Uncovering the Phemedrone Stealer: Analyzing the Threat and Detection Methods

Recently, the cybersecurity world has been abuzz with discussions about Phemedrone, a newly emerged stealer exploiting the CVE-2023-36025 vulnerability in Microsoft Windows Defender SmartScreen. The project was until recently hosted on GitHub; however, it has since been taken down and the associated account removed. Active development still occurs via Telegram.

Phemedrone distinguishes itself as a sophisticated stealer, adept at extracting sensitive data from platforms such as Steam and Discord, retrieving browser data (particularly from Chrome) and extracting details from various cryptocurrency wallets. Its proficiency in evading traditional defense mechanisms and its organized approach to data collection and exfiltration underscore its significance as a noteworthy stealer.

In the following blog, the Splunk Threat Research Team will dissect the Phemedrone Stealer. We’ll explore the stealer’s configuration settings and its associated tactics and techniques, including those it uses for data harvesting and for evading detection. Additionally, we’ll highlight the indicators and detection opportunities our team has identified, offering insights into the stealer’s operational patterns.

Phemedrone Stealer’s Configuration Settings

Phemedrone Stealer, like other .NET Trojan Stealers, employs configuration settings stored within its .cctor class, initialized first and utilized throughout its codebase. To extract these settings, the Splunk Threat Research Team wrote a Python script, phemdrone_extractor_s.py, tailored to extract configuration data from this malware strain. We also extracted 150+ Phemedrone malware configuration settings to identify common tags that might be related to its campaigns, the common C2 framework it uses, the files it tries to collect, and many more. Below is a short demo and presentation of this tool.

Figure 1: configuration extraction

After ingesting the extracted JSON-formatted configuration settings and creating a simple Splunk dashboard, our analysis revealed that the most common tag among the extracted samples is “default.” Additionally, we observed that the primary command and control (C2) framework identified across our dataset is Telegram.

Figure 2.1: Phemedrone Tag Statistic

In addition to the configuration settings, the malware targets various file types on the compromised host, including .txt files, Windows documents, PDFs, DAT files, KeePass databases, images, and more. This comprehensive approach indicates the malware’s ability to harvest a wide range of sensitive data formats from the victim’s system.

Figure 2.2: Phemedrone File Collection Statistic

Phemedrone Stealer’s Tactics and Techniques

Defense Evasion

This .NET Compiled Trojan Stealer employs a series of defense evasion techniques upon execution, tailored to its configuration settings. The Phemedrone Trojan Stealer employs a mutex checker to ensure singular execution and incorporates three distinct methods to circumvent analysis or sandbox environments.

The initial technique involves a Virtual Machine Check, achieved through the execution of a WMI command:

SELECT * FROM Win32_VideoController

It retrieves the “Name” field and checks if it matches any recognized virtual machine identifiers, including “Virtualbox,” “Vbox,” “VMware Virtual,” “VMware,” and “Hyper-V Video.” Upon detecting a match with any of these names, the process execution is promptly terminated.

Figure 3: Virtual Machine Check

Similarly, if the “InstalledInputLanguages” of the compromised host’s operating system matches any of the languages associated with the Commonwealth of Independent States (CIS), as indicated in Figure 4, the process will be terminated.

Figure 4: is CIS

Lastly, if the “wireshark” or “httpdebbugerui” processes are running on the compromised host, the process execution will be terminated.

System Information Discovery

After Phemedrone Stealer’s defense evasion function has run, it dynamically prepares a MemoryStream that is used to transfer all system information and collected data from the compromised host back to its server side.

Figure 5 illustrates the system information targeted for collection, which will subsequently be sent to its C2 server.

Figure 5: System Information

The majority of this information collection relies on executing WMI commands or parsing the registry, as detailed in the table below.

System Information | Technique
Get AV Product Installed Information | “root\\SecurityCenter2”, “SELECT * FROM AntivirusProduct”
Get CPU Information | “SELECT * FROM Win32_Processor”
Get Geo Information | hxxp[://]ip-api[.]com/json/?fields=11827
Get GPU | “SELECT * FROM Win32_VideoController”
Get Hardware Information | “SELECT * FROM Win32_Processor”, “SELECT * FROM Win32_DiskDrive”
Get Total RAM | “SELECT * FROM Win32_ComputerSystem”
Windows | “HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion”, “ProductName”

Figure 6 displays the formatted “information.txt” data that was transmitted to the C2 panel server during our testing and analysis conducted in the Splunk Attack Range.

Figure 6: Information.txt

Data Collection Tactics

Discord and Steam

Similar to other Trojan Stealers, Phemedrone Stealer targets sensitive information associated with the Steam application. Steam, developed by Valve Corporation, serves as a digital platform predominantly utilized for purchasing, downloading, and engaging in video games.

This particular Trojan Stealer employs various tactics to gather Steam account data and activities. It begins by querying the registry key “HKEY_CURRENT_USER\Software\Valve\Steam,” which contains crucial configuration and user data pertaining to the Steam client. This data can encompass login credentials, game library details, settings, and more.

Furthermore, this malware attempts to harvest files with specific substrings in their names, such as “ssfn” and “\config\*.vdf.” These files, once located, are read and streamed into memory for subsequent transmission to the C2 server. Among these files are configurations vital for Steam’s operation, including user preferences, game settings, and potentially sensitive account-related information.

Figure 7: Steam Information Collection

This malware also endeavors to harvest and decrypt Discord database files typically situated in the Discord directory “\discord\Local Storage” or “\Discord\Local State.” These files contain valuable information like usernames and passwords, which the malware seeks to steal for malicious purposes.

Browser Information

This malware is equipped with a class tailored to extract sensitive data from web browsers, particularly Chrome or Chromium. It commences by locating two critical files from Chrome profiles: namely, “%userprofile%\Appdata\Local\Google\Chrome\User data\Local State” and “%userprofile%\Appdata\Local\Google\Chrome\User data\Default\Login Data”. Subsequently, it parses the “Local State” file to acquire the encoded and encrypted master key necessary for decrypting the stored passwords within the “Login Data” file. The master key undergoes Base64 encoding and is then encrypted using the Windows CryptProtectData() API.

This technique has been observed in various Trojan Stealers, including the Amadey malware, which has been analyzed by the Splunk Threat Research Team in our blog.

Figure 7: Decrypt Chrome Database

In addition to decrypting Chrome credentials and potentially extracting credit card information, this malware also targets specific Chrome file extensions associated with second-factor authentication, cryptocurrency management, and password management. These extensions may contain sensitive data crucial for securing accounts, managing digital assets, and storing passwords. The table below lists the targeted chrome extensions it attempts to collect information from and send back to its C2 server.

Extension Name | Extension ID
“Authenticator” | “bhghoamapcdpbohphigoooaddinpkbai”

During our testing, we installed certain targeted Chrome extensions within the Splunk Attack Range environment and populated them with dummy autofill credentials. This allowed us to observe how the Phemedrone Stealer parses this information. By configuring the C2 panel and executing the client-side Phemedrone stealer, we received two files: “password.txt” and “Cookies_Chrome[Default].txt”. These files contain the extracted usernames and passwords from the Chrome database, as well as information pertaining to all installed targeted Chrome extensions.

Figure 8.1: Password.txt

Figure 8.2: Cookies_Chrome[Default].txt

Screenshots

Phemedrone Stealer has a screenshot capability, allowing it to discreetly capture images of the victim’s screen and send them to its C2 server under the name “screenshot.png”. This functionality enables the malware to gather visual information from the infected device, potentially revealing sensitive data or user activities.

Figure 9: Phemedrone Stealer Screenshot Function

Crypto Wallets

In addition to the capabilities mentioned in the previous sub-headings, Phemedrone Stealer targets sensitive data and files associated with various cryptocurrency wallets, including Armory, Atomic, Bytecoin, Coinomi, Jaxx, Electrum, Exodus, and Guarda. For instance, it attempts to extract data from specific directories such as “atomic\Local Storage\leveldb” for the Atomic wallet and “Coinomi\Coinomi\wallets” for the Coinomi wallet, among others. These database files are typically used by cryptocurrency wallets to store various kinds of data, including transaction records, account information, and cryptographic keys.

Figure 10: Phemedrone Stealer Targeted Crypto Wallet

Command and Control

Once Phemedrone Stealer has gathered and formatted all desired data and sensitive information, such as information.txt and password.txt, it proceeds to archive it into a zip file. The archive is named following a specific format:

--Phemedrone-Report.zip

This systematic naming convention aids in organizing and identifying the archived data.

Figure 11: Phemedrone Stealer Archiving Stolen Data

On the C2 server, we can observe how Phemedrone Stealer formats the stolen files from the compromised host. Figure 12 displays the file tree of the .zip archive received by the server from the Phemedrone Stealer client agent. This visualization illustrates the organized structure of the stolen data, aiding in analysis and understanding of the compromised system’s contents.

Figure 12: report.zip file tree

Indicators and Detection Opportunities

Atomic Indicators

While researching Phemedrone, we were able to capture many publicly available hashes that we’d like to share with the community here.
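Beyond file hashes, the behaviours described in this post (the Win32_VideoController and AntivirusProduct WMI queries, the ip-api.com geo lookup, the Steam registry key, the Chrome “Login Data” read and the “-Phemedrone-Report.zip” archive name) can be combined into a behavioural rule set. The following Python snippet is an added example, not code from the original post or from Splunk; its event field names (pid, wmi_query, destination_url, registry_key, target_filename) are an assumed, simplified telemetry shape, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Behavioural indicators taken from the analysis above. The event field names
# are an assumed, simplified telemetry shape, not a real Sysmon or Splunk schema.
RULES = [
    ("report_archive", "target_filename", re.compile(r"-Phemedrone-Report\.zip$", re.I)),
    ("geo_lookup", "destination_url", re.compile(r"ip-api\.com/json/\?fields=11827", re.I)),
    ("av_enum", "wmi_query", re.compile(r"SELECT \* FROM AntivirusProduct", re.I)),
    ("vm_check", "wmi_query", re.compile(r"SELECT \* FROM Win32_VideoController", re.I)),
    ("steam_reg", "registry_key", re.compile(r"\\Software\\Valve\\Steam$", re.I)),
    ("chrome_logins", "target_filename", re.compile(r"\\Chrome\\User Data\\Default\\Login Data$", re.I)),
]

def match_event(event):
    """Return the names of all rules whose pattern matches the event's field."""
    hits = []
    for name, field, pattern in RULES:
        value = event.get(field)
        if isinstance(value, str) and pattern.search(value):
            hits.append(name)
    return hits

def behaviours_by_pid(events):
    """Collect the distinct behaviours observed per process id."""
    seen = defaultdict(set)
    for ev in events:
        for name in match_event(ev):
            seen[ev["pid"]].add(name)
    return dict(seen)

def suspicious_pids(events, min_behaviours=3):
    """Flag processes showing at least min_behaviours distinct indicators.
    A single WMI query is common in benign inventory agents, so one hit alone
    is not enough; the stealer chains several of them inside one process."""
    return sorted(pid for pid, names in behaviours_by_pid(events).items()
                  if len(names) >= min_behaviours)

# Constructed sample telemetry: pid 4242 mimics the stealer's sequence,
# pid 1337 is a benign agent that only runs the GPU inventory query.
SAMPLE_EVENTS = [
    {"pid": 4242, "wmi_query": "SELECT * FROM Win32_VideoController"},
    {"pid": 4242, "wmi_query": "SELECT * FROM AntivirusProduct"},
    {"pid": 4242, "destination_url": "http://ip-api.com/json/?fields=11827"},
    {"pid": 4242, "registry_key": "HKEY_CURRENT_USER\\Software\\Valve\\Steam"},
    {"pid": 4242, "target_filename": "C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"pid": 4242, "target_filename": "C:\\Users\\u\\AppData\\Local\\Temp\\sample-Phemedrone-Report.zip"},
    {"pid": 1337, "wmi_query": "SELECT * FROM Win32_VideoController"},
]

if __name__ == "__main__":
    print(behaviours_by_pid(SAMPLE_EVENTS))
    print(suspicious_pids(SAMPLE_EVENTS))  # [4242]
```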

Splunk Security Content

The Splunk Threat Research Team has created relevant detections and tagged them to the

Copyright © TSP 2024. All rights reserved. Designed by Enovate LLC