AILUROPHILE STEALER

Published On : 2024-09-06

EXECUTIVE SUMMARY

At CYFIRMA, we are dedicated to delivering current insights into prevalent threats and malicious tactics targeting both organizations and individuals. This report examines a newly identified threat, dubbed “Ailurophile Stealer,” which has been discovered on GitHub. The stealer is designed to compromise the victim’s system by extracting sensitive browser data, including stored credentials, cookies, and browsing history. This report details the threat’s mechanisms, distribution methods, and potential impact on cybersecurity.

INTRODUCTION

The Ailurophile Stealer was first discovered on GitHub. The threat actor behind this malware operates a website shielded by Cloudflare, which promotes and supports its distribution. This site features a referral program and offers a free three-day trial to attract users. Additionally, it includes a web panel that allows users to customize and generate malware stubs, amplifying the malware’s reach and effectiveness.

KEY FINDINGS

● The stealer places Portable Executable (PE) files in the startup folder to ensure they run automatically with each system boot.
● The malware seeks to collect and exfiltrate browser data, such as browsing history and passwords.
● The stealer attempts to load any missing Dynamic Link Libraries (DLLs) that may be essential for its operation or to enhance its functionality.

ANALYSIS

Behavioral Analysis:

File name:               Ailurophile_build_test.exe
File size:               9.44 MB
Signed:                  Not signed
MD5:                     520e6676a4e53b73d9f8afab560767b9
SHA-256:                 5508e6e9f62af269f48301f4149cabfb7d421b39d94559ae88a96dc88ddf7501
First seen in the wild:  August 2024

Analysis of the file established that it is packed with UPX. UPX compresses rather than encrypts the image; an unmodified UPX build can usually be restored for static analysis with upx -d, while a tampered UPX header (a common trick) requires manual unpacking or a memory dump after the stub has decompressed itself.

Process Tree Analysis

Step 1: Initial Execution
Ailurophile_build_test.exe: The malware begins its execution when the user or system launches the executable. This is the primary process that initiates all subsequent activities. The executable is packed with UPX, so its strings, imports and code are only visible after unpacking, which slows static analysis.

Step 2: Command Prompt (cmd.exe) Initiation
Instance 1:
Command: cmd.exe /s /c “cls”: Clears the console buffer. This has no effect on on-disk artifacts, so it is cosmetic rather than anti-forensic; its most likely purpose is to keep console output from being visible to the user.

Instance 2:
Command: cmd.exe /s /c “wmic OS get Caption”: Executes a command to retrieve the operating system’s caption, which is part of the discovery process, helping the malware understand the environment it is operating in.

Instance 3:
Command: cmd.exe /s /c “wmic OS get Version” Queries the OS version, another step in the discovery process to tailor the malware’s behavior based on the specific OS version.

Step 3: Windows Management Instrumentation (WMIC) Execution
Instance 1:
Command: wmic OS get Caption: Retrieves the OS caption, as queried by the previous cmd.exe command. WMIC is a powerful tool for interacting with the Windows Management Instrumentation (WMI) to extract system details.

Instance 2:
Command: wmic OS get Version: Retrieves the OS version information, completing the discovery commands initiated earlier.

Step 4: PowerShell Execution
powershell.exe: Executes a PowerShell command that changes the execution policy and calls the Windows Data Protection API (DPAPI) to unprotect data. In stealers this is typically how the browser’s DPAPI-protected master key is recovered so that stored passwords and cookies can be decrypted; the key itself is the sensitive value the script retrieves. Because DPAPI only unprotects data for the user context it was protected under, this step runs as the logged-on user and needs no elevation.

Step 5: Task List Retrieval
Command: cmd.exe /s /c “tasklist”: Executes the tasklist command to retrieve a list of currently running processes. This can be used by the malware to identify security software or other processes that might interfere with its operations.

Step 6: Console Host (conhost.exe) Interaction
Each cmd.exe instance is accompanied by a conhost.exe, the console host that Windows attaches to every console process. conhost.exe is a normal system process and is not launched by the malware’s own code; its repeated appearance in the tree simply reflects how heavily the stealer relies on command-line tooling.

Step 7: Network Communication Initiation
The malware initiates network communication, first sending an HTTP GET request to api.ipify.org to learn the host’s public IP address. api.ipify.org is a legitimate service and this request is not malicious on its own; it becomes a useful signal only in combination with the discovery commands above and the Telegram traffic that follows.

Step 8: Command and Control (C2) Communication
The malware establishes communication with its external C2 server. This server connection is used to receive commands, exfiltrate data, and potentially download additional malicious payloads.

Step 9: Telegram API Interaction
The malware interacts with the Telegram Bot API via api.telegram.org, likely as the exfiltration channel and an alternative C2 channel. Telegram is attractive to stealer operators because traffic to api.telegram.org is ordinary HTTPS to a widely used service and requires no attacker-hosted server, so it blends in and is rarely blocked by default. The stealth comes from that blending, not from Telegram’s own encryption: the requests are plain HTTPS calls and can be inspected at a TLS-intercepting proxy.
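Steps 2 through 9 describe a sequence whose parts are individually benign (WMIC OS queries, tasklist, a PowerShell DPAPI call, a public-IP lookup, a Telegram API call) but distinctive in combination. The following Python is an added example, not code from CYFIRMA or from the stealer: it correlates Sysmon-style process-creation and DNS events back to the process that drove cmd.exe, WMIC, PowerShell and conhost, scores the combination per driving process, and alerts only above a threshold. The sample events, the PowerShell command line, the indicator weights and the threshold are constructed for the example and are assumptions, not values taken from the report.

```python
"""Added example (not CYFIRMA's or the stealer's code): correlate Sysmon-style
process-creation and DNS events into per-parent behaviour profiles and flag
the discovery -> DPAPI -> IP check -> Telegram sequence described above."""
import re
from collections import defaultdict

# Images a stealer drives to do its work; a hit inside one of these is
# attributed to the nearest ancestor that is NOT one of them.
UTILITY_IMAGES = {"cmd.exe", "wmic.exe", "powershell.exe", "conhost.exe"}

# Indicator name -> (pattern matched against a command line or DNS query, weight).
# Weights and the threshold are assumptions for this example, not a vendor scheme.
INDICATORS = {
    "wmic_os_caption":   (re.compile(r"\bwmic\s+os\s+get\s+caption\b", re.I), 1),
    "wmic_os_version":   (re.compile(r"\bwmic\s+os\s+get\s+version\b", re.I), 1),
    "tasklist":          (re.compile(r"\btasklist\b", re.I), 1),
    "powershell_dpapi":  (re.compile(r"powershell.*(ProtectedData|Unprotect|DPAPI)", re.I), 2),
    "external_ip_check": (re.compile(r"^api\.ipify\.org$", re.I), 1),
    "telegram_api":      (re.compile(r"^api\.telegram\.org$", re.I), 2),
}
ALERT_THRESHOLD = 5  # discovery alone (max 3) never fires; DPAPI or Telegram must be present

# Constructed sample telemetry (not captured from a real infection). Each dict
# mimics a normalised Sysmon Event ID 1 (process create) or 22 (DNS query).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Users\u\Downloads\Ailurophile_build_test.exe", "cmdline": "Ailurophile_build_test.exe"},
    {"type": "process", "pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": 'cmd.exe /s /c "cls"'},
    {"type": "process", "pid": 202, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": 'cmd.exe /s /c "wmic OS get Caption"'},
    {"type": "process", "pid": 203, "ppid": 202, "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "wmic OS get Caption"},
    {"type": "process", "pid": 204, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": 'cmd.exe /s /c "wmic OS get Version"'},
    {"type": "process", "pid": 205, "ppid": 204, "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "wmic OS get Version"},
    # Assumed command line: the report only says the script changes the policy and uses DPAPI.
    {"type": "process", "pid": 206, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -ExecutionPolicy Bypass -Command "[System.Security.Cryptography.ProtectedData]::Unprotect($k,$null,\'CurrentUser\')"'},
    {"type": "process", "pid": 207, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": 'cmd.exe /s /c "tasklist"'},
    {"type": "dns", "pid": 200, "query": "api.ipify.org"},
    {"type": "dns", "pid": 200, "query": "api.telegram.org"},
    # Benign admin activity under explorer.exe, for contrast: one WMIC query is not enough.
    {"type": "process", "pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"type": "process", "pid": 301, "ppid": 300, "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "wmic OS get Version"},
]


def _image_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_profiles(events):
    """Group indicator hits by the non-utility process that ultimately spawned them."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}

    def root_of(pid):
        # Walk up through cmd/wmic/powershell/conhost until we reach the
        # process that actually drove them (or run out of telemetry).
        cur = pid
        while (cur in procs and _image_name(procs[cur]["image"]) in UTILITY_IMAGES
               and procs[cur]["ppid"] in procs):
            cur = procs[cur]["ppid"]
        return cur

    profiles = defaultdict(lambda: {"hits": {}, "score": 0})
    for e in events:
        profile = profiles[root_of(e["pid"])]
        text = e["cmdline"] if e["type"] == "process" else e["query"]
        for name, (pattern, weight) in INDICATORS.items():
            if name not in profile["hits"] and pattern.search(text):
                profile["hits"][name] = text   # keep the first matching line as evidence
                profile["score"] += weight
    for root, profile in profiles.items():
        profile["image"] = procs[root]["image"] if root in procs else "<unknown>"
    return dict(profiles)


def detect(events, threshold=ALERT_THRESHOLD):
    """Return one alert per driving process whose combined score reaches the threshold."""
    alerts = []
    for pid, p in sorted(build_profiles(events).items()):
        if p["score"] >= threshold:
            alerts.append({"pid": pid, "image": p["image"], "score": p["score"],
                           "indicators": sorted(p["hits"])})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"pid {a['pid']} {a['image']}: score {a['score']} {a['indicators']}")
```

Attributing hits to the driving process rather than to cmd.exe or WMIC.exe is what separates the stealer from the benign administrator in the sample: both run wmic OS get Version, but only one root process also calls DPAPI from PowerShell and resolves api.telegram.org.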

Resource Development:
The threat actor prepared external infrastructure and third-party APIs (api.telegram.org) to support the malware’s operations, including data exfiltration and command-and-control. These resources were established before deployment so that a freshly generated stub could operate as soon as it was run.

Execution:
The malware executes its payload by launching processes such as cmd.exe and powershell.exe to run system commands and scripts, which allows it to initiate its malicious activities. The invocation of these processes indicates that the malware directly interacts with the system to carry out its tasks, such as modifying settings and downloading additional payloads.

Credential Access:
The malware likely harvests browser information, which could include stored credentials such as passwords and session tokens. This data is then exfiltrated to the attacker’s server, providing them with access to the victim’s accounts and sensitive information.

Discovery:
The use of WMIC.exe by the malware shows that it conducts system discovery to gather information about the operating environment. This might include querying system configuration, running processes, and installed software, which can inform subsequent actions or targeting decisions.

Collection:
The malware is designed to collect sensitive information, including browser data, which is then sent to its command-and-control server. This collected data may include credentials, browsing history, and other personal information, which could be used for further exploitation or sold on illicit markets.

Command and Control:
The malware establishes command-and-control communication with external servers, such as api.telegram.org, to receive instructions and exfiltrate stolen data. This connection allows the attacker to maintain control over the infected system and dynamically adjust the malware’s behavior based on real-time commands.

EXTERNAL THREAT LANDSCAPE MANAGEMENT

During our investigation, we discovered that the Ailurophile Stealer was first published on GitHub in August 2024.

It has also been identified that the threat actor is likely based in Vietnam. Pivoting on the favicon of the stealer’s web panel (Shodan query http.favicon.hash:-145938113) returns the IP address 103.252.123.135, which geolocates to Vietnam; this supports the attribution with medium confidence.

The time zone visible in the threat actor’s screenshot also points to Vietnam.

The same favicon hash surfaces additional domains whose login pages resemble that of the Ailurophile Stealer website.

The threat actor behind the Ailurophile Stealer has also created a repository on Giter.Club, where they have shared details about the Ailurophile Stealer. The information shared on this platform includes specifics about the malware and potentially other technical or operational details related to its deployment and functionality.

Diamond Model

CONCLUSION

Ailurophile Stealer poses a significant threat to both organizations and individuals by targeting sensitive browser data, such as stored credentials and browsing history. Utilizing various system processes and communication channels, the malware efficiently exfiltrates data while maintaining command-and-control communication. Its distribution through GitHub and a referral-based web platform amplifies its reach. To mitigate such threats, organizations should strengthen data protection policies, enhance threat intelligence capabilities, and deploy robust anti-malware solutions.

RECOMMENDATIONS

Strategic Recommendations

  1. Enhance Threat Intelligence Capabilities: Establish continuous monitoring and intelligence-gathering processes to identify emerging threats like the Ailurophile Stealer. Invest in AI-driven analytics and threat-hunting tools to proactively detect and mitigate potential cybersecurity risks.
  2. Strengthen Data Protection Policies: Implement and enforce strict data protection policies, focusing on securing sensitive information, such as browser data and credentials. Adopt encryption and multi-factor authentication (MFA) for all critical systems and data.
  3. Collaboration and Information Sharing: Engage in information-sharing initiatives with industry peers, cybersecurity organizations, and government bodies to stay informed about the latest threats and best practices in defending against similar malware.

Management Recommendations

  1. Security Awareness and Training: Conduct regular cybersecurity awareness training for all employees, emphasizing the importance of recognizing phishing attempts, suspicious software, and secure browsing habits.
  2. Incident Response Planning: Develop and regularly update an incident response plan that includes specific procedures for handling data breaches caused by stealer malware. Ensure all stakeholders are aware of their roles and responsibilities in the event of an incident.
  3. Third-Party Risk Management: Evaluate and enhance third-party risk management processes to ensure that any vendors, partners, or software providers are following robust security practices, reducing the risk of supply chain attacks.

Tactical Recommendations

  1. Deploy Anti-Malware Solutions: Implement advanced anti-malware solutions across all systems to detect and block the Ailurophile Stealer and similar threats. Ensure these tools are regularly updated to address new malware variants.
  2. Monitor and Analyze Network Traffic: Set up continuous monitoring of network traffic to detect unusual or unauthorized connections, particularly to external command-and-control servers. Use intrusion detection systems (IDS) to identify and respond to suspicious activities.
  3. Restrict Execution of Unverified Software: Configure security settings to block the execution of unverified or unsigned software, particularly in startup folders. Utilize application whitelisting to ensure that only trusted applications are allowed to run on critical systems.
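Item 3 above and the first key finding both concern PE files dropped in the Startup folders. The following Python is an added example, not the report’s or any vendor’s tooling: it enumerates the per-user and all-users Startup folders, parses just enough of each PE header to tell whether an Authenticode certificate table is present and whether the section names are UPX’s, and flags files that are unsigned or packed, which is exactly the profile of the sample analysed above (not signed, UPX-packed). The fixtures written by demo() are constructed header-only files, not real executables. The presence of a certificate table is only a cheap triage signal and is not a signature verification; confirm flagged files with Get-AuthenticodeSignature or signtool verify before acting on them.

```python
"""Added example (not from the report or the stealer): hunt for unsigned or
UPX-packed PE files in the Windows Startup folders, using only the standard library."""
import os
import struct
import tempfile


def default_startup_dirs():
    """Per-user and all-users Startup folders (only meaningful on Windows)."""
    return [
        os.path.join(os.environ.get("APPDATA", ""), r"Microsoft\Windows\Start Menu\Programs\Startup"),
        os.path.join(os.environ.get("ProgramData", ""), r"Microsoft\Windows\Start Menu\Programs\StartUp"),
    ]


def inspect_pe(path):
    """Parse the DOS, COFF and optional headers far enough to report file size,
    whether an Authenticode certificate table is present, and any UPX-named
    sections. Returns None for files that are not PE images."""
    with open(path, "rb") as f:
        data = f.read()
    try:
        if data[:2] != b"MZ":
            return None
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return None
        nsec = struct.unpack_from("<H", data, pe_off + 6)[0]         # COFF NumberOfSections
        opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]    # COFF SizeOfOptionalHeader
        opt_off = pe_off + 24
        magic = struct.unpack_from("<H", data, opt_off)[0]
        if magic not in (0x10B, 0x20B):                              # PE32 / PE32+
            return None
        # Data directories start at +96 (PE32) or +112 (PE32+); entry 4 is the certificate table.
        dd_off = opt_off + (112 if magic == 0x20B else 96)
        _cert_va, cert_size = struct.unpack_from("<II", data, dd_off + 4 * 8)
        sec_off = opt_off + opt_size                                 # section table follows the optional header
        names = [data[sec_off + 40 * i: sec_off + 40 * i + 8].rstrip(b"\0").decode("latin-1")
                 for i in range(nsec)]
    except struct.error:
        return None  # truncated header
    return {"path": path, "size": len(data),
            "has_authenticode": cert_size != 0,   # presence only; NOT a signature check
            "upx_sections": [n for n in names if n.upper().startswith("UPX")]}


def scan_startup(dirs):
    """Return inspect_pe() results for every PE file directly inside the given folders."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for entry in sorted(os.scandir(d), key=lambda e: e.name):
            if entry.is_file():
                info = inspect_pe(entry.path)
                if info:
                    findings.append(info)
    return findings


def suspicious(findings):
    """Unsigned or UPX-packed PE in a Startup folder: the profile of the analysed sample."""
    return [f for f in findings if not f["has_authenticode"] or f["upx_sections"]]


def build_fake_pe(section_names=(), cert_size=0, pe32plus=False):
    """Construct a minimal header-only PE for offline testing (constructed fixture, not runnable code)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    dd_off = 112 if pe32plus else 96
    struct.pack_into("<II", opt, dd_off + 4 * 8, 0x1000 if cert_size else 0, cert_size)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


def demo():
    """Write constructed fixtures into a temp folder and scan it as if it were a Startup folder."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "Ailurophile_build_test.exe"), "wb") as f:
        f.write(build_fake_pe(("UPX0", "UPX1", ".rsrc")))                               # packed, no cert table
    with open(os.path.join(tmp, "vendor_updater.exe"), "wb") as f:
        f.write(build_fake_pe((".text", ".data"), cert_size=0x1800, pe32plus=True))   # cert table present
    with open(os.path.join(tmp, "notes.txt"), "w") as f:
        f.write("not a PE\n")
    findings = scan_startup([tmp])
    return findings, suspicious(findings)


if __name__ == "__main__":
    dirs = [d for d in default_startup_dirs() if os.path.isdir(d)]
    flagged = suspicious(scan_startup(dirs)) if dirs else demo()[1]   # fixtures when not on Windows
    for f in flagged:
        print(f"SUSPICIOUS {f['path']} size={f['size']} cert_table={f['has_authenticode']} upx={f['upx_sections']}")
```

Run it from a scheduled task under each user and forward the flagged paths to the SIEM; on a fleet where Startup folders are normally empty, any unsigned PE there is worth a ticket regardless of packer.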

LIST OF IOCS

No   Indicator                           Type                                   Remarks
1    520e6676a4e53b73d9f8afab560767b9    MD5 of Ailurophile_build_test.exe      Block
2    103[.]252[.]123[.]135               IP address (defanged)                  Monitor
3    58bd748483b75a3a6470075e2e57d679    MD5                                    Block