Duvet Stealer - Malware Analysis Lab

Technical Analysis of Duvet Stealer

Overview (AI generated from video):

Summary

A malware called “Duvet Stealer” is bundled within an Electron application to evade detection by antivirus software. It steals Discord tokens as well as browser tokens and passwords, targets gamers, and may be distributed through platforms like Discord.

Timestamps

[00:00] 🕑 The malware was undetected by antivirus vendors until recently due to its use of an Electron application.
[02:15] 🕑 The malware is digitally signed but with a broken chain, posing as Windows Update and specifying Microsoft for legitimacy.
[06:40] 🕑 The malware steals Discord tokens, browser cookies, and autofill data, potentially accessing financial and personal information.
[11:30] 🕑 The malware checks for virtual machines and kills certain processes to hinder analysis efforts.
[15:00] 🕑 The malware can be configured for different components and may be a variant of the Epsilon stealer.
[17:45] 🕑 The malware injects malicious code into the Discord client and may be distributed through phishing in Discord DMs.
[20:15] 🕑 The malware targets gamers and may be distributed through gaming-related platforms like Discord.

Key Insights

[00:00] 💡 The malware’s use of an Electron application makes it difficult for antivirus vendors to detect, as most of the code is benign.
[06:40] 💡 The malware’s ability to steal Discord tokens and browser data presents a significant privacy and security risk to users.
[11:30] 💡 The malware’s evasion tactics, such as killing processes and checking for virtual machines, indicate a sophisticated approach to avoid detection and analysis.
[15:00] 💡 The malware’s flexibility in configuration suggests it can be customized for different purposes, potentially making it a versatile tool for cybercriminals.
[17:45] 💡 The malware’s injection of malicious code into the Discord client highlights the potential for widespread impact and the use of social engineering techniques.
[20:15] 💡 The malware’s targeting of gamers and distribution through gaming-related platforms like Discord demonstrates the importance of security awareness in the gaming community.

Transcript (AI generated from video):

