White Snake spotted in emails: the stealer was disguised as official state requirements

BI.ZONE
6 min read · Aug 8, 2023


Any threat actor with $140 can use this malware. For that price they get a complete end-to-end attack kit:
i) a builder for creating malware samples,
ii) access to the control panel for compromised devices,
iii) updates and support via messenger. Keep reading to learn more about the popular stealer targeting people at Russian companies.

Stealers are a prominent part of today's threat landscape and one of the most popular ways to obtain legitimate login credentials for initial access to corporate networks. The White Snake stealer first appeared on the darknet in February 2023. It is actively advertised as an easy solution for launching targeted attacks: it harvests stored passwords, copies files, logs keystrokes, and provides remote access to the compromised device.

Specialists from BI.ZONE Cyber Threat Intelligence discovered a White Snake distribution campaign targeting Russian organizations. The stealer is distributed via phishing emails disguised as a requirement from Roskomnadzor (Russia's Federal Service for Supervision of Communications, Information Technology and Mass Media).

Key findings

  • A successful stealer attack can allow threat actors to gain access to multiple corporate resources, such as email and CRM.
  • The ability to rent or purchase this type of malware can significantly reduce the skill level required to execute targeted attacks.
  • The damage from a successful attack is not necessarily direct or limited to the victim: attackers often resell the data collected by the stealer.

Campaign

The victim would receive a phishing email with an archive that contained several files:

  • Требование РОСКОМНАДЗОР № 02-12143.odt (ROSKOMNADZOR requirement No. 02-12143.odt)
  • Attachment to the ROSKOMNADZOR requirement
  • РОСКОМНАДЗОР.png

The first file (fig. 1) is a decoy document whose purpose is to lure the victim into opening the second file, which is the White Snake stealer itself.

Fig. 1. Text from the phishing document

The message from Roskomnadzor urges the reader to promptly open the attached materials and provide reasoned explanations for the alleged visits to prohibited Internet resources.

The White Snake stealer appeared on popular underground forums in February 2023 and was positioned as a tool for carrying out targeted attacks (fig. 2).

Fig. 2. A White Snake thread on a popular underground forum

In addition to the underground forums, the stealer also has its own Telegram channel (fig. 3), which can be used to follow all its updates.

Fig. 3. Message from the White Snake channel in Telegram

A monthly subscription to the stealer costs just $140; unlimited access can be purchased for $1,950. Payment is accepted in several cryptocurrencies (fig. 4).

Fig. 4. White Snake stealer price list

After payment, the customer receives a builder for creating malware samples and access to the control panel for compromised devices.

The builder (fig. 5) lets criminals configure the stealer's features (e.g., add a Telegram bot token for receiving the extracted data, select the data encryption method, define the set of data to extract, change the icon of the executable file, etc.).

Fig. 5. White Snake builder

The control panel (fig. 6) enables the threat actors to monitor compromised devices, interact with them, and execute commands. In addition, the control panel allows access to all the data collected by the stealer.

Fig. 6. White Snake control panel

After being launched from the archive, the executable performs the following actions:

  • creates a mutex (its name is taken from the configuration)
  • if the feature is enabled, checks that it is not running in a virtual environment
  • if enabled, copies its files to C:\Users\[user]\AppData\Roaming\[config_folder_name] and runs the command below through cmd.exe; the run level of the scheduled task depends on the user's permissions: HIGHEST if the user is an administrator, LIMITED otherwise
/C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "[task name]" /sc MINUTE /tr "[file path in the created folder]" /rl [launch permissions] /f && DEL /F /S /Q /A "[previous file path]" && START "" "[file path in the created folder]"
    (chcp 65001 switches the console to UTF-8, ping 127.0.0.1 introduces a short delay, schtasks registers a task that re-launches the copy every minute, DEL removes the original executable, and START runs the copy from its new location)
  • starts a Tor network node on a random port between 2000 and 7000
  • initializes the module that collects user data and sends it to the server
  • if the feature is enabled, copies itself to removable media and to the Startup folder (C:\Users\[user]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup) of other users on the system
  • if the feature is enabled, initializes the keylogger module

Before sending data to the C2 server, the executable collects the following information about the system:

  • country and public IP address (via a request to http://ip-api.com/line?fields=query,country)
  • operating system version
  • username
  • device name
  • screen dimensions
  • processor name
  • video card name
  • hard drive sizes
  • total size of physical memory
  • device manufacturer
  • device model
  • a screenshot (Base64-encoded)
  • list of running processes
  • installed applications

The configuration for collecting user data is stored in an XML file and defines the following:

  • relative paths to Chromium-based browsers
  • relative paths to Firefox-based browsers
  • file masks for the files to be collected
  • registry keys to extract data from

Because the stealer persists on the compromised host and maintains a channel to the control panel, the operators can access the host remotely, record the screen, execute commands, and download additional malware.

Conclusions

The dark segment of the Internet offers more and more high-quality tools for targeted attacks that not only bypass legacy defenses but also give attackers everything they need to achieve their goals. As such malware is easy to buy and operate, the number of targeted attacks inevitably grows. Deploying security products alone is not enough to protect against these threats: incidents must also be detected, responded to, and investigated in time.

How to detect traces of White Snake

  1. Monitor network connections to ip-api.com from processes that do not normally make them (browsers are the usual legitimate source).
  2. Watch for newly created suspicious scheduled tasks, especially per-minute tasks whose target lies under a user profile, and for executables added to the Startup folder.
  3. Monitor executable files created in subfolders of C:\Users\[user]\AppData\Roaming.
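The following is an added example (not BI.ZONE's code and not the stealer's) that turns the execution chain described above and the three detection hints into checks over Sysmon-style endpoint events: the cmd.exe chain that registers a per-minute scheduled task pointing into AppData\Roaming and deletes the dropper, executables appearing under AppData\Roaming or in a Startup folder, and ip-api.com lookups from non-browser processes. The sample events, the task name "SysHelper", the folder and file names, and the list of processes allowed to query ip-api.com are all constructed assumptions for the example, not indicators from the campaign.

```python
"""Hunt for White Snake persistence and beaconing traces in endpoint telemetry.

Added example, not BI.ZONE's code. Checks run over Sysmon-style records:
 - Event ID 1  (process creation): cmd.exe chain with schtasks /sc MINUTE
   targeting AppData\\Roaming, a ping delay and a self-delete of the dropper
 - Event ID 11 (file creation): .exe under AppData\\Roaming or a Startup folder
 - Event ID 3  (network connection): ip-api.com lookup from a non-browser process
Field names follow Sysmon conventions; the EVENTS below are constructed.
"""
import re

APPDATA_ROAMING = re.compile(r"\\Users\\[^\\]+\\AppData\\Roaming\\", re.I)
STARTUP_FOLDER = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)

# Assumption: which processes may legitimately geolocate the host is site-specific;
# browsers are the usual exception, anything else is flagged.
IPAPI_ALLOWED_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe"}


def _schtasks_option(cmdline, flag):
    """Value of a schtasks option such as /tn or /tr (quoted or bare), or None."""
    m = re.search(r"/" + flag + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_schtasks(cmdline):
    """Extract task name, schedule, target and run level from a schtasks /create
    command embedded anywhere in a command line; None if there is none."""
    if not re.search(r"schtasks(?:\.exe)?\s+/create\b", cmdline, re.I):
        return None
    return {
        "task": _schtasks_option(cmdline, "tn"),
        "schedule": _schtasks_option(cmdline, "sc"),
        "target": _schtasks_option(cmdline, "tr"),
        "level": _schtasks_option(cmdline, "rl"),
    }


def check_event(ev):
    """Return a list of findings for one event (empty when nothing matched)."""
    findings = []
    eid = ev.get("EventID")
    if eid == 1:
        cl = ev.get("CommandLine", "")
        task = parse_schtasks(cl)
        if task and (task["schedule"] or "").upper() == "MINUTE" \
                and APPDATA_ROAMING.search(task["target"] or ""):
            findings.append(
                f"per-minute task {task['task']!r} runs {task['target']} (/rl {task['level']})")
        if task and "ping 127.0.0.1" in cl and re.search(r"\bDEL\s+/F\b", cl, re.I):
            findings.append("cmd chain: ping delay, schtasks persistence, self-delete of dropper")
    elif eid == 11:
        path = ev.get("TargetFilename", "")
        if path.lower().endswith(".exe"):
            if STARTUP_FOLDER.search(path):
                findings.append(f"executable dropped into Startup folder: {path}")
            elif APPDATA_ROAMING.search(path):
                findings.append(f"executable created under AppData\\Roaming: {path}")
    elif eid == 3:
        host = ev.get("DestinationHostname", "").lower()
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if (host == "ip-api.com" or host.endswith(".ip-api.com")) \
                and image not in IPAPI_ALLOWED_IMAGES:
            findings.append(f"ip-api.com lookup from non-browser process {ev.get('Image')}")
    return findings


def hunt(events):
    """Run check_event over a list of events; returns [(index, finding), ...]."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]


# Constructed sample telemetry (not real logs). The command line mirrors the shape
# of the persistence command from the article with made-up task and folder names.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": (r'cmd.exe /C chcp 65001 && ping 127.0.0.1 && '
                     r'schtasks /create /tn "SysHelper" /sc MINUTE '
                     r'/tr "C:\Users\alice\AppData\Roaming\SysHelper\app.exe" /rl HIGHEST /f && '
                     r'DEL /F /S /Q /A "C:\Users\alice\Downloads\Attachment.exe" && '
                     r'START "" "C:\Users\alice\AppData\Roaming\SysHelper\app.exe"')},
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\Attachment.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\SysHelper\app.exe"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Roaming\SysHelper\app.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Roaming\SysHelper\app.exe",
     "DestinationHostname": "ip-api.com", "DestinationPort": 80},
    # Benign noise that must not fire:
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "ip-api.com", "DestinationPort": 80},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\~WRL0001.tmp"},
]

if __name__ == "__main__":
    for i, finding in hunt(EVENTS):
        print(f"event {i}: {finding}")
```

The schtasks parser looks up each option independently rather than matching one fixed argument order, so it still works if a builder variant reorders the flags; the per-minute schedule combined with a target under a user profile is the strong signal, while the ping delay and DEL self-delete are corroborating. Feed real Sysmon or EDR records through the same dictionaries by mapping their field names.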

YARA rule

The strings below appear to be element names of the XML report the stealer assembles. Taken individually they are common words, so treat a match as a trigger for the checks above rather than as confirmation on its own.

rule WhiteSnake {
    meta:
        author = "BI.ZONE CTI"
        date = "13/07/2023"
    strings:
        $xml_struct1 = "filename"
        $xml_struct2 = "filedata"
        $xml_struct3 = "filesize"
        $xml_struct4 = "createdDate"
        $xml_struct5 = "modifiedDate"
        $xml_struct6 = "commands"
        $xml_struct7 = "name"
        $xml_struct8 = "args"
        $xml_struct9 = "Commands"
        $xml_struct10 = "report"
        $xml_struct11 = "files"
        $xml_struct12 = "information"
        $xml_struct13 = "key"
        $xml_struct14 = "value"
    condition:
        all of ($xml_struct*)
}

MITRE ATT&CK

Indicators of compromise

SHA-256 file hashes:
5f1136c386c7fc99395b608d8db8f8cab0c0f23356f6d33730d352b12b43c234
e786b4bb8a7eed06d42e37f62434d911c34c572a58a92aaf1171cbb84f864cdd

C2 addresses:
hxxp://167.86.115[.]218:9090
hxxp://185.189.159[.]121:8001

More indicators are available with BI.ZONE ThreatVision.

Phishing emails are one of the main ways to gain initial access in a targeted attack. To protect against them, we recommend using specialized solutions that block spam and malicious emails, such as BI.ZONE CESP. If you detect signs of compromise, contact our experts immediately to investigate and cut off the attackers' access to your IT infrastructure before they cause damage.
