Phishing mail targeting Turkish companies has been detected. The mail attachment is presented as an RFQ file. Normally, a request for quotation (RFQ) is a document a company sends to request pricing and packaging information from a potential supplier. Here the file that looks like an RFQ is actually a RAR archive, and it contains a malicious EXE that is a keylogger and stealer. The Threatmon Malware Research Team accessed the attacker's C2 server and retrieved the stolen data.
FEATURES OF THE STEALER
- Accesses sensitive information stored by local browsers
- Contains strings referencing the storage locations of browser data
- Tries to steal browser-stored sensitive information by reading the files directly (file access)
- Tries to steal information from desktop applications
- Queries process information
- Reads the active computer name
- Reads the Windows installation language
- Tries to identify its external IP address by sending a GET request to hxxps://checkip[.]dynds[.]org
- The malware belongs to the Snake Keylogger family
- Uses Telegram as C2: hxxps://api[.]telegram[.]org/bot5310184099:AAGxqu0IL8tjOF6Eq6x2u0gfcHhvuxRwfLU (the string after /bot is the bot token; whoever holds it can call the Bot API as that bot)
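As an added example (not Threatmon's tooling and not code from the sample), the Python below turns the two network indicators in this list into analyst helpers: it refangs a strings dump, extracts the Telegram bot token and the checkip URL, masks the secret so the indicator can be shared, builds the Bot API URLs an analyst would query with the recovered token, and runs a simple detection plus correlation over proxy log lines. The log format, hostnames, process names and the bot token in the samples are constructed for this example; the regexes accept any checkip.* host and any /bot<id>:<secret> token, not only the ones listed above.

```python
"""Triage helpers for a Snake Keylogger-style sample that uses a Telegram bot as C2
and a checkip.* lookup for its external IP. Added example; the sample strings and
log lines below are constructed, and the bot token in them is fake."""
import re
from dataclasses import dataclass


def refang(text: str) -> str:
    """Undo report-style defanging: hxxp -> http, [.] -> ., [:] -> :."""
    return (text.replace("hxxps://", "https://").replace("hxxp://", "http://")
                .replace("[.]", ".").replace("[:]", ":"))


# A Bot API token is <numeric bot id>:<secret>; current secrets are 35 chars,
# the regex is lenient on length so odd or older tokens still match.
BOT_TOKEN_RE = re.compile(r"api\.telegram\.org/bot(\d{5,15}):([A-Za-z0-9_-]{30,})")
CHECKIP_RE = re.compile(r"https?://checkip\.[a-z0-9.-]+", re.IGNORECASE)


@dataclass(frozen=True)
class TelegramC2:
    bot_id: str
    secret: str

    @property
    def token(self) -> str:
        return f"{self.bot_id}:{self.secret}"

    def masked(self) -> str:
        """The bot id is safe to share; the secret controls the bot, so mask it."""
        return f"{self.bot_id}:{self.secret[:4]}{'*' * (len(self.secret) - 4)}"

    def api(self, method: str) -> str:
        """Bot API URL an analyst would query with the recovered token, e.g. getMe
        (bot identity) or getUpdates (operator chat ids and messages)."""
        return f"https://api.telegram.org/bot{self.token}/{method}"


def extract_iocs(strings_dump: str) -> dict:
    """Pull Telegram C2 tokens and checkip URLs out of a (possibly defanged) strings dump."""
    text = refang(strings_dump)
    c2s, seen = [], set()
    for bot_id, secret in BOT_TOKEN_RE.findall(text):
        if (bot_id, secret) not in seen:
            seen.add((bot_id, secret))
            c2s.append(TelegramC2(bot_id, secret))
    return {"telegram_c2": c2s, "checkip": sorted(set(CHECKIP_RE.findall(text)))}


# Detection over proxy/EDR network logs (constructed format: ts host process method url).
LOG_LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<method>GET|POST) (?P<url>\S+)$")
BOT_SEND_RE = re.compile(r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/(sendMessage|sendDocument)")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def detect(log_lines):
    """Return (host, process, rule, severity) for every suspicious request.
    A Bot API send carrying a token from a non-browser process is the strong
    signal; a checkip lookup on its own is weak and only rated low."""
    hits = []
    for line in log_lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        proc, url = m["proc"].lower(), m["url"]
        if BOT_SEND_RE.search(url):
            hits.append((m["host"], proc, "telegram_bot_api_send",
                         "medium" if proc in BROWSERS else "high"))
        elif CHECKIP_RE.search(url) and proc not in BROWSERS:
            hits.append((m["host"], proc, "external_ip_lookup", "low"))
    return hits


def correlate(hits):
    """(host, process) pairs that both looked up their external IP and sent to a
    Telegram bot, i.e. the behaviour pairing described in the feature list."""
    by_pair = {}
    for host, proc, rule, _ in hits:
        by_pair.setdefault((host, proc), set()).add(rule)
    return {pair for pair, rules in by_pair.items()
            if {"external_ip_lookup", "telegram_bot_api_send"} <= rules}


# Constructed sample data: defanged strings as they appear in a report, and four log lines.
SAMPLE_STRINGS = """
hxxps://checkip[.]dynds[.]org
hxxps://api[.]telegram[.]org/bot1234567890:AAFakeTokenForExample00000000000000/sendDocument
"""
SAMPLE_LOG = [
    "2023-01-10T09:12:03Z WS-0042 rfq_document.exe GET https://checkip.dynds.org/",
    "2023-01-10T09:12:05Z WS-0042 rfq_document.exe POST https://api.telegram.org/bot1234567890:AAFakeTokenForExample00000000000000/sendDocument",
    "2023-01-10T09:13:00Z WS-0042 chrome.exe GET https://api.telegram.org/bot1234567890:AAFakeTokenForExample00000000000000/sendMessage",
    "2023-01-10T09:14:00Z WS-0042 chrome.exe GET https://web.telegram.org/",
]

if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_STRINGS)
    for c2 in iocs["telegram_c2"]:
        print("C2 bot:", c2.masked(), "->", c2.api("getMe"))
    print("checkip:", iocs["checkip"])
    hits = detect(SAMPLE_LOG)
    for hit in hits:
        print("hit:", hit)
    print("likely keylogger/stealer:", correlate(hits))
```

The browser allowlist only lowers severity for the Bot API rule rather than suppressing it, because a token-bearing request to api.telegram.org is unusual from any process; if your environment runs legitimate Telegram bots, allowlist those processes or bot ids explicitly instead of widening the BROWSERS set.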
COMMUNICATING WITH THE C2 SERVER
The stealer communicates through the Telegram Bot API. We accessed the attacker's C2 and retrieved the stolen data. Here is an example: