# A Deep Dive Into the APT28’s stealer called…

**[securityscorecard.com/research/apt28s-stealer-called-credomap](https://securityscorecard.com/research/apt28s-stealer-called-credomap)**

Skip to main content

[Support](https://support.securityscorecard.com/hc/en-us)
[Login](https://platform.securityscorecard.io/#/start)
[Contact](https://securityscorecard.com/company/contact-us)
[Blog](https://securityscorecard.com/blog)
[Languages](https://securityscorecard.com/research/apt28s-stealer-called-credomap)

[English](https://securityscorecard.com/)
[Français](https://securityscorecard.com/fr)
[日本語](https://securityscorecard.com/jp)
[Request a Demo](https://securityscorecard.com/request-a-demo)

Interested in reading the report later? Download it.

[Download Now](https://securityscorecard.pathfactory.com/all/credo-map)

## A Deep Dive Into the APT28’s stealer called CredoMap

**Prepared by: Vlad Pasca, Senior Malware & Threat Analyst**

## Executive summary


-----

CredoMap is a stealer developed by the Russian APT28/Sofacy/Fancy Bear that was used
to target users in Ukraine in the context of the ongoing war between Russia and Ukraine.
[The malware was initially discovered by Google and](https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/) [CERT-UA. The threat actor weaponized](https://cert.gov.ua/article/341128)
a document to exploit the Follina (CVE-2022-30190) vulnerability that would result in
downloading the .NET stealer. The malware aims to steal the credentials and cookies from
Google Chrome, Mozilla Firefox, and Microsoft Edge. The data exfiltration is done by
sending information to a possibly compromised C2 server via the IMAP email protocol.

## Analysis and findings

SHA256: 2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933

The process retrieves the path of the current executable and then connects to a hard-coded
C2 server (162.241.216.236) on port 143 (IMAP) using hard-coded credentials:

Figure 1

Figure 2

The malware creates a TcpClient object, obtains a client stream for reading and writing, and
then reads the response from the server:


-----

Figure 3

The binary performs the login operation and reads the response using the Read method:

Figure 4

It selects the INBOX folder using the SELECT command and performs multiple function calls
that steal the browsers’ credentials and cookies:

Figure 5

Figure 6

The sample verifies if the file “\Google\Chrome\User Data\Default\Network\Cookies” exists in
the Local AppData folder by calling the File.Exists function:


-----

Figure 7

The File.Copy method is used to copy the above file to a new file called “cc”:

Figure 8

The malicious binary opens a connection to the Cookies database and executes an SQL
query that extracts some fields:

Figure 9

The process opens and reads the file called “Local/Google/Chrome/User Data/Local State”
using File.ReadAllText. It extracts the Base64-encoded random key that is encrypted with
DPAPI from JSON([“os_crypt”][“encrypted_key”]). The key is Base64-decoded and decrypted
via a function call to ProtectedData.Unprotect:

Figure 10

The binary creates an AESEngine object, an AEADParameters object containing the
decrypted AES-128 key and the nonce (12 bytes), and calls the GcmBlockCipher.Init function
with a “False” parameter (decryption operation):

Figure 11

The “encrypted_value” extracted from the Cookies database is decrypted using the
ProcessBytes and DoFinal methods:

Figure 12

The resulting values are stored in a dictionary that has the keys as "host_key" with values
"name=<Decrypted encrypted_value>;”, as highlighted in the figure below.


-----

Figure 13

Finally, the process serializes the dictionary to a JSON string using
JsonConvert.SerializeObject:

Figure 14

The data exfiltration occurs by issuing a valid IMAP APPEND command. The “From” field is
set to the username obtained from the Environment.UserName property, the “Subject” field is
set to the current date and time on the computer obtained from the DateTime.UtcNow
property, and the JSON string is also included in the command (see figure 15).

Figure 15

The malware verifies if the file “\Google\Chrome\User Data\Default\Login Data” exists in the
Local AppData folder using File.Exists:

Figure 16

The File.Copy function is utilized to copy the above file to a new file called “cp”:


-----

Figure 17

The binary opens a connection to the Login Data database and executes an SQL query that
extracts the “action_url”, “username_value”, and “password_value” fields:

Figure 18

The malicious process reads the file “Local/Google/Chrome/User Data/Local State” found in
the AppData directory and deserializes it using the JsonConvert.DeserializeObject method:

Figure 19

Figure 20

The sample extracts the Base64-encoded random key that is encrypted with DPAPI from

[“os_crypt”][“encrypted_key”]. The key is Base64-decoded and decrypted via a function call
to ProtectedData.Unprotect:

Figure 21

The encrypted “password_value” field is decrypted using a function that will be explained
below:


-----

Figure 22

The first 12 bytes after skipping 3 bytes (version tag) from “password_value” represent the
AES nonce, and the rest of the information is the ciphertext, as displayed in the figure below.

