Actors (TAs) using Info Stealers to carry out their attacks, [and Cyble Research Labs has actively been tracking such threats. Info Stealers are a serious security](https://blog.cyble.com/2021/12/14/cyble-research-labs-analysis-report-of-stealer-malware-family/) threat. The LAPSUS$ data extortion group, which was behind one of the most significant data breaches [in recent history, is also suspected of using Info Stealers to gain initial access to the organization’s](https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/) network. Recently Cyble Research Labs discovered a sample belonging to “Blackguard Stealer. “This stealer surfaced in the cybercrime forums in April 2021. We came across multiple variants for this stealer in the wild, which highlights that it might be in use by a large number of TAs. ----- Figure 1: Post on a cybercrime forum The stealer is written in C# and is obfuscated using Obfuscar tool which is an open-source .NET obfuscation tool. The recent stealer sample has used the sleep() function multiple times to avoid sandbox detection. It uses anti-debugging techniques, which prevent anyone from debugging the sample. It also uses an anti-forensic time stomping technique that changes the actual file timestamp to avoid being identified during forensic activities. Figure 2: File details of a recent variant This stealer operates on the Malware-as-a-Service (MaaS) model, in which TAs lease out their software to carry out malicious activities. The Blackguard stealer is also available on a monthly and lifetime-based subscription model. The TA has claimed on cybercrime forums that they can add clipper malware (A type ----- of malware that modifies the crypto addresses in the clipboard to the one specified by TA) functionality to the Blackguard stealer on demand. This indicates that the stealer can be customized for financial theft. Figure 3: Blackguard Stealer web panel from Cyber-Crime Forum The TA stated that the stealer has functionalities to exfiltrate the data shown in the figure below. Figure 4: Stealer functionalities ## Technical Analysis ----- The sample (SHA _256: 67843d45ba538eca29c63c3259d697f7e2ba84a3da941295b9207cdb01c85b71)_ upon execution initially checks for the presence of a debugger and terminates its execution if a debugger is identified. The figure below shows the anti-debug function in the malware. Figure 5: Anti-debug check The malware uses the Sleep() function several times as an anti-sandbox technique during its execution. _Thread.Sleep() method causes the current thread to stop the execution for the specified time in_ milliseconds. The figure below shows the Sleep() function used during the initial execution. Figure 6: Sleep() function After performing the Anti-debug checks, it calls the Start() method, which will call other methods, as seen in Figure 7. These methods will initiate the data stealing activity from the victim’s system. The malware [creates a directory in “c:\users\[username]\Documents” for storing the stolen data from the victim’s](http://10.10.0.46/file:/c:/users/%5busername%5d/Documents) machines. The directory name is generated using the format: Random String + Computer Name + . + Username Figure 7: Start Method ----- The TA has encoded a few strings using base64 and gzip compression, so every time, an encoded string is passed as a parameter, the decrypt.Get() function is called to get the decoded strings. Figure 8 shows the Decrypt.get() function. Figure 8: Decrypt.Get() Function This stealer primarily targets browsers such as Chrome, Edge, and Firefox. The malware reads the files key3.db, key4.db, logins.json, and cert9.db to steal browser data such as passwords, credit cards, history, and auto-filled data. The malware creates a folder named “Browsers,” where it will save the data in separate .txt files. Figure 9: Stealing browser data Using the GetDomainDetect() method, the malware enumerates all the .txt files in the “Browser” folder created in the previous step, reads them, and then checks if the following domains are present which include popular crypto exchanges and major bank websites. If the malware finds these targeted domains, it stores any credentials related to them. ----- Figure 10: Domain Detection The malware copies the victim’s data from the USERPROFILE directory and saves it in a folder named “Files.” The USERPROFILE directory contains data specific to multiple users in a system. Figure 11: Stealing files This stealer has the capability to steal data from cold crypto wallets. A cold wallet stores the data offline and is thus more secure. The wallets targeted by the stealer can be seen in Figure 12. ----- Figure 12: Targeted cold crypto wallets After this, the malware identifies the user’s geolocation by sending a request to _hxxps[:]//freegeoip[.]app/xml/. The malware receives the response and then saves it to a file named_ “Information.txt.” Additionally, it saves the system information, as shown in Figure 13. Figure 13: Information.txt It then takes the screenshot of the victim’s system and saves it as “Screen.png” in the directory initially created by the malware. ----- Figure 14: Screenshot of the system The malware steals credentials from VPNs such as ProtonVPN, OpenVPN, and NordVPN. The malware first checks whether a VPN is installed or not by checking the directory “C:\Users\ _[username]\AppData\Local\[VPN name]. “_ If it finds a targeted VPN service, it steals the credentials from the configuration files, such as user.config, etc., and copies the configuration file to the folder used for saving stolen data. Figure 15: Stealing VPNs credentials for Nord VPN The