Cyperine is a .NET info-stealing malware advertised on hacking forums; it retrieves information from victims and sends it to whichever email address is entered in the builder. Cyperine version 1.0 was first released in December 2014, and on J… version 2.0 was released. It steals Steam's SSFN authentication files, passwords stored in browsers, user logins, and the product keys of software installed on the victim's computer. The seller also provides a Skype account as a convenient means of communication with prospective buyers. The program costs USD $5 for a one-week trial and USD $35 for a lifetime license. The attackers then sell the stolen online accounts for prices ranging from $1 to $5.

No need to remind that, no matter how advanced the security adoption within your own company, customer accounts sold to access your online services cannot be controlled once they are in the wild; as of today there is still no bulletproof way to protect people from themselves.

To have a quick look at the behaviour of this malware we ran it in a controlled environment and observed the following:

%Temp%\ProduKey.exe – tool to retrieve stored product keys
%Temp%\ChromePass.exe – tool to retrieve stored usernames and passwords
%Appdata%\Cyperine – folder to store all stolen data

Taking a look at the network activity we see that Cyperine sends the stolen information by email. Cyperine collects all the needed information and files into one folder, %Appdata%\Cyperine, and afterwards sends them as attachments to the attacker's email address. The message sent is base64 encoded; it can include the following:

In addition, the file attachments that can be included in the email are the following:

It starts by searching for the Steam directory on the victim's computer. If found, it looks for all ssfn* and loginusers.vdf files and copies them. These files are needed to gain access to the stolen Steam accounts even with Steam Guard enabled.

Next, it uses free tools from NirSoft, ProduKey and ChromePass, which are embedded in its binary, to easily retrieve the needed information from the victim. The ProduKey utility is executed to retrieve the Product ID and CD-key of the Microsoft Office, Windows, Exchange Server, and SQL Server installations on the computer. The malware uses ChromePass to read the usernames and passwords stored in the Google Chrome web browser.

Sample of the stolen passwords from the Chrome browser:

Cyperine also takes credentials from the Firefox browser. To get the credentials stored in Firefox it takes the key3.db, logins.json, and signons*.txt files.

The malware also has the feature to take a screenshot of the victim's computer.

Figure 06. Screenshot routine

After collecting all the needed information it continues by preparing the email to be sent to the attacker.

Cracking the Encrypted Credentials

However, looking at the code, the important parameters for sending the email are encrypted.
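The host-level indicators reported in this analysis (NirSoft ProduKey and ChromePass dropped into %Temp%, the %Appdata%\Cyperine staging folder, the Steam ssfn* and loginusers.vdf files, and the Firefox key3.db, logins.json and signons*.txt files) translate directly into a hunting rule. The script below is an added example, not code from the original post or from Cyperine itself: it parses constructed Sysmon-style file-event lines (the line format and the pid/image/op/target field names are an assumption of this example) and flags any process that touches two or more of those indicator categories, so that Steam.exe reading its own loginusers.vdf or Firefox reading logins.json is not reported on its own.

```python
"""Hunt for Cyperine-style stealer behaviour in file-event logs.

Added example, not code from the original post or from the malware itself.
The indicator set comes from the analysis above; the log line format
(timestamp pid= image= op= target=) is an assumption loosely modelled on
Sysmon file events, and every log line below is constructed.
"""
import fnmatch
import ntpath
import re
from collections import defaultdict

# Indicators from the write-up. Paths are compared lower-cased and against
# expanded locations (%Temp% -> ...\AppData\Local\Temp,
# %Appdata% -> ...\AppData\Roaming), which is how they appear in real logs.
DROPPED_TOOLS = ("produkey.exe", "chromepass.exe")
STAGING_DIR = "\\appdata\\roaming\\cyperine"
STEAM_FILES = ("ssfn*", "loginusers.vdf")
FIREFOX_FILES = ("key3.db", "logins.json", "signons*.txt")

# Assumed event line layout; image and target may contain spaces.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) op=(?P<op>\w+) target=(?P<target>.+)$"
)


def classify(path):
    """Return the indicator category a file path falls into, or None."""
    p = path.lower()
    name = ntpath.basename(p)
    if "\\temp\\" in p and name in DROPPED_TOOLS:
        return "nirsoft_tool_drop"
    if STAGING_DIR in p:
        return "staging_folder"
    if "\\steam\\" in p and any(fnmatch.fnmatchcase(name, g) for g in STEAM_FILES):
        return "steam_auth_files"
    if "\\firefox\\profiles\\" in p and any(
        fnmatch.fnmatchcase(name, g) for g in FIREFOX_FILES
    ):
        return "firefox_credential_files"
    return None


def parse_line(line):
    """Parse one event line into a dict; malformed or blank lines yield None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def hunt(lines, min_categories=2):
    """Correlate indicator hits per process id.

    A legitimate reader (Steam.exe opening loginusers.vdf, Firefox opening
    logins.json) hits at most one category; a stealer that copies Steam
    tokens, drops NirSoft tools and stages results hits several. Only
    processes reaching min_categories distinct categories are returned.
    """
    hits = defaultdict(lambda: {"image": None, "categories": set(), "paths": []})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        cat = classify(ev["target"])
        if cat is None:
            continue
        entry = hits[ev["pid"]]
        entry["image"] = ev["image"]
        entry["categories"].add(cat)
        entry["paths"].append(ev["target"])
    return {
        pid: {"image": e["image"], "categories": sorted(e["categories"]), "paths": e["paths"]}
        for pid, e in hits.items()
        if len(e["categories"]) >= min_categories
    }


# Constructed sample: one stealer process (pid 4120) plus two benign readers.
SAMPLE_LOG = r"""
2015-07-01T10:00:01Z pid=4120 image=C:\Users\bob\Downloads\invoice.exe op=create target=C:\Users\bob\AppData\Local\Temp\ProduKey.exe
2015-07-01T10:00:01Z pid=4120 image=C:\Users\bob\Downloads\invoice.exe op=create target=C:\Users\bob\AppData\Local\Temp\ChromePass.exe
2015-07-01T10:00:02Z pid=4120 image=C:\Users\bob\Downloads\invoice.exe op=read target=C:\Program Files (x86)\Steam\ssfn1234567890
2015-07-01T10:00:02Z pid=4120 image=C:\Users\bob\Downloads\invoice.exe op=read target=C:\Program Files (x86)\Steam\config\loginusers.vdf
2015-07-01T10:00:03Z pid=4120 image=C:\Users\bob\Downloads\invoice.exe op=read target=C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\abcd.default\key3.db
2015-07-01T10:00:03Z pid=4120 image=C:\Users\bob\Downloads\invoice.exe op=read target=C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\abcd.default\logins.json
2015-07-01T10:00:04Z pid=4120 image=C:\Users\bob\Downloads\invoice.exe op=create target=C:\Users\bob\AppData\Roaming\Cyperine\passwords.txt
2015-07-01T10:05:00Z pid=2208 image=C:\Program Files (x86)\Steam\Steam.exe op=read target=C:\Program Files (x86)\Steam\config\loginusers.vdf
2015-07-01T10:06:00Z pid=3300 image=C:\Program Files\Mozilla Firefox\firefox.exe op=read target=C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\abcd.default\logins.json
"""

if __name__ == "__main__":
    for pid, info in hunt(SAMPLE_LOG.splitlines()).items():
        print(pid, info["image"], info["categories"])
        for p in info["paths"]:
            print("   ", p)
```

Running the block reports only pid 4120 with all four categories; the two benign readers each hit a single category and fall below the threshold. Lowering min_categories to 1 turns the rule into a plain indicator match, which is useful for triage but will page on every Steam or Firefox start.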