White Snake Stealer Attacking Windows & Linux Systems to Steal Login Credentials

White snake stealer, an info stealer which has enhanced features now able to target both Windows and Linux platforms posing a significant threat to user privacy and security. 

Information stealers are created in such a way to infiltrate into computer systems and extract critical data, including personal information, login credentials, financial details, etc 

The stolen data is usually sold on the dark web or used for illegal activities like identity theft, financial fraud, corporate espionage, or blackmail.  

As per the latest post on quick heal, the updated version of white snake stealer 1.6 has built up some of its features like browser support, email client compatibility, etc. 

 Features of updated White Snake Stealer 

  • The malware is compatible with Opera, CocCoc, CentBrowser, and Yandex, allowing it to extract sensitive data from a broader user base. 
  • It can be supported on the following email clients Outlook, Foxmail, and ‘The BAT!,’ 
  • Can target and extract information from 2FA apps and VPN applications 
  • Advanced features such as keylogging, webcam capture, and document grabbing have been incorporated, which allows it to easily compromise user data by recording keystrokes, capturing webcam footage, and collecting specific document types. 
  • It can establish communication with the C2 server allowing the receipt of instructions, the transmission of stolen data, and the download of additional payloads. 
  • Can collect and exfiltrate files of interest from the victim’s machine. 
  • Able to spread through USB devices by making copies on removable drives such as USB flash drives and external hard drives. 
  • Able to propagate among local users by copying itself to their startup folders, ensuring automatic execution upon user login or system restart and facilitating its spread within the compromised system. 

White Snake Stealer Obfuscation Techniques

Advanced code obfuscation techniques are incorporated into the malware to obscure. These intentional obfuscation techniques make the analysis of the stealer even more complex. 

During the execution of the stealer’s main () method, the Anti VM method is called to prevent the malware from running in a virtual environment.  

This function uses Windows Management Instrumentation (WMI) queries to retrieve the system’s “Manufacturer” and “Model” information. 

Later, it compares these details with predefined strings associated with VMs. If a match is detected, the malware terminates without proceeding. 

After that, the stealer duplicates itself in the Appdata directory and creates a scheduled task. Subsequently, it removes the original file to cover its tracks. 

The updated version of the stealer can now download and install TOR and utilizes the “HiddenServicePort 80” configuration directive. 

This directive specifies that incoming requests to the hidden service on port 80 will be redirected to a randomly generated port (2392) on the local machine.  

The malware utilizes this redirected port to run an HTTP listener service responsible for handling incoming requests. 

The beacon functionality is implemented by establishing a connection between TOR and an open port on the victim’s system.  

The onion address, which serves as the unique identifier for the hidden service, is generated and stored in a file within the directory specified by the “HiddenServiceDir” configuration directive in the TOR configuration file.  

The attacker connects to the hidden service using this onion address through the TOR network. 

The attacker can issue commands or exfiltrate stolen data through this communication channel facilitated by the HTTPListener(). 

Once the data was collected, the XmlSerializer was used to transform it into a serialized format. Then, the serialized data is compressed using the RSA encryption algorithm.  

Finally,it affixes tags, including the filename (e.g.,Username@Computername_report.wsr), to the gathered information.  

The malware establishes a connection to a predetermined server controlled by the attacker using the WebClient class’s ‘uploadData’ method with the PUT HTTP method. 

This allows the attacker to receive the stolen information from infected systems. The malware notifies the attacker through a Telegram chat by executing an HTTP GET request to the Telegram BOT API. 

Indicators of Compromise (IOCs) 


“AI-based email security measures Protect your business From Email Threats!” – .

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.