Analytics Story: Crypto Stealer

Description

Crypto Stealer is a malware strain built to exfiltrate cryptocurrency-related data from compromised systems. It searches the infected host for wallet files, watches clipboard activity, and collects other cryptocurrency artifacts, aiming to capture private keys and transaction details. Harvested data is sent to a command-and-control (C2) server, and the malware can change its behaviour based on instructions it receives from that server. Detection indicators include unusual outbound traffic to suspicious IP addresses, file access targeting cryptocurrency wallet directories, and anomalous clipboard activity involving cryptocurrency strings (for example, wallet addresses). Defenders should monitor for these behaviours and apply heuristic analysis to catch deviations from normal system operation; users should keep endpoint protection up to date and avoid downloading files from untrusted sources to reduce the risk posed by Crypto Stealer.

Why it matters

Crypto Stealer targets the cryptocurrency holdings of its victims. Once running, it scans for wallet files, clipboard data, and other digital assets, intercepting private keys and transaction details, then reports to a command-and-control (C2) server to exfiltrate what it has stolen and to receive updated instructions. It is frequently deployed alongside other malicious components: XMRig, a widely abused cryptocurrency miner that hijacks system resources for illicit mining, and ClipBanker, which watches the clipboard and replaces a copied wallet address with one controlled by the attacker, so that the victim's next transaction is silently redirected. Mining and theft together maximize the attacker's return, while the clipboard swap is easy for a victim to miss. Indicators of compromise include unauthorized access to cryptocurrency wallet files, suspicious clipboard behaviour, and outbound connections to known malicious IP addresses. Recognizing these patterns lets defenders detect and contain Crypto Stealer before significant loss occurs.
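
The clipboard-swap behaviour attributed to ClipBanker above, and the "anomalous clipboard usage associated with cryptocurrency strings" indicator in the description, can be checked for directly wherever an endpoint agent exposes clipboard writes. The following is an added example, not code from this analytic story or from any Crypto Stealer sample: it classifies clipboard text by wallet-address shape and flags the swap signature, one address replaced by a different address of the same type, written by a different process, within a short window. The event schema (timestamp, writing process, clipboard text), the two-second window and the lookalike process name svchost_.exe are assumptions made for the sample; the addresses are taken from public documentation examples and are not indicators.

```python
"""Clipboard-swap heuristic for ClipBanker-style wallet address replacement.

Added example; not taken from the analytic story or from malware samples.
Assumed, constructed event schema: (ts, process, text) per clipboard write.
"""
import re
from dataclasses import dataclass

# Shape checks only (no checksum validation): enough to classify clipboard
# text as "looks like a wallet address of type X".
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass
class ClipEvent:
    ts: float       # seconds since epoch
    process: str    # image that wrote the clipboard (assumed to be available)
    text: str       # clipboard contents after the write


def classify(text: str):
    """Return the address type the text looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def detect_swaps(events, window_s=2.0):
    """Flag the ClipBanker pattern: an address is replaced by a different
    address of the same type, by a different process, within window_s.
    Re-copying the same address, or copying an address of another asset
    type, is not flagged."""
    alerts = []
    ordered = sorted(events, key=lambda e: e.ts)
    for prev, cur in zip(ordered, ordered[1:]):
        prev_kind, cur_kind = classify(prev.text), classify(cur.text)
        if prev_kind is None or prev_kind != cur_kind:
            continue
        if prev.text.strip() == cur.text.strip():
            continue
        if cur.ts - prev.ts > window_s:
            continue
        if cur.process.lower() == prev.process.lower():
            continue
        alerts.append({
            "kind": cur_kind,
            "original": prev.text.strip(),
            "replacement": cur.text.strip(),
            "by_process": cur.process,
            "delta_s": round(cur.ts - prev.ts, 3),
        })
    return alerts


def sample_events():
    """Constructed clipboard history. Addresses are public documentation
    examples, not indicators; svchost_.exe is an assumed lookalike name."""
    return [
        ClipEvent(100.0, "explorer.exe", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
        # 300 ms later another process overwrites it with a different bech32 address
        ClipEvent(100.3, "svchost_.exe", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
        ClipEvent(160.0, "chrome.exe", "0x742d35Cc6634C0532925a3b844Bc454e4438f44e"),
        ClipEvent(160.5, "chrome.exe", "0x742d35Cc6634C0532925a3b844Bc454e4438f44e"),  # same text
        ClipEvent(161.0, "notepad.exe", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),  # other asset type
        ClipEvent(161.2, "Code.exe", "meeting notes"),                            # not an address
    ]


if __name__ == "__main__":
    for alert in detect_swaps(sample_events()):
        print(alert)
```

If the telemetry cannot attribute a clipboard write to a process, drop the process comparison and expect more noise: a user re-copying a different address of the same type within two seconds is rare but legitimate. The window and the address patterns are the tuning knobs; adding further asset types is a matter of extending ADDRESS_PATTERNS.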

Detections

Name | Technique | Type
Add or Set Windows Defender Exclusion | Disable or Modify Tools, Impair Defenses | TTP
Any Powershell DownloadFile | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP
CHCP Command Execution | Command and Scripting Interpreter | TTP
CMD Carry Out String Command Parameter | Windows Command Shell, Command and Scripting Interpreter | Hunting
Detect Password Spray Attack Behavior On User | Password Spraying, Brute Force | TTP
Detect Rare Executables | User Execution | Anomaly
Download Files Using Telegram | Ingress Tool Transfer | TTP
Excessive Usage Of Cacls App | File and Directory Permissions Modification | Anomaly
Excessive Usage Of SC Service Utility | System Services, Service Execution | Anomaly
Excessive Usage Of Taskkill | Disable or Modify Tools, Impair Defenses | Anomaly
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Hiding Files And Directories With Attrib exe | File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP
High Process Termination Frequency | Data Encrypted for Impact | Anomaly
Icacls Deny Command | File and Directory Permissions Modification | TTP
ICACLS Grant Command | File and Directory Permissions Modification | Anomaly
Malicious PowerShell Process - Encoded Command | Obfuscated Files or Information | Hunting
Modify ACL permission To Files Or Folder | File and Directory Permissions Modification | Anomaly
Permission Modification using Takeown App | File and Directory Permissions Modification | TTP
Sc exe Manipulating Windows Services | Windows Service, Create or Modify System Process | TTP
Suspicious Process File Path | Create or Modify System Process | TTP
Suspicious Scheduled Task from Public Directory | Scheduled Task, Scheduled Task/Job | Anomaly
Windows Account Access Removal via Logoff Exec | Account Access Removal, PowerShell, Command and Scripting Interpreter | Anomaly
Windows AutoIt3 Execution | Command and Scripting Interpreter | TTP
Windows Boot or Logon Autostart Execution In Startup Folder | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | Anomaly
Windows Disable or Modify Tools Via Taskkill | Impair Defenses, Disable or Modify Tools | Anomaly
Windows DNS Query Request by Telegram Bot API | Bidirectional Communication, DNS, Application Layer Protocol, Web Service | Anomaly
Windows File and Directory Enable ReadOnly Permissions | Windows File and Directory Permissions Modification | TTP
Windows File and Directory Permissions Enable Inheritance | Windows File and Directory Permissions Modification | Hunting
Windows File and Directory Permissions Remove Inheritance | Windows File and Directory Permissions Modification | Anomaly
Windows Obfuscated Files or Information via RAR SFX | Encrypted/Encoded File | Anomaly
Windows Office Product Spawned Rundll32 With No DLL | Phishing, Spearphishing Attachment | TTP
Windows Powershell Logoff User via Quser | Account Access Removal, PowerShell, Command and Scripting Interpreter | Anomaly
Windows Remote Management Execute Shell | Windows Remote Management | Anomaly
Windows Screen Capture in TEMP folder | Screen Capture | TTP
Windows Service Created with Suspicious Service Path | System Services, Service Execution | TTP
Windows Service Creation Using Registry Entry | Services Registry Permissions Weakness | Anomaly
Windows Service Deletion In Registry | Service Stop | Anomaly
Windows Service Stop By Deletion | Service Stop | TTP
Windows Set Account Password Policy To Unlimited Via Net | Service Stop | Anomaly
Windows System File on Disk | Exploitation for Privilege Escalation | Hunting
Windows System User Discovery Via Quser | System Owner/User Discovery | Hunting
XMRIG Driver Loaded | Windows Service, Create or Modify System Process | TTP
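
Three of the detection shapes in the table above, written out as an added example that approximates their intent rather than reproducing the Splunk searches: a count-based anomaly (Excessive Usage Of Taskkill), a command-line pattern (Add or Set Windows Defender Exclusion) and a DNS-channel rule (Windows DNS Query Request by Telegram Bot API), run over constructed Sysmon-style EventID 1 and EventID 22 records. The threshold of 10 launches per 60 seconds, the record field names, the host names and the image path C:\Users\Public\updater.exe are assumptions for the sample, not values from the story.

```python
"""Three rule shapes from the detection list, run over constructed
Sysmon-style events. Added example; rule bodies approximate the named
detections' intent and are not the Splunk searches themselves.

Assumed (constructed) record schema: dicts with event_id, ts, host, image,
plus command_line for EventID 1 and query_name for EventID 22.
"""
import re
from collections import defaultdict

TASKKILL_THRESHOLD = 10   # assumed tuning: launches per host per window
WINDOW_S = 60

# Add-MpPreference / Set-MpPreference with any -Exclusion* parameter
DEFENDER_EXCLUSION = re.compile(
    r"(add|set)-mppreference\b.*-exclusion(path|process|extension)",
    re.IGNORECASE,
)


def image_name(path):
    """Basename of a Windows image path, lower-cased."""
    return path.lower().rsplit("\\", 1)[-1]


def rule_excessive_taskkill(events, threshold=TASKKILL_THRESHOLD, window_s=WINDOW_S):
    """Count anomaly: threshold or more taskkill.exe launches on one host
    inside a sliding window of window_s seconds. One alert per host."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 1 and image_name(ev["image"]) == "taskkill.exe":
            per_host[ev["host"]].append(ev["ts"])
    alerts = []
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "Excessive Usage Of Taskkill", "host": host,
                               "count": end - start + 1, "window_s": window_s})
                break
    return alerts


def rule_defender_exclusion(ev):
    """Command-line pattern: a Defender exclusion being added via PowerShell."""
    if ev["event_id"] == 1 and DEFENDER_EXCLUSION.search(ev["command_line"]):
        return {"rule": "Add or Set Windows Defender Exclusion",
                "host": ev["host"], "evidence": ev["command_line"]}
    return None


def rule_telegram_dns(ev):
    """C2 channel: a DNS lookup of the Telegram Bot API host (EventID 22)."""
    if ev["event_id"] == 22 and ev["query_name"].lower().rstrip(".") == "api.telegram.org":
        return {"rule": "Windows DNS Query Request by Telegram Bot API",
                "host": ev["host"], "evidence": ev["image"]}
    return None


def run_rules(events):
    """Apply the aggregate rule once and the per-event rules to every record."""
    alerts = rule_excessive_taskkill(events)
    for ev in events:
        for rule in (rule_defender_exclusion, rule_telegram_dns):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


def sample_events():
    """Constructed records, not real telemetry."""
    sys32 = "C:\\Windows\\System32\\"
    evs = []
    # WS01: a kill loop against tooling names, 12 launches in 12 seconds
    targets = ["MsMpEng.exe", "procexp.exe", "taskmgr.exe", "wireshark.exe"] * 3
    for i, target in enumerate(targets):
        evs.append({"event_id": 1, "ts": 1000 + i, "host": "WS01",
                    "image": sys32 + "taskkill.exe",
                    "command_line": "taskkill /F /IM " + target})
    # WS02: an admin killing a hung app three times; stays under threshold
    for i in range(3):
        evs.append({"event_id": 1, "ts": 2000 + 5 * i, "host": "WS02",
                    "image": sys32 + "taskkill.exe",
                    "command_line": "taskkill /F /IM notepad.exe"})
    evs.append({"event_id": 1, "ts": 1020, "host": "WS01",
                "image": sys32 + "WindowsPowerShell\\v1.0\\powershell.exe",
                "command_line": "powershell -nop -w hidden Add-MpPreference -ExclusionPath C:\\Users\\Public"})
    evs.append({"event_id": 22, "ts": 1030, "host": "WS01",
                "image": "C:\\Users\\Public\\updater.exe", "query_name": "api.telegram.org"})
    evs.append({"event_id": 22, "ts": 1031, "host": "WS02",
                "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
                "query_name": "www.example.com"})
    return evs


if __name__ == "__main__":
    for alert in run_rules(sample_events()):
        print(alert)
```

The count rule emits one alert per host per pass; a production version would key its deduplication on host plus window start and tune the threshold against the baseline of your own administrative tooling, since helpdesk scripts also call taskkill. The Telegram rule is intentionally exact on the host name: the same check against EventID 22 is what distinguishes a bot-API C2 channel from ordinary messenger traffic.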

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 15 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 5 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 6 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log System 7045 | Windows | xmlwineventlog | XmlWinEventLog:System

Source: GitHub | Version: 1