SmartWorks Network

  • Home
  • RSS Blog
  • YouTube channels
  • Podcasts
  • Jobs
  • Tools
  • About us
  • Contact

Threat Actor Targeting Developers via Trojanized MS Visual Studio

by Valentin / Saturday, 13 January 2024 / Published in RSS blog posts

Cyber Security BlogsCookie Stealer Leveraging Telegram for Data Exfiltration

 

Microsoft’s Visual Studio is a highly popular Integrated Development Environment (IDE) that empowers developers to create diverse applications. However, the software’s widespread usage has attracted the attention of cybercriminals, leading them to craft nefarious schemes aimed at deceiving and victimizing unsuspecting users.

In response to the continued popularity of Visual Studio among developers, cyber attackers have seized the opportunity to develop malicious software. As unsuspecting individuals search for legitimate development tools, they may inadvertently download this fraudulent installer, unwittingly exposing themselves to malicious files alongside the genuine Visual Studio software.

Cyble Research and Intelligence Labs (CRIL) recently uncovered a deceitful installer masquerading as an authentic Microsoft Visual Studio installer delivering a Cookie Stealer. This stealer is specifically designed to infiltrate and extract sensitive information stored in browser cookies, allowing attackers to compromise user accounts and invade privacy.

Information stealers target software developers because they have valuable data and access to sensitive resources such as passwords and secret codes. Attackers can gain unauthorized access to various services and databases by stealing certain information. Developers often have high-level access, making it easy for malware to spread across the network.

Figure 1 – Icon of the Trojanized Visual Studio installer file

 

These malicious installers can be delivered through various deceptive methods such as phishing websites, third-party websites, file-sharing platforms, social engineering tactics, misleading advertisements, etc.

Technical Details

 

The malicious installer file bearing the filename “VisualStudio.exe”, and can be identified by its SHA256 hash: 7e8f18c60e35472bf921d3b67fd427933bd150f57d6e83d1472b990a786976db. The figure below shows the trojanized installer file.

Figure 2 – Installer bundled with information stealer

 

Accompanying the installer is an information-stealing malware named “MainProject.exe.” This GUI-based .NET executable file operates on a 32-bit system and is associated with the SHA256 hash: e8a449e692f1b21f1bc4d49d8b27068b03dd7e8df583d429266fdfb261ddeed5.

The figure below shows the executable file.

Figure 3 – Stealer File Details

 

When the malicious “VisualStudio.exe” installer is executed, it not only installs the legitimate Visual Studio software but also triggers the execution of the information-stealing malware, “MainProject.exe”. In this deceptive method, unsuspecting users unwittingly install both the genuine development environment and the malicious information stealer simultaneously.

The figure below shows the process tree of the malicious Visual Studio installer.

Figure 4 – Process Tree of the Malicious Visual Studio Installer

 

Once executed, the information stealer proceeds to extract various system details. These details include the Machine name, username, processor bit version, operating system version, platform, and IP address.

The figure below shows the code to extract the data from the victim’s machine.

Figure 5 – Data Extracted from the System

 

Upon successfully extracting the data, the information stealer creates a folder named “Temp” within the working directory, where the malware was executed. Additionally, the stealer generates a subfolder within the newly created “Temp” folder, naming it as “<System name>_<machine IP>_timestamp.”

Following the folder creation, the extracted data is stored in a file called “system.txt,” which resides within the newly generated subfolder inside the “Temp” directory. The figure below shows the code to create the ” Temp ” folder and the “system.txt” file.

Figure 6 – Information Stealer creating a temp folder and dropping the System.txt file

 

Cookie Stealer

 

After successfully extracting the system data, the information stealer proceeds to target cookies from a range of web browsers, including Google Chrome, Firefox, Opera, and Edge. Furthermore, the stealer specifically targets acquiring cookies containing information related to well-known social media websites. The figure below shows the routine to target various browsers.

Figure 7 – Information Stealer targeting various browsers

 

To extract cookies from Google Chrome, the stealer initiates by listing the user profiles found in the Chrome path “C:Users<user>AppDataLocalGoogleChromeUser Data”. This is because the cookies and other relevant data are stored within the browser user profile directory.

The figure below illustrates the stealer in the process of listing Chrome profiles.

Figure 8 – Stealer Creating List of User Profiles

 

Once the stealer obtains a Chrome user profile from a targeted system, the stealer initiates the process of stealing cookies. These extracted cookies are then stored in a text file named “Chrome_<profile>_cookies.txt.” Furthermore, the stealer generates separate text files specifically for social media website cookies. All these files are subsequently placed in the temporary folder created by the stealer, as shown in the figure below.

Figure 9 – Stealer stealing Cookie Data

 

After targeting Google Chrome, the stealer proceeds to target Mozilla Firefox. Firefox stores its cookie data in an SQLite database, which is located in the path “C:Users<user>AppDataRoamingMozillaFirefoxProfiles”. Like in the case of Chrome, the stealer then saves the extracted cookies from Firefox in the form of text files within the Temp folder.

The figure below shows the code to steal cookies from Firefox.

Figure 10 – Stealer Code to Steal Firefox Data

 

The stealer now advances to the exfiltration stage by compressing the entire folder containing stolen text files into a zip file.

The figure below shows the code to compress the data into a zip file.

​Read More

  • Tweet

About Valentin

What you can read next

2024: The Year of Secure Design
An Alarming 66% Quarterly Growth in Ransomware Attacks Notes Cyble’s Q2-2023 Ransomware Report
Ransomware attacks break records in 2023: the number of victims rose by 128%

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recent Posts

  • Sniffnet: Free, open-source network monitoring
  • 90% of threats are social engineering
  • 78% of SMBs fear cyberattacks could shut down their business
  • Chinese attackers leverage previously unseen malware for espionage
  • Long-running Chinese cyberespionage operation targeted Southeast Asian government

Recent Comments

No comments to show.

Recent Posts

  • Sniffnet: Free, open-source network monitoring

    Cyber Security Blogs Sniffnet is a free, open-s...
  • 90% of threats are social engineering

    Cyber Security Blogs In this Help Net Security ...
  • 78% of SMBs fear cyberattacks could shut down their business

    Cyber Security Blogs 94% of SMBs have experienc...
  • Chinese attackers leverage previously unseen malware for espionage

    Cyber Security Blogs Sophos released its report...
  • Long-running Chinese cyberespionage operation targeted Southeast Asian government

    Cyber Security Blogs Researchers have uncovered...

Archives

  • June 2024
  • May 2024
  • March 2024
  • January 2024

Categories

  • RSS blog posts

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

Recent Comments

    Featured Posts

    • Sniffnet: Free, open-source network monitoring

      0 comments
    • 90% of threats are social engineering

      0 comments
    • 78% of SMBs fear cyberattacks could shut down their business

      0 comments
    • Chinese attackers leverage previously unseen malware for espionage

      0 comments
    • Long-running Chinese cyberespionage operation targeted Southeast Asian government

      0 comments

    SEARCH

    RECENT POSTS

    • Sniffnet: Free, open-source network monitoring

    • 90% of threats are social engineering

    • 78% of SMBs fear cyberattacks could shut down their business

    TAG CLOUD

    ©2024 All rights Reserved @Smart Works Network

    TOP