00:00:00	This malware right here is almost completely undetected by AV vendors; up until about a few minutes ago, when it was scanned, one malicious signature was assigned by AV vendors. This is actually a bit interesting, the way that the malware works, because it is bundled within an Electron application in order to remain undetected on an endpoint, so the majority of the code that is actually there is benign Electron application code, making it more difficult for AV vendors to signature. Let's take a bit more of a look at what
00:00:33	this malware is and how it functions. And just on a side note, if you are interested in Electron-based malware samples, and this sample here, definitely go and check out Subatomic on Hack The Box, as this is a new Sherlock that's being released with some challenges associated with an Electron-based malware sample. First off, it was uploaded by someone on MalwareBazaar, and it is said to have a command and control of elitmagnetic.site. Now "elit magnetic" is some sort of K-pop song or music, and it was downloaded from this
00:01:06	other website called serenit therapy doxyz. Now a scan of that seems to be maybe a game, so it's possible that this is targeting gamers and maybe is being distributed through something like Discord or other servers commonly used by gamers. But let's dive a bit more deeply into the details of this malware. Something is a bit interesting. Number one, it's digitally signed, but it doesn't verify, so the chain is broken and it's not a valid signature. This actually has something specified as SpcSpOpusInfo within the digital signature; you
00:01:45	can provide supplementary information about the signed software within this signature that then can be displayed. Now this actually has the name Windows Update Assistant and specifies Microsoft, where you can go and get more information. So this is doing something a bit strange, where it's not only posing as this Serenity Therapy game, or whatever software this is, but it's also posing as Windows Update and then specifying Microsoft, where you can go to get more information. Now obviously this is not the case, and
00:02:24	this is not an accurate, valid signature that you would expect to see on something like this. If we look at the creation timestamp that's specified here, it was apparently created back in 2018, which just doesn't seem right, so maybe it's been timestomped as well. The signature date is also 2022, so maybe this is a signature that has been stolen from a legitimate Microsoft piece of software or update and has been embedded in this installer. But let's dive a bit deeper. So first off, this is NSIS, so using Detect It Easy we
00:03:00	can determine that this is the Nullsoft Scriptable Install System installer, which means that we have the ability to use something like 7-Zip to extract the files contained within this installer. Now if we look into that, there is a plugins directory, an uninstaller directory and an NSI that specifies how the installer is going to function, so we could review this NSI file and take a look at what it's going to be doing when it installs the executable. So of interest is "ShowInstDetails nevershow", so nothing is really going to be
00:03:38	shown in that regard. If we go down further we can also see reference to the particular mutexes, anything that's going to happen, where it's going to be installed, but there is also mention of the installer directory. So when we're talking about Nullsoft installers being used, something that is of interest is that they can contain both the uninstaller, so in this case we have it here, and the installer itself, so you have to be careful that the uninstaller that you have is not also going to be running malware. So it could install software, or adware, or a PUP, whatever you are classifying it as, malware,
00:04:14	and then if you use the uninstaller maybe it will kick off even more malware. Now let's dive a bit deeper into how this is functioning. You will notice the shortcuts being created, such as the Serenity Therapy Installer.exe, so this is really where I want to target the next part of my analysis. So if we go back and we look in the plugins directory, there is this app-32.7z file. Now this is going to be a core part of what we need to investigate. I'm going
00:04:49	to unzip this using 7-Zip, and this is going to give us the components required for this installation to occur. So looking within it, you can see now the Serenity Therapy Installer.exe, and this is quite large; this is 135 megabytes, which is not surprising for an Electron application that has to bundle essentially a lot of the capabilities that you would find in a web browser. We can actually tell that this is an Electron application, number one, by this icon; this icon is indicative of an Electron application. We can also
00:05:23	see LICENSE.electron.txt, which, if we open it up in Notepad, will talk about Electron contributors and essentially have the copyright information. We can be pretty sure that this is actually some sort of Electron application. Now if we look at the resources as well and dive in there, you will notice that there is this app.asar file and elevate.exe. Now where we want to focus our efforts is the app.asar file, 'cause we can actually essentially decompile the scripts that are going to be running whenever this
00:05:56	malware functions. So we have to remember that this is going to work similar to a web browser and it's going to be interpreting scripts, so malicious scripts are where we should focus a lot of our efforts in reversing. There's a couple of ways that we can get the contents of this asar package: we could use a 7-Zip extension, but we could actually use the Node package manager in order to install the asar module and then use that in order to extract this asar package. So let's just open up a command prompt, and what we're going to
00:06:30	do is we're going to use npx, and we're going to be looking at an Electron package, and it's going to be the asar, and we are just going to use the extract, so this is going to allow us to extract it. We are going to choose app.asar, which is the name of the file here, and I will give it a new folder and we'll just call this "extracted". So now if I was to use this and run it to the directory extracted, npx will go off, it will get the necessary package required and it will use that in order to run extract
00:07:04	against the asar package here, and that's going to give us the extracted output. So in this case I received an error saying that it cannot find the app or directory in my AppData Roaming directory for npm, but that's quite fine. What I'm going to do is I'm going to open that up and I'm just going to create a folder and call it npm. Now I'm going to run it again and it will say it needs the following packages; no worries, okay to proceed, and this is going to pull what I need and then use it. That was the only
00:07:34	error that I had there; it was that I needed to have a folder called npm in my Roaming directory. So I've created that, and now if I look in the extracted components we actually have the package.json file and we have the app JavaScript file and the modules associated with it. So if we look at the package.json file first, there is still kind of the same messaging of "this is Serenity Therapy Installer"; it's going to have a list of dependencies that are going to be required, so we need the primno dpapi
00:08:06	package, the node add-on, the sqlite3 and systeminformation, and all of these need to be a particular version or up from a particular version, so upward is specified here, and they should be bundled within the package and be here available to us. We're going to try to run this app.js script, but we're going to try to debug it, and we're going to use VS Code for this. So opening up VS Code, we can open up a folder, which is what we're going to want to do here; we're going to find the malware directory that we had, and we're going to
