1/8 LALALA InfoStealer which comes with Batch and PowerShell scripting combo securitynews.sonicwall.com/xmlpost/lalala-infostealer-which-comes-with-batch-and-powershell-scripting-combo/ December 13, 2019 Malware authors are using simple but very effective approaches to stay low and steal user’s data. SonicWall RTDMI ™ engine has recently detected Windows shortcut file (LNK) inside an ISO image which downloads and executes LALALA infostealer to the victim’s machine. LALALA infostealer is a batch script, which takes help of PowerShell to steal and send victim’s data to the server: https://securitynews.sonicwall.com/xmlpost/lalala-infostealer-which-comes-with-batch-and-powershell-scripting-combo/ 2/8 The LNK file copies itself to “%TEMP%\ htn90.bat” and executes the batch script file. The malware is intended to run only once on the victim’s machine. The batch script checks presence of “%TEMP%\htn.txt” file, if already present then the batch script terminates and deletes itself. The batch script writes “htn” into “%TEMP%\htn.txt”. The batch script downloads an archive file “%TEMP%\htn.rar” and a WinRAR (compression tool) executable file “%TEMP%\rar.exe” from Unified Resource Locator (URL) h[t] [t]p://185.183.96.54/[filename]. The batch script extracts LALALA infostealer “htn.bat”, an image file “lebenslauf_2019_11_20.jpeg” and an executable “sqlite3.exe” from “%TEMP%\htn.rar” using WinRAR executable: https://securitynews.sonicwall.com/wp-content/uploads/2019/12/Flow.png 3/8 The batch script displays “lebenslauf_2019_11_20.jpeg” image to the user which contains “ERROR 0x89976 IMAGE BROKEN” message, to make him feel that the LNK file has some issues. The batch script then executes LALALA infostealer “%TEMP%\htn.bat”: https://securitynews.sonicwall.com/wp-content/uploads/2019/12/htn90.bat_execution.png https://securitynews.sonicwall.com/wp-content/uploads/2019/12/Broken_image_message.png 4/8 LALALA InfoStealer: The malware creates directory “%TEMP%\jjghgjhfyt6” to store the stolen data. The malware uses PowerShell command to collect and save installed programs information into “%TEMP%\jjghgjhfyt6\proglist.txt”: BACKDOOR ACTIVITY: The malware opens a backdoor to the malware author by scheduling a task which executes the VBScript “%TEMP%\[random].vbs” every minute. The VBScript takes web request result from “185.183.96.54/gate990.php” as an argument and it contains the code to execute the argument: DATA EX-FILTRATION: The malware usually process the data on victim’s machine to extract very precise information which is sent to the malware server. But LALALA sends good amount of data to the server which needs further processing at server’s end to extract the operative data. The malware decrypts some application’s data (eg. Google Chrome and Microsoft Edge) on victim’s machine which uses Windows logon based encryption because that data can not be decrypted on the other machine. The malware steals login information from listed applications: Google Chrome Mozilla Firefox Microsoft Edge Mozilla Thunderbird https://securitynews.sonicwall.com/wp-content/uploads/2019/12/ProgramList.png https://securitynews.sonicwall.com/wp-content/uploads/2019/12/task_scheduler.png 5/8 Microsoft Outlook The malware copies Chrome data files “cookies”, “Login Data” and “Web Data” from “%LOCALAPPDATA%\Google\Chrome\User Data\Default” to “%TEMP%\jjghgjhfyt6\”. The malware decrypts and saves card details, cookies and passwords into “%TEMP%\jjghgjhfyt6\”: The malware copies data files from Mozilla Thunderbird and Mozilla Firefox to “%TEMP%\jjghgjhfyt6”: The malware terminates “taskhost” and “dllhost” processes, then it decrypts and saves login passwords from Microsoft Edge into “%TEMP%\jjghgjhfyt6\edg_[randome]”: https://securitynews.sonicwall.com/wp-content/uploads/2019/12/chrome_data_stealing.png https://securitynews.sonicwall.com/wp-content/uploads/2019/12/Mozilla_Data_stealing.png 6/8 The malware decrypts and saves Outlook data into %TEMP%\jjghgjhfyt6\outloo_[random]: NETWORK: The malware compresses stolen data using WinRAR executable into “%TEMP%\ [random].rar” and sends the compressed file to “185.183.96.54/zit.php”. The malware deletes the stolen data files and malware component files except “%TEMP%\htn.txt”: https://securitynews.sonicwall.com/wp-content/uploads/2019/12/Microsoft_Edge.png https://securitynews.sonicwall.com/wp-content/uploads/2019/12/Outlook.png https://securitynews.sonicwall.com/wp-content/uploads/2019/12/Network.png 7/8 The file is detected by only a few security vendors on popular threat intelligence sharing portal VirusTotal at the time of writing this blog indicates its spreading potential: Evidence of the detection by RTDMI ™ engine can be seen below in the Capture ATP report for this file: https://securitynews.sonicwall.com/wp-content/uploads/2019/12/VT_ISO.png 8/8 https://securitynews.sonicwall.com/wp-content/uploads/2019/12/Capture_Report.png SONICWALL | capture atp Report Dec 06, 5:19pm downloaded a malicious file. The endpoint may need to be cleaned. Source Destination as > & 56kb #180 9660 CD-ROM filesystem data '20191205_ 1059! iabenslaut_2019_11_20.i80 virus scanners reputation databases detonation engines live detonations Why live detonations were needed ‘Summary of actions once detonated See everything the engines saw Nota known malware Engine Alpha = libraries files registios processes imutexes functions axis 9 Gh ED suas (rtm [zs | Sx Embedded code found Not a known reputable vendor Engine Beta Not a known reputable domain unknown timeout @© ‘other resuits inconciusive. File sent to detonation engines for further analysis. . Sent to 4 Email Recipients. sohank@idenark de Fite ldentiiers MDS: 750509403e0adb5ée17ede491 4104422 Seid i SHA‘. 95999615207 7de7 0514202420302 120089621 ‘Capture ATP Version 2.56 H Report Generated on Wed, 11 Dee 2019 01:00:50 GMT 8/8