malware steals data from Steam, a video game digital distribution service. The stealer identifies the Steam installation path by checking the registry key value at “HKEY_LOCAL_MACHINE\Software\Valve\Steam.” If Steam is installed on the machine, the malware steals Steam’s data from loginusers.vdf config file present in the victim’s machine. The malware creates a folder named “Steam” and copies the .vdf file into it for its exfiltration purposes. ----- Figure 16: Stealing Steam data from victim’s device After this, the malware checks for Discord tokens. It first searches for the following directories: _Discord\\Local Storage\\leveldb_ _discordptb\\Local Storage\\leveldb_ _Discord Canary\\leveldb_ If it can locate these directories, it checks for files ending with .ldb or .log and extracts Discord tokens from them using regular expression. Then it creates a folder named “Discord” and will write the stolen tokens to “Tokens.txt.” Figure 17: Stealing Discord tokens Blackguard stealer can also steal data from FileZilla. It checks if FileZilla\recentservers.xml file is present in the ApplicationData folder and then extracts Host, Port, User, and Password from the “recentserver.xml.” This data is then written to “FileZilla\FileZilla.log“. Figure 18: Stealing FileZilla data ----- After this, the malware checks for the _Telegram Desktop\tdata file in the ApplicationData folder. If this is_ present on the victim’s system, it creates a folder named “Telegram” which will be used to save files stolen from the “Telegram Desktop\tdata” location. Figure 19: Stealing Telegram session The TA in this sample is using Telegram for exfiltrating the data. We found the following Telegram API used by the malware during our analysis for exfiltrating data. URL: hxxps[:]//api.telegram.org/bot/sendDocument?chat_id= The malware compresses the stolen data before exfiltration. Figure 20 shows the folders created by the malware. Figure 20: Directories Created ## Conclusion We have observed and analyzed multiple samples of this Info stealer in the wild. It appears that this particular TA is trying to make the stealer even more evasive with every update, as the anti-analysis and obfuscation levels are quite different between the oldest and most recent samples. Info Stealers are emerging as a major concern as they are assisting TAs to gain initial access to corporate networks. It is thus, increasingly necessary to follow basic cyber-hygiene and security practices as listed below. ## Our Recommendations: ----- Avoid downloading pirated software from warez/torrent websites. The Hack Tool present on sites such as YouTube, torrent sites, etc., mainly contains such malware. Use strong passwords and enforce multi-factor authentication wherever possible. Turn on the automatic software update feature on your computer, mobile, and other connected devices. Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile. Refrain from opening untrusted links and email attachments without first verifying their authenticity. Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs. Block URLs that could be used to spread the malware, e.g., Torrent/Warez. Monitor the beacon on the network level to block data exfiltration by malware or TAs. Enable Data Loss Prevention (DLP) Solution on the employees’ systems. ## MITRE ATT&CK® Techniques **Tactic** **Technique ID** **Technique Name** **Execution** [T1204](https://attack.mitre.org/techniques/T1204/) User Execution **Defense Evasion** [T1497.001](https://attack.mitre.org/techniques/T1497/001/) [T1027](https://attack.mitre.org/techniques/T1027/) **Credential Access** [T1555](https://attack.mitre.org/techniques/T1555/) [T1539](https://attack.mitre.org/techniques/T1539/) [T1552](https://attack.mitre.org/techniques/T1552/) [T1528](https://attack.mitre.org/techniques/T1528/) Virtualization/Sandbox Evasion: System Checks Obfuscated Files or Information Credentials from Password Stores Steal Web Session Cookie Unsecured Credentials Steal Application Access Token **Collection** [T1113](https://attack.mitre.org/techniques/T1113/) Screen Capture **Discovery** [T1087](https://attack.mitre.org/techniques/T1087/) [T1518](https://attack.mitre.org/techniques/T1518/) [T1057](https://attack.mitre.org/techniques/T1057/) [T1124](https://attack.mitre.org/techniques/T1124/) [T1007](https://attack.mitre.org/techniques/T1007/) [T1614](https://attack.mitre.org/techniques/T1614/) Account Discovery Software Discovery Process Discovery System Time Discovery System Service Discovery System Location Discovery **Command and Control** [T1095](https://attack.mitre.org/techniques/T1095/) Non-Application Layer Protocol **Exfiltration** [T1041](https://attack.mitre.org/techniques/T1041/) Exfiltration Over C2 Channel ## Indicators of Compromise (IoCs): **Indicators** **Indicator** **type** **Description** **Stealer** **Payload** ef8385f6ccc6dc6aa6fa9833e13c1cf3 2fe6c0b8cef78d409d29fbd0d1260f39874b068e 5b8d0e358948f885ad1e6fa854f637c1e30036bc217f2c7f2579a8782d472cda **Md5** **SHA-1** **SHA-** **256** ----- d4e02002916f18576204a3f1722a958b 33ec434ad2c31de93e758b9d53fcf211c5b13702 9fff9895c476bee0cba9d3e209e841873f1756d18c40afa1b364bd2d8446997c eb6c563af372d1af92ac2b60438d076d 9895725811ae5fda88629781daaa439c95a4976e 67843d45ba538eca29c63c3259d697f7e2ba84a3da941295b9207cdb01c85b71 a6651dc499e0b9141a6fa0f411f885ea a421e5753596d4c07ee8df06c2080c03507f7a37 5ce632f1f10c96a7524bf384015c25681ef4771f09a6b86883a4da309d85452a **Md5** **SHA-1** **SHA-** **256** **Md5** **SHA-1** **SHA-** **256** **Md5** **SHA-1** **SHA-** **256** **Stealer** **Payload** **Stealer** **Payload** **Stealer** **Payload** -----