HookSpoofer: Amplifying Open Source Stealer Bundlers Gaining Momentum

Blog Author
Tejaswini Sandapolla

Research by: Shilpesh Trivedi and Tejaswini Sandapolla

 

The Uptycs Threat Research Team has discovered a new infostealer. Spread by multiple bundlers and new on cybercrime forums, HookSpoofer has keylogging and clipper abilities. (A bundler combines two or more files in a single package.) It sends its stolen data to a Telegram bot.

Uptycs threat research has determined that while it includes enhanced features, HookSpoofer is coded in C# and is inspired by StormKitty, an open source program found on GitHub.

 

Infection Vector

HookSpoofer is spread by bundlers (MD5: de90466d983da595e863339c34ee4b6b) named “Spotify proxyless checker 2022.rar.” It contains 17 files, with the main executable (the HookSpoofer stealer) being circulated as Spotify checker.exe.

 

HookSpoofer Infection Flow

 

Figure 1: Hookspoofer infection flow

Figure 1: Hookspoofer infection flow

 

Technical Analysis

The analyzed program has an md5 hash: 7FCE055A581C0B116A9679291BF89B7D. It’s .NET compiled and packed by Confuser, a .NET obfuscator.

 

Figure 2: Array initialization

Figure 2:  Array initialization

 

Looking at the file contents, a large chunk of data is stored in the variable array that is later decrypted and stored in array2.

 

Figure 3: Decryption loop

Figure 3: Decryption loop

 

The decrypt function then decrypts the long array2 object (fig. 3). The result is a GCHandle object; its content creates a “koi” module, after which one of its methods is invoked.

 

Figure 4: Code for memory loading of decrypted .net module

Figure 4: Code for Memory Loading of decrypted .Net Module

 

The figure 4 decryption logic is also related to Confuser. After decryption another .NET-compiled PE file is packed by Confuserex v1.0.0. Figure 4 shows how the “koi” module is loaded internally to the main stub.exe file inside memory.

After the module is loaded into the memory, there is a call to invoke a fake error message, (fig. 5) stored as a string in the “koi” module. This is done to divert the victim as the “koi” module performs its activity in the background. 

 

Figure 5: Fake error message

Figure 5: Fake error message

 

Figure 6 shows how the error message is invoked:

Figure 6: Code showing the error message

Figure 6: Code showing the error message 

 

Here’s an in-depth look into the “koi” module (md5: BD4345C3A7CC6F6E261986E1F5F1E8BC). As it’s packed by Confuserex, to ease our analysis we’ve removed the obfuscation to obtain an unpacked file (md5: 474E0CD6BC1F0FB71BBFFA1AE7DD8E66).

After the error message appears, the code creates a mutex, then checks if the file is in the Startup subfolder (it sets file attributes to Hidden if not there). The malware then checks for a hardcoded, obfuscated Telegram API and Telegram ID (as follows). If they’re not found it deletes itself, after which dependent DLLs (DotNetZip.dll and AnonFileApi.dll) are downloaded from the following locations:


hxxps://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll 


hxxps://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/AnonFileApi.1.14.6/lib/net40/AnonFileApi.dll respectively.

 

Figure 7: Self deletion code

Figure 7: Self deletion code

 

Figure 8 shows string_2 and string_3 that are hardcoded, obfuscated Telegram API and Telegram ID.

 

Figure 8: Obfuscated Telegram API and ID

Figure 8: Obfuscated Telegram API and ID

 

To deobfuscate the Telegram API and Telegram ID, the CRYPTED keyword is removed, base64 decoded, then the base 64 decoded hex bytes form an array that undergoes AES 256 decryption. It uses the same key and salt.


Key: {104,116,116,112,115,58,47,47,103,105,116,104,117,98,46,99,111,109,47,76,105,109,101,114,66,111,121,47,83,116,111,114,109,75,105,116,116,121}
 
Salt: { 255,64,191,111,23,3,113,119,231,121,252,112,79,32,114,156 }

 

After decryption; it forms: 
hxxps://api[.]telegram.org/bot6122846074:AAF6rJZMCIphpMPrSWQdU2PZSf14u6p4zeA/

 

Figure 9: Deobfuscated Telegram API and ID

Figure 9: Deobfuscated Telegram API and ID

 

Anti-Analysis Techniques

Various anti-analysis techniques are used to detect VirtualBox, SandBox, Debugger, VirusTotal, and Any.Run.

Debugger Checks

It checks if the sample is running inside a debugger via CheckRemoteDebuggerPresent.

Process Checks

It checks if processes (used by reverse engineers) such as process hacker, netstat, tcpview, and regmon are present. If detected, the program stops its execution.

 

Figure 10: Checks if the processes are running inside victims machine

Figure 10: Checks if the processes are running inside victims machine

Sandbox Checks

It checks for sandbox-related DLL files (e.g., SbieDll) are running.

