Summary:
A new malware family called "Creal" is targeting cryptocurrency users through phishing sites. Creal is a stealer designed to harvest sensitive information, including cryptocurrency wallets and passwords. It is distributed through phishing emails crafted to look like legitimate messages from cryptocurrency exchanges or wallet providers. Each email links to a fake website that imitates the real exchange or wallet site. When a user enters login credentials or other sensitive information on the fake site, Creal steals the data and sends it to a command-and-control server.
Before doing anything else, the stealer checks whether it is running in an analysis environment: it obtains the victim's username and compares it against a blacklist of usernames, checks whether the machine's MAC address appears in a blacklist, and checks whether the public IP address is on a blacklist. If any of these checks matches, the malware terminates immediately via its termination function.
The stealer then sets global variables such as keyword, cookiWords, paswWords, CookiCount, P4sswCount, WalletsZip, GamingZip and OtherZip, and assigns values to them. The keyword variable holds a list of service names and their corresponding domain names that the stealer targets; using this list, it collects login credentials and cookies from the victim's browsers. The data-stealing operations run on Python's threading module, and the victim's geolocation is obtained by sending a GET request to a lookup URL. The stolen data is written to files with the file-writing function and exfiltrated through a Discord webhook via a POST request, with the HTTP request headers held in a dictionary object.
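The exfiltration path described above (a geolocation GET followed by a POST to a Discord webhook) is something a defender can hunt for in outbound proxy or EDR network logs. The following detection script is an added example, not code from the original report or from Creal itself; the log format, the host and process names, and the allow-list of processes permitted to post to Discord webhooks are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample outbound-proxy log lines (not taken from the original report):
# <timestamp> <host> <process> <method> <url> <bytes_sent>
SAMPLE_LOGS = """\
2024-01-01T10:00:01Z ws01 chrome.exe GET https://discord.com/api/v9/gateway 512
2024-01-01T10:00:05Z ws01 python.exe GET https://geo.example.invalid/json 210
2024-01-01T10:00:06Z ws01 python.exe POST https://discord.com/api/webhooks/1234/abcd 184320
2024-01-01T10:01:00Z ws02 discord.exe POST https://discord.com/api/v9/channels/1/messages 900
"""

# Discord webhook endpoint pattern: the channel the stealer uses for exfiltration.
WEBHOOK_RE = re.compile(r"^https://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/", re.I)
# Processes allowed to post to Discord webhooks in this (assumed) environment;
# a webhook POST from any other process is treated as suspicious.
ALLOWED_PROCESSES = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def parse_line(line):
    """Parse one log line of the constructed format into a dict."""
    ts, host, proc, method, url, sent = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "proc": proc.lower(), "method": method.upper(), "url": url, "bytes": int(sent)}


def find_webhook_exfil(log_text, allowed=ALLOWED_PROCESSES, window=timedelta(seconds=60)):
    """Return alerts for Discord webhook POSTs made by processes outside the allow-list.

    Each alert also counts earlier GET requests by the same host/process inside
    `window`, because the stealer performs a geolocation lookup right before it
    exfiltrates; a preceding GET strengthens the signal."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    alerts = []
    for ev in events:
        if ev["method"] != "POST" or not WEBHOOK_RE.match(ev["url"]) or ev["proc"] in allowed:
            continue
        prior_gets = sum(1 for e in events
                         if e["host"] == ev["host"] and e["proc"] == ev["proc"]
                         and e["method"] == "GET" and ev["ts"] - window <= e["ts"] < ev["ts"])
        alerts.append({"host": ev["host"], "proc": ev["proc"], "bytes": ev["bytes"],
                       "prior_gets": prior_gets, "url": ev["url"]})
    return alerts


if __name__ == "__main__":
    for a in find_webhook_exfil(SAMPLE_LOGS):
        print(f"ALERT {a['host']} {a['proc']} posted {a['bytes']} bytes to a Discord webhook "
              f"({a['prior_gets']} GET(s) in the preceding 60s)")
```

Legitimate Discord clients and browsers post to webhooks too, so the allow-list and the payload size are the tuning knobs; in a real deployment the allow-list should come from the organisation's own baseline.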
Creal Stealer's source code and builder are both freely available on GitHub, so threat actors can easily adapt the code to their particular requirements. This puts users at serious risk, because many new Creal Stealer variants with different features can be created. Cybercriminals increasingly build malware on open-source code because it is cheap and makes it easier to create complex, personalised attacks.
Threat Profile:
Tactics | Technique Id | Technique
Execution | T1204 | User Execution
Persistence | T1547 | Boot or Logon Autostart Execution
Credential Access | T1555 | Credentials from Password Stores
Credential Access | T1539 | Steal Web Session Cookie
Credential Access | T1528 | Steal Application Access Token
Discovery | T1087 | Account Discovery
Discovery | T1518 | Software Discovery
Discovery | T1057 | Process Discovery
Discovery | T1124 | System Time Discovery
Discovery | T1007 | System Service Discovery
Discovery | T1614 | System Location Discovery
Command and Control | T1071 | Application Layer Protocol
Command and Control | T1102 | Web Service
Exfiltration | T1041 | Exfiltration Over C&C Channel
References:
The following reports contain further technical details: