Gremlin Stealer: Strings decryption + Where data is uploaded

 Introduction

This is a quick static analysis blog post. @solostalking shared a sample of a new stealer with me on Twitter this morning, and I decided to take a quick look at it. I found out how it decrypts its strings. The process can be automated; here I'll just showcase the algorithm.

Sample: https://app.any.run/tasks/69325fa1-b37e-41dc-a1f8-bb0038345a3d

Decrypting the strings

Since it's a .NET sample, let's open it in dnSpy.

Skimming through the methods of the main module, I found this one:



Seeing a loaded resource, some obfuscation, and a string return value, you immediately suspect a string decryption method.

It loads an encrypted resource, uses the first and second parameters to calculate an offset into it, and finally runs a decryption routine over the selected bytes.

Notice how all the elements of the array are XORed with the SAME INTEGER, which is the third parameter.

We can make use of CyberChef's XOR Brute Force operation and bulk decrypt everything in the resource.



We can recognize some strings such as chrome.exe, etc.

But the output is too large to skim through.

I'll save it to a file and look for things like "http", ".com", etc.
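As an added example (not code from the sample or from this post), here is a Python script that automates the CyberChef step: it tries all 256 single-byte XOR keys, keeps the ones whose output contains a known plaintext fragment such as "http" or ".exe", and then greps the decrypted blob for URLs and domains. The encrypted resource, the key 0x5A and the strings inside it are constructed for this example. `decrypt_string` mirrors the shape of the routine described above but takes the offset directly, since the exact offset derivation from the first two parameters is not reproduced here.

```python
"""Single-byte XOR brute force over an encrypted string resource, plus IoC grep.

Added example, not the stealer's own code. The resource below is constructed
so the script runs offline; swap in the bytes of the real resource when needed.
"""
import re
import string

# Constructed sample: a fake string table, NUL-separated, encrypted with one key.
_PLAINTEXT_RESOURCE = (
    b"chrome.exe\x00"
    b"http://c2.example/panel\x00"           # placeholder, not a real C2
    b"https://t.me/constructed_handle\x00"   # placeholder Telegram link
    b"pool.example.com\x00"                  # placeholder mining-pool domain
)
SAMPLE_KEY = 0x5A  # constructed key, chosen for this example only
ENCRYPTED_RESOURCE = bytes(b ^ SAMPLE_KEY for b in _PLAINTEXT_RESOURCE)

PRINTABLE = frozenset(string.printable.encode())


def decrypt_string(resource: bytes, offset: int, length: int, key: int) -> str:
    """Shape of the described routine: slice the resource at an offset and
    XOR every byte with the same integer key (only the low byte matters).
    Assumption: the caller has already computed the offset from the first
    two parameters of the original method."""
    chunk = resource[offset:offset + length]
    return bytes(b ^ (key & 0xFF) for b in chunk).decode("latin-1")


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; used to rank candidates."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def xor_bruteforce(data: bytes,
                   cribs=(b"http", b".exe", b".com")) -> list[tuple[int, float]]:
    """Try all 256 single-byte keys. Keep only keys whose output contains a
    crib (a fragment we expect in a stealer's string table), ranked by how
    printable the output is. Returns (key, printable_ratio) pairs."""
    hits = []
    for key in range(256):
        candidate = bytes(b ^ key for b in data)
        if any(crib in candidate for crib in cribs):
            hits.append((key, printable_ratio(candidate)))
    hits.sort(key=lambda kv: kv[1], reverse=True)
    return hits


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Equivalent of the `strings` tool: printable runs of at least min_len bytes."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


# URLs, bare domains, and Telegram links are what the post searched for.
IOC_PATTERN = re.compile(r"https?://\S+|\S+\.(?:com|net|org)\b|t\.me/\S+")


def find_iocs(strings: list[str]) -> list[str]:
    """Filter extracted strings down to network indicators worth reviewing."""
    return [s for s in strings if IOC_PATTERN.search(s)]


def decrypt_resource(data: bytes) -> tuple[int, list[str]]:
    """Recover the key, decrypt the whole resource and return the indicators."""
    key, _ratio = xor_bruteforce(data)[0]
    decrypted = bytes(b ^ key for b in data)
    return key, find_iocs(extract_strings(decrypted))


if __name__ == "__main__":
    recovered_key, iocs = decrypt_resource(ENCRYPTED_RESOURCE)
    print(f"recovered key: 0x{recovered_key:02x}")
    for ioc in iocs:
        print(ioc)
```

The crib filter is what makes this safe to run unattended: ranking by printable ratio alone can tie between the real key and keys that merely shift letters to other letters, whereas a wrong key will practically never produce "http" or ".exe" by accident. For a real resource, feed the raw bytes of the embedded resource to `decrypt_resource` and review the returned indicators before treating any of them as a C2.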




This is the link to the C2 Panel.


A Telegram link



It most likely belongs to the author of the malware.



Searching for occurrences of the string ".com" gives us many domains.


minergate.com is a mining pool, so it's very likely that the malware implements mining functionality.

You also find several other domains related to blockchain, including cryptonator.com.




cryptonator.com was seized by the authorities.


You can also find wwh-club, which was a cybercrime marketplace.




You can call it the Lumma effect, but whenever I find a Steam profile in a sample, I assume it's being used for fallback C2s.


Where data is uploaded?

Once I found the C2 panel http://207.244.199.46/, I went and fuzzed its files and directories, and found the /uploads directory.

Second OPSEC failure after the XOR blunder?


This directory contains the zip files of stolen data from each infected machine.

Conclusion

Obviously, more work needs to be done to check whether there are other C2s, to find the full Steam profile link, and other things. I wanted to share these findings in case they help someone.
