Skip to content
Request Your Demo
    March 16, 2023

    HookSpoofer: The Modified Open Source Stealer Bundlers Making the Rounds

    Research by: Shilpesh Trivedi and Tejaswini Sandapolla

     

    The Uptycs Threat Research Team has discovered a new infostealer. Spread by multiple bundlers and new on cybercrime forums, HookSpoofer has keylogging and clipper abilities. (A bundler combines two or more files in a single package.) It sends its stolen data to a Telegram bot.

    Uptycs threat research has determined that while it includes enhanced features, HookSpoofer is coded in C# and is inspired by StormKitty, an open source program found on GitHub.

     

    Infection Vector

     

    HookSpoofer is spread by bundlers (MD5: de90466d983da595e863339c34ee4b6b) named “Spotify proxyless checker 2022.rar.” It contains 17 files, with the main executable (the HookSpoofer stealer) being circulated as Spotify checker.exe.

     

    HookSpoofer Infection Flow

     

    Figure 1: Hookspoofer infection flow

    Figure 1: Hookspoofer infection flow

     

    Technical Analysis

     

    The analyzed program has an md5 hash: 7FCE055A581C0B116A9679291BF89B7D. It’s .NET compiled and packed by Confuser, a .NET obfuscator. 

     

    Figure 2: Array initialization

    Figure 2:  Array initialization

     

    Looking at the file contents, a large chunk of data is stored in the variable array that is later decrypted and stored in array2.

     

    Figure 3: Decryption loop

    Figure 3: Decryption loop
                                                           

    The decrypt function then decrypts the long array2 object (fig. 3). The result is a GCHandle object; its content creates a “koi” module, after which one of its methods is invoked.

     

    Figure 4: Code for memory loading of decrypted .net module

    Figure 4: Code for Memory Loading of decrypted .Net Module

     

    The figure 4 decryption logic is also related to Confuser. After decryption another .NET-compiled PE file is packed by Confuserex v1.0.0. Figure 4 shows how the “koi” module is loaded internally to the main stub.exe file inside memory.

    After the module is loaded into the memory, there is a call to invoke a fake error message, (fig. 5) stored as a string in the “koi” module. This is done to divert the victim as the “koi” module performs its activity in the background. 

     

    Figure 5: Fake error message

    Figure 5: Fake error message

     

    Figure 6 shows how the error message is invoked:

    Figure 6: Code showing the error message

    Figure 6: Code showing the error message 

     

    Here’s an in-depth look into the “koi” module (md5: BD4345C3A7CC6F6E261986E1F5F1E8BC). As it’s packed by Confuserex, to ease our analysis we’ve removed the obfuscation to obtain an unpacked file (md5: 474E0CD6BC1F0FB71BBFFA1AE7DD8E66).

    After the error message appears, the code creates a mutex, then checks if the file is in the Startup subfolder (it sets file attributes to Hidden if not there). The malware then checks for a hardcoded, obfuscated Telegram API and Telegram ID (as follows). If they’re not found it deletes itself, after which dependent DLLs (DotNetZip.dll and AnonFileApi.dll) are downloaded from the following locations:


    hxxps://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll 


    hxxps://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/AnonFileApi.1.14.6/lib/net40/AnonFileApi.dll respectively.

     

    Figure 7: Self deletion code

    Figure 7: Self deletion code

     

    Figure 8 shows string_2 and string_3 that are hardcoded, obfuscated Telegram API and Telegram ID.

     

    Figure 8: Obfuscated Telegram API and ID

    Figure 8: Obfuscated Telegram API and ID

     

    To deobfuscate the Telegram API and Telegram ID, the CRYPTED keyword is removed, base64 decoded, then the base 64 decoded hex bytes form an array that undergoes AES 256 decryption. It uses the same key and salt.


    Key: {104,116,116,112,115,58,47,47,103,105,116,104,117,98,46,99,111,109,47,76,105,109,101,114,66,111,121,47,83,116,111,114,109,75,105,116,116,121}
     
    Salt: { 255,64,191,111,23,3,113,119,231,121,252,112,79,32,114,156 }

     

    After decryption; it forms: 
    hxxps://api[.]telegram.org/bot6122846074:AAF6rJZMCIphpMPrSWQdU2PZSf14u6p4zeA/

     

    Figure 9: Deobfuscated Telegram API and ID

    Figure 9: Deobfuscated Telegram API and ID

     

    Anti-Analysis Techniques

    Various anti-analysis techniques are used to detect VirtualBox, SandBox, Debugger, VirusTotal, and Any.Run.

    Debugger checks

    It checks if the sample is running inside a debugger via CheckRemoteDebuggerPresent.

    Process checks

    It checks if processes (used by reverse engineers) such as process hacker, netstat, tcpview, and regmon are present. If detected, the program stops its execution.

     

    Figure 10: Checks if the processes are running inside victims machine

    Figure 10: Checks if the processes are running inside victims machine

    Sandbox checks

    It checks for sandbox-related DLL files (e.g., SbieDll) are running.

