Advanced Threat Research: Dissecting the Russian-Origin Collector-Stealer Malware

F5 Ecosystem | December 16, 2021


Collector-stealer, a piece of malware of Russian origin, is widely used on the Internet to exfiltrate sensitive data from end-user systems and store it in its C&C panels. To help the industry guard against this threat, Aditya K Sood and Rohit Chaturvedi from the Advanced Threat Research Center of Excellence within F5's Office of the CTO present a 360-degree analysis of the Collector-stealer malware, unearthing hidden artifacts across binary analysis, how the malware operates, and the design of the associated C&C panels.

Collector-stealer has become quite pervasive in a relatively short time. Information stolen by the malware is generally sold through underground markets for nefarious purposes. Attackers primarily target European countries with Collector-stealer, but it also impacts users in other countries such as the U.S.A., China, and Cambodia.

Here are some of the highlights and interesting characteristics of Collector-stealer uncovered through this analysis:

  • Collector-stealer uses multiple ways to initiate infection, including:
    • Luring users to phishing portals hosting free-game downloads
    • Bundling with Windows activation/crack software packages
    • Fake miner web portals (portals that mimic the content of a cryptocurrency software provider's site to trigger drive-by download attacks)
  • Collector-stealer is written in C++ and infects the user's machine to steal crucial data such as stored passwords, web data, cookies, screenshots, and more. The malware authors obfuscated their code to frustrate researchers and make analysis more difficult.
  • Before sending data to the C&C server, Collector-stealer checks Internet connectivity on the victim's machine by pinging the Cloudflare DNS resolver IP address 1.1.1.1. If the ping fails, it deletes its executable along with the collected data from the victim machine and silently exits. Otherwise, it sends the collected data to the C&C server.
  • Collector-stealer sends the collected data over HTTP using the POST method. Before sending, the malware compresses the data into a .zip archive, which is then posted to the C&C server.
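The two behaviours above (an ICMP reachability probe to 1.1.1.1 followed shortly by an HTTP POST of a .zip body to an external host) are individually weak signals but useful together. The following is an added detection example, not code from the original post or from the Virus Bulletin paper: it correlates the two events per source host over a set of constructed log lines. The log format, the field names (`body-type=zip`, `bytes=`), the URL paths, the addresses and the 60-second window are all assumptions for illustration; a real proxy would have to identify the zip body from its magic bytes, since the stealer may wrap the archive in a multipart form rather than send it as `application/zip`.

```python
"""Correlate a connectivity probe to 1.1.1.1 with a subsequent zip upload from the
same host. Log format and sample lines are constructed for this example."""
import re
from datetime import datetime, timedelta

# Assumed upper bound between the probe and the exfiltration POST (tuning parameter).
WINDOW = timedelta(seconds=60)

# Constructed sample lines in a hypothetical "ts src dst proto detail" format.
# 10.0.0.5  : probe then zip POST 3 s later          -> alert
# 10.0.0.7  : probe then an ordinary GET              -> no alert
# 10.0.0.9  : zip POST with no preceding probe        -> no alert (single signal)
# 10.0.0.11 : probe, zip POST 15 min later            -> no alert (outside window)
SAMPLE_LOGS = """\
2021-12-16T10:00:01Z 10.0.0.5 1.1.1.1 ICMP echo-request
2021-12-16T10:00:04Z 10.0.0.5 203.0.113.10 HTTP POST /upload.php body-type=zip bytes=48211
2021-12-16T10:05:00Z 10.0.0.7 1.1.1.1 ICMP echo-request
2021-12-16T10:05:02Z 10.0.0.7 203.0.113.20 HTTP GET / body-type=none bytes=0
2021-12-16T11:00:00Z 10.0.0.9 203.0.113.30 HTTP POST /api/backup body-type=zip bytes=1200
2021-12-16T12:00:00Z 10.0.0.11 1.1.1.1 ICMP echo-request
2021-12-16T12:15:00Z 10.0.0.11 203.0.113.40 HTTP POST /upload.php body-type=zip bytes=9000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<proto>ICMP|HTTP) (?P<detail>.*)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def is_connectivity_probe(ev):
    """ICMP echo request to Cloudflare's 1.1.1.1, as the stealer does before exfiltration."""
    return ev["proto"] == "ICMP" and ev["dst"] == "1.1.1.1" and "echo-request" in ev["detail"]


def is_zip_post(ev):
    """HTTP POST whose body the (assumed) proxy identified as a zip archive."""
    return (
        ev["proto"] == "HTTP"
        and ev["detail"].startswith("POST ")
        and "body-type=zip" in ev["detail"]
    )


def correlate(lines, window=WINDOW):
    """Return one alert per zip POST that follows a probe from the same source within `window`."""
    last_probe = {}   # src -> timestamp of the most recent probe
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if is_connectivity_probe(ev):
            last_probe[ev["src"]] = ev["ts"]
        elif is_zip_post(ev):
            probe_ts = last_probe.get(ev["src"])
            if probe_ts is not None and timedelta(0) <= ev["ts"] - probe_ts <= window:
                alerts.append({
                    "src": ev["src"],
                    "dst": ev["dst"],
                    "probe_ts": probe_ts,
                    "post_ts": ev["ts"],
                    "gap_s": (ev["ts"] - probe_ts).total_seconds(),
                })
    return alerts


def detect_from_text(text):
    """Convenience wrapper: run the correlation over a multi-line log string."""
    return correlate(text.splitlines())


if __name__ == "__main__":
    for alert in detect_from_text(SAMPLE_LOGS):
        print(alert)
```

On the sample input only 10.0.0.5 fires. A bare ping to 1.1.1.1 is common on healthy networks and a zip upload alone is routine, so neither should page anyone on its own; the correlation, plus the fact that a failed probe makes the sample delete itself, is what makes the sequence worth a rule. Adjust `WINDOW` to what your own telemetry shows between the probe and the upload.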

Collector-stealer gained popularity on underground forums because of its broad feature set. We have seen many users express interest in buying this malware, and some groups have even attempted to provide a cracked version. The Russian group "Hack_Jopi" has sold Collector-stealer on forums since October 2018.

The complete research paper detailing the analysis of this malware has been published in Virus Bulletin. Read the paper expanding on the above and other findings at:
https://www.virusbulletin.com/virusbulletin/2021/12/collector-stealer-russian-origin-credential-and-information-extractor/

Enjoy!