Figure 11: Checks if the sandbox dll's are present

Figure 11: Checks if the sandbox dll’s are present

Virtualization Checks 

It uses the wmi query, "Select * from Win32_ComputerSystem" to check for vmware/VIRTUALBOX/Virtual, et al.

root\\CIMV2", "SELECT * FROM Win32_VideoController" to check vmware/vbox

Figure 12: Virtualization check

Figure 12: Virtualization check

Hosting Checks

Checks the system IP address and compares with IP addresses associated with sandbox environments such as VirusTotal, anyRun etc.


If any of the above are detected then it creates a log of below strings in %temp% and sends a fake error message with exit code showing runtime error.

Figure 13: Anti analysis detected

Figure 13: Anti Analysis detected

 

Figure 14 shows this error message:

Figure 14: Fake error message check

Figure 14: Fake error message check

 

 

Stealing Capabilities

 

It tries to steal the following data:

  • ProtonVPN, OpenVPN, NordVPN

    Figure 15: VPN Stealer

    Figure 15: VPN Stealer

  • Filezilla steals data from “recentservers.xml” and “sitemanager.xml”

    Figure 16: Filezilla hosts

    Figure 16: Filezilla Hosts



  • Information about processes running on the system, including process name, PID, path

    Figure 17: Info of the running processes

    Figure 17: Info of the running processes



  • Captures desktop screenshots

    Figure 18: Desktop screenshot

    Figure 18: Desktop screenshot



  • Uses the netsh wlan show profile command via cmd.exe to obtain info related to saved Wi-Fi modules and passwords along with scan networks around device (SSID, BSSID)

    Figure 19: Wifi passwords

    Figure 19: Wifi Passwords



  • File Grabber

    Figure 20: File grabber

    Figure 20: File grabber



  • Firefox.IE, Opera, and Edge browser history, cookies, login data, credit cards, et al.

    Figure 21: Edge web data, cookies, history, etc

    Figure 21: Edge web data, cookies, history, etc.



  • Messengers (Telegram, Discord, Pidgin, Outlook and Skype)

    Figure 22: Telegram and Skype Stealer

    Figure 22: Telegram and Skype stealer



  • Steam, Uplay, Battle.Net, Minecraft session gaming
  • Cryptocurrency wallets
  • Directories structure using filesystem info
  • Webcam screenshot

    Figure 23: Webcam screenshot

    Figure 23: Webcam screenshot



  • Product key
  • Card info

    Figure 24: Card info

    Figure 24: Card info



  • Keylogger

    Figure 25: Keylogger

    Figure 25: Keylogger



  • System info

    Figure 26: Systeminfo

    Figure 26: Systeminfo

  • Clipper

 

Stores all %AppData% folder info with the name <md5 of string concat current timedatestamp,  username, comp name, culture name, CPU name, GPU name>.

All collected data is again archived in a password protected Zip file having the password <md5 of string concat current timedate, username, comp name, culture name, CPU name, GPU name>.

 

Zip File 

The Zip file is uploaded on anonfile.com/<message_id>, where the message ID is processed by the Telegram bot. This link is sent to the Telegram bot shown above.

Figure 27: Anon file link

Figure 27:Anon file link 

 

Figure 28: Info if the report has been sent to telegram or not

Figure 28: Info if the report has been sent to telegram or not

 

Figure 29 shows the complete report being sent with the title “HookSpoofer.”

 Figure 29: Report contents

Figure 29: Report contents

 

StormKitty Similarities

Uptycs has discovered that the “HookSpoofer” code is inspired from open source StormKitty with a few enhanced features (e.g., error code popup, memory loading). Misuse of open source stealers has become common, with StormKitty code being observed earlier in Typhon, WorldWind stealer, and Prynt Stealer malware. Figure 30 shows their common generated report format.

Figure 30: Similarity

Figure 30: Similarity

Conclusion

Stealer bundlers can spread through various channels, including email attachments, fake software downloads, and social engineering techniques. To defend against malware attacks like Hookspoofer, Uptycs recommends:

 

  • Users should keep their operating system and security software up to date and avoid downloading files or clicking links from unknown sources.
  • Businesses should ensure that all staff receive cybersecurity training, and implement measures such as two-factor authentication and data encryption to protect against data theft.

Uptycs EDR Detection

In addition to having YARA built-in, Uptycs EDR customers can easily scan for HookSpoofer since our tool is armed with other advanced detection capabilities. EDR contextual detection provides important details about identified malware. Users can navigate to the toolkit data section in the detection alert, then click on the name of a detected item to reveal its profile (fig. 31).

Figure 31: Uptycs EDR detection

Figure 31: Uptycs EDR detection

 

IOC

 

File name

SHA1 hash

Bundler

de90466d983da595e863339c34ee4b6b

Packed Hookspoofer

7fce055a581c0b116a9679291bf89b7d

Unpacked Hookspoofer

474e0cd6bc1f0fb71bbffa1ae7dd8e66