A few months ago we received a sample from a customer that turned out to be a password stealer (PWS). One thing about this malware stood out: the subdirectory used in the access panel URL. It contained the string “***=**U=TEAM” (which we have obfuscated). Our investigations lead us to believe this may be a case of industrial espionage.
The actors use compromised websites to host their access panels. Luckily for us they made a mistake and left the ZIP file they dropped on the compromised site.
This enabled us to see how the back-end of the panel works. The Zip file contains five files:
The three files of interest are config.php, index.php, and install.php.
Config.php contains the password for the MySQL server they will set up.
Install.php creates the database and sets up the panel to store the passwords stolen by the malware. We found the following snippet in the code:
We did some searching and found that “Bilal Ghouri” was originally responsible for the PHP back-end of the popular PWS Hackhound Stealer, which was released in 2009.
We also found this warning at the end of the code:
Surely they would have remembered to delete this file!
The most important file is index.php. This file is responsible for storing the passwords uploaded by the malware and also enables the actors to search and export the data.
It is interesting that the script checks for a specific user agent, “HardCore Software For : Public.”
This user agent is used by the malware when uploading the stolen data. The PHP script checks if the user agent matches the hardcoded one before allowing any data to be uploaded.
The malware in use is ISR Stealer, a modified version of Hackhound Stealer. Our findings are confirmed by the comments in the preceding PHP code.
The PWS targets the following applications:
- Internet Explorer
- Yahoo Messenger
- MSN Messenger
- Internet Download Manager
The following screen of the original Hackhound Stealer shows options for building the malware:
This screen of the ISR Stealer builder was used by the actors behind the campaign.
ISR Stealer uses two executables to gather passwords stored on the machine: Mail PassView and WebBrowserPassView, both by Nirsoft. These apps gather passwords stored in mail clients and web browsers. Both of these files reside in the resources of the ISR Stealer. The panel location is also stored in the malware’s resources, in a simple encrypted form with SUB 0x02.
A decrypted URL.
We did some more digging and found that the actors responsible for this malware have been active since the beginning of 2016, with the first sample spotted in the wild in January.
The following spear-phishing emails were sent to entice targets to download and execute the PWS:
The actors have been busy for several weeks, although we saw no activity during the Easter holiday. After “Easter break,” we noticed that they had slightly changed the panel. It now includes the string “Powered By NEW LINE OF *** **U TEAMS VERSION 2.1.”
One compromised website had more than 10 access panels receiving stolen passwords from the PWS. We observed that some of the targets of the spear phishing are companies that deal with machinery parts. The actors used some of the following filenames:
- (RFQ__1045667machine-oil valves).exe
- BALL VALVE BIDDING.exe
- RFQ BALL VALVE.exe
- Ball Valves with BSPP conection.exe
These names lead us to believe that industrial espionage might be a motive of the actors.
We have also noticed that they are attaching the malware with a “.z” extension. This is likely because some popular ZIP file handlers will associate this file extension with their programs and allow users to extract it. Using .z also bypasses some popular cloud email file restrictions.
We contacted the website owners used by the actors and informed them of the compromise so that they could remove the panels.
McAfee detects this threat as PWS-FCGH. We advise you block .z file extensions at the gateway level. This step will prevent other malware from using this technique in their phishing campaigns.