Estimated reading time: 5 minutes
AsukaStealer, marketed on a Russian-language cybercrime forum by the alias ‘breakcore,’ has been exposed. The perpetrator offers its services for a monthly fee of $80, targeting individuals and organizations seeking to exploit its capabilities for malicious purposes.
Written in C++, AsukaStealer features customizable configurations and an intuitive web-based interface, enhancing its usability for cybercriminals seeking to deploy and manage malware efficiently.
It is a sophisticated malware designed to infiltrate a wide range of browsers, including popular ones like Mozilla Firefox, Google Chrome, and Microsoft Edge. It has the capability to extract valuable information such as extension data, internet cookies, and saved login credentials from these browsers, posing a significant threat to user’s privacy and security. With its ability to target both Gecko and Chromium-based browsers, Asuka ensures a broad reach across various browsing platforms, making it a potent tool for cybercriminals seeking to harvest sensitive data.
In addition to browser data, Asuka is equipped to target other applications and software commonly used by individuals and businesses. It seeks information related to cryptocurrency wallets, FTP clients like FileZilla, messaging platforms like Discord and Telegram, and gaming software like Steam.
Moreover, Asuka’s capabilities extend beyond data extraction to include exfiltrating files from infected systems and taking screenshots.
Technical Details
AsukaStealer r is a C++ custom malware. While analyzing the sample, it initially uses the API hashing technique.
Fig 1: API resolution done by malware
Upon our analysis, we found that Asuka has some base64-encoded and hexadecimal values.
It is utilizing “1d6f6623f5e8555c446dc496567bd86e” as the key and “WRBCFgwZHQZIAVcWAwMbUQEOBVRTBA==” as the base64-encoded C2 address
After decoding the c2c address is hxxp://5.42.66.25:3000/
Fig 2: Decoding c2c base 64 value with key
C2C download of config file
The most interesting fact is that it downloads configuration files from the c2c server hxxp://5.42.66.25:3000/ and tries to utilize them.
Fig 3: Configuration file
From the configuration file, we can see that it is utilizing browser and discord details.
Data Exfiltration
Fig 4: Desktop version and language ID check
It tries to collect desktop version and language ID and checks if they are from Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Ukraine, or Russia.
Fig 5: OS details capture
It also tries to capture CPU details, OS version, RAM, time zone, and other details.
Fig 6: Browser credential details
It also tries to collect login details like cookies, passwords, and web Data of browsers.
Fig 7: Chromium browser details
The above figure shows how it tries to steal data from the chromium browsers.
List of browsers it tries to steal are,
OperaGX
net
Chromium
Google
Google86
Opera
ChromiumPlus
Iridium
7Star
CentBrowser
Chedot
Vivaldi
Kometa
Elements
EpicPrivacyBrowser
Uran
Sleipnir5
Citrio
Coowon
liebao
QIPSurf
Orbitum
Amigo
Torch
YandexBrowser
Comodo
360Browser
Maxthon3
K-Melon
Sputnik
Nichrome
CocCoc
Uran2
Chromodo2
Atom
BraveSoftware
Edge
GeForceExperience
Steam
CryptoTabBrowser
It also tries to steal the following Crypto wallet details:
osmwallet
DogeLabsWallet
Safepal
KeplrWallet
Zecrey
LeapCosmosWallet
EthosSuiWallet
Nightly
Z3US
Bitski
ABCWallet
BitPay
AuroxWallet
WalletGuard
EOFinanceWallet
BitKeep-Wallet
CoreWallet
Crypto-Wallet
VenomWallet
BraavosWallet
SolflareWallet
Fig 8: Storing browsing data in database file
Then malware collects and transmits crucial files for decrypting browser data, including cookies.sqlite, logins.json, cert9.db, and key4.db.
Each file is associated with a unique UUID generated using the UuidCreate function, enhancing tracking and organization of the exfiltrated data. Notably, UuidCreate is also employed for other data extracted from the host, spanning cryptocurrency wallets, the Grabber module, Steam, Telegram, and additional sources, showcasing the malware’s comprehensive data exfiltration capabilities.
Downloads Coinminer
It also downloads the Coinminer file, saves it in a temp folder with the name tempik22814838.exe, and executes it.
C2c of Coinminer: hxxp://www.marrem.ee/altushka1488228pudge.exe
Fig 9: Coinminer downloaded and dropped in the temp folder
When we tried to check the c2c, we found the login page of AsukaStealer, where the attacker stored all the user’s details.
Fig 10: Login page of AsukaStealer malware
Mitre attack techniques:
Initial Access
TA0001
Execution
TA0002
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Collection
TA0009
Command and Control
TA0011
Steal Application Token
T1528
Steal Web Session Cookie
T1539
Screen Capture
T1113
Exfiltration Over C2
T1041
Conclusion:
With the increasing number of malware and the prevalence of Malware-as-a-Service, it is becoming easier for threat actors to consume what is readily available without spending much time. Data is the most important commodity for an individual or a business, which threat actors can steal and sell on underground forums, resulting in massive breaches. So, it becomes more crucial to keep your antivirus up to date to avoid such circumstances.
IOCs:
24bb4fc117aa57fd170e878263973a392d094c94d3a5f651fad7528d5d73b58a AsukaStealer
6b8277813999b908fc38eca68db5249fe0b76a8f652cb1a5a21d073247ed7dc4 Coinminer
Authors:
Soumen Burma
Rumana Siddiqui
The post Unmasking AsukaStealer: The $80 Malware Threatening Your Digital Security appeared first on Blogs on Information Technology, Network & Cybersecurity | Seqrite.