New Warp Malware drops modified Stealerium Infostealer
Seqrite White Paper (www.seqrite.com)
Authors: Sathwik Ram Prakki, Rayapati Lakshmi Prasanna Sai

Introduction

Warp is a potent malware written in the Go programming language, designed to load payloads and exfiltrate sensitive information via Telegram. As new variants emerge daily in the current threat landscape to steal sensitive information from infected systems, the presence of Warp poses a significant risk to system security and privacy, and victims should remove it promptly from affected systems.

Loaders, droppers, and stealers are typically components of a larger malware ecosystem. They are often used together with other malicious modules, making malware attacks more sophisticated and potent. Warp is one of the best examples of this type of attack: it drops a stealer that collects sensitive user information and sends it to the attacker using Telegram as the transport.

Brief about Loader and Stealer

A loader and a stealer are both components commonly found in malware, but they serve different purposes. A brief introduction to each follows.

1. Loader/Dropper

A loader, also known as a dropper, is a malware component designed to deliver and execute other malicious payloads on a victim’s system. Its primary function is to bypass security mechanisms and initiate the infection process. It may connect to a command-and-control (C&C) server to receive instructions or download additional malware modules. Once the loader has successfully loaded and executed the intended payload, it hands over control to the main malware module, which may be ransomware, a banking trojan, or any other malicious software.

2. Stealer

A stealer, or information stealer, is a type of malware specifically designed to collect sensitive information from an infected system.
Its primary objective is to steal valuable data, such as login credentials, financial information, personal details, or any other information that attackers can monetize or exploit. Stealers often employ different techniques to gather data. They may search for saved passwords, browser cookies, stored credit card information, email credentials, or sensitive files on the victim’s machine. Some advanced stealers can also capture keystrokes or take screenshots to gather additional data. Once the information is collected, it is typically encrypted and exfiltrated to a remote server controlled by the attackers.

Stealers are commonly distributed through various means, such as email attachments, malicious downloads, or exploit kits. They can have severe consequences for individuals and organizations, potentially leading to identity theft, financial losses, or unauthorized access to systems.

Fig. 1 – Infection chain

Warp Loader

The loader binary is a 64-bit Go-based executable masquerading as ‘Adobe Self Extractor’ and ‘Adobe Acrobat Update’, with no compilation timestamp. Its file size (4.96 MB) is bigger than that of the typical malware we observe daily, since all necessary libraries are linked statically into a Go-compiled binary. It was last seen being downloaded from the softstock[.]shop domain.

Fig. 2 – Static attributes

Loading the binary in IDA for debugging doesn’t give us metadata, as it is stripped of debug symbols, which makes analysis difficult. Using the GoReSym plugin to extract function metadata, we can see that around 19 functions have been renamed. The binary contains the package name “warp_loader_go” with spam and telegram functionalities. The spam functions, and the random numbers that select them, are:

Function        Number   Description
spam.tmpDir     1, 2     Create a directory in the TEMP folder whose name starts with “dir”
spam.tmpFile    0, 3     Create a file in the TEMP directory and write the current timestamp to it
spam.TimeZone   4        Get file attributes
Starting with the “main.main” function, it first calls a function that triggers random API calls. Based on the random number generated, “RandomApiCalls” executes the three spam functions repeatedly until the number 9 is generated.

Fig. 3 – Warp loader functions

The next function called in the process flow is “SendRandomRequests”. It decrypts the strings below, which perform random searches on the SearX, Yandex, Wikipedia, and Bing search engines. These requests are sent at random, like the random API calls above, so that the traffic appears legitimate:

hxxps://searx[.]be/?q=%s
hxxps://yandex[.]com/search/?text=%s&lr=0&search_source=yacom_desktop_common
hxxps://en.wikipedia[.]org/wiki/%s
hxxps://www.bing[.]com/search?q=%s&search=Submit+Query

Looking at the AES decrypt function, the 32-byte hex key (ad47705ef93b3097868d0591d90a877a6c522d70853557ec7566cdd2f1e191ac) is decoded and used to create a new cipher block for AES-256 decryption. This block is then wrapped in GCM, with a nonce and tag size, for decryption.

The first-stage HTA file ‘d.hta’ present on the remote URL contains two files embedded in it: a .NET module (preBotHta.dll) and a decoy file. This is similar to its usual HTA stager in the infection chain, where it first checks the .NET version. Instead of using the variables directly, this time they are base64 encoded and decoded during execution, getting the same names as commented in the figure below.

Fig. 4 – Number generation for random API calls
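As an added example (not code from the report or from the malware), the following Go program reproduces the decryption primitive just described, AES-256 wrapped in GCM with the report’s 32-byte key, so that encrypted strings can be recovered during analysis. The blob layout (12-byte nonce prefixed, 16-byte tag appended) is an assumption, and sealForTest only manufactures a sample blob to exercise the decryptor:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// 32-byte hex key quoted in the report for the loader's AES-256-GCM string decryption.
const warpKeyHex = "ad47705ef93b3097868d0591d90a877a6c522d70853557ec7566cdd2f1e191ac"

// warpAEAD builds the AES-256-GCM instance (12-byte nonce, 16-byte tag) from the hex key.
func warpAEAD(keyHex string) (cipher.AEAD, error) {
	key, err := hex.DecodeString(keyHex)
	if err != nil || len(key) != 32 {
		return nil, errors.New("key must be 32 hex-encoded bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// decryptWarpString decrypts one blob. Assumed layout (the report does not state
// it): 12-byte nonce || ciphertext || 16-byte GCM tag, as produced by gcm.Seal.
func decryptWarpString(keyHex string, blob []byte) (string, error) {
	gcm, err := warpAEAD(keyHex)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return "", errors.New("blob shorter than nonce+tag")
	}
	// Open verifies the tag first, so a wrong key or a tampered blob fails here.
	plain, err := gcm.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// sealForTest builds a constructed blob in the same layout (not one taken from the malware).
func sealForTest(keyHex, plaintext string) []byte {
	gcm, err := warpAEAD(keyHex)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read cannot fail as of Go 1.24
	return gcm.Seal(nonce, nonce, []byte(plaintext), nil)
}
```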
Later, it fetches details of the current user, then decrypts and concatenates a few more strings that are used to send an initial message to the Telegram C2. All the encrypted strings from “str.init” can be fetched with this simple IDA Python snippet we made:

```python
import idautils
import idc

# Walk every function whose name contains "str.init" and dump the 64 bytes
# referenced by each "lea rdx, <addr>" instruction (the encrypted string blobs).
for funcAddr in idautils.Functions():
    funcName = idc.get_func_name(funcAddr)
    if 'str.init' in funcName:
        print(f"{funcAddr:#x}: {funcName}")
        for (startAddr, endAddr) in idautils.Chunks(funcAddr):
            for head in idautils.Heads(startAddr, endAddr):
                if idc.print_insn_mnem(head) == "lea" and idc.print_operand(head, 0) == "rdx":
                    bytesAddr = int(idc.get_operand_value(head, 1))
                    print(idc.get_bytes(bytesAddr, 64))
```

Fig. 5 – AES-256 decryption of strings

The “telegram.SendMessage” user function sends a message containing the hostname and username to its Telegram C2 bot. It utilizes “telegram.GetBase” to decrypt the strings used to build the URL:

Telegram C2 bot
Initial message:                /sendMessage?&parse_mode=HTML&chat_id=%s&text=%s
URL for Telegram API:           https://api.telegram.org/bot%s
Private bot token:              6273916038:AAHnJC6VymoyKdR2Iq8CzH2-ZnzIcJQ0-w8
Get command:                    /getChat?chat_id=%s
Get the file to be downloaded:  /getFile?file_id=%s
Download path:                  C:\ProgramData\warp

Fig. 6 – Initial contact with Telegram C2 bot

Then it fetches the command from the chat using the “telegram.GetChat” function with the chat ID. After verifying the return value, it downloads additional payloads using the “telegram.DownloadFile” function. The random calls and requests are performed again before downloading.

Chat ID:         -1001963477498
Launch command:  New.launch

Fig. 7 – Spam calls before downloading payload

Though the C2 bot was not alive during our analysis, we could determine that it was downloading a file named wd.exe into the ProgramData directory. We observed that the Go binary dropped in the same directory is, in fact, the Warp Dropper. After downloading, the spam functions are triggered again before the payload is executed using Cmd.Run().
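An added detection example, not from the report: the Bot API URL shapes above (sendMessage, getChat and getFile carrying the bot token and chat ID) are distinctive enough to hunt for in proxy or EDR network logs. The log format, the process names and the allow-list are constructed assumptions; the bot ID, token and chat ID in the sample are the IOCs given in this report.

```go
package main

import (
	"regexp"
	"strings"
)

// TelegramHit is one log line in which a process called the Telegram Bot API.
type TelegramHit struct {
	Process, BotID, Token, Method, ChatID string
}

// Bot API calls look like .../bot<numeric id>:<35-char token>/<method>?...;
// the chat_id parameter, when present, identifies the operator's channel.
var botAPI = regexp.MustCompile(`https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{35})/(\w+)(?:\?[^\s]*?chat_id=(-?\d+))?`)

// Assumed allow-list of processes permitted to use the Bot API here. End-user Telegram
// clients speak MTProto, not the HTTPS Bot API, so Bot API traffic usually means automation.
var allowedProcs = map[string]bool{"ops-alert-bot.exe": true}

// Constructed sample lines; bot id, token and chat id are the IOCs from this report.
var sampleLog = []string{
	"2023-07-14T09:12:03Z host=WS01 proc=chrome.exe url=https://www.bing.com/search?q=weather",
	"2023-07-14T09:12:05Z host=WS01 proc=AcrobatUpdate.exe url=https://api.telegram.org/bot6273916038:AAHnJC6VymoyKdR2Iq8CzH2-ZnzIcJQ0-w8/sendMessage?&parse_mode=HTML&chat_id=-1001963477498&text=WS01",
	"2023-07-14T09:12:09Z host=WS01 proc=AcrobatUpdate.exe url=https://api.telegram.org/bot6273916038:AAHnJC6VymoyKdR2Iq8CzH2-ZnzIcJQ0-w8/getChat?chat_id=-1001963477498",
	"2023-07-14T09:12:40Z host=WS01 proc=wd.exe url=https://api.telegram.org/bot6273916038:AAHnJC6VymoyKdR2Iq8CzH2-ZnzIcJQ0-w8/getFile?file_id=CONSTRUCTED01",
	"2023-07-14T09:13:00Z host=WS02 proc=ops-alert-bot.exe url=https://api.telegram.org/bot1111111111:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage?chat_id=42&text=ok",
}

// ScanLog returns every Bot API call made by a process that is not allow-listed.
func ScanLog(lines []string) []TelegramHit {
	var hits []TelegramHit
	for _, ln := range lines {
		proc := field(ln, "proc=")
		m := botAPI.FindStringSubmatch(field(ln, "url="))
		if m == nil || allowedProcs[strings.ToLower(proc)] {
			continue
		}
		hits = append(hits, TelegramHit{proc, m[1], m[2], m[3], m[4]})
	}
	return hits
}

// field extracts the value of a "key=" pair from a space-separated line.
func field(line, key string) string {
	i := strings.Index(line, key)
	if i < 0 {
		return ""
	}
	v := line[i+len(key):]
	if j := strings.IndexByte(v, ' '); j >= 0 {
		v = v[:j]
	}
	return v
}
```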
Fig. 8 – Loader downloading the dropper
Fig. 9 – Spam calls before executing a payload

Warp Dropper

The dropper component ultimately downloads and runs a stealer. It performs privilege escalation and kills the antivirus solution installed on the victim’s machine. The dropper utilizes the same Telegram functionality for C2. After using GoReSym, the functions are renamed as shown in Fig. 10. Though the stealer is downloaded and run, both the binaries required for gaining privileges and killing AV are embedded in the dropper itself.

Fig. 10 – Dropper functions
Fig. 11 – Dropper flow

UAC Bypass

It checks whether the running process is elevated via the current user’s UID and, if not, self-restarts by dropping an embedded binary for UAC bypass to escalate privileges. The binary is decrypted in a similar fashion to that seen in the loader component and executed from ‘C:\ProgramData\warp\uac.exe’. The executable used to elevate privileges is a PE64 with compile timestamp May 06, 2023, and its PDB path leads us to a known UAC bypass trick. It uses RPC requests (RAiLaunchAdminProcess) via the ALPC (Advanced Local Procedure Call) kernel feature.

C:\Users\root\Desktop\PR0CESS-main\UACBypassJF_RpcALPC\src\x64\Release\tyranid_appInfo_alpc.pdb

The non-elevated process created is ‘winver.exe’, used to initialize the debug object by setting the necessary flag. The auto-elevated process is ‘computerdefaults.exe’, which gets assigned the existing debug object. The handle of this elevated process is duplicated to retrieve a higher-privileged handle by capturing the debug object retrieved from the debug event.

Fig. 12 – Dropping and executing UAC bypass binary
Fig. 13 – Creating non-elevated and auto-elevated processes
Fig. 14 – Duplicating process handle
Fig. 15 – Sending a message to C2 with privilege info

Disabling AV

To kill the antivirus solution, an embedded driver file is dropped: a vulnerable Avast Anti-Rootkit driver that can terminate a given process. It is installed as a kernel service with the following command:

sc.exe create aswSP_ArPots binPath=C:\ProgramData\warp\av.sys type=kernel

This disabling technique was first found in 2022 and was used by the AvosLocker and Cuba ransomware groups to terminate EDR solutions. Meanwhile, a thread function uses the CreateToolhelp32Snapshot Windows API to fetch the process list and kills processes by PID using the DeviceIoControl API.

Fig. 16 – Dropping driver file and executing it as a service
Fig. 17 – Killing process via PID using DeviceIoControl

It moves itself (the dropper) into the ProgramData directory and creates a scheduled task so that it runs daily at a specific time via cmd.exe. The task name used here, “MicrososftSecureUpdateTaskMachineUA”, can easily be confused with the legitimate update schedule of Microsoft Edge.

Fig. 18 – Creating a scheduled task for persistence
Fig. 19 – Task scheduled for persistence

Finally, the stealer is downloaded into the same directory as ‘wst.exe’ and executed. After the initial stealer report is sent to the C2, the stealer is deleted, while the dropper component persists through a system reboot, keeping it from getting detected.

Warp Stealer

This modified infostealer belongs to the malware family known as Stealerium, an open-source C# project present on a GitHub repository. It has stealer, clipper, and keylogger features. This year, various modified versions of this malware, like Enigma Stealer, have been discovered targeting individuals in the crypto industry. After analyzing the modified .NET sample using BinDiff, we found changes in a few modules present in this new Warp Stealer, with the two being 83% similar.

Fig. 20 – Function diff
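Before going into the stealer’s changes, an added Go example (not from the report) for the two dropper artefacts described above: the kernel service registered for av.sys from C:\ProgramData, and the scheduled task named to resemble the Edge updater. The command lines and task names are assumed to come from process-creation and task-creation logs; the allow-list of legitimate updater task names is an assumption.

```go
package main

import (
	"path"
	"strings"
)

// Legitimate updater task names (Microsoft Edge, Google Update) whose naming
// scheme the dropper's "MicrososftSecureUpdateTaskMachineUA" imitates.
var knownUpdaterTasks = map[string]bool{
	"microsoftedgeupdatetaskmachineua":   true,
	"microsoftedgeupdatetaskmachinecore": true,
	"googleupdatetaskmachineua":          true,
	"googleupdatetaskmachinecore":        true,
}

// SuspiciousKernelService inspects an "sc create" command line (for example from
// process-creation logs) and returns a reason when it registers a kernel driver
// from outside %SystemRoot%\System32\drivers, as the dropper does with av.sys.
// Both "binPath=C:\x" (as in the report) and the usual "binPath= C:\x" are handled.
func SuspiciousKernelService(cmdline string) string {
	f := strings.Fields(cmdline)
	if len(f) < 3 || strings.ToLower(f[1]) != "create" {
		return ""
	}
	opts := map[string]string{}
	for i := 3; i < len(f); i++ {
		k, v, _ := strings.Cut(f[i], "=")
		if v == "" && i+1 < len(f) { // "key= value" form
			i++
			v = f[i]
		}
		opts[strings.ToLower(k)] = v
	}
	if strings.ToLower(opts["type"]) != "kernel" {
		return ""
	}
	dir := path.Dir(strings.ToLower(strings.ReplaceAll(opts["binpath"], `\`, "/")))
	if strings.HasSuffix(dir, "/windows/system32/drivers") {
		return ""
	}
	return "kernel driver service " + f[2] + " loads " + opts["binpath"]
}

// LookalikeTask reports whether a scheduled-task name borrows the
// "...UpdateTaskMachine{UA,Core}" scheme without being one of the known names.
// Newer Edge and Google Update builds append a {GUID}, which is stripped first.
func LookalikeTask(name string) bool {
	n := strings.ToLower(strings.TrimSpace(name))
	if i := strings.Index(n, "{"); i >= 0 {
		n = n[:i]
	}
	return strings.Contains(n, "updatetaskmachine") && !knownUpdaterTasks[n]
}
```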
Significant changes are the removal of the Discord webhooks used for exfiltrating stolen information and of the string occurrences of “Stealerium”.

Fig. 21 – Removed Stealerium details

For sending data, the threat actor has added the same Telegram bot configuration used in the loader/dropper component. Some modules have been disabled in this modified version 2.0, such as Clipper, Keylogger, and AutoRun. The grabber module has added new files and folders that interest the threat actor: Rust-based source code and maFile databases have been added, whereas image files have been removed completely.

Files and folders added:
.env
.gitignore
docker-compose.yml
docker-compose.yaml
rs
maFile
.git
.ssh
Dockerfile
README.md

Fig. 22 – Stealer configuration changes
Fig. 23 – Modifications in Grabber module

Other additions include fetching network cookies and local storage for the Chromium browser. Multiple changes in the Discord Webhook and Helper functions are also found.

Fig. 24 – Additions in fetching Chromium browser data

The final Warp Stealer report sent to the Telegram C2 is shown in Fig. 25. Compared to the original Stealerium report (Fig. 26), it sends less data, as some modules are disabled.

Fig. 25 – Report of Warp Stealer
Fig. 26 – Report of Stealerium

The remaining features of Stealerium are described below.

Execution

Immediately after execution, it creates a hidden directory in the AppData/Local folder. The directory name is built by combining a hash with system information (username, computer name, CPU name, GPU name, and system language).

Fig. 27.1 – Hidden directory creation
Fig. 27.2 – Naming the hidden directory

Clipper

Gets clipboard information and stores it as clipboardText. If the clipboard text matches any of the wallet addresses, it replaces it with the attacker’s crypto wallet address.

Keylogger

It monitors the victim’s keyboard and saves keystrokes in a log file in the keylogger directory with the date and time.

Fig. 28 – Clipper module
Fig. 29 – Keylogger module

Persistence

It sets a Run key for persistence at the location HKCU\Software\Microsoft\Windows\CurrentVersion\Run\

Fig. 30 – Persistence mechanism used by the stealer

Defense Evasion

Delay Execution

It delays execution and sleeps for 10000 milliseconds to postpone its execution in sandbox systems.

Fig. 31 – Delay execution module

Anti-Analysis techniques

If any of the following checks pass, it generates a fake error message and calls a self-destruction process.

Anti-Debugging:   CheckRemoteDebuggerPresent() API
Anti-VirtualBox:  checks for the keywords VMware, VirtualBox
Anti-Emulator:    compares the system’s date and time
Anti-sandbox:     checks for SbieDll, SxIn, snxhk, cmdvrt32
Analysis tools:   checks for Processhacker, netstat, netmon, tcpview, wireshark, filemon, regmon, cain

Fig. 32 – Anti-analysis techniques used
Fig. 33 – Generating fake error message
Fig. 34 – Self-destruction process

Credential Access

It collects data from browsers like Chrome, Firefox, and Internet Explorer:
• From Chromium browsers, it collects saved passwords, card details, cookies, auto-fill field information, and bookmarks.
• From Firefox browsers, it collects bookmarks, browser history, db files, and cookies.
• From Internet Explorer/Edge, it collects auto-fills, bookmarks, credit card details, and saved passwords.
• From the system, it collects the usernames and passwords of Wi-Fi networks and performs scans to get information about nearby devices.

Fig. 35 – Collecting saved Wi-Fi password from the victim’s system
Fig. 36 – Sensitive data collection from different browsers

Collection

It checks for the strings listed below, and takes screenshots and records keys when any of them matches.
Sensitive information (the social media accounts it looks for are listed in Fig. 37), financial details (Fig. 38), and crypto services (Fig. 39).

Fig. 37 – Data collection from these social media accounts
Fig. 38 – Data collection from these financial services
Fig. 39 – Data collection from these crypto services

Gets system information

It tries to get the following system information from the victim’s machine:
PublicIP
Username
CPU name
Date and time
LocalIP
Computername
GPUname
Battery details
DefaultGateway
Systemversion
RAM details
Process list

In addition to the above information, it takes desktop screenshots and saves them as DESKTOP.jpg.

Fig. 40 – Taking desktop screenshot
Fig. 41 – System information collection from the victim’s system

Porn detection

It checks whether the system has adult content and, if so, takes a screenshot and a shot from the webcam, which are stored in the logs.

Fig. 42 – Porn detection module

Conclusion

Warp malware combines a loader, a dropper, and a stealer. This multi-functional malware targets users’ sensitive information from all sources, including system information. At first, the attacker creates a Telegram bot account and inserts its token into the malware. Later, the sample is sent as an attachment to the victim’s machine, luring the victim to open it. Immediately after opening, it starts executing and downloads a stealer, which is responsible for collecting all financial and personal user data, including web camera shots. All this collected information is stored as logs, which are sent to the attacker through the C2.

To mitigate these types of attacks, it is essential to maintain robust security practices, including using up-to-date antivirus software, regularly updating systems and applications, exercising caution while clicking on links or downloading files, and practicing good password hygiene to safeguard our personal information.
IOC

URLs
hxxps://api.telegram[.]org/bot6273916038:AAHnJC6VymoyKdR2Iq8CzH2-ZnzIcJQ0-w8/sendMessage?&parse_mode=HTML&chat_id=-1001963477498&text=
hxxps://api.telegram[.]org/bot6273916038:AAHnJC6VymoyKdR2Iq8CzH2-ZnzIcJQ0-w8/getChat?chat_id=-1001963477498
hxxps://api.telegram[.]org/bot6273916038:AAHnJC6VymoyKdR2Iq8CzH2-ZnzIcJQ0-w8/sendDocument?chat_id=-1001963477498
hxxps://api.telegram[.]org/bot6273916038:AAHnJC6VymoyKdR2Iq8CzH2-ZnzIcJQ0-w8/sendMessage?parse_mode=Markdown&chat_id=-1001963477498&text=
hxxps://api.telegram[.]org/bot6273916038:AAHnJC6VymoyKdR2Iq8CzH2-ZnzIcJQ0-w8/getFile?file_id=-1001963477498
hxxps://softstock[.]shop/download/Adobe%20Acrobat%20Update.exe

MD5                               Description                 Detection
ac941919c2bffaf6aa6077322a48f09f  Warp Loader                 Trojan.WarpLoader
fe08102907a8202581766631b1e31915  Warp Dropper                Trojan.WarpDropper
e1f6f92526dabe5365b7c3137c385cd2  Warp Stealer (Stealerium)   Trojan.YakbeexMSIL.ZZ4
b400973f489df968022756822ca4d76a  UAC Bypass                  Exploit.UACBypass
0a0bdd679d44b77d2e6464e9fac6244c  Avast Anti-Rootkit Driver   (legitimate)

All Intellectual Property Right(s) including trademark(s), logo(s) and copyright(s) are properties of their respective owners. Copyright © 2023 Quick Heal Technologies Ltd. All rights reserved. Marvel Edge, Office No. 7010 C & D, 7th Floor, Viman Nagar, Pune - 411014, India. www.seqrite.com