WhiteSnake Stealer Malware Analysis

Subscribers: 178,000
Video Link: https://www.youtube.com/watch?v=-pHHGE2MwUg
Duration: 9:42
4,403 views

WhiteSnake Stealer is a new and interesting piece of malware with a few unique properties.
Support us on GH: https://guidedhacking.com/register/
Support us on Patreon: /guidedhacking
Support us on YT: /@guidedhacking

Learn more here:
https://guidedhacking.com/threads/whi...

Today we carry out some malware analysis on WhiteSnake Stealer. WhiteSnake Stealer has recently hit the market, selling a set of functionalities commonly found in other stealers: it steals from browsers and cryptocurrency wallets and includes a file grabber. WhiteSnake Stealer then sends the collected data out through Telegram, which is becoming a very common C2 and exfiltration channel. WhiteSnake Stealer also offers a Linux binary that is currently in development and can steal from Ubuntu with some, but not all, of the functionality the malware offers.

Beginning our malware analysis of WhiteSnake Stealer, we see that it is written for .NET v4. Opening it in dnSpy, the go-to tool for analyzing .NET binaries, we find that it is somewhat obfuscated with string encryption. String encryption hides the strings inside a malware sample to hinder analysis and make it harder for the reverse engineer to read them in the binary. Looking at the function used to decrypt the strings, it takes two parameters and XORs the first parameter with the second. To continue our analysis of WhiteSnake Stealer we need to be able to read these strings, so we use de4dot, a .NET deobfuscation tool, to decrypt them. de4dot exposes two relevant flags, --strtyp and --strtok. --strtyp selects how the strings are decrypted: "static" uses a decrypter de4dot already knows for a recognized obfuscator, while "delegate" loads the assembly and calls the binary's own decryption function. --strtok then names (or gives the metadata token of) that decryption method so that de4dot knows which function to invoke.

Now that the binary is deobfuscated we see that it runs anti-VM checks, creates a mutex and then collects the data to be stolen. The collected data is gzipped, RC4-encrypted with a randomly generated key, and that RC4 key is in turn encrypted with RSA using a public key embedded in the malware config. The RSA-encrypted RC4 key is appended to the end of the encrypted blob before it is sent. This way, without the operator's RSA private key a malware analyst cannot recover the RC4 key from the blob and so cannot see what the malware is sending over the Telegram C2 exfil channel.
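The exfil packaging described above, modelled in Python as an added example (not the sample's own code and not Guided Hacking's): gzip, RC4 under a fresh random session key, the session key wrapped with the operator's RSA public key, and the wrapped key appended to the ciphertext. Assumptions not taken from the video: a 16-byte RC4 key, a 512-bit textbook RSA keypair without padding (so the script runs offline with only the standard library; the real sample's key size, padding and exact layout are unknown here), a fixed-width wrapped key at the end of the blob, and the constructed "stolen" data. It also shows the one path an analyst has without the private key: if the per-run RC4 key can be captured (for example from process memory while the sample runs), the blob can be decrypted directly.

```python
"""Toy model of stealer exfil packaging: gzip -> RC4(session key) -> RSA-wrapped key appended.

Added example. RSA is textbook (unpadded) RSA over a freshly generated 512-bit
modulus purely so this runs with the standard library; it is NOT a claim about
the real sample's RSA parameters or padding.
"""
import gzip
import os
import random

KEY_LEN = 16  # RC4 session key length (assumption, not from the video)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test, enough for a demo keypair."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits: int = 512, e: int = 65537):
    """Toy textbook RSA. Returns (public, private) as ((n, e), (n, d))."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so e not dividing phi means gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def modulus_len(n: int) -> int:
    return (n.bit_length() + 7) // 8


def rsa_wrap(pub, session_key: bytes) -> bytes:
    """Operator public key wraps the session key; output is fixed width (modulus size)."""
    n, e = pub
    c = pow(int.from_bytes(session_key, "big"), e, n)
    return c.to_bytes(modulus_len(n), "big")


def rsa_unwrap(priv, wrapped: bytes, key_len: int) -> bytes:
    n, d = priv
    return pow(int.from_bytes(wrapped, "big"), d, n).to_bytes(key_len, "big")


def build_blob(plaintext: bytes, pub):
    """Malware side. Returns (blob, session_key); the key is only returned so the
    'analyst captured it from memory' path can be demonstrated below."""
    session_key = os.urandom(KEY_LEN)
    body = rc4(session_key, gzip.compress(plaintext))
    return body + rsa_wrap(pub, session_key), session_key


def open_blob_with_private_key(blob: bytes, priv) -> bytes:
    """Operator side: split off the trailing wrapped key, unwrap it, RC4-decrypt, gunzip."""
    wrap_len = modulus_len(priv[0])
    session_key = rsa_unwrap(priv, blob[-wrap_len:], KEY_LEN)
    return gzip.decompress(rc4(session_key, blob[:-wrap_len]))


def open_blob_with_session_key(blob: bytes, session_key: bytes, wrap_len: int) -> bytes:
    """Analyst side without the private key: only possible if the per-run RC4 key
    was captured (e.g. from process memory) and the trailing-key layout is known."""
    return gzip.decompress(rc4(session_key, blob[:-wrap_len]))


def demo():
    pub, priv = rsa_keygen()
    stolen = b"host=WIN-LAB01\r\nbrowser=chrome\r\nuser=alice\r\n"  # constructed sample data
    blob, session_key = build_blob(stolen, pub)
    wrap_len = modulus_len(pub[0])
    return {
        "plaintext": stolen,
        "blob_len": len(blob),
        "wrap_len": wrap_len,
        "via_private_key": open_blob_with_private_key(blob, priv),
        "via_recovered_session_key": open_blob_with_session_key(blob, session_key, wrap_len),
    }


if __name__ == "__main__":
    print(demo())
```

Both recovery paths return the original plaintext; what the blob alone never yields is the session key, which is exactly why capturing it at runtime (or obtaining the private key from the builder/panel) is the practical route for an analyst.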

Stealer malware is a type of malicious software designed specifically to infiltrate victims' systems and exfiltrate sensitive data. Particularly noteworthy among the many stealer families are Vidar Stealer, Raccoon Stealer and WhiteSnake Stealer, each with its own modus operandi.

Vidar Stealer is a formidable threat that has been the subject of in-depth analysis by cybersecurity researchers. Vidar harvests confidential data stored by browsers and other applications on the infected host. A key characteristic of this malware is its capability to steal not only sensitive information such as credit card details and login credentials, but also 2FA data. This makes Vidar Stealer a particularly dangerous threat to both personal and business environments.

Similarly, Raccoon Stealer has been under significant scrutiny. Raccoon is sold under a "malware-as-a-service" model, making it accessible to a wide audience of cybercriminals with varying skill levels.

WhiteSnake Stealer stands out for its focus on stealth and evasion. It uses string encryption and anti-VM checks to hinder analysis and evade traditional antivirus solutions, making it harder to detect and remove.

Information stealer malware like the families above is designed with one primary objective: to obtain sensitive data surreptitiously from infected systems. This category of malware often goes beyond just stealing data, however.

Follow us on Facebook : http://bit.ly/2vvHfhk
Follow us on Twitter : http://bit.ly/3bC7J1i
Follow us on Twitch : http://bit.ly/39ywOZ2
Follow us on Reddit : http://bit.ly/3bvOB57
Follow us on GitHub : http://bit.ly/2HoNXIS
Follow us on Instagram : http://bit.ly/2SoDOlu

0:00 - Introduction
0:13 - White Snake Stealer Overview
1:05 - Dealing with String Encryption and Obfuscation
2:21 - De-obfuscating Encrypted Strings
3:01 - Analyzing Main Functions of the Malware
4:34 - Anti-VM Techniques
5:29 - Encrypting Exfiltrated Data
7:11 - Using RSA Encryption for Security
8:50 - Exfiltration Process to Telegram
9:22 - Conclusion
9:30 - Outro and Resources

malware analysis
guided hacking
reverse engineering
#malwareanalysis #reverseengineering #malware

Tags:
guidedhacking
malware analysis
stealer malware
stealer malware github
raccoon stealer malware
redline stealer malware
crypto stealer malware
redline stealer malware analysis
vidar stealer malware analysis
raccoon stealer malware analysis
mars stealer malware
aurora stealer malware
ytstealer malware
malware
white snake
white snake malware
white snake stealer
stealer
reverse engineering
information stealer
redline malware