A new stealer dubbed PennyWise by its developers has appeared recently, exposed by Cyble Research Labs. The researchers observed multiple samples of the malware in the wild, making it an active threat. The threat focuses on stealing sensitive browser data and cryptocurrency wallets, and it comes as the Pentagon has raised concerns about the blockchain.
An unusual way of spreading: YouTube
The malware pretends to be a free Bitcoin mining application, which advertises and can be downloaded via a Youtube video (Figure A).
While this screen capture shows a very limited number of visitors, Cyble has observed over 80 videos on YouTube for mass infection, all stored on the threat actor’s YouTube channel.
As the users watch the video, they are enticed to download a password-protected archive file, which contains the advertised Bitcoin mining software, but which is in fact the PennyWise malware.
EES: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
The use of a password-protected archive is a known social engineering method for enforcing trust, as users tend to be less suspicious when content is password-protected.
In an additional attempt to appear more legitimate, the threat actor adds a link to VirusTotal which shows antivirus results for a clean file that is not the malware. The threat actor also mentions the user might need to turn off his antivirus if he is not allowed to download the file but that it is completely safe (Figure B).
The archive file contains an installer for PennyWise, which executes it before the malware starts communicating with its command and control server.
PennyWise malware characteristics
The malware is obfuscated with an unknown crypter tool and uses multithreading to be more efficient in stealing data.
Once running, the malware obtains the path for several different browsers it targets:
- More than 30 Chrome-based browsers
- More than 5 Mozilla-based browsers
- Microsoft Edge
The malware then grabs the username, the machine name, the system language and timezone from the victims operating system. The timezone is converted to Russian Standard Time.
Another geographical characteristic comes when the malware tries to identify the victim’s country. It completely stops all operations if the country is one of the following:
This could be an indication that the threat actor might want to avoid law enforcement agencies in these particular countries.
In addition, the malware grabs the graphic driver and processor name and saves everything in a hidden folder in the AppDataLocal directory.
Once this is done, the malware attempts to determine in which kind of environment it is running by using anti-analysis and anti-detection tricks. If it runs in a virtual machine, it stops.
More checks are done to determine what antivirus or sandbox might be running, and the malware checks a predefined list of process names related to analysis tools such as wireshark, fiddler and tcpview.
How PennyWise steals data
Once the malware has done all the checks, it starts multithreading for efficiency. Over 10 threads are created, each one in charge of a different operation.
The malware only steals RTF, DOC, DOCX, TXT and JSON files smaller than 20kb. The files are saved in a folder “grabber” in the hidden folder infrastructure created by the malware.
The malware also lists all installed software on the system.
All known browser data is stolen if the malware detects a browser it knows, including login credentials, cookies, encryption keys and master passwords.
Discord tokens and Telegram sessions are also stolen, and a screenshot of the user’s screen is taken.
The registry is then queried in a hunt for cryptocurrency wallets such as Litecoin, Dash and Bitcoin before targeting cold storage wallets such as Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, Atomic Wallet, Guarda and Coinomi. Wallet files are stolen from a list of predefined folders. Cryptocurrency extensions in Chrome-based browsers are also targeted.
Once all the collection is done, it is compressed and sent over to an attacker-controlled server before being deleted from the computer.
How to protect yourself from this threat
Software should never be downloaded from unverified or untrustworthy sources. Software should always be downloaded from legitimate websites after a careful check from the user.
Users should also never disable their antivirus for the purpose of installing a new application. A malicious detection from the antivirus should be a serious warning to the user. The antivirus or security product running on the computer should always be kept patched along with all other software and the operating system itself.
The storage of credentials should be avoided in the browser. Instead, a password manager should be used, with one different password for every website or online service. Multi-factor authentication should be deployed when possible so that when a cybercriminal is in possession of valid credentials, they could not use it to use any online service.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.