Figure 23

As in the first case, the “password_value” field is decrypted by calling the ProcessBytes and
DoFinal functions:

Figure 24

However, not all the passwords might be encrypted using AES-GCM. In the case of older
versions of Chrome, the threat actor tries to decrypt the passwords using the
ProtectedData.Unprotect API:

Figure 25

As we can see in figure 26, the process computes a string containing "action_url",
"username_value", and the decrypted “password_value” field that was obtained using the 1st
method of decryption or the 2nd method of decryption, respectively:


-----

Figure 26

The credentials exfiltration occurs, in the same way, using an IMAP command to the C2
server.

The binary checks if the directory “Mozilla\Firefox\Profiles\” can be located in the AppData
folder (see figure 27).

Figure 27

The malware is looking for a file called “cookies.sqlite” in the profile folders. The
“cookies.sqlite” database is copied to a file called “fc”:

Figure 28

The sample runs the "SELECT * FROM moz_cookies" SQL query to retrieve the Firefox
cookies:


-----

Figure 29

A new dictionary is created having the keys as “host” with values “name=value;”, as shown in
the figure below.

Figure 30

The dictionary is serialized to JSON and will be exfiltrated via IMAP.

The executable verifies if the following files can be identified in the profile folders:

logins.json

key4.db

cert9.db

signons.sqlite

key3.db

cert8.db

Figure 31


-----

If any of the above files exist, it is copied to the current directory, and its content is encoded
using Base64. The file location and the Base64-encoded content are exfiltrated using the
IMAP protocol. Finally, the newly created files are deleted using File.Delete:

Figure 32

The File.Exists function is used to check if the file “\Microsoft\Edge\User Data\Default\Login
Data” exists in the Local AppData directory:

Figure 33

The above file is copied to a new file called “ep”, as highlighted in figure 34.

Figure 34

The sample executes the following SQL query that extracts usernames and encrypted
passwords from the “logins” table:

Figure 35

The “password_value” field is decrypted by calling the decrypt function that was also used to
decrypt the Chrome credentials:


-----

Figure 36

In the case of older versions of Microsoft Edge, the process tries to decrypt the passwords
using the ProtectedData.Unprotect function:

Figure 37

The malware creates a string containing "action_url", "username_value", and the decrypted
“password_value” field that was obtained using one of the two decryption methods:

Figure 38

The executable verifies if the file “\Microsoft\Edge\User Data\Default\Network\Cookies” can
be found in the Local AppData folder (see figure 39).

Figure 39

File.Copy is used to copy the above file to a file called “ec”:

Figure 40


-----

The following SQL query is run by the malware, which extracts some fields from the
“cookies” table:

Figure 41

The binary extracts the Base64-encoded key that was encrypted with DPAPI from
“%LocalApplicationData%\Microsoft\Edge\User Data\Local State”. The key is decrypted via a
function call to ProtectedData.Unprotect:

Figure 42

The “encrypted_value” field is decrypted using the AES key extracted above by calling the
ProcessBytes and DoFinal methods:

Figure 43

The function result is a dictionary containing the relevant information that is serialized using
JsonConvert.SerializeObject:

Figure 44

All the files that were copied to the current directory are deleted using the File.Delete
function:


-----

Figure 45

The malicious process sets Normal attributes for a file called “SQLite.Interop.dll,” which
Malwarebytes found that it’s downloaded from the C2 server along with the initial executable.
The DLL file is deleted using File.Delete and another deletion function implemented by the
malware:

Figure 46

The implementation of the deletion function consists of creating a cmd.exe process that
deletes the DLL file shown above:

Figure 47

The process deletes the initial executable and then exits:


-----

Figure 48

## Indicators of Compromise

**C2 server**

162.241.216.236

**SHA256**

2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933

**Processes spawned**

cmd.exe “/C Del <Files>”

## YARA rule to detect the threat

rule CredoMap_APT28

{

meta:

author = "Vlad Pasca - SecurityScorecard"

Date = "2022-09-16"

strings:

$s1 = "\\cookies.sqlite" fullword wide

$s2 = "SQLite.Interop.dll" fullword wide

$s3 = "Subject:" fullword wide

$s4 = "$ LOGIN" fullword wide

$s5 = "/C Del" fullword wide

condition:


-----

(uint16(0) == 0x5A4D) and (4 of ($s ))

}

Join us in making the world a safer place.

[Free Account Sign Up](https://securityscorecard.com/free-account)


-----