Malware Development Competition Fuels Creation of 20+ Malware

EXECUTIVE SUMMARY

In this report, we discuss the recently observed XSSLite Stealer that is being discussed within multiple hacking communities. It was released as part of a malware development competition (XSSWare) hosted by the infamous Russian hacking community; XSS. The developer of the stealer has shared the source code of the project and hinted that he is moving on to another project. After the launch of XSSLite on a Russian forum, we have also seen the stealer being distributed on Chinese hacking communities. We will explore the capabilities of this infostealer along with more details on how these competitions urge financially motivated malware developers to create and distribute different types of malwares.

INTRODUCTION

The CYFIRMA research team has observed a sharp rise in malware being distributed on a Russian hacking forum at no cost. The forum administrators had announced a malware development competition on 1st November 2023.

Since then, we have seen 20+ malware developers post under the topic, contending for the prize money. Amongst these entries, we have observed that a user has come up with 3 different malware – an infostealer, a crypto seed phrase checker and a Metamask wallet bruter. For the sake of this report, we will take a look at the infostealer, XSSLite.

KEY FINDINGS

XSSLite:

• is written in C# and the web panel is written in Python Flask. The developer is believed to be re-writing the stealer in C++.
• abuses Windows Management Instrumentation (WMI) to execute malicious commands and payloads.
• uses DLL sideloading technique, directly side-loading its payloads by planting then invoking a legitimate application that executes their payload(s).
• queries sensitive device information, allocates memory with a write watch, contains long sleeps to detect/evade sandboxes.
• reads the hosts file to find out remotely accessible endpoints from the infected machine.
• fingerprints the victim by checking the public IP of the victim using ipinfo.
• uses timestomp and obfuscation techniques for defense evasion.
• dumps credentials from browsers and captures keystrokes.
• has the instructions to setup the build to send stealer logs to a private C2 before compilation.

Sandbox Evasion and Anti-Debugging
The stealer evades sandbox analysis by looking for VMware and Hyper-V related infrastructure.

Additionally, the malware uses WMI to query device information to detect if its running on a VM. It also uses Windows memory manager to maintain a “write watch” on allocations for debugging and profiling purposes.

The web panel for XSSLite (which can be hosted on a private server) can be used to receive the stealer logs on an open port of the attacker’s choice.

EXTERNAL THREAT LANDSCAPE MANAGEMENT

In the last week of January 2024, we noticed a post by a user on XSS; a Russian hacking forum. The post was created under the thread for “XSSWare competition”.

The developer claims that the project was initially meant to be a malware with infostealer and RAT capabilities. However, looking at the competition, the developer decided to rewrite the stealer in C++, while making the C# project accessible to everyone.

More malware, FOR FREE!
The malware development competition has motivated multiple contenders to create functional malware and post them at no cost on the forum. We have seen crypto brute force software, spyware, botnets and information stealers being disseminated for free.

The developer of XSSLite has shared a seed phrase checker for crypto wallets and a META wallet bruter. A seed phrase is a sequence of 12, 18 or 24 random words that provide the information required to recover (or in this case, takeover) a cryptocurrency wallet.

This can help attackers hijack cryptocurrency wallets of unsuspecting users. It supports BTC, LTC, DASH and DOGECOIN.

CONCLUSION

This report sheds light on the escalating risk landscape fuelled by underground malware development competitions — motivating malicious actors to create and share potent tools freely. A hefty prize pool shows just how much these administrators earn by running the cybercriminal forum. Competitions attract a larger audience, fostering increased participation and engagement within the forum. This comradeship can lead to more sustained and meaningful interactions, contributing to the overall health of the forum. With another month to go, we expect the number of malwares seen in the competition to experience a steep rise, likely resulting in increased campaigns by threat actors using those respective tools.

RECOMMENDATIONS

Strategic:

• Foster threat intelligence sharing within industry sectors to enhance collective defense against emerging threats.
• Invest in employee education on phishing awareness and safe online practices to minimize the risk of initial infections.
• Develop incident response plans tailored to malware attacks, ensuring swift and effective response measures.

Management:

• Allocate resources for continuous monitoring and analysis of forums and platforms where malware developers congregate.
• Collaborate with law enforcement and industry peers to dismantle hacking communities and disrupt malware distribution networks.
• Conduct regular cybersecurity audits to assess the organization’s resilience against evolving threats and adjust security strategies accordingly.

Tactical:

• Implement robust endpoint protection with advanced threat detection capabilities to identify and mitigate risk posed by malware.
• Regularly update and patch software to address vulnerabilities exploited by malware.
• Employ network segmentation to contain potential infections and limit lateral movement.

APPENDIX1

MITRE Mapping

IOCs