White Snake Stealer, an advanced information stealer, has recently evolved with enhanced features, making it capable of targeting both Windows and Linux platforms. This poses a significant threat to user privacy and security. In this article, we explore the capabilities and techniques employed by this malicious software, shedding light on its potential dangers.
The Menace of Information Stealers
Information stealers are designed to infiltrate computer systems and extract critical data, including personal information, login credentials, and financial details.
The stolen data is often sold on the dark web or exploited for illicit activities such as identity theft, financial fraud, corporate espionage, or blackmail.
Upgraded Features of White Snake Stealer 1.6
The latest version of White Snake Stealer, version 1.6, has introduced several notable enhancements:
- Browser and Email Client Compatibility:
- The malware is now compatible with Opera, CocCoc, CentBrowser, and Yandex, expanding its reach and enabling the extraction of sensitive data from a broader user base.
- It can target and extract information from popular email clients like Outlook, Foxmail, and ‘The BAT!’.
- Advanced Information Extraction:
- White Snake Stealer can now target and extract information from 2FA apps and VPN applications, raising the stakes for user security.
- It incorporates advanced features such as keylogging, webcam capture, and document grabbing, enabling it to compromise user data by recording keystrokes, capturing webcam footage, and collecting specific document types.
- Communication and Spreading Mechanisms:
- The malware establishes communication with a C2 server, allowing it to receive instructions, transmit stolen data, and download additional payloads.
- It can collect and exfiltrate files of interest from the victim’s machine.
- White Snake Stealer spreads through USB devices by making copies on removable drives like USB flash drives and external hard drives.
- It can also propagate among local users by copying itself to their startup folders, ensuring automatic execution upon user login or system restart, and facilitating its spread within the compromised system.
White Snake Stealer’s Obfuscation Techniques
White Snake Stealer incorporates advanced code obfuscation techniques, making it challenging to analyze. These deliberate obfuscation methods add complexity to the stealer’s structure and operation.
- Anti VM Method:
- During execution, the stealer’s main() method calls the Anti VM method to prevent it from running in a virtual environment.
- The Anti VM function uses Windows Management Instrumentation (WMI) queries to retrieve the system’s “Manufacturer” and “Model” information.
- It then compares these details with predefined strings associated with virtual machines (VMs). If a match is detected, the malware terminates without proceeding.
- TOR Integration:
- The updated version of the stealer can now download and install TOR (The Onion Router) and utilize the “HiddenServicePort 80 127.0.0.1:2392” configuration directive.
- This directive redirects incoming requests to the hidden service on port 80 to a randomly generated port (2392) on the local machine.
- The malware utilizes this redirected port to run an HTTP listener service responsible for handling incoming requests.
- By establishing a connection between TOR and an open port on the victim’s system, the malware implements beacon functionality.
- The malware generates and stores an onion address, acting as a unique identifier for the hidden service, in a file within the directory specified by the “HiddenServiceDir” configuration directive in the TOR configuration file.
- The attacker can connect to the hidden service using this onion address through the TOR network. This connection serves as a communication channel, allowing the attacker to issue commands and exfiltrate stolen data via the HTTPListener().
Data Collection and Encryption
Once the data is collected by White Snake Stealer, it undergoes a series of transformations and encryption processes to evade detection and protect its integrity.
- Serialization and Compression:
- The stolen data is serialized using the XmlSerializer, converting it into a compressed format.
- The RSA encryption algorithm is then applied to further secure the serialized data.
- Tagging of Gathered Information:
- To organize the stolen information, White Snake Stealer affixes tags to the data.
- Tags typically include the filename format, such as “Username@Computername_report.wsr,” allowing for easy identification and retrieval.
Transmission and Alert Mechanisms
White Snake Stealer establishes a connection to a predetermined server controlled by the attacker. It utilizes the WebClient class’s ‘uploadData’ method with the PUT HTTP method to send the stolen information to the attacker.
- The malware employs an HTTP GET request to the Telegram BOT API, notifying the attacker through a Telegram chat.
- This mechanism ensures that the attacker promptly receives updates and notifications regarding the stolen information.
White Snake Stealer has evolved into a formidable threat, capable of targeting both Windows and Linux platforms.
With its enhanced features, such as browser and email client compatibility, advanced information extraction, and spreading mechanisms, this malware poses a significant risk to user privacy and security.
Its incorporation of obfuscation techniques and TOR integration further complicates detection and analysis. Understanding the capabilities and techniques employed by White Snake Stealer is crucial for implementing effective defense strategies against this evolving threat.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.