g0njxa (July 11, 2023, 8:51am):
Hello Team,
Recently a new stealer product was announced on the market and was discovered being distributed via compromised YouTube channels. Thanks to @AnFam17 for verifying this statement.
Tweet: “So this seems to be something new spotted on YT! #Root Team Stealer Uploading logs at temp linx server http://5.42.66.26/ (Same behaviour as for example Darth Project Stealer) Sandbox log: http://5.42.66.26/mk7nl8q3y3.zip https://t.co/xNrK4yRcsl”
Data from the infected host is exfiltrated via http://5.42.66.26/upload by default, an open-source self-hosted file/media sharing website (see GitHub: xtrafrancyz/linx-server, “Self-hosted file/code/media sharing website”). This behavior is similar to the previous Darth Project Stealer, so maybe some rules can be reused to detect this threat.
(2) Tweet: “hxxps://github.com/zxcCitrus/tochnonefor/releases/download/gay/Download.zip Infostealer campaign spreading over Youtube C2 #Darth Project Stealer 5.42.66.26 (linx-server to upload temp files) Not a new stealer, but interesting to see it https://t.co/k0x9sUMNso”
One issue appeared with rule detection, as this threat is actually being detected as Bandit Stealer, triggering rule 2045867 - ET MALWARE Bandit Stealer Reporting Attempt (malware.rules).
You can find examples on AnyRun Public Submissions, tag: rootteam.
Thanks to suyog41 for the hashes:
0e8d5189077b3bca3ce62d881a5adf54
662317764cfae027c007ccbbe32046ef
I believe the kind of threat I’m sharing isn’t Bandit Stealer; it is RootTeam Stealer, and this rule needs to be rewritten.
Both stealers use the /upload path to upload log files, but in fact Bandit Stealer always connects to a C2 panel (VirusTotal file: 1b7e000c9cd800ca324537aa0532acd8dd497b67d07cdb522d1a4379a4a7b51e; urlscan.io: 185.250.151.78), and RootTeam Stealer uses the storage server mentioned previously.
I hope these issues can be verified by the ET Labs Team, and I would love to see if @Jane_0sint can help rewrite the rules for Bandit Stealer and write new rules for RootTeam Stealer.
hey @g0njxa
Thanks for the additional intel! I’ve got that signature renamed in today’s release and found some additional traffic from the Any.Run detonation you shared in your tweet. Below is a summary of what changed/new signatures went out today. Let me know if anything looks off.
2046806 - Win32/RootTeam Stealer CnC Exfil M2. # Detects POST to /api/report
2046807 - Win32/RootTeam Stealer CnC Response # Detects CnC Response to PUT/POST /upload/
2046808 - DNS Query to File Sharing Domain (drop .xtrafrancyz .net) # DNS sig for demo links-server
2046809 - Upload to Links-Server File Sharing Server # Hunting sig for other links-server traffic
2045867 - Win32/RootTeam Stealer CnC Exfil M1 # Updated Name from Bandit Stealer
g0njxa (August 17, 2023, 5:10pm):
A new variant of this stealer has been discovered; currently there’s no detection rule. CnC exfil changed: the log is now being uploaded as base64 in a single request.
I don’t know why 2046806 - Win32/RootTeam Stealer CnC Exfil M2. # Detects POST to /api/report is not being pushed.
OLD:
ANY.RUN interactive analysis of Launcher.exe (MD5: 525ECA0E85C3325ECA5B5B3CFEACD241), malicious activity
NEW:
ANY.RUN interactive analysis of LaLauncher.exe (MD5: 43A3997C24E25E4B25F66AFF503ACE89), malicious activity
The other PE file being dropped by this stealer is a clipper that is now being loaded by the new variants too.
Hi!
It looks like there have been some changes in the headers and the HTTP request. I propose new rules for detection.
alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] Win32/RootTeam Stealer User-Agent";flow: established, to_server; http.method; content: "POST"; http.user_agent; content: "Mozilla/5.0 (Windows NT 123.9|3b| WOW64) AppleWebKit / 537.36 (KHTML, like Gecko) Chrome / 83.0.4.121 Safari/537.36"; http.header_names; content:!"Referer|0d 0a|"; reference: md5,6bb365fb7263551c97317f071aa73276; reference: url,app.any.run/tasks/616ca90b-9f70-4d8c-ab9b-68ae70ab65d2; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family RootTeam, created_at 2023_08_17; classtype: trojan-activity; sid: 8000686; rev: 1;)
alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] Win32/RootTeam Stealer CnC Exfil M3";flow: established, to_server; http.method; content: "POST"; http.header; content: "Content-Type: application/json"; http.header_names; content:!"Referer|0d 0a|"; http.request_body;content: "{|22|log|22|:|22|UEs";content: "|22|,|22|passwords|22|:|22|"; distance: 0; content: "|22|,|22|cookies|22|:|22|"; distance: 0; content: "|22|,|22|wallets|22|:|22|"; distance: 0; content: "|22|,|22|name|22|:|22|"; distance: 0; content: "|22|,|22|inC|22|:|22|"; distance: 0; content: "|22|,|22|nickname|22|:|22|"; distance: 0; reference: md5,6bb365fb7263551c97317f071aa73276; reference: url,app.any.run/tasks/616ca90b-9f70-4d8c-ab9b-68ae70ab65d2; metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family RootTeam, created_at 2023_08_17; classtype: trojan-activity; sid: 8000687; rev: 1;)
Best regards, Jane.
Thank you both for the report, we will have the rules in for tomorrow’s release!
JT
2047671 - ET MALWARE [ANY.RUN] Win32/RootTeam Stealer Related User-Agent
2047672 - ET MALWARE [ANY.RUN] Win32/RootTeam Stealer CnC Exfil M3
Went out today, thanks again!
JT
Hi, let’s modify the rules for exfiltration:
alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] Win32/RootTeam Stealer CnC Exfil M3";flow: established, to_server; http.method;content: "POST"; http.header;content: "Content-Type: application/json"; http.header_names;content:!"Referer|0d 0a|"; http.request_body;content: "|22|log|22|:|22|UEs";content: "|22|,|22|passwords|22|:|22|"; content: "|22|cookies|22|:|22|"; content: "|22|wallets|22|:|22|"; content: "|22|name|22|:|22|"; content: "|22|nickname|22|:|22|"; reference: md5,6bb365fb7263551c97317f071aa73276;reference: url,app.any.run/tasks/616ca90b-9f70-4d8c-ab9b-68ae70ab65d2;metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family RootTeam, created_at 2023_08_17; classtype: trojan-activity;sid: 8000687; rev: 2;)
Best regards, Jane
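To see what changes between rev 1 (every content match chained with distance:0, plus an inC key) and rev 2 (independent content matches, no inC) of the CnC Exfil M3 rule above, here is an added example that is not part of the thread or of any ET rule: it builds a constructed JSON body shaped like the one the rule describes (the "log" value is a base64 ZIP, so it begins with "UEs") and emulates both revisions' http.request_body matching in Python. The key orders and field values are assumptions for the demonstration, not captured stealer traffic.

```python
import base64
import io
import json
import zipfile

# Content matches transcribed from the two rule revisions (|22| is a double quote).
# rev 1 chains every match with distance:0, so they must appear in this order.
REV1_ORDERED = [b'{"log":"UEs', b'","passwords":"', b'","cookies":"',
                b'","wallets":"', b'","name":"', b'","inC":"', b'","nickname":"']
# rev 2 drops the distance modifiers (and the inC key), so each match is independent.
REV2_ANYWHERE = [b'"log":"UEs', b'","passwords":"', b'"cookies":"',
                 b'"wallets":"', b'"name":"', b'"nickname":"']


def make_sample_body(key_order):
    """Build a constructed JSON exfil body (not a real log) with keys in the given order.
    The "log" value is a base64 ZIP, so it starts with "UEs" as the rule expects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("info.txt", "constructed sample archive")  # assumed placeholder content
    fields = {"log": base64.b64encode(buf.getvalue()).decode(),
              "passwords": "0", "cookies": "0", "wallets": "0",
              "name": "sample", "inC": "0", "nickname": "sample"}
    return json.dumps({k: fields[k] for k in key_order}, separators=(",", ":")).encode()


def match_ordered(body, patterns):
    """Emulate chained content/distance:0 matches: each must start at or after the previous match's end."""
    pos = 0
    for p in patterns:
        i = body.find(p, pos)
        if i < 0:
            return False
        pos = i + len(p)
    return True


def match_anywhere(body, patterns):
    """Emulate independent content matches anywhere in http.request_body."""
    return all(p in body for p in patterns)


def evaluate(key_order):
    """Return (rev1_hit, rev2_hit) for a sample body with the given key order."""
    body = make_sample_body(key_order)
    return match_ordered(body, REV1_ORDERED), match_anywhere(body, REV2_ANYWHERE)


if __name__ == "__main__":
    original = ["log", "passwords", "cookies", "wallets", "name", "inC", "nickname"]
    reordered = ["log", "passwords", "name", "nickname", "cookies", "wallets"]
    print("original key order:", evaluate(original))    # (True, True)
    print("reordered, no inC: ", evaluate(reordered))   # (False, True)
```

A body whose keys appear in the rev 1 order fires both revisions; once the keys are reordered or inC is absent, only rev 2 still matches.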
Thanks, we will get this in for today’s release!
JT