Affected platforms: Windows
Impacted parties: Windows Users
Impact: The information collected can be used for future attacks
Severity level: Medium

FortiGuard Labs recently came across files that look suspicious, even during a cursory review. Our subsequent investigation confirmed that the files are malicious and revealed there is more to them than meets the eye: they are a previously unseen infostealer we have named “ThirdEye”. While this malware is not considered sophisticated, it’s designed to steal various information from compromised machines that can be used as stepping-stones for future attacks.

This blog post analyzes the behavior and evolution of this new infostealer.

Meet the ThirdEye

Our investigation began when we spotted an archive file with a file name in Russian, “Табель учета рабочего времени.zip” (“time sheet” in English). This zip file contains two files our experience immediately identified as up to no good. Both files have a .exe extension preceded by another document-related extension (double extension). And one of the files is “CMK Правила оформления больничных листов.pdf.exe” (“QMS Rules for issuing sick leave” in English, which is an executable instead of a document, as the title suggests). The file has a SHA2 hash value of f6e6d44137cb5fcee20bcde0a162768dadbb84a09cc680732d9e23ccd2e79494.

The ThirdEye infostealer has relatively simple functionality. It harvests various system information from compromised machines, such as BIOS and hardware data. It also enumerates files and folders, running processes, and network information. Once the malware is executed, it gathers all this data and sends it to its command-and-control (C2) server hosted at (hxxp://shlalala[.]ru/general/ch3ckState). And unlike most other malware, it does nothing else.

One interesting string unique to the ThirdEye infostealer family (from which we derived its name) is "3rd_eye", which it decrypts and uses with another hash value to identify itself to the C2.

The second item in the archive is “Табель учета рабочего времени.xls.exe”, which shares the same file name with the parent file. This file is a ThirdEye infostealer variant designed to perform the same activities as f6e6d44137cb5fcee20bcde0a162768dadbb84a09cc680732d9e23ccd2e79494.

Based on the traits we saw in those ThirdEye infostealer samples, we managed to trace the very first sample to 610aff11acce8398f2b35e3742cb46c6a168a781c23a816de2aca471492161b2, which was first submitted to a public file scanning service on April 4^th, 2023. Our analysis of that oldest sample uncovered that it did not harvest as much information as recent samples. The earliest sample we found has a compilation timestamp of Mon Apr 03 12:36:37 2023 GMT and collects the following data:

• client_hash
• OS_type
• host_name
• user_name

It calculates a “client_hash”, which is used as an identifier. During exfiltration, the collected data is sent to the C2 server with a custom web request header:

Cookie: 3rd_eye=[client_hash value]

This variant uses hxxp://glovatickets[.]ru/ch3ckState as a C2 server.

No significant changes were made to the malware family until a few weeks later. A variant (SHA256: A9D98B15C94BB310CDB61440FA2B11D0C7B4AA113702035156CE23F6B6C5EECF) with a compile timestamp of Wed Apr 26 09:56:55 2023 GMT collected additional data, such as:

• BIOS release date and vendor
• Number of CPU cores and RAM size
• File list of the user’s desktop
• Network interface data
• List of usernames registered to the infected computer

However, this version would crash in certain virtual machines due to missing hardware information. An updated variant was released one day later (SHA256: C36C4A09BCCDEDA263A33BC87A166DFBAD78C86B0F953FCD57E8CA42752AF2FC). The only change here was the use of a PDF icon. Prior to this, none of the samples we found used a custom/fake icon. “hxxp://ohmycars[.]ru/general/ch3ckState” was used as the C2 by this variant.

The following week brought even more changes. This next variant (SHA256: 847CBE9457B001FAF3C09FDE89EF95F9CA9E1F79C29091C4B5B08C5F5FE48337) gathered much more data:

• Total/Free disk space on the C drive
• Domain name
• List of network ports the infected computer is currently using
• List of currently running processes
• List of installed programs in the Program_Files directory
• systemUpTime
• List of user’s programs, including the version number
• Volume information such as CD-ROM and other drive letters

While another variant (5D211C47612B98426DD3C8EAC092AC5CE0527BDA09AFA34B9D0F628109E0C796), compiled on Thu May 25 11:02:54 2023 GMT, gathered the same type of data, the main difference was with encoding. Instead of plaintext, the data it collected was encoded in hex. Over the past couple of months, we also spotted some variants that used internal IP addresses 10[.]10[.]30[.]36 in SHA256: 2008BDD98D3DCB6633357B8D641C97812DF916300222FC815066978090FA078F and 192[.]168[.]21[.]182 in SHA256: 847CBE9457B001FAF3C09FDE89EF95F9CA9E1F79C29091C4B5B08C5F5FE48337) instead of an actual C2 server. This was perhaps due to testing new features and/or checking for AV detections.

Conclusion

Although there is no concrete evidence that ThirdEye infostealer was used in attacks, the malware is designed to collect information from compromised machines that is valuable for understanding and narrowing down potential targets. We believe this infostealer was designed for that purpose, and ThirdEye victims may be the subjects of future cyberattacks. Since most ThirdEye variants were submitted to a public scanning service from Russia, and the latest variant has a file name in Russian, the attacker may be looking to deploy malware to Russian-speaking organizations.

While ThirdEye is not yet considered sophisticated, our investigation found the attacker has put effort into improving the infostealer, such as recent samples collecting more system information compared to older variants. We expect that effort to continue.

Fortinet Protections

Fortinet customers are already protected from these APT and cyber-crime campaigns through FortiGuard’s AntiVirus, FortiMail, and FortiClient services, as follows:

 The following (AV) signatures detect the malicious documents mentioned in this blog:

• W64/ThirdEye.A!tr

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.

Fortinet Webfiltering blocks all ThirdEye C2s identified in this blog.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs

YARA