Agniane Stealer Targeting Users to Steal Financial Data

Threat actors use stealers to collect sensitive information from unsuspecting users covertly.

These tools are favored for their ability to infiltrate systems, remain undetected, and extract valuable data, which threat actors can exploit for financial gain and other malicious purposes.

Stealers offer threat actors a low-risk, high-reward way to reach valuable assets without direct confrontation.

Cybersecurity researchers at Cisco recently discovered Agniane Stealer attacking users to steal financial data and warned about it.

Agniane Stealer Attacking Users

Agniane Stealer is a crypto-targeting malware that surged in August 2023. Researchers recently uncovered new insights into its URL pattern, file collection methods, and C2 protocol.



The malware was actively marketed on Telegram (@agnianebot), is protected with ConfuserEx, and uses a unique C2 method.

In November 2023, researchers' threat hunting turned up passbook.bat.exe, a renamed PowerShell binary linked to Agniane Stealer.

Infections start with ZIP downloads from legitimate websites that follow this URL pattern:

http[s]://<domain name>/book_[A-Z0-9]+-\ 

The extracted archive drops passbook.bat, which carries an obfuscated payload, and launches passbook.bat.exe. This renamed PowerShell binary executes a series of obfuscated commands.

Execution chain (Source – Cisco)

The PowerShell stage then dynamically builds and invokes an XOR-decoded payload from the BAT file, decompressing it and loading it reflectively into memory.

Reversing the payload reveals the threat actors' objectives.

The payload triggers a C# assembly that results in an executable with the hash 5640c02b6d125d4e14e19709296b29b8ea34fe416e18b3d227bd79310d54b8df.

The file was unknown to online sandboxes, and emulating it in Cisco Secure Malware Analytics revealed anti-sandbox techniques.

However, because the binary is obfuscated with ConfuserEx, dynamic analysis is limited.

Content of the passbook.bat file (Source – Cisco)

The sample lacked a ConfuserEx signature but used similar obfuscation. On reversing, another binary embedded in its resources turned out to be loaded reflectively.

This C# sample held the final payload, which was obfuscated directly with ConfuserEx.

passbook.bat.exe runs PowerShell to deobfuscate passbook.bat, which then runs tmp385C.tmp (the file name from its header). This in turn reflectively loads the _CASH_78 C# application, which ends with the Agniane Stealer.

Malware execution chain (Source – Cisco)

The Agniane Stealer steals credentials and files via a simple C2 protocol. It checks domain availability by requesting a specific URL and adds the active C2 domains to a list. It then gathers the target file extensions from a C2 URL pattern.

Afterward, it requests a remote JSON file for error details and proceeds based on the response.

The stealer employed many obfuscation and anti-detection methods to collect and exfiltrate files, credentials, passwords, credit cards, and wallets.

Moreover, its evasion tactics and broad data targeting could attract more threat actors to exploit its capabilities in the future.


IoCs (Source – Cisco)
