PennyWise is an infostealer recently discovered by researchers at Cyble. It targets over 30 browsers and cryptocurrency applications, such as crypto wallets and crypto browser extensions. Browsers targeted include over 30 Chrome-based browsers, more than 5 Mozilla-based browsers, Opera, and Microsoft Edge. Wallets targeted include Zcash, Armory, Bytecoin, Jaxx, Ethereum, Exodus, Electrum, Atomic Wallet, Guarda, and Coinomi. PennyWise is built using a previously undiscovered crypter, making debugging difficult. PennyWise leverages multithreading to steal data, using over 10 threads for fast execution and stealing.

While Cyble did not identify the threat actor responsible for PennyWise, they did discover the initial infection vector used to spread the malware. PennyWise is promoted as free Bitcoin mining software, using a YouTube video with a download link. An unaware victim downloads the "software", which is a zipped and password-protected malware installer. The threat actors staged a VirusTotal link to an unrelated sample to trick victims into believing the file is legitimate, and tricked users into disabling antivirus software to install and execute the malware. Cyble found over 80 YouTube videos used to promote PennyWise.

Once executed, the loader uses process hollowing to inject PennyWise into a legitimate .NET binary named "AppLaunch.exe," which is the PennyWise payload. PennyWise creates a mutex to ensure only one copy runs on a victim's machine and terminates if the mutex already exists. PennyWise steals and exfiltrates data to the threat actor's C2. This data includes the victim's username, machine name, system language, timezone, graphics driver, and processor names. It uses the following syntax to create a string to generate an MD5 hash:

Mutex_name-Username-Machine_Name-Language_code-Processor_name-Graphics_Driver_Name

The generated hash value is used to name a folder with hidden attributes created in AppData\Local to save the stolen information.

It is interesting to note that the malware terminates execution if the victim is based in Russia, Ukraine, Belarus, or Kazakhstan. PennyWise also uses multiple methods for anti-analysis and anti-detection, so the malware is not executed in a controlled environment. This includes detection of virtual machines and checking for antivirus and sandbox environments. It also terminates if any of the following processes are detected:

PennyWise then decrypts two strings that were encrypted using the Rijndael algorithm, possibly containing the threat actor's username and C2 information. It leverages multithreading to steal victim data, with each thread used for a different operation. Next, the malware creates a folder under the previously created folder using the following:

Operations include stealing victim files, harvesting browser data, stealing data from crypto extensions, stealing chat session data, and taking screenshots.
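The staging-folder behaviour described above gives a defender two concrete things to hunt for: a hidden directory directly under AppData\Local whose name is a 32-character hex string, and, where the per-host inputs (mutex name, username, machine name, language code, processor and graphics driver names) are known from triage, the exact expected folder name. The Python below is an added example and is not code from this write-up or from Cyble's report. It assumes the fields are inserted verbatim into the documented syntax, UTF-8 encoded, and the digest rendered as lowercase hex; the page gives the field order but not the encoding. The directory listing it checks is constructed for the example.

```python
"""Hunt for a PennyWise-style hidden staging folder under AppData\\Local.

Added example (not from the original write-up or Cyble's research).
Two checks:
  1. any hidden directory under %LOCALAPPDATA% whose name is a 32-hex MD5 digest
  2. the exact expected name derived from the documented naming syntax
"""
import hashlib
import os
import re
from dataclasses import dataclass

MD5_NAME = re.compile(r"^[0-9a-fA-F]{32}$")
FILE_ATTRIBUTE_HIDDEN = 0x2  # Win32 constant; st_file_attributes exists only on Windows


@dataclass(frozen=True)
class DirEntry:
    name: str
    hidden: bool


def expected_folder_name(mutex_name, username, machine_name, language_code,
                         processor_name, graphics_driver_name):
    """MD5 of the page's documented syntax, fields joined with '-'.

    Assumption (not stated on the page): fields are used verbatim, UTF-8
    encoded, and the digest is written as lowercase hex.
    """
    raw = "-".join([mutex_name, username, machine_name, language_code,
                    processor_name, graphics_driver_name])
    return hashlib.md5(raw.encode("utf-8")).hexdigest()


def suspicious_dirs(entries, expected=None):
    """Return names of directories that match the staging-folder pattern.

    A hidden directory with a 32-hex name is flagged. A name equal to
    `expected` is flagged even when not hidden, since the hidden attribute
    could have been cleared after the fact.
    """
    hits = []
    for e in entries:
        if expected is not None and e.name.lower() == expected.lower():
            hits.append(e.name)
        elif e.hidden and MD5_NAME.match(e.name):
            hits.append(e.name)
    return hits


def list_local_appdata(path=None):
    """Enumerate directories under %LOCALAPPDATA% (or `path`) with their hidden flag."""
    path = path or os.environ.get("LOCALAPPDATA", ".")
    entries = []
    for d in os.scandir(path):
        if not d.is_dir(follow_symlinks=False):
            continue
        attrs = getattr(d.stat(follow_symlinks=False), "st_file_attributes", 0)
        hidden = bool(attrs & FILE_ATTRIBUTE_HIDDEN) or d.name.startswith(".")
        entries.append(DirEntry(d.name, hidden))
    return entries


# Constructed sample listing standing in for a real %LOCALAPPDATA% scan.
SAMPLE_LISTING = [
    DirEntry("Microsoft", False),
    DirEntry("Temp", False),
    DirEntry("Packages", False),
    DirEntry("3f1a9c0e7b2d4e5f6a7b8c9d0e1f2a3b", True),   # constructed: hidden, 32 hex -> flag
    DirEntry("D3DSCache", False),
    DirEntry("aabbccdd", True),                            # hidden but too short -> ignore
    DirEntry("5d41402abc4b2a76b9719d911017c592", False),  # md5("hello"); only flagged if expected
]


def run_sample(expected=None):
    """Run the pattern check over the constructed listing."""
    return suspicious_dirs(SAMPLE_LISTING, expected)


if __name__ == "__main__":
    for name in run_sample():
        print("suspicious hidden folder:", name)
```

On a live host, replace the constructed listing with `list_local_appdata()`; a hit is a lead for triage (check contents, creation time and the creating process), not a conviction, since other software also uses hash-like directory names.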