Written by ARC Labs contributors, Adam Paulina
Binary Defense ARC Labs researchers recently investigated what appears to be a novel infostealer discovered in the wild and named it MalenuStealer.
An infostealer is a type of malicious software crafted to gather personal data (usernames, passwords, and payment information) from victims. Discord is a popular online platform where gamers and various communities come together to chat via text, voice, or video. Because of its massive user base and the built-in trust between friends, cybercriminals often see Discord as a prime attack vector for achieving their goals.
In this particular scheme, attackers use already-compromised Discord accounts to send out phishing messages. The hook is simple yet effective: they claim to be game developers looking for quick help testing a new game. Excited by the prospect, users download what appears to be a harmless beta. In reality, it’s an infostealer. This tactic leverages the trust people have in messages from online friends, as well as the appeal of trying out something “new,” making it a dangerous blend of social engineering and malware delivery.
Attackers used the compromised Discord accounts to send out a phishing message that linked to a Blogspot page. This page showcased a few screenshots and a brief description of what looked like a “game,” plus a direct download link. However, the “game” was really just a password-protected RAR archive. The archive password was shared in the phishing message itself, with the excuse that it was necessary because the game was “still in beta.” In reality, the encryption was likely intended to slip past antivirus engines and keep the file hidden from security researchers.
Once extracted, the folder contained a self-extracting EXE “installer”, which would extract and run the stealer in the background while purporting to install the “game”. The malicious code is executed from an obfuscated JavaScript file contained in the resources folder. The “game executable” is actually just a renamed electron.exe; Electron is a common framework for packaging JavaScript applications as native executables. Binary Defense researchers are in the process of conducting static analysis on the highly obfuscated script. Dynamic analysis of the malware sample was performed in a lab environment to identify behavioral TTPs, and the following hunts were developed, with suggested queries linked at the end of the report.
The first hunt searches for instances of Electron being run with a process name other than electron.exe.
The second hunt attempts to identify a behavior where taskkill is called to close multiple active browsers and messaging programs in close succession, which MalenuStealer does in order to access their files without needing to deal with “file in use” locks.
The third hunt searches for events in which a Chromium-based browser is reopened with the --remote-debugging-port flag set. In the specific case of this campaign, it set the port to 2352 on localhost. However, remote debugging of a Chromium-based browser is a common TTP across multiple threat groups, and thus the hunt was generalized to any port.
When MalenuStealer is done grabbing data, it bundles the information it exfiltrates into a zip file to be sent off to its C2 server. The fourth hunt attempts to identify this behavior by searching for the creation of a zip file whose name contains the machine name, following the stealer's hard-coded naming convention.
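The four hunts above, implemented as an added Python example that is not from the ARC Labs query repository, run over constructed Sysmon-style process-creation and file-creation events. The field names (orig_name standing in for OriginalFileName, target for the created file path), the sample hostname and the 30-second taskkill window are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

def proc(ts, image, orig, cmd):  # constructed Sysmon-style process event (field names assumed)
    return {"ts": ts, "type": "process", "image": image, "orig_name": orig, "cmdline": cmd}

EVENTS = [  # constructed sample telemetry, not a real capture
    proc("2025-01-01T10:00:00", r"C:\Games\beta\SkyQuest.exe", "electron.exe", "SkyQuest.exe"),
    proc("2025-01-01T10:00:05", r"C:\Windows\System32\taskkill.exe", "taskkill.exe", "taskkill /F /IM chrome.exe"),
    proc("2025-01-01T10:00:06", r"C:\Windows\System32\taskkill.exe", "taskkill.exe", "taskkill /F /IM msedge.exe"),
    proc("2025-01-01T10:00:07", r"C:\Windows\System32\taskkill.exe", "taskkill.exe", "taskkill /F /IM Discord.exe"),
    proc("2025-01-01T10:00:09", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe",
         "chrome.exe --remote-debugging-port=2352 --remote-debugging-address=localhost"),
    {"ts": "2025-01-01T10:00:40", "type": "file", "image": r"C:\Games\beta\SkyQuest.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\DESKTOP-1A2B3C.zip"},
]
HOSTNAME = "DESKTOP-1A2B3C"  # constructed; in production take it from the event's host field
CHROMIUM = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}
KILL_TARGETS = CHROMIUM | {"firefox.exe", "discord.exe", "telegram.exe"}

def base(path):
    return PureWindowsPath(path).name.lower()

def hunt_renamed_electron(events):
    """Hunt 1: the Electron binary (OriginalFileName) running under a different image name."""
    return [e["image"] for e in events if e["type"] == "process"
            and e["orig_name"].lower() == "electron.exe" and base(e["image"]) != "electron.exe"]

def hunt_taskkill_burst(events, window=timedelta(seconds=30), min_targets=3):
    """Hunt 2: taskkill against >= min_targets distinct browsers/messengers inside one window."""
    kills = [(datetime.fromisoformat(e["ts"]), m.group(1).lower()) for e in events
             if e["type"] == "process" and base(e["image"]) == "taskkill.exe"
             and (m := re.search(r"/im\s+(\S+)", e["cmdline"], re.I)) and m.group(1).lower() in KILL_TARGETS]
    bursts = []
    for t0, _ in kills:  # sliding window anchored at each kill event
        names = sorted({n for t, n in kills if t0 <= t <= t0 + window})
        if len(names) >= min_targets and names not in bursts:
            bursts.append(names)
    return bursts

def hunt_remote_debugging(events):
    """Hunt 3: a Chromium-based browser launched with a remote debugging port (any port, not just 2352)."""
    return [(base(e["image"]), int(m.group(1))) for e in events if e["type"] == "process" and base(e["image"])
            in CHROMIUM and (m := re.search(r"--remote-debugging-port=(\d+)", e["cmdline"]))]

def hunt_zip_named_after_host(events, hostname):
    """Hunt 4: creation of a .zip whose file name carries the machine name."""
    return [e["target"] for e in events if e["type"] == "file"
            and base(e["target"]).endswith(".zip") and hostname.lower() in base(e["target"])]
```

Legitimate developer tooling (Electron apps shipped under their own product name, browsers started by automation frameworks with a debugging port) will also match hunts 1 and 3, so treat those as triage leads and weight them by the taskkill burst and the zip creation occurring on the same host in the same window.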
You can find the detection queries at https://github.com/BinaryDefense/ARC-Labs-Hunting-Queries/tree/main/MalenuStealer