Password Stealer refers either to a feature of a piece of malware or to a family of malware, and these have been around for more than a decade now. Antivirus products may detect them as Password Stealers (PWS), Passwords (PSW) or Information Stealer. These kinds of malware are legion. Some, like Pony, may be well known, but others like Azorult or Diamond Fox are almost unknown.
Judging from our recent incidents, this is still a common threat. It is important to note that a Password Stealer is not a Remote Access Trojan; this distinction is crucial. The only aim of a Password Stealer is to steal as many credentials as possible. They are able to steal them from internet browsers, application configuration files or registry keys. Some even steal e-wallets and application serial numbers, anything accessible by the current user. Some are also able to grab screenshots, perform key logging or drop other malicious payloads on the infected target. No interaction between the attacker and the malware is needed and, sadly, most of the time nobody cares about them when they trigger an antivirus alert inside a company.
To illustrate this, we will go through a couple of Password Stealers that we have met, and give an overview of the history and capabilities of this threat.
Pony aka FareIT, the most common
In 2013, we encountered Fareit, also named Pony – this is the real name given by the author. This threat has been in the wild since 2012 and is still widely used. The latest version, v3.0, was released in December 2018.
This stealer is one of the most common, probably because the source code of version 2.0 was leaked in 2015. It is also popular because it supports an incredible number of applications. For example, it is capable of retrieving user credentials from the following software: CoffeeCup Software, Directory Opus, FlashFXP, FileZilla, Total Commander, Bullet Proof FTP, TurboFTP, LeapFTP, SecureFX, FireFTP, 3DFTP, SoftX FTP Client, BlazeFTP, FTP Now, Far Manager, Cute FTP, Fling, Expandrive, Opera, FireFox, K-Meleon, Chrome/ium, IncredibleMail, Pocomail, Becky Internet Mail, The Bat!, WinMail, WindowsLiveMail… More than 130 applications or variants are supported.
Some samples also include a list of passwords used to brute force the local administrator password in order to harvest more credentials on the machine. Some others are even able to perform DDoS attacks.
Pony returns the stolen data to a Command and Control (CC) server, called a Panel, using HTTP. Most of the time, it is a POST to a page named gate.php.
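As an added example (not code from the article or from CERT-XLM), the following Python script looks for the check-in pattern just described in web proxy logs: an HTTP POST whose path ends in gate.php. The simplified log format, the sample lines and the IP addresses in them are constructed for the demonstration, so parse_line() would need adapting to a real proxy's log format. It reports the internal client to triage and the destination host to block or hunt for, and matches the page name case-insensitively.

```python
"""Flag Pony/Fareit-style check-ins (HTTP POST to gate.php) in proxy logs.

Added example, not code from the CERT-XLM article. The log format and the
sample lines are constructed for the demo; adapt parse_line() to your proxy.
"""
import posixpath
import shlex
from urllib.parse import urlsplit

# Constructed sample log lines in a simplified format (documentation IPs):
# <timestamp> <client> <method> <url> <status> <bytes> "<user-agent>"
SAMPLE_LOG = """\
2019-02-12T10:14:03Z 10.0.0.12 GET http://www.example.com/index.html 200 5120 "Mozilla/5.0 (Windows NT 10.0) Firefox/65.0"
2019-02-12T10:14:09Z 10.0.0.12 POST http://198.51.100.7/panel/gate.php 200 1842 "Mozilla/4.0"
2019-02-12T10:15:30Z 10.0.0.33 POST http://www.example.com/login 302 640 "Mozilla/5.0 (Windows NT 10.0) Chrome/72.0"
2019-02-12T10:16:02Z 10.0.0.45 POST http://203.0.113.9/Gate.php 200 2201 "Mozilla/4.0"
2019-02-12T10:16:40Z 10.0.0.33 GET http://198.51.100.7/panel/gate.php 404 300 "Mozilla/5.0"
"""

# Panel page names to look for; the article mentions gate.php for Pony.
# Compared case-insensitively, since operators recase or rename the file.
SUSPICIOUS_PAGES = {"gate.php"}


def parse_line(line):
    """Split one constructed-format log line into a dict, or None if malformed."""
    try:
        ts, client, method, url, status, size, ua = shlex.split(line)
        return {"ts": ts, "client": client, "method": method.upper(), "url": url,
                "status": int(status), "bytes": int(size), "ua": ua}
    except ValueError:  # wrong field count, unbalanced quotes or non-numeric fields
        return None


def is_panel_post(rec):
    """True when the record is a POST whose URL path ends in a known panel page."""
    if rec["method"] != "POST":
        return False
    path = urlsplit(rec["url"]).path
    return posixpath.basename(path).lower() in SUSPICIOUS_PAGES


def detect_gate_posts(log_text):
    """Return one finding per matching line: who sent it, to which host, and the status."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_panel_post(rec):
            continue
        findings.append({
            "ts": rec["ts"],
            "client": rec["client"],              # internal host to triage
            "dest": urlsplit(rec["url"]).netloc,  # panel host to block / hunt for
            "status": rec["status"],              # 200 means the panel accepted the data
            "bytes": rec["bytes"],                # request size hints at how much was sent
        })
    return findings


def clients_to_triage(findings):
    """Distinct internal hosts that posted to a panel page, sorted for the ticket."""
    return sorted({f["client"] for f in findings})


if __name__ == "__main__":
    hits = detect_gate_posts(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["client"]} -> {h["dest"]} (HTTP {h["status"]}, {h["bytes"]} bytes)')
    print("hosts to triage:", ", ".join(clients_to_triage(hits)))
```

On its own the page name is a weak indicator, since a panel can be served under any name, so a hit should open a triage ticket for the client host rather than close the case; a successful POST (HTTP 200) to such a page is also the point at which the credentials on that host must be considered compromised.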
Agent Tesla, the most “professional”
This Password Stealer, written in .NET, has been in use since 2014. It belongs to the category of «professional» key loggers: until the end of 2018, it was sold online on hxxps://www.agenttesla.com for $12 to $35 per month, depending on the required features, payable in cryptocurrency.
It is funny to note that the “official” vendor claims such a product is only for legal purposes. However, the same vendor gives hints for bypassing antiviruses and crafting malicious documents to deliver Agent Tesla. This is a good example of the stealer economy with its shameless vendors.
Agent Tesla is able to report using SMTP, FTP and HTTP; it also has the ability to regularly grab screenshots when a predefined process of interest is in the foreground window. It grabs credentials from 33 different applications.
On the panel side, the PHP code is obfuscated using ionCube. ionCube is a legitimate tool used to protect and encrypt PHP scripts on the server. This makes the analysis of the panel almost impossible.
Predator Pain, one of the laziest
Predator Pain is also a stealer written in .NET. In addition to the classical HTTP reporting, it may also use SMTP and FTP directly as exfiltration channels. These features are ineffective and easily detectable in a corporate environment. The funny thing about this stealer is that the base code does not include a single line to steal credentials. Instead of developing complicated code to write and maintain, the author has decided to embed and use WebBrowserPassView and Mail password recovery from NirSoft. These two free tools allow the recovery of stored credentials. The malware executes them directly in memory using another embedded DLL.
This is a good example of how easily one may build malware to retrieve credentials.
Conclusion and good reactions
During our investigations, we have only seen three password stealers, but there are plenty of them. At CERT-XLM, we have referenced more than 30 different kinds of Password Stealers. From an attacker's point of view, they are easy to find: some are leaked, some can be bought on carding/malware forums and others even have their own website.
Now the real problem is how to react. Most of the time, when an antivirus fires up, people consider it the end of the security incident. It is not; it is the beginning. For this kind of alert, one needs to identify the sample, which is sometimes not an easy task, since most of the time the antivirus only detects a “Generic Trojan”. One needs first to validate how far the malware has gone. Had the malware been installed for days, or was it still in the process of installation? And what kind of malware was it? When a stealer is found, you need to reset your credentials, but you should also change the passwords on your servers, since they were saved in your favorite FTP application.
We hope the impact of the execution of such a “low threat” inside a company is better understood now. If you want more information about stealers, you can refer to the presentation given by Paul Jung at the Botconf 2017 conference on this subject.