By Igal Lytzki, Incident Response Analyst, Perception Point
Over the past few weeks our team of ‘white hat’ cyber threat experts uncovered a particularly worrying and sophisticated phishing attack that posed a unique, twofold threat to its unsuspecting victims.
The attack used a malware called Doenerium to harvest victims’ personal data through open-source code left lingering on Github – including crypto wallets, as well as browser data such as cookies, passwords, history, and bookmarks. But what made this malware unique was a hidden backdoor within the attack code. Any information that a hacker gleaned while using Doenerium was secretly and automatically made available to the malware’s initial author. The victims’ data, stolen first by a hacker, would immediately be scooped up by the creator of Doenerium as well, to grow his own crypto mining operation.
The model of hacked data-sharing is not new – hackers have long sold stolen data to the highest bidder. But with Doenerium, the hackers themselves were made unsuspecting victims: the hackers that utilize this malware to steal sensitive data are actually being hacked themselves by the malware author.
Here are the key components that make this attack and the malware’s capabilities so dangerous, as well as best practices for individuals and organizations looking to avoid its consequences.
Part One: Illicit Business as Usual
This attack, like so many others, begins with an email titled, “Important Windows Defender Update!” formatted in a believable faux-Windows Defender template replete with official-looking graphics and MSL logos. The recipient is warned that Windows Defender has recently detected malicious software on the user’s computer and is then prompted to download additional software for removing the malware. After clicking the link, the recipient is then redirected to a spoofed landing page for the malware itself.
The landing page offers links to two fictitious ‘software removal tools,’ one for a 32-bit system and the second one for a 64-bit system. Both links yield the same malicious results, but present two further options in order to establish legitimacy, which fools users into continuing the process.
These links lead to a shared drive containing a ZIP archive with two files inside: first, a README.txt file that, when opened, explains how to use the tool, and second, the actual malware, a 64 bit C++ PE, compiled using Node.js with the size of 102mb. When running the malware, analysts searched for unique strings and found an unusual one:
<================[t.me/doenerium]>================>
The unusual string is actually a short URL to a Telegram server, which leads to a Github repository called doenerium created by the user doener2323. This is but one of many instances of malware being hosted on Github.
Because the user’s profile remained available for some time, with the malware publicly available, we were able to review its source code and analyze the malware. In this instance, the malware had two main capabilities – harvesting individuals’ personal data and mining their crypto wallets.
It does so by first identifying the CPU of the victim’s computer – information found in the victim’s profile – that is sent to the hacker’s Discord server. The malware then creates an exfiltration folder on the victim’s computer, which is saved in the TEMPdirectory. Every directory entry contains the victim’s computer name concatenated with an underscore and “36 char UUID” (universally unique identifier).
The malware then searches for crypto wallets housed in the victim’s computer and creates a folder called “Wallets” within the exfiltration folder to store any crypto wallets discovered. Additionally, it creates a small text file that summarizes the findings.
Next, the malware hunts for Discord tokens, decrypts them, and tries to validate them before finally harvesting the rest of the browser data to look for passwords, cookies, bookmarks, history, autofill, and more.
After the malware has harvested all the data, it creates a complete virtual profile for the victim, which is archived and uploaded to gofile.io – a free file sharing and storing platform. The malware author leverages gofile.io to host the archive and share it with the hacker.
Part Two: The Backdoor Twist
Further research into the attack revealed that doener2323, the malware author, had also created a second Github repository called 1337wtf1337. Both accounts were linked using a technique known as “Dual Hooking” – in addition to the webhook that the hacker applies to the malware (where exfiltrated data is copied), the malware contains an additional Discord webhook associated with doener2323.
In other words, everything a hacker achieved using this malware was automatically shared with doener2323.
The dual hook was removed on September 3, 2022, but not before Doener created a separate, completely obfuscated javascript file. When decoded, this file led to an open Discord server for sharing the active hackers’ profits and updating the users about new features and fixes.
Initially, Doener2323 and their partners weren’t shy about informing other Discord users about their goal. They openly explained that the purpose was monetization and that the webhook was part of a bigger crypto mining operation for Doener2323, which infects any victims that are lured by active hackers using Doenerium.
When other users started catching on, Doener became less enthusiastic about the possibility that they might share in the spoils, and removed them from the Discord chat.
Recommendations
This attack (and its double-crossing backdoor) teaches us that nothing comes free – not even the stolen fruits of malware. The hackers who utilized this publicly accessible malware to steal sensitive data were ultimately themselves hacked in turn by a malware author growing their own crypto mining operation.
Like many dangerous phishing attacks, this sophisticated attack began with a simple email. Considering about 1 in 5 phishing attempts evade Microsoft’s default security offering and actually get to users’ inboxes, it is integral that security leaders ensure that their organizations are provided with the most advanced safeguards.
The first line of defense for protecting against this type of attack must be user education around email security – regular email security drills can help employees better identify genuine suspicious content and remind them not to open strange files, links, or attachments and double-check the identity of the sender. Organizations should also establish a standardized process for employees to follow when they receive a suspicious email or link.
Security teams would do well to deploy an advanced email security solution that prevents phishing emails from reaching users; without this, any business could be destroyed by ransomware, and sensitive information can be stolen.
Publicly outing suspicious behavior alerts bad actors that their misdeeds do not go unnoticed. Several weeks after we shed light on the campaign, Doener realized that threat detection teams were catching onto their ruse. By November 5, 2022, Doener had purged the Discord server previously used to communicate with other hackers using Doenerium malware, and also removed the link to the malware from the official Github repository. Despite this, a few weeks still allows ample time for hackers to win big, further demonstrating the need for advanced email security solutions that will stamp out threats instantly.
In the nefarious world of cybercrime, there are no Robin Hoods – only robbers. As these bad actors continue to push the envelope, we must all be able to recognize the difference between good email and bad email, even before they arrive in our inboxes.
About the Author
Igal Lytzki is currently a Cybersecurity Analyst on Perception Point’s Incident Response team. Prior, he served as a Commander in the Israeli Air Force’s Iron Dome division. With his background in programming and cyber, Igal has become an expert on all thing’s malware, his interest fueled by the curiosity of understanding hackers and their methods. In his spare time Igal can be found on Twitter @0xToxin hunting malware.
Igal can be reached online at https://www.linkedin.com/in/igal-lytzki-99bb0721a/ or https://twitter.com/0xToxin at our company website https://perception-point.io/