White Snake Stealer Attacking Windows & Linux Systems to Steal Login Credentials

White snake stealer, an info stealer which has enhanced features now able to target both Windows and Linux platforms posing a significant threat to user privacy and security. 

Information stealers are created in such a way to infiltrate into computer systems and extract critical data, including personal information, login credentials, financial details, etc 

The stolen data is usually sold on the dark web or used for illegal activities like identity theft, financial fraud, corporate espionage, or blackmail.  

As per the latest post on quick heal, the updated version of white snake stealer 1.6 has built up some of its features like browser support, email client compatibility, etc. 

 Features of updated White Snake Stealer 

  • The malware is compatible with Opera, CocCoc, CentBrowser, and Yandex, allowing it to extract sensitive data from a broader user base. 
  • It can be supported on the following email clients Outlook, Foxmail, and ‘The BAT!,’ 
  • Can target and extract information from 2FA apps and VPN applications 
  • Advanced features such as keylogging, webcam capture, and document grabbing have been incorporated, which allows it to easily compromise user data by recording keystrokes, capturing webcam footage, and collecting specific document types. 
  • It can establish communication with the C2 server allowing the receipt of instructions, the transmission of stolen data, and the download of additional payloads. 
  • Can collect and exfiltrate files of interest from the victim’s machine. 
  • Able to spread through USB devices by making copies on removable drives such as USB flash drives and external hard drives. 
  • Able to propagate among local users by copying itself to their startup folders, ensuring automatic execution upon user login or system restart and facilitating its spread within the compromised system. 

White Snake Stealer Obfuscation Techniques

Advanced code obfuscation techniques are incorporated into the malware to obscure. These intentional obfuscation techniques make the analysis of the stealer even more complex. 

During the execution of the stealer’s main () method, the Anti VM method is called to prevent the malware from running in a virtual environment.  

This function uses Windows Management Instrumentation (WMI) queries to retrieve the system’s “Manufacturer” and “Model” information. 

Later, it compares these details with predefined strings associated with VMs. If a match is detected, the malware terminates without proceeding. 

After that, the stealer duplicates itself in the Appdata directory and creates a scheduled task. Subsequently, it removes the original file to cover its tracks. 

The updated version of the stealer can now download and install TOR and utilizes the “HiddenServicePort 80 127.0.0.1:2392” configuration directive. 

This directive specifies that incoming requests to the hidden service on port 80 will be redirected to a randomly generated port (2392) on the local machine.  

The malware utilizes this redirected port to run an HTTP listener service responsible for handling incoming requests. 

The beacon functionality is implemented by establishing a connection between TOR and an open port on the victim’s system.  

The onion address, which serves as the unique identifier for the hidden service, is generated and stored in a file within the directory specified by the “HiddenServiceDir” configuration directive in the TOR configuration file.  

The attacker connects to the hidden service using this onion address through the TOR network. 

The attacker can issue commands or exfiltrate stolen data through this communication channel facilitated by the HTTPListener(). 

Once the data was collected, the XmlSerializer was used to transform it into a serialized format. Then, the serialized data is compressed using the RSA encryption algorithm.  

Finally,it affixes tags, including the filename (e.g.,Username@Computername_report.wsr), to the gathered information.  

The malware establishes a connection to a predetermined server controlled by the attacker using the WebClient class’s ‘uploadData’ method with the PUT HTTP method. 

This allows the attacker to receive the stolen information from infected systems. The malware notifies the attacker through a Telegram chat by executing an HTTP GET request to the Telegram BOT API. 

Indicators of Compromise (IOCs) 

b133fccfd54e62681e3549c6947ca1521417745cc7f376c362ba118bcc0de39b
b133fccfd54e62681e3549c6947ca1521417745cc7f376c362ba118bcc0de39b
e76e206e8ae24f95a329b4f6ecdf1f22b76b07a8c628c0619b781bdba2d85732
fdc83f58a30b80240c5887c6646324600f3896421059b80caddacfdb196287ea
c24938a87190df896986a22f9f66fb84401da04cda2a535856b0ce9eacb2bd0d
446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89
bc7536cb39c4dc0ef7522b46efbc97b87edd958248267932c46cdda2d571a72b
18b27eb6ec1898c6a8422e43e386f901eca8f09949eb63229d53f5041e5d2910
0d5996e68d654bb1ab31c89ae0a5b3c810f9f761f20df825d4ab5bba3d510bde
c219beaecc91df9265574eea6e9d866c224549b7f41cdda7e85015f4ae99b7c7
b133fccfd54e62681e3549c6947ca1521417745cc7f376c362ba118bcc0de39b
e76e206e8ae24f95a329b4f6ecdf1f22b76b07a8c628c0619b781bdba2d85732
fdc83f58a30b80240c5887c6646324600f3896421059b80caddacfdb196287ea
138a262303b34cf0da63a5a8d32217db66f97ef5873dbac0f51ada3659c8cb3f
fdc83f58a30b80240c5887c6646324600f3896421059b80caddacfdb196287ea
0000028f80066ad99544cc7a79caa649ee72eca2711b1b1128df61ffd13b0657
f8fd7b7eabb7b70e3f5a13bf8526eb620522a3c0aac6caf05b4db83d13e1e625
0c6705665e94b4d7184fe34185d0ea2706c745ddb71bb45bb194c96ebe2d7869
df78f7993dc9aaee7666a06a6dae52ba0fc6e63e01376474fa96af360cf566de
a4191e00cd9dfeda78901ef9dae317e23c73408e7b4c1eeef8de6a8c70fe9db7
b4c9d3abd4fe5b4be84884c933e8d9a6a80ce326e05432a7ecb8a7c28f393941

“AI-based email security measures Protect your business From Email Threats!” – Request a Free Demo.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.