Analyzing the Command-and-Control Infrastructure of CollectorGoomba Data Theft Malware
The rise of spyware-as-a-service is letting criminals specialize, whether in making improved spyware, maximizing profits from stolen information, or working on infecting new victims. The business model for spyware-as-a-service means having an individual or a whole team developing spyware and organizing the infrastructure the malware runs on. The dev team may then sell the software to less technologically apt criminals who use it to further their goals.
Network defenses are often deployed by organizations to prevent spyware communications, often including network logging and intrusion prevention systems (IPS). The evolution of malware allows new threats to make parts of these defenses less useful. Security researchers can take new malware apart by setting it off in virtual machines or machines where they can be analyzed with software. Such analysis was recently performed by VMRay and we have reiterated much of their findings on CollectorGoomba.
Text of CollectorGoomba Author Explaining Benefits of the "product" - Source: VMRay.com
The author of CollectorGoomba describes the benefits of the product and the ability to steal information and the spyware changes to avoid defenses. The author also seems to claim they wrote the spyware-as-a-service they're offering.
Table of Contents
The Stolen Data
During the execution of the CollectorGoomba malware, it steals sensitive information from the infected device. The spyware reads sensitive data on the web browser of affected users, including their personal information, cookies, and login details saved in the autofill feature. The malware targets Firefox, Google Chrome, and Internet Explorer data files. Other applications that have their authentication data targeted by CollectorGoomba include Authy, NordVPN, FileZilla, Steam, Discord, and Pidgin.
The sample takes a screenshot of the desktop of a victim and adds the stolen data to a zip archive. The theft of login credentials means that the attackers can log in place of the infected user. They can further their goals by infiltrating an organization's network. Loss of personal information can devastate a user or an organization. Such issues could lead to extortion, banking fraud, identity theft, stalking, and more. As part of the spyware-as-a-service, criminals can trade the stolen information to other criminals who specialize in exploiting it.
Password Security
Web browser autofill may be very convenient for users, but it is also dangerous to use, as login credentials may be saved in cleartext. Password managers may be installed with the same functionality in mind, but they offer encryption of information through a master password. If attackers manage to steal the files that contain the login data, it will be encrypted and unusable.
Network Traffic Analysis
CollectorGoomba uses high-level networking to retrieve a file that contains the domain name of the collection server. Once the target domain acquires the spyware, it attempts to upload the stolen data to the collection server. The sample uses API functions in Wininet.dll, a Windows library meant for high-level network communication. The functions are easy to use and make the programming of the spyware simpler for the devs. The network traffic generated by the spyware uses the InternetReadFile() function, which reads a text file in a publicly-hosted GitHub repository.
The generated traffic appears in the packet capture as a DNS query for a legitimate GitHub domain called raw.githubusercontent.com, one used for direct download of files. Once the IP address is received, the infected device downloads the nyun.txt file from that domain. It contains the details of the spyware domain where the sample is instructed to upload the stolen data.
The program then checks for a valid response and confirms the InternetReadFile() function didn't return a zero. It then checks if the number of bytes returned was not zero as well. If either condition is met, then the sample assumes it failed to retrieve the nyun.txt file and uses a hardcoded domain for data exfiltration.
When the spyware acquires its target domain, it exfiltrates the zip archive with the stolen data. The code calls the high level networking functions HttpSendRequest() and InternetWriteFile() to send HTTP POST to u667503srd[.]ha004[.]t[.]justns[.]ru/collect[.]php. On the spyware C2 server, collect.pho is waiting for incoming connections from the malware. The platform developers for this spyware-as-a-service say the attacker clients can connect to the server and access the stolen data. Once the data is exfiltrated, the spyware deletes any temporary files it makes, freeing up the memory and finishing its execution.
Taking down the Command and Control
VMRay Labs researchers sent their analysis on the C2 traffic back to GitHub and were able to work together to remove the malicious repository. The attackers no longer use that file to send data stolen by the malware to their data exfiltration server. The spyware attempts to get the file from GitHub, but it receives an error message. Any malware depending on that repository, should now fail to upload the stolen data. The threat actors behind CollectorGoomba moved on and updated their code to rely on text files hosted on upaste.me instead. Instances of CollectorGoomba compiled before that update should fail to upload the stolen data.