Posted Jul 24, 2014 10:14 AM by kbechtel

Stealer Malware


Recently we were made aware of a piece of malware being called “Stealer.” I've gone through the Joint Indicator Bulletin on the topic from DHS/NCCIC US CERT/FBI and have written notes that would be very useful for Tenable’s SecurityCenter users who need to see if any of these indicators are on their networks.

From the report: “In December 2013, a group of highly sophisticated hackers targeted a U.S. Company with an unidentified piece of malware that was later identified as ‘Stealer.’ While the exact nature of the attack has not been fully determined, it is known that these hackers were after technical systems manuals maintained by a U.S. Company. The ‘Stealer’ malware was obtained after U.S. Company employees logged into a spoofed web portal that was under the hackers’ control.”

Looking for Created Files

Due to the complexity of this malware, it requires multiple files. All of these files can be found with Nessus plugin 70329. In addition to searching for the files themselves, a user can search the Log Correlation Engine (LCE) logs for evidence in the process execution summary, and the list of running processes that Nessus compiles in its audits. The known files are listed in the following table:



MD5:  feb6341a1e0f7c2f886e3644620a4cfe
SHA1: c92b4ca5743ff868fa2848e3dba5eb9f788ce068

MD5:  c90da996c9d1192ef2b603b4ce027f49
SHA1: 19a4a8179f56c92ab307b5eea793f8ff4351ae94

MD5:  cf71d3f95a46b3e2e9551db8cd2f4146
SHA1: 4d45c2ef4c0d2f6142459fd0694c5482cf6deb9c

Other related files:

Path: %APPDATA%\IntelRapidStart\AppTransferWiz.dll
MD5:  fb952ee5bea868b99d74b93d82fdf71f
SHA1: 12aba6681f2f7a121688a76e121d3200bf210186

Path: %APPDATA%\IntelRapidStart\DelphiNative.dll
MD5:  05ea4103354c54489a542a6ee3696e5e
SHA1: 2abb898917d04772682e1d5c1bd5fe798a40edf6


Looking for Network Traffic

The malware has a single identified Command and Control (C&C) server and an upload server. The host prefix of the upload server changes per infected machine, but the domain and the communications remain the same. The two servers are identified as:

Host: intel-update.com 21/TCP
Type: FTP traffic
User: neol
Pass: nativemanager

Host: office.windows-essentials.tk 80/TCP
Type: FTP traffic
User: windows
Pass: Microsoft

Organizations that have been logging this sort of network traffic over time can search for communications to, or originating from, either of the domains or their IP addresses. Also consider auditing these logs for anomalies and odd communication patterns.


Custom File Hash Searches

Nessus can be used to search for these custom hashes as part of your audits. The following SHA1 hashes have been identified as files known to be associated with the malware; the MD5 hashes are listed above with the file information.

SHA1: c92b4ca5743ff868fa2848e3dba5eb9f788ce068
SHA1: 19a4a8179f56c92ab307b5eea793f8ff4351ae94
SHA1: 4d45c2ef4c0d2f6142459fd0694c5482cf6deb9c
SHA1: 12aba6681f2f7a121688a76e121d3200bf210186
SHA1: 2abb898917d04772682e1d5c1bd5fe798a40edf6


Searching for Rogue Applications

Keep in mind that:

  • Nessus plugin 74442 identifies any Microsoft Windows Known Bad AutoRuns / Scheduled Tasks.
  • Nessus plugin 70628 identifies AutoRun settings that are unique to a host compared with the other scanned hosts.
  • Nessus plugin 11154 identifies any network services that cannot be identified. We use this for our customers to send us information about new services, but it is also an excellent way to find malware running its own proprietary protocol.
  • Nessus plugin 70768 identifies all running processes that have an unknown reputation.


Registry Entries

Look in the registry for modified or newly created entries such as the following:

Key:   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name:  IntelRapidStart
Value: %APPDATA%\IntelRapidStart\IntelRS.exe

Key:   HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name:  IntelRapidStart
Value: %APPDATA%\IntelRapidStart\IntelRS.exe
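For sites without Nessus/LCE coverage on every host, the indicators above (file hashes, the Run-key value and the two server names) can be pulled into one triage script. This is an added example written for this post, not code from the bulletin or from Tenable's plugins; the function names, the constructed log format and feeding the Run keys in as an exported name-to-command map are assumptions.

```python
"""Triage helpers for the Stealer indicators in this post (added example;
not from the DHS/US-CERT bulletin and not Tenable code). Hashes, Run-key
value and server names come from the post; the rest is assumed usage."""
import hashlib
import os
import re

STEALER_MD5 = {"feb6341a1e0f7c2f886e3644620a4cfe", "c90da996c9d1192ef2b603b4ce027f49",
               "cf71d3f95a46b3e2e9551db8cd2f4146", "fb952ee5bea868b99d74b93d82fdf71f",
               "05ea4103354c54489a542a6ee3696e5e"}  # MD5s from the file table above
STEALER_SHA1 = {"c92b4ca5743ff868fa2848e3dba5eb9f788ce068", "19a4a8179f56c92ab307b5eea793f8ff4351ae94",
                "4d45c2ef4c0d2f6142459fd0694c5482cf6deb9c", "12aba6681f2f7a121688a76e121d3200bf210186",
                "2abb898917d04772682e1d5c1bd5fe798a40edf6"}  # matching SHA1s
# Run-key command from the post; %APPDATA% may be expanded, quoted or followed by arguments
RUN_VALUE_RE = re.compile(r"IntelRapidStart\\IntelRS\.exe", re.IGNORECASE)
# Base domains of both servers; the host prefix varies per infected machine, so any subdomain matches
C2_RE = re.compile(r"(?<![a-z0-9-])(?:[a-z0-9-]+\.)*(?:intel-update\.com|windows-essentials\.tk)(?![a-z0-9-])", re.IGNORECASE)


def file_hashes(path):
    """Return (md5, sha1) hex digests, streaming so large files are cheap."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def scan_tree(root, md5_set=STEALER_MD5, sha1_set=STEALER_SHA1):
    """Walk root (e.g. each user's %APPDATA%) and return files whose hash is known-bad."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                md5, sha1 = file_hashes(path)
            except OSError:
                continue  # locked or unreadable file: skip it, keep sweeping
            if md5 in md5_set or sha1 in sha1_set:
                hits.append(path)
    return sorted(hits)


def suspicious_run_values(run_values):
    """run_values: {name: command} exported from the HKLM/HKCU ...\\CurrentVersion\\Run
    keys. Flags the IntelRapidStart persistence entry by its name or by what it launches."""
    return {n: v for n, v in run_values.items()
            if n.lower() == "intelrapidstart" or RUN_VALUE_RE.search(v)}


def c2_log_hits(lines):
    """Return proxy/firewall/DNS log lines that mention either Stealer server (any prefix)."""
    return [line for line in lines if C2_RE.search(line)]
```

Run scan_tree against each user profile's roaming AppData and feed c2_log_hits the same proxy or firewall logs you would search in LCE; a hit on any of the three checks is grounds for a full host review, not just removal of the matched file.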


Auditing for the Rogue Service

Nessus records running services in many different plugins; the main one is plugin 10456, which enumerates all services.

If a Windows LCE client is running on your systems and you have a group policy logging all process execution and service events, you can search your normalized logs.


Additional Suggestions

  • Although the report didn't mention the creation of new user accounts specifically, I would find it very surprising if part of the malware expansion did not steal an account or try to crack passwords. As such, you should audit any New_User_Source events for any new trust pair.
  • Look for any log anomalies from your systems. Any anomalies in network traffic, detected changes or errors could be your fingerprint of the malware.
  • Audit the list of commands that have run on your suspect systems. The LCE summarizes this for each device and each user on a daily basis.