Technical Analysis of the Eternity Stealer

November 25, 2022
Last updated: February 3, 2024
  • Author: Mehardeep Singh Sawhney
  • Editor: Suchita Katira

Summary

Objective

The objective of this report is to give a clear understanding of the workings of the Eternity stealer by providing a basic explanation of its techniques and methods.

The Eternity Stealer

This stealer is written in C# and is capable of stealing data from various well-known applications. This stolen data can either be used on its own to compromise user accounts or it can be used in coordination with other exploits. The key impact caused by this stealer is seen in the huge amount of PII stolen from users who are infected.

Basic Static Analysis

A quick strings and Portable Executable (PE) analysis of the sample yields a couple of hints. Strings such as mscoree.dll, as well as strings containing the word stealer, were observed. PE analysis shows that the executable carries a .NET signature, which indicates that this is most likely a stealer written in C#.

Strings pointing towards a C# Stealer
PE analysis pointing towards a C# Stealer

Further analysis shows that most of the function names are obfuscated. A look at the Main function reveals further obfuscation and noise; however, two conspicuous functions, SSD and DS, are used widely throughout the code.

Obfuscation used in the Main function

Obfuscation

The SSD and DS functions exist to slow the analysis process down. DS supplies AES-encrypted arguments, and SSD takes those arguments and further encodes them. The obfuscated strings are Base64-encoded.

SSD function
DS functions

Upon deobfuscation of the string, it was deduced that the threat actor is constructing a link for the purpose of exfiltrating the data. The following parameters are used in the link for the communication:

Deobfuscated parameters

Parameter   Description
Pwds        Passwords stolen
Cards       Credit cards stolen
Wlts        Wallets stolen
Files       Files stolen
User        User information stolen
Comp        Computer information stolen
IP          IP information retrieved from a third-party API
Country     Country retrieved from a third-party API
City        City retrieved from a third-party API
Tag         Set to the value Default (functionality is unclear)
Domains     Domain information stolen
AD          Active Directory information

Data Stealing

After the initialization of handlers for different types of stolen data, an array is initialized using the Create() function. This is a crucial point in the code since the Create() function instantiates the data stolen by the stealer and creates an array for it. This array will be consumed by a function responsible for pushing data to the C2.

Create() function and a part of its contents

Many stealer methods are present in the function, each specific to a particular software or application. The Eternity stealer has the capability to steal data from multiple applications, including Discord, Telegram, Google Chrome, and NordVPN.

Create() function and a part of its contents

Applications targeted by Eternity Stealer

Category                            Applications
Credential managers                 Windows Vault, Credential Manager, KeePass, NordPass, 1Password, RoboForm
Gaming and streaming applications   Steam, Twitch, OBS
FTP applications                    FileZilla, WinSCP, CoreFTP, Snowflake
VPN applications                    NordVPN, EarthVPN, WindscribeVPN, AzireVPN
Messaging and email applications    Telegram, Discord, Pidgin, Outlook, FoxMail, MailBird, Viber, WhatsApp, Signal, Rambox
Wallets                             Binance, Monero, BitcoinCore, DashcoinCore, LitecoinCore, Electrum, Exodus, Atomic, TonWallet, Jaxx, Coinomi, Daedalus, Zcash, Guarda, Wasabi, BitWarden
Browsers                            Google Chrome, Firefox

Credential Managers

The Eternity stealer has specific functions responsible for stealing credentials from credential managers. One of these functions is EnumerateCredentials().

Windows Vault

Windows Vault is a protected storage mechanism used by Windows for storing passwords from browsers, system information, etc. Built-in functions are used by the stealer for accessing credentials stored in Windows Vault. Different functions like VaultGetItem_WIN7() and VaultGetItem_WIN8() are used for different versions of Windows. The stealer enumerates all Vaults by calling VaultEnumerateVaults().

Windows Vault enumeration

Credential Manager

Credential Manager is another protected storage mechanism that is used in relatively newer versions of Windows. It allows the user to view and manage stored credentials, such as passwords used for website authentication. Similar to Windows Vault, Credential Manager has its own built-in functions for enumeration. One of them, CredEnumerate, is used by the stealer to enumerate user-specific credential sets; since no filter is set, the function returns all credentials. The stealer also defines a ReadCredential() function that parses the returned data based on conditions.

Credential Manager Enumeration

Gaming and Streaming Applications

The Eternity stealer is capable of stealing data from various gaming and streaming applications, including Steam, Twitch, and OBS.

Steam Gaming Platform

Steam is a popular gaming application that allows users to purchase games and a variety of in-game items through its community feature. The stealer looks for particular file extensions in the Steam directory. The ssfn files can be used to bypass Steam’s Steam Guard service, which is responsible for two-factor authentication, provided that the attacker has the user’s credentials. Also, it steals files with the .vdf extension, which are game-specific files that contain metadata and game-related information like the in-game items owned by the user.

Steam Data Enumeration

OBS

OBS is a popular screen recording and live-streaming application. The stealer exfiltrates data such as profile information, database information, etc., from the application.

Stealer making entries for OBS data

FTP Applications

The Eternity stealer extracts credentials from many FTP applications, such as WinSCP, FileZilla, and CoreFTP.

WinSCP

WinSCP is an open-source FTP client. Credentials from WinSCP can be stored in an encrypted format, which the stealer is capable of decrypting.

Decryption routine created by the Stealer

CoreFTP

CoreFTP is a free FTP client that stores passwords in an encrypted format. The stealer has a function for decrypting the passwords.

Decryption routine created by the Stealer

VPN Applications

NordVPN

NordVPN is a well-known VPN service provider. The Eternity stealer decrypts and decodes the stolen credentials.

Decryption routine created by the Stealer

Messaging and E-Mail Applications

Telegram

Telegram is a popular messaging application. The files and data revealing sensitive Telegram information, like session details, are exfiltrated.

Telegram data stolen by the Stealer

Outlook

Outlook is a popular e-mail and information management application by Microsoft. The stealer decrypts various stolen passwords gathered from Outlook by accessing critical information from registry keys.

Decryption routine created by the Stealer
Data stolen from registry keys

Wallets

The Eternity stealer steals data from multiple cryptocurrency wallets.

Bitcoin Core

Bitcoin Core is an open-source blockchain management system and wallet. The blockchain and wallet information is exfiltrated by accessing data from registry keys.

Stealer accessing registry data

Electrum

Electrum is a popular cryptocurrency wallet for users well-versed in cryptocurrency. The Electrum configuration files are extracted and key-value pairs are retrieved from them.

Stealing data from directories and retrieving key-value pairs

Browsers

Different types of data from popular browsers, such as passwords, credit card details, etc., are obtained by the stealer.

Google Chrome

Various types of saved data from Chrome, including passwords, credit card details, and AutoFill details, are compromised. The passwords are extracted by enumerating a domain user’s session information, which contains MasterKey information. This is then used to decrypt passwords.

Stealing MasterKey
Using MasterKey to decrypt passwords

Firefox

The stealer is capable of stealing and decrypting saved passwords from Firefox.

Decryption routine created by the Stealer

WiFi Passwords

The Eternity stealer exfiltrates network passwords by executing two simple netsh commands provided by Windows.

Network Enumeration

Active Directory Enumeration

The Eternity stealer enumerates Active Directory information. It uses the ManagementObject class to run a WMI query that enumerates domain information. This information is used to determine whether the infected machine belongs to a domain or not.

Command used to enumerate Active Directory information

File Grabber

The stealer has file-grabbing functionality. It prioritizes files with the .txt extension and categorizes them as important.

File grabber prioritizing .txt files

Location Details

The stealer stores information about the victim’s location, including city, country, and IP address. The data is obtained from a third-party website and formatted accordingly.

Stealer getting and formatting information

Network Operations

A specific URL is used to store the stolen data, which indicates the use of a C2 server. Further analysis of the Main function shows that the stealer makes web requests. The previously initialized array holding the stolen data is uploaded to the C2 server.

Deobfuscated proxy configuration
Stealer uploading data to C2 server

Indicators of Compromise (IoCs)

URLs
http://lightnogu5owjjllyo4tj2sfos6fchnmcidlgo6c7e6fz2hgryhfhoyd.onion/stealer/
http://wasabiwallet.online:7777/
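As an added detection example (not code from the original report or from the stealer), the following Python flags proxy log requests that match the exfiltration link described in the Obfuscation section (its Pwds, Cards, Wlts, ... query parameters) or the IoC URLs listed above; the log line format, the sample lines, the 6-parameter threshold and the .invalid hostnames are constructed for this example.

```python
# Added example (not code from the report or the stealer): flag proxy log
# requests that look like Eternity exfiltration, using the deobfuscated
# query parameters and the IoC URLs from the write-up. Log format, sample
# lines, threshold and non-IoC hostnames are constructed for this example.
from urllib.parse import parse_qs, urlsplit

# Query parameters seen in the deobfuscated exfiltration link (from the report).
ETERNITY_PARAMS = frozenset({
    "Pwds", "Cards", "Wlts", "Files", "User", "Comp",
    "IP", "Country", "City", "Tag", "Domains", "AD",
})

# IoC URLs listed in the report.
IOC_URLS = (
    "http://lightnogu5owjjllyo4tj2sfos6fchnmcidlgo6c7e6fz2hgryhfhoyd.onion/stealer/",
    "http://wasabiwallet.online:7777/",
)
IOC_HOSTS = frozenset(urlsplit(u).hostname for u in IOC_URLS)

# Assumed threshold: the full set is 12 parameters; requiring 6 tolerates
# builds that omit fields while avoiding hits on sites that use "User" or "IP".
MIN_PARAM_HITS = 6


def analyze_url(url):
    """Return the IoC host match and the exfil parameters present in one URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Matching is case-sensitive, like the parameter names in the stealer's link.
    keys = set(parse_qs(parts.query, keep_blank_values=True))
    return {
        "host": host,
        "ioc_host": host in IOC_HOSTS,
        "param_hits": sorted(keys & ETERNITY_PARAMS),
    }


def is_eternity_exfil(url):
    """True if the URL hits a known IoC host or carries the exfil parameter set."""
    r = analyze_url(url)
    return r["ioc_host"] or len(r["param_hits"]) >= MIN_PARAM_HITS


def scan_log(lines):
    """Scan lines of the form '<timestamp> <src_ip> <method> <url>' and return
    the URLs that match; malformed lines are skipped rather than raising."""
    flagged = []
    for line in lines:
        fields = line.split(maxsplit=3)
        if len(fields) == 4 and is_eternity_exfil(fields[3]):
            flagged.append(fields[3])
    return flagged


# Constructed sample log; .invalid hosts are placeholders, not real indicators.
SAMPLE_LOG = [
    "2022-11-25T10:00:01Z 10.0.0.12 GET http://wasabiwallet.online:7777/",
    "2022-11-25T10:00:02Z 10.0.0.12 POST http://c2.invalid/stealer/?Pwds=5&Cards=1"
    "&Wlts=2&Files=9&User=1&Comp=1&IP=1.2.3.4&Country=X&City=Y&Tag=Default&Domains=1&AD=0",
    "2022-11-25T10:00:03Z 10.0.0.15 GET http://intranet.invalid/api?User=alice&IP=10.0.0.15",
    "2022-11-25T10:00:04Z 10.0.0.15 GET http://news.invalid/index.html",
    "malformed line",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("FLAGGED:", hit)
```

The intranet line shows why the threshold matters: two overlapping names alone ("User", "IP") are not enough to fire, while the full exfil parameter set or a known IoC host is.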
