Research by: Shilpesh Trivedi and Tejaswini Sandapolla

Infection Vector

HookSpoofer is spread by bundlers (MD5: de90466d983da595e863339c34ee4b6b) named “Spotify proxyless checker 2022.rar.” It contains 17 files, with the main executable (the HookSpoofer stealer) being circulated as Spotify checker.exe.

HookSpoofer Infection Flow

Figure 1: Hookspoofer infection flow

Technical Analysis

The analyzed program has an md5 hash: 7FCE055A581C0B116A9679291BF89B7D. It’s .NET compiled and packed by Confuser, a .NET obfuscator. 

Figure 2:  Array initialization

Looking at the file contents, a large chunk of data is stored in the variable array that is later decrypted and stored in array2.

Figure 3: Decryption loop
                                                       

The decrypt function then decrypts the long array2 object (fig. 3). The result is a GCHandle object; its content creates a “koi” module, after which one of its methods is invoked.

Figure 4: Code for Memory Loading of decrypted .Net Module

Figure 5: Fake error message

Figure 6 shows how the error message is invoked:

Figure 6: Code showing the error message 

hxxps://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll 

hxxps://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/AnonFileApi.1.14.6/lib/net40/AnonFileApi.dll respectively.

Figure 7: Self deletion code

Figure 8 shows string_2 and string_3 that are hardcoded, obfuscated Telegram API and Telegram ID.

Figure 8: Obfuscated Telegram API and ID

To deobfuscate the Telegram API and Telegram ID, the CRYPTED keyword is removed, base64 decoded, then the base 64 decoded hex bytes form an array that undergoes AES 256 decryption. It uses the same key and salt.

Salt: { 255,64,191,111,23,3,113,119,231,121,252,112,79,32,114,156 }

After decryption; it forms: 
hxxps://api[.]telegram.org/bot6122846074:AAF6rJZMCIphpMPrSWQdU2PZSf14u6p4zeA/

Figure 9: Deobfuscated Telegram API and ID

Anti-Analysis Techniques

Various anti-analysis techniques are used to detect VirtualBox, SandBox, Debugger, VirusTotal, and Any.Run.

Debugger checks

It checks if the sample is running inside a debugger via CheckRemoteDebuggerPresent.

Process checks

It checks if processes (used by reverse engineers) such as process hacker, netstat, tcpview, and regmon are present. If detected, the program stops its execution.

Figure 10: Checks if the processes are running inside victims machine

Sandbox checks

It checks for sandbox-related DLL files (e.g., SbieDll) are running.

Figure 11: Checks if the sandbox dll’s are present

Virtualization checks 

It uses the wmi query, "Select * from Win32_ComputerSystem" to check for vmware/VIRTUALBOX/Virtual, et al.

root\\CIMV2", "SELECT * FROM Win32_VideoController" to check vmware/vbox

Figure 12: Virtualization check

Hosting checks

Checks the system IP address and compares with IP addresses associated with sandbox environments such as VirusTotal, anyRun etc.

If any of the above are detected then it creates a log of below strings in %temp% and sends a fake error message with exit code showing runtime error.

Figure 13: Anti Analysis detected

Figure 14 shows this error message:

Figure 14: Fake error message check

Stealing capabilities

It tries to steal the following data:

• ProtonVPN, OpenVPN, NordVPN

  

  Figure 15: VPN Stealer

• Filezilla steals data from “recentservers.xml” and “sitemanager.xml”

  

  Figure 16: Filezilla Hosts

• Information about processes running on the system, including process name, PID, path

  

  Figure 17: Info of the running processes

• Captures desktop screenshots

  

  Figure 18: Desktop screenshot

• Uses the netsh wlan show profile command via cmd.exe to obtain info related to saved Wi-Fi modules and passwords along with scan networks around device (SSID, BSSID)

  

  Figure 19: Wifi Passwords

• File Grabber

  

  Figure 20: File grabber

• Firefox.IE, Opera, and Edge browser history, cookies, login data, credit cards, et al.

  Figure 21: Edge web data, cookies, history, etc.

• Messengers (Telegram, Discord, Pidgin, Outlook and Skype)

  Figure 22: Telegram and Skype stealer

• Steam, Uplay, Battle.Net, Minecraft session gaming
• Cryptocurrency wallets
• Directories structure using filesystem info
• Webcam screenshot

  Figure 23: Webcam screenshot

• Product key
• Card info

  Figure 24: Card info

• Keylogger

  Figure 25: Keylogger

• System info

  Figure 26: Systeminfo

  
  
• Clipper

Zip file 

The Zip file is uploaded on anonfile.com/<message_id>, where the message ID is processed by the Telegram bot. This link is sent to the Telegram bot shown above.

Figure 27:Anon file link 

Figure 28: Info if the report has been sent to telegram or not

Figure 29 shows the complete report being sent with the title “HookSpoofer.”

Figure 29: Report contents

StormKitty Similarities

Figure 30: Similarity

Conclusion

Stealer bundlers can spread through various channels, including email attachments, fake software downloads, and social engineering techniques. To defend against malware attacks like Hookspoofer, Uptycs recommends:

• Users should keep their operating system and security software up to date and avoid downloading files or clicking links from unknown sources.
• Businesses should ensure that all staff receive cybersecurity training, and implement measures such as two-factor authentication and data encryption to protect against data theft.

Uptycs EDR Detection

In addition to having YARA built-in, Uptycs EDR customers can easily scan for HookSpoofer since our tool is armed with other advanced detection capabilities. EDR contextual detection provides important details about identified malware. Users can navigate to the toolkit data section in the detection alert, then click on the name of a detected item to reveal its profile (fig. 31)

IOC