Newly discovered Windows-based malware steals sensitive information (July 5, 2023)

Ref# AL2023_55 | Date: Jul 5th 2023

Description  

Researchers from Fortinet recently discovered a previously unseen infostealer, which they dubbed ThirdEye. It is capable of stealing a range of sensitive information from compromised devices, and that information can serve as a stepping stone for future attacks.  

Details 

The investigation began when the researchers discovered an archive with a Russian file name, .zip, which translates to "time sheet" in English. The archive contains two files, both using a double extension (for example, filename.pdf.exe or filename2.xlsx.exe). The first file is called CMK .pdf.exe, which translates to "QMS Rules for issuing sick leave", and the second is called .xls.exe, which translates to "time sheet", the same name used for the archive. Both files execute the ThirdEye infostealer, which harvests BIOS and hardware information and enumerates files, folders, running processes and network information. The collected data is sent to the malware's command and control (C2) server hosted at hxxp://shlalala[.]ru/general/ch3ckState. 
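The double-extension lure described above (a document extension such as .pdf or .xls followed by .exe) can be flagged without opening or running the files. The following Python is an added example, not code from this alert or from Fortinet; the extension lists, the in-memory archive and its member names are constructed for illustration.

```python
import io
import zipfile

# Extensions that attackers commonly use to make an executable look like a document.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf"}
# Extensions Windows will execute when the file is double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi"}


def is_deceptive_double_extension(name: str) -> bool:
    """True for names like 'report.pdf.exe': a document extension immediately
    followed by an executable one, compared case-insensitively.
    Only the last path component is examined, so directory prefixes inside an
    archive and non-ASCII (e.g. Cyrillic) file names are handled the same way."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    if len(parts) < 3:
        return False
    # Padding such as 'report.pdf    .exe' is also used to push the real
    # extension out of view, so surrounding whitespace is ignored.
    inner, outer = parts[-2].strip(), parts[-1].strip()
    return inner in DOCUMENT_EXTS and outer in EXECUTABLE_EXTS


def suspicious_archive_members(data: bytes) -> list:
    """Return the entry names inside a ZIP archive (given as bytes) that carry a
    deceptive double extension. Nothing is extracted or executed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [
            info.filename
            for info in zf.infolist()
            if not info.is_dir() and is_deceptive_double_extension(info.filename)
        ]


def build_sample_archive() -> bytes:
    """Constructed test archive (not the real sample): two double-extension
    members mirroring the pattern in the alert plus one benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("timesheet.xls.exe", b"placeholder bytes, not a real executable")
        zf.writestr("Report.PDF.EXE", b"placeholder bytes, not a real executable")
        zf.writestr("notes.xlsx", b"benign spreadsheet placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name in suspicious_archive_members(build_sample_archive()):
        print("suspicious double extension:", name)
```

The check deliberately looks only at the archive's directory listing, so it can run on a mail gateway or a quarantine share before anyone opens the attachment; a match is a reason to detonate the file in a sandbox or block it, not proof of infection.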

The researchers noticed a unique string, 3rd_eye, which the malware decrypts and sends together with a hash value to identify itself to the C2 server; this string is the source of the malware's name. 

Based on traits shared by the two samples examined, the researchers traced the family back to the very first sample of what is now called ThirdEye. That older sample was submitted to a public file scanning service on April 4th, 2023, and harvested far less information than the recent ThirdEye sample: it collected only the client_hash, OS_type, host_name and user_name of the compromised device and exfiltrated them to the C2 server hxxp://glovatickets[.]ru/ch3ckState. 

A newer sample, released later in April, was updated to collect more data from compromised devices. The additional data included the BIOS release date and vendor, the number of CPUs and cores, the RAM size, a file list of the user's desktop, network interface data and the list of usernames registered on the infected computer. However, this sample crashed on certain virtual machines because of missing hardware information. The threat actors behind the malware were aware of this and released an updated version a day later that fixed the crash and replaced the icons of the malware file. This variant used the C2 server hxxp://ohmycars[.]ru/general/ch3ckState. 

A week later, another variant was discovered, bringing further changes to the data collected. This variant also checks the total and free disk space on the C: drive, the domain name, the list of network ports the infected computer is currently using, the list of running processes, the list of programs installed in the Program_Files directory, systemUpTime, the list of the user's programs including their version numbers, and volume information such as CD-ROM and other drive letters.  

The number of variants discovered indicates that the threat actors are actively updating this malware. Even though there is no solid evidence of it being used in attacks, the malware is designed to collect information from the compromised machines of potential targets. It is believed that this infostealer was built for that purpose, and ThirdEye victims may be the subject of future cyberattacks.  

Indicators of Compromise 

Below is the list of IOCs, including sample hashes and C2 URLs, associated with the ThirdEye malware: 

IOC                                                               Malware
9db721fa9ea9cdec98f113b81429db29ea47fb981795694d88959d8a9f1042e6  Archive file containing ThirdEye Infostealer
5d211c47612b98426dd3c8eac092ac5ce0527bda09afa34b9d0f628109e0c796  ThirdEye Infostealer
f6e6d44137cb5fcee20bcde0a162768dadbb84a09cc680732d9e23ccd2e79494  ThirdEye Infostealer
3d9aff07e4cb6c943aec7fcd2d845d21d0261f6f8ae1c94aee4abdf4eef5924d  ThirdEye Infostealer
2008bdd98d3dcb6633357b8d641c97812df916300222fc815066978090fa078f  ThirdEye Infostealer
847cbe9457b001faf3c09fde89ef95f9ca9e1f79c29091c4b5b08c5f5fe48337  ThirdEye Infostealer
c36c4a09bccdeda263a33bc87a166dfbad78c86b0f953fcd57e8ca42752af2fc  ThirdEye Infostealer
0a798b4e7bd4853ec9f0d3d84ad54a8d24170aa765db2591ed3a49e66323742c  ThirdEye Infostealer
a9d98b15c94bb310cdb61440fa2b11d0c7b4aa113702035156ce23f6b6c5eecf  ThirdEye Infostealer
263600712137c1465e0f28e1603b3e8feb9368a37503fa1c9edaaab245c63026  ThirdEye Infostealer
610aff11acce8398f2b35e3742cb46c6a168a781c23a816de2aca471492161b2  ThirdEye Infostealer
hxxp://shlalala[.]ru/general/ch3ckState                           ThirdEye Infostealer C2
hxxp://ohmycars[.]ru/general/ch3ckState                           ThirdEye Infostealer C2
hxxp://anime-clab[.]ru/ch3ckState                                 ThirdEye Infostealer C2
hxxp://glovatickets[.]ru/ch3ckState                               ThirdEye Infostealer C2
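The IOC list above is only useful once it is turned into a check that runs over real data. The following Python is an added example, not code from this alert or from Fortinet: it refangs the defanged C2 URLs, matches proxy log lines against the C2 hosts, and compares a file's SHA-256 against the sample hashes. The log line format and the lower-confidence rule that flags the same check-in path on a host not in the list are assumptions of this example; the hashes and URLs are copied from the table above.

```python
import hashlib
import re
from urllib.parse import urlparse

# C2 URLs copied from the advisory, kept in their defanged form.
C2_URLS_DEFANGED = [
    "hxxp://shlalala[.]ru/general/ch3ckState",
    "hxxp://ohmycars[.]ru/general/ch3ckState",
    "hxxp://anime-clab[.]ru/ch3ckState",
    "hxxp://glovatickets[.]ru/ch3ckState",
]

# SHA-256 hashes copied from the advisory (archive plus ThirdEye samples).
SAMPLE_SHA256 = {
    "9db721fa9ea9cdec98f113b81429db29ea47fb981795694d88959d8a9f1042e6",
    "5d211c47612b98426dd3c8eac092ac5ce0527bda09afa34b9d0f628109e0c796",
    "f6e6d44137cb5fcee20bcde0a162768dadbb84a09cc680732d9e23ccd2e79494",
    "3d9aff07e4cb6c943aec7fcd2d845d21d0261f6f8ae1c94aee4abdf4eef5924d",
    "2008bdd98d3dcb6633357b8d641c97812df916300222fc815066978090fa078f",
    "847cbe9457b001faf3c09fde89ef95f9ca9e1f79c29091c4b5b08c5f5fe48337",
    "c36c4a09bccdeda263a33bc87a166dfbad78c86b0f953fcd57e8ca42752af2fc",
    "0a798b4e7bd4853ec9f0d3d84ad54a8d24170aa765db2591ed3a49e66323742c",
    "a9d98b15c94bb310cdb61440fa2b11d0c7b4aa113702035156ce23f6b6c5eecf",
    "263600712137c1465e0f28e1603b3e8feb9368a37503fa1c9edaaab245c63026",
    "610aff11acce8398f2b35e3742cb46c6a168a781c23a816de2aca471492161b2",
}


def refang(url: str) -> str:
    """Reverse the defanging used in the advisory (hxxp -> http, [.] -> .) so
    the indicator can be compared with real log data."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


C2_HOSTS = {urlparse(refang(u)).hostname for u in C2_URLS_DEFANGED}
C2_PATHS = {urlparse(refang(u)).path for u in C2_URLS_DEFANGED}

URL_RE = re.compile(r"https?://\S+")


def match_proxy_log(lines):
    """Return (line_number, host, reason) for each proxy log line that contacts
    a listed C2 host (high confidence) or requests the ThirdEye check-in path on
    a host that is not in the list (lower confidence; this path-reuse rule is an
    assumption of the example, meant to surface new infrastructure for review)."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = URL_RE.search(line)
        if not match:
            continue
        url = urlparse(match.group(0))
        host = (url.hostname or "").lower()
        if host in C2_HOSTS:
            hits.append((number, host, "known ThirdEye C2 host"))
        elif url.path in C2_PATHS:
            hits.append((number, host, "ThirdEye check-in path on unlisted host"))
    return hits


def is_known_sample(data: bytes) -> bool:
    """Compare a file's contents against the advisory's sample hashes."""
    return hashlib.sha256(data).hexdigest() in SAMPLE_SHA256


# Constructed proxy log lines for demonstration; not taken from any real environment.
SAMPLE_PROXY_LOG = [
    "2023-07-05T10:01:12Z 10.0.0.15 GET http://shlalala.ru/general/ch3ckState 200",
    "2023-07-05T10:02:40Z 10.0.0.15 GET http://example.com/index.html 200",
    "2023-07-05T10:03:05Z 10.0.0.22 POST http://glovatickets.ru/ch3ckState 200",
    "2023-07-05T10:04:00Z 10.0.0.22 GET http://unlisted.example/general/ch3ckState 404",
]

if __name__ == "__main__":
    for number, host, reason in match_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {number}: {host} ({reason})")
    print("known sample:", is_known_sample(b"constructed bytes, not the real sample"))
```

A host-level hit against the listed domains is strong evidence that the source address should be isolated and examined; the path-only hit is a triage lead, since nothing in the alert says new variants keep the same URL path.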

Remediation 

The attack vector used by this malware appears to be phishing or spear-phishing emails. Users are therefore advised to be wary of suspicious emails carrying attachments or links, to delete suspicious emails, and to scan any attachments downloaded from email with reputable anti-virus software. Conducting cybersecurity drills and exercises to learn how to recognise phishing emails is also advisable.  

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary. 
