Poverty Stealer

Hey, and a few more rules for another stealer. I want to share with the community given the activity of the malware. Exfiltration is carried out through RAW TCP, port 2227.

alert tcp any any -> any 2227 (msg: "ET MALWARE [ANY.RUN] PovertyStealer Check-In";flow: established, to_server; dsize: 100<>768;stream_size: server, =, 1; stream_size: client, <, 768; byte_test: 1,<=,0x0a,0;byte_test: 1,>=,0x06,0;content: "|000000|"; offset: 1; depth: 3;content: "|000000|"; offset: 5; depth: 3;content: !"|0000|"; offset: 8; depth: 2;content: "|0000 0100 00|"; offset: 10; depth: 5;classtype: command-and-control; reference: md5, 3261ba172502ba9854cf74a60eb7a7e2; reference: url,app.any.run/tasks/616b1b06-b935-449d-af08-e55e9f4e61c4; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family PovertyStealer, created_at 2023_08_04; sid: 1; rev: 1;)

alert tcp any any -> any 2227 (msg: "ET MALWARE [ANY.RUN] PovertyStealer Exfiltration M1";flow: established, to_server; stream_size: server, =, 1; content: "PK";depth: 2; classtype: credential-theft; reference:md5,84c61f974da85644011a6cd956bd0204; reference:url,app.any.run/tasks/b4761f9f-ab56-4fe6-b2e8-dd449acfaa52; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family PovertyStealer, created_at 2023_08_04; sid: 2; rev: 1;)

alert tcp any any -> any 2227 (msg: "ET MALWARE [ANY.RUN] PovertyStealer Exfiltration M2";flow: established, to_server; stream_size: server, =, 1; content: "PK";depth: 2; content: "$s.bmp";distance: 28; within: 6;classtype: credential-theft; reference:md5,84c61f974da85644011a6cd956bd0204; reference:url,app.any.run/tasks/b4761f9f-ab56-4fe6-b2e8-dd449acfaa52; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family PovertyStealer, created_at 2023_08_04; sid: 3; rev: 1;)

Analysis 63c33b9d07ff4983194bedf7786cd23b.exe (MD5: 63C33B9D07FF4983194BEDF7786CD23B) Malicious activity - Interactive analysis ANY.RUN
Analysis 227a903567502c67ab7e53143950cb21.exe (MD5: 227A903567502C67AB7E53143950CB21) Malicious activity - Interactive analysis ANY.RUN
Analysis a39a78f6141c7aea6555b61ad6d44b94.exe (MD5: A39A78F6141C7AEA6555B61AD6D44B94) Malicious activity - Interactive analysis ANY.RUN
Analysis 17352aff34b28031f1f48214c7e817a9.exe (MD5: 17352AFF34B28031F1F48214C7E817A9) Malicious activity - Interactive analysis ANY.RUN
Analysis SecuriteInfo.com.Trojan.DownLoaderNET.688.4659.9090 (MD5: BE231D0B99FD570186881418144B8F43) Malicious activity - Interactive analysis ANY.RUN
Automated Malware Analysis Report for q4B165cujP.exe - Generated by Joe Sandbox
Automated Malware Analysis Report for 4jzlpBI7l7.exe - Generated by Joe Sandbox
Automated Malware Analysis Report for OE2HxS3lUt.exe - Generated by Joe Sandbox
Analysis 5ef552b6bb693a4a1fd4080dde4a0b15f3e16ed381002.exe (MD5: DD64D0BC1378B43F8B5B17327B4994CB) Malicious activity - Interactive analysis ANY.RUN
Analysis b0xsupp0rt_Transactions.exe (MD5: E0FB0A3E15BDFBA65A792E3E3463DCD5) Malicious activity - Interactive analysis ANY.RUN
Automated Malware Analysis Report for 2023-07-01-2023-07-15_Transactions.xll - Generated by Joe Sandbox
Analysis https://fundovidaips.com/download/File_pass1234.7z Malicious activity - Interactive analysis ANY.RUN
Analysis file (MD5: 055D849A5DFE135C7535BBDEFA045F92) Malicious activity - Interactive analysis ANY.RUN
Analysis https://storedechuladas.com/wp-content/download/File_pass1234.7z Malicious activity - Interactive analysis ANY.RUN
Analysis file (MD5: CCBBA2AAC1CAE3A0BD29CB42203E20B4) Malicious activity - Interactive analysis ANY.RUN
Automated Malware Analysis Report for file.exe - Generated by Joe Sandbox
Automated Malware Analysis Report for file.exe - Generated by Joe Sandbox

Best regards, Jane.

1 Like

I plan to finalize the rules, since the second includes the detections of the third.

I compared the check-in from three new builds:
Newbiuld, buildik1, build01
and made a mask:
After that I decided to take the selected fragment (mutex) and the UUID, plus the length of the packet, for the first rule, in order not to use the port. I leave the second rule unchanged, since there are two conditions: the port, and the fact that the client's packet with the archive magic will be the first in the stream.

alert tcp any any -> any any (msg: "ET MALWARE [ANY.RUN] PovertyStealer Check-In";flow: established, to_server; stream_size: server, =, 1; dsize: 1079;pcre: "/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\x00/";content: "|00|LMR-001";offset: 36;depth:8; classtype: command-and-control; reference: md5, a39a78f6141c7aea6555b61ad6d44b94; reference: url,app.any.run/tasks/7bcdd299-9044-47f2-b8a0-9133e2e7728c; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family PovertyStealer, created_at 2023_08_04; sid: 1; rev: 1;)

alert tcp any any -> any 2227 (msg: "ET MALWARE [ANY.RUN] PovertyStealer Exfiltration M1";flow: established, to_server; stream_size: server, =, 1; content: "PK";depth: 2; classtype: credential-theft; reference:md5,84c61f974da85644011a6cd956bd0204; reference:url,app.any.run/tasks/b4761f9f-ab56-4fe6-b2e8-dd449acfaa52; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family PovertyStealer, created_at 2023_08_04; sid: 2; rev: 1;)
1 Like

great analysis :fire: @Jane0sint! We’ll get these in tomorrow’s (2023/08/07) release.

2047066 - ET MALWARE [ANY.RUN] PovertyStealer Check-In via TCP
2047067 - ET MALWARE [ANY.RUN] PovertyStealer Exfiltration M1

For performance I modified PovertyStealer Exfiltration M1 to match on some of the folder structure within the .zip that is being exfil’d

1 Like

Detection on port 2227 is not enough; I just discovered a build using port 2220.

Analysis hightechnology.exe (MD5: 73BDAE97BBF9B332F0CCE73F9D6C21F7) Malicious activity - Interactive analysis ANY.RUN

No rule detection at this moment.
A more general detection on any port is needed, in anticipation of this stealer using random ports in the future.

1 Like

@g0njxa - thanks for the FN tip!

I took a look this morning, and what was causing the FN was that the new sample has LMR-002 after the UUID, as opposed to the original sample, which has LMR-001. I updated the rule so that it will alert regardless of what the three digits are after LMR-. The rule was already port agnostic with $HOME_NET any -> $EXTERNAL_NET any, so there was no need to make changes there.

Updated sig will go out in Monday’s Release.

Old:

New:

2 Likes
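As an added illustration (not code from the thread, ANY.RUN or Emerging Threats), this Python emulates the check-in matching logic of the port-agnostic rule above and of JT's generalisation to any three digits after "LMR-", run over constructed payloads; the UUID value and the NUL-padding layout of the sample payloads are assumptions.

```python
import re

# Fields from the thread's check-in rule (sid 2047066 as first posted):
# a lowercase hex UUID followed by a NUL anchored at payload start,
# "|00|LMR-001" in the 8 bytes at offset 36, and dsize 1079.
CHECKIN_DSIZE = 1079
TAG_OFFSET, TAG_DEPTH = 36, 8
UUID_NUL_RE = re.compile(
    rb"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\x00")
ORIGINAL_TAG = b"\x00LMR-001"
# JT's follow-up: alert regardless of the three digits after "LMR-".
GENERAL_TAG_RE = re.compile(rb"^\x00LMR-[0-9]{3}")


def build_checkin(uuid: str, build_tag: str, total_len: int = CHECKIN_DSIZE) -> bytes:
    """Constructed sample payload (not captured traffic): UUID, NUL, build tag,
    NUL, then NUL padding up to total_len so the dsize can be varied in tests."""
    body = uuid.encode() + b"\x00" + build_tag.encode() + b"\x00"
    if len(body) > total_len:
        raise ValueError("body does not fit in total_len")
    return body + b"\x00" * (total_len - len(body))


def _common_checks(payload: bytes) -> bool:
    # dsize: 1079 and the pcre anchored at the start of the payload.
    return len(payload) == CHECKIN_DSIZE and UUID_NUL_RE.match(payload) is not None


def matches_original_rule(payload: bytes) -> bool:
    """First version: exact '|00|LMR-001' in the 8-byte window at offset 36."""
    if not _common_checks(payload):
        return False
    return payload[TAG_OFFSET:TAG_OFFSET + TAG_DEPTH] == ORIGINAL_TAG


def matches_updated_rule(payload: bytes) -> bool:
    """Updated version: '|00|LMR-' plus any three digits in that window."""
    if not _common_checks(payload):
        return False
    window = payload[TAG_OFFSET:TAG_OFFSET + TAG_DEPTH]
    return GENERAL_TAG_RE.match(window) is not None


if __name__ == "__main__":
    uuid = "6ba7b810-9dad-11d1-80b4-00c04fd430c8"  # constructed, lowercase hex
    for tag in ("LMR-001", "LMR-002"):
        p = build_checkin(uuid, tag)
        print(tag, matches_original_rule(p), matches_updated_rule(p))
```

The LMR-002 payload is exactly the FN described above: it fails the original rule but passes the updated one, while a wrong dsize or an uppercase UUID fails both.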

Hi, can I ask you to add a link to this discussion to rule 2047066?

reference:url,community.emergingthreats.net/t/poverty-stealer/;

The signature updates will go out today!

JT

2 Likes