Unmasking AsukaStealer: The $80 Malware Threatening Your Digital Security

Estimated reading time: 5 minutes

AsukaStealer, marketed on a Russian-language cybercrime forum by the alias ‘breakcore,’ has been exposed. The perpetrator offers its services for a monthly fee of $80, targeting individuals and organizations seeking to exploit its capabilities for malicious purposes.
Written in C++, AsukaStealer features customizable configurations and an intuitive web-based interface, enhancing its usability for cybercriminals seeking to deploy and manage malware efficiently.
It is a sophisticated malware designed to infiltrate a wide range of browsers, including popular ones like Mozilla Firefox, Google Chrome, and Microsoft Edge. It has the capability to extract valuable information such as extension data, internet cookies, and saved login credentials from these browsers, posing a significant threat to user’s privacy and security. With its ability to target both Gecko and Chromium-based browsers, Asuka ensures a broad reach across various browsing platforms, making it a potent tool for cybercriminals seeking to harvest sensitive data.
In addition to browser data, Asuka is equipped to target other applications and software commonly used by individuals and businesses. It seeks information related to cryptocurrency wallets, FTP clients like FileZilla, messaging platforms like Discord and Telegram, and gaming software like Steam.
Moreover, Asuka’s capabilities extend beyond data extraction to include exfiltrating files from infected systems and taking screenshots.

Technical Details
AsukaStealer r is a C++ custom malware. While analyzing the sample, it initially uses the API hashing technique.

Fig 1: API resolution done by malware

Upon our analysis, we found that Asuka has some base64-encoded and hexadecimal values.

It is utilizing “1d6f6623f5e8555c446dc496567bd86e” as the key and “WRBCFgwZHQZIAVcWAwMbUQEOBVRTBA==” as the base64-encoded C2 address

After decoding the c2c address is hxxp://5.42.66.25:3000/

Fig 2: Decoding c2c base 64 value with key

C2C download of config file

The most interesting fact is that it downloads configuration files from the c2c server hxxp://5.42.66.25:3000/ and tries to utilize them.

Fig 3: Configuration file

From the configuration file, we can see that it is utilizing browser and discord details.

Data Exfiltration

Fig 4: Desktop version and language ID check

It tries to collect desktop version and language ID and checks if they are from Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Uzbekistan, Ukraine, or Russia.

Fig 5: OS details capture

It also tries to capture CPU details, OS version, RAM, time zone, and other details.

Fig 6: Browser credential details

It also tries to collect login details like cookies, passwords, and web Data of browsers.

Fig 7: Chromium browser details

The above figure shows how it tries to steal data from the chromium browsers.

List of browsers it tries to steal are,

OperaGX
net
Chromium
Google
Google86
Opera
ChromiumPlus
Iridium
7Star
CentBrowser
Chedot
Vivaldi
Kometa
Elements
EpicPrivacyBrowser
Uran
Sleipnir5
Citrio
Coowon
liebao
QIPSurf
Orbitum
Amigo
Torch
YandexBrowser
Comodo
360Browser
Maxthon3
K-Melon
Sputnik
Nichrome
CocCoc
Uran2
Chromodo2
Atom
BraveSoftware
Edge
GeForceExperience
Steam
CryptoTabBrowser

It also tries to steal the following Crypto wallet details:

osmwallet
DogeLabsWallet
Safepal
KeplrWallet
Zecrey
LeapCosmosWallet
EthosSuiWallet
Nightly
Z3US
Bitski
ABCWallet
BitPay
AuroxWallet
WalletGuard
EOFinanceWallet
BitKeep-Wallet
CoreWallet
Crypto-Wallet
VenomWallet
BraavosWallet
SolflareWallet

Fig 8: Storing browsing data in database file

Then malware collects and transmits crucial files for decrypting browser data, including cookies.sqlite, logins.json, cert9.db, and key4.db.

Each file is associated with a unique UUID generated using the UuidCreate function, enhancing tracking and organization of the exfiltrated data. Notably, UuidCreate is also employed for other data extracted from the host, spanning cryptocurrency wallets, the Grabber module, Steam, Telegram, and additional sources, showcasing the malware’s comprehensive data exfiltration capabilities.

Downloads Coinminer

It also downloads the Coinminer file, saves it in a temp folder with the name tempik22814838.exe, and executes it.

C2c of Coinminer: hxxp://www.marrem.ee/altushka1488228pudge.exe

Fig 9: Coinminer downloaded and dropped in the temp folder

When we tried to check the c2c, we found the login page of AsukaStealer, where the attacker stored all the user’s details.

Fig 10: Login page of AsukaStealer malware

Mitre attack techniques:

Initial Access
TA0001

Execution
TA0002

Defense Evasion
TA0005

Credential Access
TA0006

Discovery
TA0007

Collection
TA0009

Command and Control

TA0011

Steal Application Token
T1528

Steal Web Session Cookie
T1539

Screen Capture
T1113

Exfiltration Over C2
T1041

Conclusion:

With the increasing number of malware and the prevalence of Malware-as-a-Service, it is becoming easier for threat actors to consume what is readily available without spending much time. Data is the most important commodity for an individual or a business, which threat actors can steal and sell on underground forums, resulting in massive breaches. So, it becomes more crucial to keep your antivirus up to date to avoid such circumstances.

IOCs:

24bb4fc117aa57fd170e878263973a392d094c94d3a5f651fad7528d5d73b58a   AsukaStealer

6b8277813999b908fc38eca68db5249fe0b76a8f652cb1a5a21d073247ed7dc4  Coinminer

Authors:

Soumen Burma

Rumana Siddiqui

The post Unmasking AsukaStealer: The $80 Malware Threatening Your Digital Security appeared first on Blogs on Information Technology, Network & Cybersecurity | Seqrite.

Leave a Reply