SapphireStealer Sneaks In: Deceptive Legal Documents Prey on Russians
2024-03-07 00:01:18 Author: cyble.com

Key Takeaways

  • Cyble Research and Intelligence Labs (CRIL) encountered an executable file served from a deceptive URL on a site masquerading as a Russian government website, possibly distributed via spam emails.
  • The downloaded executable file is identified as SapphireStealer, disguised with a PDF icon, designed to deceive users into believing it is a PDF document. 
  • Upon execution, the executable file drops and displays the embedded lure PDF document within it, leading the user to believe that they have opened a genuine PDF file. 
  • The lure PDF contains scanned images of documents, one resembling a guideline for enforcing a court order against a debtor, while the other mimics a subpoena summoning an individual as a witness in a Russian administrative violation case. 
  • However, in the background, SapphireStealer collects sensitive information, including login credentials from various browsers, web data, local state, network cookies, and more from the victim’s device. 
  • Finally, the malware sends the pilfered data to a Command-and-Control (C&C) server in the form of a compressed ZIP file. 
  • The Threat Actor (TA) behind this campaign remains unknown due to the lack of available information. 

Overview

In late February, CRIL observed a campaign that targets Russian individuals with the information stealer malware known as “SapphireStealer.” SapphireStealer is an open-source information-stealing tool previously documented by Talos researchers. Since its initial public release in December 2022, it has been increasingly seen across various public malware sources.

Threat Actors (TAs) responsible for this campaign remain unidentified. We suspect the campaign begins with a spam email containing a link that leads to downloading an executable file (disguised with a PDF icon to deceive the recipient into thinking it is a PDF document) from a fake Russian government website URL.  

The downloaded executable is identified as SapphireStealer. It is hosted on a counterfeit Russian government website (govermentu[.]ru) and is downloaded from the following URL:

  • hxxp://govermentu[.]ru/media/FederalnoeUpravlenie_postanovlenie_o_vozbuzdenie_ispolnitelnogo_proizvodstava[.]exe 
Figure 1 – Legitimate & Fake Russian government website 

The translated name of the downloaded file indicates that it relates to a resolution issued by a federal administration regarding the initiation of executive proceedings. 

Upon running the executable file, it drops and opens a PDF document named “Постановлениe.pdf” (translated as: Resolution.pdf) while concurrently carrying out a covert data-stealing operation in the background.

The lure PDF contains a scanned image of a document that instructs the recipient on carrying out their duties in enforcing the court order against the debtor, as shown in the figure below.

Figure 2 – Lure PDF document 

The following image displays another bait PDF utilized in this campaign named “Повестка.pdf” (translated as: Agenda.pdf), which is dropped and opened upon the execution of the “FederalnoeUpravlenie.exe” file.  

This lure PDF also contains a scanned image of the document, which is a subpoena issued by a court in Russia, summoning an individual as a witness in a case involving an administrative violation. 

Figure 3 – Lure PDF document 

The TAs use deceptive legal documents in this campaign to instil fear and urgency in recipients, compelling them to take immediate action. Such documents often threaten legal consequences over fabricated legal matters. Recipients may be psychologically manipulated into opening attachments or clicking on links, exposing themselves to malware or phishing attempts.

Technical Analysis

The file “FederalnoeUpravlenie.exe” is a .NET executable, protected and obfuscated using .NET Reactor. It bears a PDF icon and has an approximate size of 1MB, as shown in the figure below.

Figure 4 – Icon of the Stealer file 

Upon execution of the exe file, it begins by running the Main() function. This function first retrieves the embedded PDF content from the .NET resources, saves it under the filename “Повестка.pdf”, and then opens it using Process.Start(). This displays the deceptive PDF document to the user, creating the illusion that they have opened a genuine PDF file, as shown in the process tree below.

Figure 5 – Process tree 

The figure below shows the code snippet of the de-obfuscated Main() function, which drops and executes the lure PDF document for the victims. 

Figure 6 – Main() function of the Stealer 

The following figure depicts an embedded lure PDF content within the .NET resource named “Повестка_от_390”. 

Figure 7 – Embedded lure PDF inside malware file resource section 

After dropping and displaying the deceptive PDF, the malware commences its covert stealing operations by calling the method Class1.Log() in the background, unbeknownst to the victim, as shown below.

Figure 8 – Code snippet responsible for Stealer functionalities 

The malware incorporates several encrypted strings. Throughout its code, the stealer calls the StringCipher.Decryptasdfasdfasdfs() function to decrypt strings it needs at runtime, such as the names of folders created by the malware, the file extensions to target, and the browser paths from which sensitive data is stolen. This function decrypts the ciphertext with AES, using a key derived from a random number and a salt, and returns the decrypted plaintext.

The figure below shows the code snippet of the Decryptasdfasdfasdfs() function. 

Figure 9 – Code used to decrypt the encrypted strings used by the stealer 

When the function Class1.Log() is executed, it primarily invokes another significant method named Log2() within the class named “InstanceOfClass,” as shown in the figure below. This method carries out the core activities of the stealer, including the extraction of sensitive data, which is subsequently sent to the threat actor. 

Figure 10 – SapphireStealer Operation code snippet 

The operations performed by the InstanceOfClass.Log2() method are outlined below.

  • Initially, it acquires the path for the Temp folder and establishes a directory named as “sapphire” (designated as malware directory). 
  • Following that, within the malware directory, it creates subfolders titled “GrabbingFiles” and “FileZilla.” 
  • Then, it calls the method Class4.smethod_0() which verifies the existence of a specific directory (Telegram Desktop/tdata). If the directory exists, it copies key data files from it. Subsequently, it creates a new folder named “Telegram” within a malware directory and saves the copied files. 
  • Afterward, it calls the method Class6.smethod_0(), which copies files such as Login Data, Web Data, Local State, and Network Cookies from the browsers installed on the system, creating folders named <browsername1> and <browsername2> within the “sapphire” directory to hold the copied files. The figure below shows the browsers targeted by the SapphireStealer malware.
Figure 11 – Targeted browsers & their paths of the Stealer 

  • Next, it invokes the function Class3.smethod_0(), which retrieves files with the extensions shown in the figure below from the Desktop folder and copies them to the “GrabbingFiles” folder within the malware directory.
Figure 12 – Targeted extension for Grabbing files operation 

  • In addition to grabbing desktop files, the stealer gathers all files within the FileZilla folder located at “Environment.SpecialFolder.ApplicationData” and the .ssh folder from the path “Environment.SpecialFolder.UserProfile”. It then copies these files to their corresponding folders within the malware directory. 
Figure 13 – SapphireStealer malware directory

  • Subsequently, it iterates through all the copied files within the malware directory, generating an XML summary file as shown below, and compresses it into a ZIP archive. It creates a GUID and saves the ZIP file with that ID name. 
Figure 14 – Summary of the stolen details 

  • After that, it collects user system information such as the IP address, MAC address, and hostname. Finally, it sends the ZIP archive together with the victim’s system information to the TAs’ Command-and-Control (C&C) server and deletes the ZIP archive, as shown in the code snippet below.
Figure 15 – Code snippet for Exfiltration 
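A defender-side check for the staging tree described in the steps above, added here as an example and not Cyble’s or the stealer’s code: it scans constructed Sysmon-style file-creation events (the event shape is an assumption) for the “sapphire” directory under Temp, its “GrabbingFiles”/“FileZilla”/“Telegram” subfolders, and the GUID-named ZIP archive.

```python
"""Detection example (added, not from the report): flag processes that
build the SapphireStealer staging tree described above. Folder names and
the GUID-named ZIP come from the report; the event format is assumed."""
import re
from collections import defaultdict

# <anything>\Temp\sapphire followed by a separator or end of path.
SAPPHIRE_DIR = re.compile(r"[\\/]temp[\\/]sapphire([\\/]|$)", re.IGNORECASE)
SUBFOLDERS = {"grabbingfiles", "filezilla", "telegram"}
GUID_ZIP = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.zip$",
    re.IGNORECASE)

def detect_sapphire_staging(events):
    """events: dicts with 'image' (creating process) and 'target' (path
    created). Returns {image: sorted reasons} for processes that create
    at least two distinct staging artifacts (reduces single-hit noise)."""
    hits = defaultdict(set)
    for ev in events:
        path = ev["target"].replace("/", "\\")
        m = SAPPHIRE_DIR.search(path)
        if not m:
            continue
        # First path component below ...\Temp\sapphire ("" = the dir itself)
        head = path[m.end():].strip("\\").split("\\", 1)[0].lower()
        if head in SUBFOLDERS:
            hits[ev["image"]].add(f"subfolder:{head}")
        elif GUID_ZIP.match(head):
            hits[ev["image"]].add("guid-named zip archive")
        elif head == "":
            hits[ev["image"]].add("sapphire dir created")
    return {img: sorted(r) for img, r in hits.items() if len(r) >= 2}

# Constructed sample events (not real telemetry); the last one is benign.
STEALER = r"C:\Users\u\Downloads\FederalnoeUpravlenie.exe"
TEMP = r"C:\Users\u\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"image": STEALER, "target": TEMP + r"\sapphire"},
    {"image": STEALER, "target": TEMP + r"\sapphire\GrabbingFiles"},
    {"image": STEALER, "target": TEMP + r"\sapphire\FileZilla"},
    {"image": STEALER, "target": TEMP + r"\sapphire\Telegram\key_datas"},
    {"image": STEALER,
     "target": TEMP + r"\sapphire\3f2504e0-4f89-11d3-9a0c-0305e82c3301.zip"},
    {"image": r"C:\Program Files\7-Zip\7z.exe",
     "target": TEMP + r"\sapphire-notes.zip"},
]

if __name__ == "__main__":
    for image, reasons in detect_sapphire_staging(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(reasons))
```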

The network traffic depicted in the following figure illustrates the communication between the victim’s system and the remote server, facilitating the exfiltration of the stolen data. 

Figure 16 – Network details of Exfiltration to C&C 

Conclusion

Threat Actors choose sensitive or official documents as lures due to their ability to manipulate emotions, create an illusion of authenticity, and attract a wide range of targets. This calculated use of social engineering techniques enhances the success of malware campaigns by helping attackers evade detection, as they masquerade as trustworthy and benign entities.  

In this malware campaign, TAs are focusing on Russian individuals, utilizing a masqueraded Russian government website to distribute the malware, along with deceptive PDF documents written in Russian to mislead victims. Upon successful execution, the user becomes infected with the SapphireStealer, which then proceeds to extract sensitive information and send it to a remote server. 

CRIL meticulously monitors the latest phishing or malware variants circulating, delivering timely analyses with actionable insights. This data aids users in fortifying their defenses against potential threats and attacks. 

Our Recommendations

  • The initial entry point may originate via spam emails. Therefore, it’s advisable to deploy strong email filtering systems to identify and prevent the dissemination of harmful attachments. 
  • When handling email attachments or links, particularly those from unknown senders, exercising caution is crucial. Verify the sender’s identity, particularly if an email seems suspicious. 
  • Deploy strong antivirus and anti-malware solutions to detect and remove malicious executable files. 
  • Enhance the system security by creating strong, distinct passwords for each of the accounts and, whenever feasible, activate two-factor authentication. 
  • Set up network-level monitoring to detect unusual activities or data exfiltration by malware. Block suspicious activities to prevent potential breaches. 
  • Regularly back up data to guarantee the ability to recover it in case of an infection and keep users informed about the most current phishing and social engineering methods employed by cybercriminals. 

MITRE ATT&CK® Techniques

| Tactic | Technique | Procedure |
|---|---|---|
| Execution (TA0002) | Exploitation for Client Execution (T1203) | TAs use a lure PDF document to execute the malicious code. |
| Defense Evasion (TA0005) | Masquerading (T1036) | TAs use a fake Russian government site to spread malware. Icon mismatch: the binary includes an icon from a different legitimate application in order to fool users. |
| Defense Evasion (TA0005) | Obfuscated Files or Information (T1027) | Binary may include packed or crypted data. |
| Defense Evasion (TA0005) | Software Packing (T1027.002) | Binary may include packed or crypted data. |
| Defense Evasion (TA0005) | Deobfuscate/Decode Files or Information (T1140) | Decodes data using Base64 in .NET. |
| Credential Access (TA0006) | OS Credential Dumping (T1003) | Tries to harvest and steal browser information (cookies, passwords, etc.). |
| Discovery (TA0007) | System Information Discovery (T1082) | Queries the system information (host name, IP address, etc.). |
| Discovery (TA0007) | File and Directory Discovery (T1083) | Stealer enumerates files for grabbing. |
| Collection (TA0009) | Data from Local System (T1005) | Tries to harvest and steal browser information (cookies, passwords, etc.). |
| Collection (TA0009) | Archive Collected Data (T1560) | Stealer compresses the stolen data into a ZIP archive. |
| C&C (TA0011) | Application Layer Protocol (T1071) | Malware exe communicates with the C&C server. |

Indicators of Compromise (IOC)

| Indicators | Indicator Type | Description |
|---|---|---|
| 5c025a9e86a125bf2f2ca5c1b29b42a6 | MD5 | SapphireStealer exe |
| 6b44ab6c246c077ee0e6f51300654b3eec2fddc7 | SHA1 | SapphireStealer exe |
| 850a99d2039dadb0c15442b40c90aa4dac16319114455ab5904aa51e062fe6e1 | SHA256 | SapphireStealer exe |
| 55bb772aea4303ca373fd8940663b6bd | MD5 | SapphireStealer exe |
| b396a8d5e30fb179f3139d28b843b57bb8ae3f47 | SHA1 | SapphireStealer exe |
| c816d0be8d180573d14d230b438a22d7dda6368b1ef1733754eda9804f295a2f | SHA256 | SapphireStealer exe |
| govermentu[.]ru | Domain | Phishing site |
| hxxp://govermentu[.]ru/media/FederalnoeUpravlenie_postanovlenie_o_vozbuzdenie_ispolnitelnogo_proizvodstava[.]exe | URL | Malware download URL |
| 193.39.185[.]4 | IP | C&C |

References

https://blog.talosintelligence.com/sapphirestealer-goes-open-source

Article source: https://cyble.com/blog/sapphirestealer-sneaks-in-deceptive-legal-documents-prey-on-russians/