New Fast-Developing ThirdEye Infostealer Pries Open System Information
2023-06-28 04:27 Author: feeds.fortinet.com (view original)

Affected platforms: Windows
Impacted parties: Windows Users
Impact: The information collected can be used for future attacks
Severity level: Medium

FortiGuard Labs recently came across files that look suspicious, even during a cursory review. Our subsequent investigation confirmed that the files are malicious and revealed there is more to them than meets the eye: they are a previously unseen infostealer we have named “ThirdEye”. While this malware is not considered sophisticated, it’s designed to steal various information from compromised machines that can be used as stepping-stones for future attacks.

This blog post analyzes the behavior and evolution of this new infostealer.

Meet the ThirdEye

Our investigation began when we spotted an archive file with a Russian file name, “Табель учета рабочего времени.zip” (“time sheet” in English). This zip file contains two files our experience immediately identified as up to no good. Both carry a .exe extension preceded by a document-related extension (a double extension). One of them is “CMK Правила оформления больничных листов.pdf.exe” (“QMS Rules for issuing sick leave” in English), an executable rather than the PDF document its name suggests. The file has a SHA256 hash of f6e6d44137cb5fcee20bcde0a162768dadbb84a09cc680732d9e23ccd2e79494.

Figure 1. CMK Правила оформления больничных листов.pdf.exe

The ThirdEye infostealer has relatively simple functionality. It harvests various system information from compromised machines, such as BIOS and hardware data. It also enumerates files and folders, running processes, and network information. Once the malware is executed, it gathers all this data and sends it to its command-and-control (C2) server hosted at (hxxp://shlalala[.]ru/general/ch3ckState). And unlike most other malware, it does nothing else.

One interesting string unique to the ThirdEye infostealer family (from which we derived its name) is "3rd_eye", which it decrypts and uses with another hash value to identify itself to the C2.

The second item in the archive is “Табель учета рабочего времени.xls.exe”, which shares its base name with the parent archive. This file is a ThirdEye infostealer variant that performs the same activities as f6e6d44137cb5fcee20bcde0a162768dadbb84a09cc680732d9e23ccd2e79494.

Figure 2. Табель учета рабочего времени.xls.exe

Based on the traits we saw in those ThirdEye infostealer samples, we traced the family back to its earliest sample, 610aff11acce8398f2b35e3742cb46c6a168a781c23a816de2aca471492161b2, first submitted to a public file scanning service on April 4th, 2023. That sample has a compilation timestamp of Mon Apr 03 12:36:37 2023 GMT and harvests far less information than recent samples; it collects only the following data:

  • client_hash
  • OS_type
  • host_name
  • user_name

Figure 3. Data to be exfiltrated by 610aff11acce8398f2b35e3742cb46c6a168a781c23a816de2aca471492161b2

It calculates a “client_hash”, which it uses as a victim identifier. During exfiltration, the collected data is sent to the C2 server in an HTTP request that carries this identifier in the Cookie header:

Cookie: 3rd_eye=[client_hash value]

Figure 4. Client hash as cookie value

This variant uses hxxp://glovatickets[.]ru/ch3ckState as a C2 server.

No significant changes were made to the malware family until a few weeks later. A variant (SHA256: A9D98B15C94BB310CDB61440FA2B11D0C7B4AA113702035156CE23F6B6C5EECF) with a compile timestamp of Wed Apr 26 09:56:55 2023 GMT collected additional data, such as:

  • BIOS release date and vendor
  • Number of CPU cores and RAM size
  • File list of the user’s desktop
  • Network interface data
  • List of usernames registered to the infected computer

However, this version would crash in certain virtual machines due to missing hardware information. An updated variant was released one day later (SHA256: C36C4A09BCCDEDA263A33BC87A166DFBAD78C86B0F953FCD57E8CA42752AF2FC). The only change here was the use of a PDF icon. Prior to this, none of the samples we found used a custom/fake icon. “hxxp://ohmycars[.]ru/general/ch3ckState” was used as the C2 by this variant.

The following week brought even more changes. This next variant (SHA256: 847CBE9457B001FAF3C09FDE89EF95F9CA9E1F79C29091C4B5B08C5F5FE48337) gathered much more data:

  • Total/Free disk space on the C drive
  • Domain name
  • List of network ports the infected computer is currently using
  • List of currently running processes
  • List of installed programs in the Program_Files directory
  • systemUpTime
  • List of user’s programs, including the version number
  • Volume information such as CD-ROM and other drive letters

Figure 5. Additional data to be exfiltrated by 847CBE9457B001FAF3C09FDE89EF95F9CA9E1F79C29091C4B5B08C5F5FE48337

Another variant (5D211C47612B98426DD3C8EAC092AC5CE0527BDA09AFA34B9D0F628109E0C796), compiled on Thu May 25 11:02:54 2023 GMT, gathered the same type of data, but with a change in encoding: instead of being sent in plaintext, the collected data was hex-encoded. Over the past couple of months, we also spotted variants that used private (RFC 1918) IP addresses instead of an actual C2 server: 10[.]10[.]30[.]36 in SHA256 2008BDD98D3DCB6633357B8D641C97812DF916300222FC815066978090FA078F, and 192[.]168[.]21[.]182 in SHA256 847CBE9457B001FAF3C09FDE89EF95F9CA9E1F79C29091C4B5B08C5F5FE48337. This was perhaps due to testing new features and/or checking for AV detections.
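The two network-observable traits described above, the beacon to a /ch3ckState URI carrying the identifier in a "Cookie: 3rd_eye=" header and the later switch to hex-encoded exfil bodies, are enough to hunt for in proxy or web-gateway logs. The following is an added example written for this page, not Fortinet's code: it scans constructed log records, flags requests matching the URI, cookie or known C2 hosts from this post, hex-decodes the body where the whole body is hex, and notes beacons to private addresses like the test builds mentioned above. The tab-separated log layout and the key=value body format are assumptions made for the example; the malware's real body format is not documented here.

```python
"""Scan HTTP proxy/web-gateway records for ThirdEye-style C2 beacons.

Added example (not Fortinet's code).  Indicators are taken from the post:
the /ch3ckState URI, the "Cookie: 3rd_eye=<client_hash>" header, the four
C2 hosts, and the later switch to hex-encoded exfil bodies.  The log line
layout and the key=value body format are assumptions made for the example.
"""
import binascii
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

C2_PATH = "/ch3ckState"
KNOWN_C2_HOSTS = {"shlalala.ru", "glovatickets.ru", "ohmycars.ru", "anime-clab.ru"}
COOKIE_RE = re.compile(r"(?:^|;\s*)3rd_eye=([0-9A-Za-z]+)")
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")

# Constructed sample body; the key=value&... layout is an assumption.
_PLAIN_BODY = "client_hash=1f3a9c2e&OS_type=Windows&host_name=WS-0042&user_name=ivanov"
_HEX_BODY = binascii.hexlify(_PLAIN_BODY.encode()).decode()

# Constructed log lines: time, src IP, method, URL, Cookie header, body (tab-separated).
SAMPLE_LOG = [
    "\t".join(["2023-05-02T10:14:03Z", "10.1.2.15", "POST",
               "http://shlalala.ru/general/ch3ckState", "3rd_eye=1f3a9c2e", _PLAIN_BODY]),
    "\t".join(["2023-05-02T10:14:09Z", "10.1.2.15", "GET",
               "http://www.example.com/index.html", "session=abc", ""]),
    "\t".join(["2023-05-26T08:00:41Z", "10.1.2.77", "POST",
               "http://ohmycars.ru/general/ch3ckState", "3rd_eye=1f3a9c2e", _HEX_BODY]),
    "\t".join(["2023-05-26T08:05:12Z", "10.1.2.77", "POST",
               "http://10.10.30.36/ch3ckState", "3rd_eye=1f3a9c2e", _PLAIN_BODY]),
]


def parse_line(line):
    """Split one tab-separated record into its six named fields."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 6:
        raise ValueError("malformed record: %r" % line)
    keys = ("ts", "src", "method", "url", "cookie", "body")
    return dict(zip(keys, parts))


def decode_body(body):
    """Return the exfil body as text, hex-decoding it when the whole body is
    hex (the May 2023 variant hex-encodes the collected data)."""
    if HEX_RE.match(body):
        try:
            text = binascii.unhexlify(body).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return body
        if text.isprintable():
            return text
    return body


def classify(rec):
    """Return a hit dict if the record looks like a ThirdEye beacon, else None."""
    url = urlsplit(rec["url"])
    host = url.hostname or ""
    reasons = []
    if url.path.endswith(C2_PATH):
        reasons.append("URI ends with /ch3ckState")
    m = COOKIE_RE.search(rec["cookie"])
    if m:
        reasons.append("3rd_eye cookie present")
    if host in KNOWN_C2_HOSTS:
        reasons.append("known ThirdEye C2 host")
    if not reasons:
        return None
    # Some samples beaconed to RFC 1918 addresses, probably test builds;
    # worth noting because an egress proxy may never see that traffic.
    try:
        if ipaddress.ip_address(host).is_private:
            reasons.append("destination is a private address (test build?)")
    except ValueError:
        pass
    return {
        "ts": rec["ts"],
        "src": rec["src"],
        "host": host,
        "client_hash": m.group(1) if m else None,
        "reasons": reasons,
        "fields": dict(parse_qsl(decode_body(rec["body"]))),
    }


def scan(lines):
    """Run classify() over every record and return the hits in log order."""
    hits = []
    for line in lines:
        hit = classify(parse_line(line))
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ts"], h["src"], "->", h["host"], "|", ", ".join(h["reasons"]))
        print("   ", h["fields"])
```

Matching on the URI and cookie rather than only on the four hostnames matters because the C2 domain changed with almost every build in this post, while the "3rd_eye" cookie name and the ch3ckState path stayed constant. The decoded fields give responders the host_name and user_name values the sample reported, which is what you need to find the infected machine.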

Conclusion

Although there is no concrete evidence that the ThirdEye infostealer has been used in attacks, the malware is designed to collect information from compromised machines that is valuable for understanding and narrowing down potential targets. We believe this infostealer was built for that purpose, and ThirdEye victims may be the subjects of future cyberattacks. Since most ThirdEye variants were submitted to a public scanning service from Russia, and the latest variant has a Russian file name, the attacker may be looking to deploy malware to Russian-speaking organizations.

While ThirdEye is not yet considered sophisticated, our investigation found the attacker has put effort into improving the infostealer, such as recent samples collecting more system information compared to older variants. We expect that effort to continue.

Fortinet Protections

Fortinet customers are already protected from this threat through FortiGuard’s AntiVirus, FortiMail, and FortiClient services, as follows:

The following AntiVirus (AV) signature detects the malicious files mentioned in this blog:

  • W64/ThirdEye.A!tr

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.

Fortinet Webfiltering blocks all ThirdEye C2s identified in this blog.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs

IOC | Malware
9db721fa9ea9cdec98f113b81429db29ea47fb981795694d88959d8a9f1042e6 | Archive file containing ThirdEye Infostealer
5d211c47612b98426dd3c8eac092ac5ce0527bda09afa34b9d0f628109e0c796 | ThirdEye Infostealer
f6e6d44137cb5fcee20bcde0a162768dadbb84a09cc680732d9e23ccd2e79494 | ThirdEye Infostealer
3d9aff07e4cb6c943aec7fcd2d845d21d0261f6f8ae1c94aee4abdf4eef5924d | ThirdEye Infostealer
2008bdd98d3dcb6633357b8d641c97812df916300222fc815066978090fa078f | ThirdEye Infostealer
847cbe9457b001faf3c09fde89ef95f9ca9e1f79c29091c4b5b08c5f5fe48337 | ThirdEye Infostealer
c36c4a09bccdeda263a33bc87a166dfbad78c86b0f953fcd57e8ca42752af2fc | ThirdEye Infostealer
0a798b4e7bd4853ec9f0d3d84ad54a8d24170aa765db2591ed3a49e66323742c | ThirdEye Infostealer
a9d98b15c94bb310cdb61440fa2b11d0c7b4aa113702035156ce23f6b6c5eecf | ThirdEye Infostealer
263600712137c1465e0f28e1603b3e8feb9368a37503fa1c9edaaab245c63026 | ThirdEye Infostealer
610aff11acce8398f2b35e3742cb46c6a168a781c23a816de2aca471492161b2 | ThirdEye Infostealer
hxxp://shlalala[.]ru/general/ch3ckState | ThirdEye Infostealer C2
hxxp://ohmycars[.]ru/general/ch3ckState | ThirdEye Infostealer C2
hxxp://anime-clab[.]ru/ch3ckState | ThirdEye Infostealer C2
hxxp://glovatickets[.]ru/ch3ckState | ThirdEye Infostealer C2

YARA

FortiGuard Labs has created the following YARA rule to identify the ThirdEye Infostealer.


Source: https://feeds.fortinet.com/~/749128127/0/fortinet/blog/threat-research~New-FastDeveloping-ThirdEye-Infostealer-Pries-Open-System-Information