
BIZFUM STEALER

Published On : 2024-12-13

EXECUTIVE SUMMARY

CYFIRMA remains committed to providing timely insights into emerging threats, such as the recently uncovered “BIZFUM STEALER” on GitHub. This sophisticated malware collects browser credentials, files, and Discord tokens and stores all data in an advanced RSA-encrypted format. After encryption, it sends the data securely to an attacker’s Telegram bot.

INTRODUCTION

Upon execution on a victim’s machine, Bizfum Stealer carries out a series of actions to collect and exfiltrate private information, including login credentials, cookies, saved passwords, browsing history, and files. It specifically targets Chrome, Firefox, Edge, Opera, Brave, and Yandex to extract login details, cookies, and passwords. The malware also collects clipboard content and can take screenshots of the victim’s desktop, giving the attacker visual insight into the victim’s activities.

Bizfum Stealer is written primarily in C, a low-level language that gives direct access to the Windows API. This lets the malware interact efficiently with system components, carry out actions such as file manipulation and credential harvesting, and evade detection. By working this close to the operating system, Bizfum can operate stealthily, access a wide range of system resources, and make itself harder for traditional security software to detect or neutralize. Bizfum Stealer also uses RSA encryption to secure the stolen data and uploads it to a remote server so that it ends up at an attacker-controlled destination.

BASIC DETAILS

File name           bizfum-verbose.exe
File size           231.93 KB
File type           Win32 EXE
Signed              Not signed
MD5 hash            12e7646799731a7d2d487a9ebb06f110
SHA-256 hash        ce08c38979f668890c545730aab7269f742011013aac624112efd7dac9514bf6
First seen in wild  October 2024

SOURCE CODE ANALYSIS

Extracts important files from the infected system:
Bizfum Stealer is designed to search for and exfiltrate specific files from a user’s system without their knowledge or consent. It scans directories recursively, looking for files with extensions such as .jpg, .docx, .pdf, .csv, and .txt that are likely to contain valuable or sensitive data. Matching files are copied to a StolenFiles directory inside the temporary folder for later theft or misuse. This runs silently in the background, with no visible notification to the user.

Infected system screenshots
The stealer captures a screenshot of the entire screen and saves it as a BMP file with a timestamped filename. It first generates a unique filename from the current time, then creates a compatible memory device context, retrieves the screen’s width and height, and copies the screen contents into it. The Screenshot(temp) function is called from the main function and is passed the temp directory [C:\Users\<username>\AppData\Local\Temp\bizfum] where the screenshot is saved.

Clipboard text theft
The Clipboard function is designed to steal sensitive information from a user’s clipboard, retrieving any text data stored there, such as passwords, private messages, or other sensitive information. The function then saves this data to a file (clipboard-data.txt) in an attacker-specified folder, enabling the attacker to collect and exfiltrate the stolen information. The process begins by opening the clipboard, retrieving the content in the CF_TEXT format, and saving it without the user’s consent. Furthermore, this function does not inform the user or request permission, operating silently in the background.

Browser password and cookie stealer:
The stealer exfiltrates sensitive data from multiple web browsers, including Chrome, Edge, Firefox, Brave, Yandex, and Opera. The attacker targets user data stored within the default browser directories, extracting critical information, such as passwords, and session cookies. This data is then secretly copied to [C:\Users\<username>\AppData\Local\Temp\bizfum\Browsers].
By compromising these browsers, the attacker can potentially hijack user accounts through stolen login credentials and cookies, which could grant unauthorized access to online services and applications.

Discord token stealer:
Bizfum stealer steals Discord account tokens from the victim’s machine. It searches for token data stored in the leveldb folder of Discord’s local storage, which contains sensitive authentication tokens used by the Discord app. The code scans all files in the directory, extracts tokens from each file, and stores them in a predefined list. These stolen tokens are then written to a file, “Account-Tokens.txt,” within a temporary directory. This attack allows unauthorized access to user accounts by hijacking their session tokens, potentially granting attackers full access to Discord accounts and the ability to impersonate the user.

Compression and encryption of stolen data
The stolen data is compressed into a zip file in a temporary folder, bundling all the collected files together. The archive is then RSA-encrypted, and the original files are deleted after encryption to reduce the traces left by the attack.

Data exfiltration to Telegram bot

First, uploads the stolen data to the GoFile server to create a download link for the zip file:

The stealer uploads stolen files to a remote server (in this case, GoFile.io), facilitating covert data transfer by uploading files to an anonymous file-sharing service. By extracting a download link from the server’s response, the attacker can easily retrieve the stolen data at a later time. The use of a third-party service like GoFile helps evade detection by avoiding direct communication with the attacker’s server, making it harder to trace the origin and destination of the exfiltrated data.

Once the data is successfully exfiltrated and encrypted, Bizfum stealer sends the download link of the stolen data to the attacker’s Telegram bot using the Telegram API.

Sends the Download Link to a Telegram Bot

DYNAMIC ANALYSIS
After execution, Bizfum Stealer operates in multiple stages to steal sensitive data, including files, browser passwords, and other critical information. The stolen data is then compressed into an encrypted format and uploaded to a GoFile server, and, once the upload is complete, a download link is generated. The malware then decodes the encoded Telegram bot token and sends the download link to the attacker via the Telegram bot.

Execution Flow and Data Exfiltration Process of the Bizfum Stealer Malware

  • Initialization and Setup:
    The code defines function pointers for NTAPI functions (such as loading and unloading DLLs) and cryptographic functions (from bcrypt.dll). It includes a GetHandleNTAPI function that loads ntdll.dll dynamically and retrieves the address for critical NTAPI functions (LdrLoadDll, LdrUnloadDll, and LdrGetProcedureAddress).
  • Disk Space Check:
    The malware checks the available disk space on the system (C: drive). If there is at least 8 GB of free space, it proceeds to steal documents. If not, it skips the file data theft process.
  • Data Collection:
    Screenshot: Captures a screenshot and saves it to the temporary directory.
    Clipboard Data: Steals any clipboard content and saves it.
    Browser Data: Extracts saved passwords and other sensitive information from the user’s browsers.
    Discord Tokens: Extracts any stored Discord tokens.
  • Data Compression and Encryption:
    After collecting the data, the malware compresses and encrypts it using the Compress and Encrypt Data function, generating an encrypted file.
  • Uploading the Data:
    The malware identifies the best GoFile server for uploading and then uploads the encrypted file, generating a download link.
  • Sends the Link to Telegram:
    The malware decodes the Telegram bot token and sends the generated download link to the attacker’s Telegram bot.
  • Cleanup:
    After sending the link, the malware removes any traces of the stolen data and cleans up the temporary files created during the operation.

EXTERNAL THREAT INTELLIGENCE MANAGEMENT

BIZFUM is a sophisticated malware stealer with advanced capabilities, identified as a tool designed to covertly harvest a broad spectrum of sensitive information from compromised systems. Alarmingly, this stealer is hosted on GitHub, disguised as a harmless project.

Although the project is presented as open-source and shared for educational purposes, its promotion on platforms like X/Twitter increases the risk of attracting malicious users who may exploit it for harmful objectives. Since the project is open source, anyone with malicious intent can easily access and use it.

Originally developed as a proof-of-concept (PoC) to explore a different aspect of hacking, the Bizfum Stealer was never intended for legitimate use, but rather for malicious purposes. Unfortunately, this reflects a broader trend in which malware authors exploit platforms like GitHub, labelling their projects as ‘educational,’ which ultimately contributes to the spread of cyber threats. The creator provides a builder to compile the binary and shares the source code, enabling potential threat actors to modify and weaponize it for malicious activities.

MITRE FRAMEWORK
Tactic               ID         Technique
Credential Access    T1555.003  Credentials from Password Stores: Credentials from Web Browsers
Discovery            T1083      File and Directory Discovery
Discovery            T1497      Virtualization/Sandbox Evasion
Discovery            T1518.001  Software Discovery: Security Software Discovery
Collection           T1114      Email Collection
Collection           T1115      Clipboard Data
Command and Control  T1071      Application Layer Protocol

DIAMOND MODEL

CONCLUSION

Bizfum Stealer is a cyber threat that steals sensitive information like credentials, files, and tokens while staying under the radar with techniques such as encryption and stealthy data transfer via Telegram bots. This highlights the need for organizations to stay proactive with cybersecurity, continuously monitor for emerging threats, and raise awareness. By staying vigilant and implementing strong defenses, organizations can protect their sensitive information from being exploited by cybercriminals.

RECOMMENDATIONS

Strategic Recommendations

  • Enhance Threat Intelligence Integration: Incorporate the shared IoCs into your threat intelligence platforms to ensure real-time detection and proactive response.
  • Strengthen Endpoint Security Posture: Deploy advanced endpoint detection and response (EDR) solutions to identify and neutralize file manipulation, credential harvesting, and exfiltration attempts.
  • Continuous Security Awareness Training: Educate employees on identifying phishing attempts and the risks of downloading unverified tools from open-source platforms.

Tactical Recommendations

  • IoC-Based Monitoring: Implement continuous monitoring using the IoCs provided in the report to detect Bizfum-related activities, such as suspicious file uploads to external servers or abnormal Telegram API usage.
  • Advanced Behavioral Analysis: Utilize behavioral analytics to detect unusual activities, including unauthorized access to clipboard content, browser files, and temporary directories.
  • Secure Communication Channels: Restrict outbound connections to unauthorized file-sharing platforms (e.g., GoFile) and monitor traffic for signs of encrypted data exfiltration.

Operational Recommendations

  • Update Detection Rules: Ensure the SOC updates SIEM rules to flag the presence of Bizfum indicators, including file creation in temporary folders, execution of screen capture functions, and Discord token extraction.
  • Enhance Incident Response: Run simulation exercises focusing on Bizfum-like malware scenarios to test and improve your SOC’s incident response capabilities.
  • Regular Patch Management: Ensure all systems and software, especially browsers and communication platforms like Discord, are up-to-date to minimize exploitation risks.
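The execution flow described under Dynamic Analysis and the detection rules recommended above can be turned into a concrete correlation check. The following script is an added example written for this report, not CYFIRMA’s or the malware author’s code; it runs over constructed Sysmon-like telemetry (assumed key=value format, assumed allowlist of legitimate clients) and flags processes that show the combination of indicators the report describes: the listed SHA-256, staging files under %TEMP%\bizfum, and outbound connections to GoFile or the Telegram bot API.

```python
import re
from collections import defaultdict

# The one file indicator the report lists (IoC table).
BIZFUM_SHA256 = "ce08c38979f668890c545730aab7269f742011013aac624112efd7dac9514bf6"
# Staging directory the report describes: %LOCALAPPDATA%\Temp\bizfum and its subfolders.
STAGING_PATH = re.compile(r"\\AppData\\Local\\Temp\\bizfum\\", re.IGNORECASE)
# Exfiltration endpoints named in the report (GoFile upload, Telegram bot API).
EXFIL_HOSTS = {"gofile.io", "api.telegram.org"}
# Assumed allowlist of binaries expected to reach those hosts; tune per environment.
EXPECTED_CLIENTS = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed telemetry in a simplified Sysmon-like key=value format (not real logs).
SAMPLE_LOG = r"""
event=process_create|image=C:\Users\victim\Downloads\bizfum-verbose.exe|sha256=ce08c38979f668890c545730aab7269f742011013aac624112efd7dac9514bf6
event=file_create|image=C:\Users\victim\Downloads\bizfum-verbose.exe|target=C:\Users\victim\AppData\Local\Temp\bizfum\clipboard-data.txt
event=file_create|image=C:\Users\victim\Downloads\bizfum-verbose.exe|target=C:\Users\victim\AppData\Local\Temp\bizfum\Account-Tokens.txt
event=network_connect|image=C:\Users\victim\Downloads\bizfum-verbose.exe|host=gofile.io|port=443
event=network_connect|image=C:\Users\victim\Downloads\bizfum-verbose.exe|host=api.telegram.org|port=443
event=file_create|image=C:\Windows\explorer.exe|target=C:\Users\victim\Documents\notes.txt
event=network_connect|image=C:\Program Files\Telegram Desktop\Telegram.exe|host=api.telegram.org|port=443
"""

def parse_event(line):
    """Split 'key=value|key=value' into a dict; fields without '=' are ignored."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)

def find_bizfum_indicators(log_text):
    """Return {image path (lowercased): [reasons]} for processes showing Bizfum-like behaviour."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        image = ev.get("image", "").lower()
        exe = image.rsplit("\\", 1)[-1]
        kind = ev.get("event")
        if kind == "process_create" and ev.get("sha256", "").lower() == BIZFUM_SHA256:
            hits[image].append("sha256 matches Bizfum IoC")
        elif kind == "file_create" and STAGING_PATH.search(ev.get("target", "")):
            hits[image].append("staging file: " + ev["target"].rsplit("\\", 1)[-1])
        elif kind == "network_connect":
            host = ev.get("host", "").lower()
            if host in EXFIL_HOSTS and exe not in EXPECTED_CLIENTS:
                hits[image].append("unexpected outbound to " + host)
    return dict(hits)

def triage(log_text, min_hits=2):
    """Alert on a known-hash match alone, or on at least min_hits behavioural indicators together."""
    return sorted(img for img, reasons in find_bizfum_indicators(log_text).items()
                  if len(reasons) >= min_hits or any(r.startswith("sha256") for r in reasons))

if __name__ == "__main__":
    for img, reasons in find_bizfum_indicators(SAMPLE_LOG).items():
        print(img, "->", "; ".join(reasons))
    print("alert:", triage(SAMPLE_LOG))
```

A single connection to gofile.io or a lone Temp write is low-signal on its own; the value is in correlating the staging writes, the upload, and the Telegram call from the same unexpected process, which is exactly the sequence the Dynamic Analysis section lays out.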

LIST OF IOCS

Sr No  Indicator                                                          Remark
1      ce08c38979f668890c545730aab7269f742011013aac624112efd7dac9514bf6   Block