    Figure 11: Checks if the sandbox dll's are present

    Figure 11: Checks if the sandbox dll’s are present

    Virtualization checks 

    It uses the wmi query, "Select * from Win32_ComputerSystem" to check for vmware/VIRTUALBOX/Virtual, et al.

    root\\CIMV2", "SELECT * FROM Win32_VideoController" to check vmware/vbox

    Figure 12: Virtualization check

    Figure 12: Virtualization check

    Hosting checks

    Checks the system IP address and compares with IP addresses associated with sandbox environments such as VirusTotal, anyRun etc.


    If any of the above are detected then it creates a log of below strings in %temp% and sends a fake error message with exit code showing runtime error.

    Figure 13: Anti analysis detected

    Figure 13: Anti Analysis detected

     

    Figure 14 shows this error message:

    Figure 14: Fake error message check

    Figure 14: Fake error message check

     

    Stealing capabilities

     

    It tries to steal the following data:

    • ProtonVPN, OpenVPN, NordVPN

      Figure 15: VPN Stealer

      Figure 15: VPN Stealer

    • Filezilla steals data from “recentservers.xml” and “sitemanager.xml”

      Figure 16: Filezilla hosts

      Figure 16: Filezilla Hosts



    • Information about processes running on the system, including process name, PID, path

      Figure 17: Info of the running processes

      Figure 17: Info of the running processes



    • Captures desktop screenshots

      Figure 18: Desktop screenshot

      Figure 18: Desktop screenshot



    • Uses the netsh wlan show profile command via cmd.exe to obtain info related to saved Wi-Fi modules and passwords along with scan networks around device (SSID, BSSID)

      Figure 19: Wifi passwords

      Figure 19: Wifi Passwords



    • File Grabber

      Figure 20: File grabber

      Figure 20: File grabber



    • Firefox.IE, Opera, and Edge browser history, cookies, login data, credit cards, et al.

      Figure 21: Edge web data, cookies, history, etc

      Figure 21: Edge web data, cookies, history, etc.



    • Messengers (Telegram, Discord, Pidgin, Outlook and Skype)

      Figure 22: Telegram and Skype Stealer

      Figure 22: Telegram and Skype stealer



    • Steam, Uplay, Battle.Net, Minecraft session gaming
    • Cryptocurrency wallets
    • Directories structure using filesystem info
    • Webcam screenshot

      Figure 23: Webcam screenshot

      Figure 23: Webcam screenshot



    • Product key
    • Card info

      Figure 24: Card info

      Figure 24: Card info



    • Keylogger

      Figure 25: Keylogger

      Figure 25: Keylogger



    • System info

      Figure 26: Systeminfo

      Figure 26: Systeminfo


    • Clipper

     

    Stores all %AppData% folder info with the name <md5 of string concat current timedatestamp,  username, comp name, culture name, CPU name, GPU name>.

    All collected data is again archived in a password protected Zip file having the password <md5 of string concat current timedate, username, comp name, culture name, CPU name, GPU name>.

     

    Zip file 

    The Zip file is uploaded on anonfile.com/<message_id>, where the message ID is processed by the Telegram bot. This link is sent to the Telegram bot shown above.

    Figure 27: Anon file link

    Figure 27:Anon file link 

     

    Figure 28: Info if the report has been sent to telegram or not

    Figure 28: Info if the report has been sent to telegram or not

                                                              

    Figure 29 shows the complete report being sent with the title “HookSpoofer.”

       Figure 29: Report contents

    Figure 29: Report contents

     

    StormKitty Similarities


    Uptycs has discovered that the “HookSpoofer” code is inspired from open source StormKitty with a few enhanced features (e.g., error code popup, memory loading). Misuse of open source stealers has become common, with StormKitty code being observed earlier in Typhon, WorldWind stealer, and Prynt Stealer malware. Figure 30 shows their common generated report format.

    Figure 30: Similarity

    Figure 30: Similarity

    Conclusion

     

    Stealer bundlers can spread through various channels, including email attachments, fake software downloads, and social engineering techniques. To defend against malware attacks like Hookspoofer, Uptycs recommends:

    • Users should keep their operating system and security software up to date and avoid downloading files or clicking links from unknown sources.
    • Businesses should ensure that all staff receive cybersecurity training, and implement measures such as two-factor authentication and data encryption to protect against data theft.

     

    Uptycs EDR Detection

     

    In addition to having YARA built-in, Uptycs EDR customers can easily scan for HookSpoofer since our tool is armed with other advanced detection capabilities. EDR contextual detection provides important details about identified malware. Users can navigate to the toolkit data section in the detection alert, then click on the name of a detected item to reveal its profile (fig. 31)

     

    Figure 31: Uptycs EDR detection
    Figure 31: Uptycs EDR detection

     

    IOC

     

    File name

    SHA1 hash

    Bundler

    de90466d983da595e863339c34ee4b6b

    Packed Hookspoofer

    7fce055a581c0b116a9679291bf89b7d

    Unpacked Hookspoofer

    474e0cd6bc1f0fb71bbffa1ae7dd8e66

     

     

    Tejaswini Sandapolla

    Other posts you might be interested in