Immortal information stealer

by [email protected] on March 14, 2019

Recently, the Zscaler ThreatLabZ team came across new information-stealer malware called Immortal, which is written in .NET and designed to steal sensitive information from an infected machine. The Immortal stealer is sold on the dark web with different build-based subscriptions. This blog provides an analysis of the data Immortal steals from browsers, the files it steals (and the applications it steals from), and what it does with the stolen data. Immortal starts its infection by creating a directory with a random name in a temp folder. Next, it creates a password.log file in “\%Temp%\{Random_DirName}\password.log”. Immortal writes the malware name, author’s name, and telegram address of the author in a password.log file. Date: Current date and time “MM/dd/yyyy HH:mm:ss” Windows Username: Username HWID: MachineGuid System: Operating system name Browser info stealing Immortal steals data from 24 browsers. It steals stored credentials, cookies, credit card data, and autofill data from the targeted browsers. When the user saves a username and password in the targeted browser, it stores the data in a “Login Data” file in an SQLite database format, and the browser-stored cookie information in the “Cookies” file. It also stores autofill data, credit card data, and other web information in the “Web Data” file. Below are the file paths for those files: “\%AppData%\Local\{Browser}\User Data\Default\Login Data” “\%AppData%\Local\{Browser}\User Data\Default\Web Data” “\%AppData%\Local\{Browser}\User Data\Default\Cookies” List of targeted browsers: Chrome Yandex Orbitum Opera Amigo CentBrowser Torch Comodo Go! ChromePlus Uran BlackHawk CoolNovo AcWebBrowser Epic Browser Baidu Spark Rockmelt Sleipnir SRWare Iron Titan Browser Flock Vivaldi Sputnik Maxthon Credential stealing The malware fetches credentials from the “Login Data” file and stores them in the password.log file as per the format below: Path: ” \%Temp%\{Random_DirName}\password.log”. SiteUrl: Website URL Login: Username Password: Password Program: Targeted browser Cookie stealing Immortal fetches cookie data from the cookies file and stores it in {Browsername}_cookies.txt file. Path: “\%Temp%\{Random_DirName}\Cookies\{Browsername_cookies.txt}”. The format is shown below. Credit card data Immortal fetches credit card data from the “Web Data” file and stores it in the {Browsername}_CC.txt file. Path: “\%AppData%\{Random_DirName}\CC\{Browsername_CC.txt}”. The format is shown below. Autofill data The autofill feature of a browser allows the user to store commonly entered information in web forms. This information might include username, email, password, address, and credit card information. So, when the user opens a web page, it will automatically fill in the information already saved by the browser. The autofill information is stored in the “Web Data” file. Immortal fetches autofill data from the “Web Data” file and stores it in the {Autofill}_CC.txt file. Path: “\%AppData%\{Random_DirName}\Autofill\{Browsername_Autofill.txt}”. The format is shown below. File stealing Immortal steals files from many different applications. The details are below. Minecraft launchers The malware steals user data files and sessions from Minecraft launcher applications. The malware copies those applications’ files into “%Temp%\{Random_DirName}\Applications\{AppName}\”. The following is a list of the applications: MinecraftOnly McSkill LavaCraft MinecraftLauncher VimeWorld RedServer Steam The malware steals files for the Steam application. Steam is an application for playing, discussing, and creating games. The files stolen by Immortal are as follows: SSFN (2 files) VDF files from the config folder Config.vdf loginusers.vdf Telegram and Discord Immortal also steals session-related files from Telegram and Discord. Telegram is a cloud-based instant messaging and voice over IP service. Discord is the cross-platform voice and text chat application designed to help gamers talk to each other in real time. Immortal copies those files into “%Temp%\{Random_Name}\Applications\{AppName}\”. File Path: %AppData%\Telegram Desktop\tdata\D877F783D5D3EF8C1\ %AppData%\Telegram Desktop\tdata\D877F783D5D3EF8C1\map0 %AppData%\Telegram Desktop\tdata\D877F783D5D3EF8C1\map1 %AppData%\discord\\Local Storage\\https_discordapp.com_0.localstorage FileZilla Immortal steals files that contain FileZilla credentials. FileZilla is a known FTP tool used for file transfer. The malware copies the below files into “\%Temp%\{Random_DirName}\FileZilla\”. \%AppData%\Filezilla\recentservers.xml \%AppData%\Filezilla\sitemanager.xml Bitcoin-Qt wallet Immortal steals wallet.dat files from Bitcoin-Qt, a free and open-source Bitcoin wallet software. Below is a screenshot of the code for fetching the wallet path from the registry. The malware copies the wallet.dat file in “%Temp%\{Random_DirName}\”. Desktop files Immortal also goes through every file in the desktop folder on the victim’s system. It steals extension files (listed below) and copies them into “%Temp%\{Random_DirName}\Files\”. Txt Log Doc Docx sql Screenshot & Webcam Immortal takes a screenshot of the desktop of the infected system and saves it in “\%AppData%\{Random_DirName}\desktop.jpg”. It also captures a webcam snapshot and saves in it “\%AppData%\{Random_DirName}\CamPicture.jpg”. Network communication The malware stores all the stolen data in the directory “\%Temp%\{Random_DirName}\”. After that, it compresses all the files in a ZIP archive and saves the compressed file in \%Temp%\{Random_filename}.zip. Further, it sends {Random_filename}.zip to its command-and-control server as shown below. It also deletes the “\%Temp%\{Random_DirName}\” before sending the ZIP file. User = User name Hwid = MachineGuid At the time of analysis, the command & control panel for this stealer was live. We found the Immortal stealer being advertised and sold with different build-based subscriptions. The following is a screenshot of a page that describes all of Immortal’s functionality and cost per build. A per-post price for one build is $30. IOCs Md5: 1719ff4ff267ef598a1dcee1d5b68667 Downloading URL : www.appleidservice[.]jp/stealer/files/svhost.exe NetworkURL: www.appleidservice[.]jp/stealer/files/upload.php