00:08:40	get the extracted location and we're going to select this folder. So now once we open up this folder (this is running in a virtual machine, so it's okay for me to say yes, I trust the authors, but in no way would I trust the authors of this package), anyway, we can see the modules, we can see this app package, and if we go on down to Run and Debug, what we want to do is create a launch.json file, 'cause we are going to debug this Node application using VS Code. So if we specify that, it's going to know that it
00:09:15	has to launch the app.js file within this directory, which is fine, that's what we need. So if we hit Launch Program, we can actually see if there's any issues, and in this case there are some issues, so we're going to have to resolve them. The issue here specified is that dpapi.node is not a valid Win32 application, so obviously the version that is bundled with this is not functioning on my particular operating system after I've extracted it in this method, but that's okay, because we can just install it and
00:09:47	make sure that it works. So to ensure that this runs properly, what I'm going to do is I'm going to go into the node_modules, I'm going to find the problem one, so we do have dpapi here, so I'm just going to nuke this entire folder, and now that the folder's gone I'm going to try to install that module again and see whether it functions. So I'm going to open up my command prompt and I'm going to run an npm, I'm going to run install, we are going to use the primno and we are going to specify dpapi, so this should go
00:10:18	out and grab what is required. Yep, so it says it's up to date and found zero vulnerabilities. Cool, let's try and run our malware again. So in this instance there was another error; however, this is for a different package. This is now specifying that sqlite3, so the node sqlite3 module, is having some issues, so I'm going to fix that one up as well. Let's go down and find that, so we have sqlite3 and I'm just going to delete that. Now I'm going to run pretty much the same method I did before, except instead of installing primno
00:10:55	dpapi we're just going to have sqlite3. Yep, so it looks like we got what we needed; it's got 123 packages that got installed with it, and we have likely everything that we need to run this malware. So let's try again. I've gone back to VS Code now and I'm just going to give it a shot and see what happens. First off, I want to run it, but I also want to be able to analyze it, so on the left-hand side we have Variables and the Call Stack, and these are kind of the things that I want to keep an eye on as this
00:11:29	runs. So if I launch the malware, we can see the program has launched successfully. I'm going to see if I can pause it, but we may not be able to... and we can pause it, and straight away you're starting to see something that's a little bit interesting. So there is mention of a payload, there is mention of GPU, etc. etc., but this could all be benign stuff, right? This says it's a system information library, so this might be completely benign. Let's see what else we have. We've got some stuff on the call stack
00:12:08	here. There is something known as newInjection, so suddenly this is a bit more interesting to me. So there is this new injection on the call stack, there is going out and getting IP address information from ipinfo.io, there is this Discord injection as well. Let's see if we can follow that, and we can, and so this looks like it's grabbing Discord tokens, so there is this... or infecting Discord instances, which is very interesting. So there is browser cookies as well, so this actually might be the full functionality of this malware, so we
00:12:53	might actually have it now. We can see the function is defined as anonymous, and this is specifying a var and then a particular entry, so this looks like this has been dynamically built and thrown onto the call stack. If we go back to the malware and we look in app-32 and we look in the resources, we know this is running the app.js file. Now if we open this up in Notepad++, we can see that this is a heavily obfuscated piece of JavaScript; analyzing this and every single thing that's being returned by it can be quite
00:13:32	challenging. However, because we've been able to break on this, we can actually see some of the stuff that is being dynamically built and then used by the malware. We can probably look through these functions to get a bit more of an idea and high confidence that this is actually malware that isn't being detected by a lot of AV vendors. For example, if we look down, there is mention of steal Firefox tokens, awesome, token requests, so stuff to do with the Discord, the new injection method that we saw immediately. We can begin to see also a
00:14:05	number of tasks that are of interest. So this is looking to see if Opera is running, if faket is running, if Wireshark or Fiddler is running, and if any of these particular processes are running after it executes a tasklist and sees them, it looks like it's just going to kill the executables, so that's going to hinder us in our analysis efforts. There's also this checkVM, so this is going out and looking for particular virtual machines. There is the elit magnetic site API, a user ID specified here, and logout Discord, so
00:14:42	this looks like configuration options for this piece of malware, so maybe there is some sort of specification as to whether, if someone is infected with this, it will kick them out of their Discord session or not. So this is actually really interesting; this is quite possibly everything that we need to know, so let's comb over it and see what this malware is doing. So first off, the malware is taking a look at the total memory that has been assigned to the machine, and if it is less than 1024 by 1024 by 1024, so what are you looking
00:15:20	at there? You're looking at kilobytes, or bytes to kilobytes to megabytes; basically, if you haven't got more than 2 gigs of RAM by the looks of things, then it's just going to exit and it's not going to do anything. Then we're looking at the system name, so it is getting the hostname of the operating system and it's comparing it to a lot of these hardcoded strings, and if none of them match then it continues, otherwise it exits. So there's obviously some checking to see if this is running in a VM, which ironically is the name of the
00:15:54	function. Now there is the tasklist to taskkill that we spoke about before, so this is also looking for stuff like VirtualBox and VMware Tools, so if any of these things, or Joe Sandbox by the looks of things, JoeBoxServer, if any of these things are seen, it's once again just going to... actually, this time it's going to kill those executables to hinder analysis, so it's not going to exit itself, it's just going to kill those executables so they don't get anything during their detonation. Then there's getting Discord tokens, so this
00:16:28	is likely getting the particular token that is saved on your system and then using that in order to allow them to authenticate as you. So this is a bit interesting, and it seems to... it is looking for encrypted tokens with a regex that's been specified here, and then it's going to extract or decrypt it, so because these are encrypted using DPAPI, so they're encrypted using the Data Protection API on Windows, what it needs to do is use that in order to decrypt it before it sends it somewhere else, because if it doesn't do that then
00:17:11	they're going to have a token that they can't use, because it's just encrypted junk. So that's a bit interesting, and it looks like it is taking these and then sending them away, so you're going to get a token, you're going to get a key, and then some other information associated with that as well. Then there's stealing Firefox tokens, then it's performing some sort of injection, so this looks like it's getting operating system information and then doing that Discord injection, which I'm sure we'll find out
00:17:42	as we go along what that's doing. It makes a connection to ipinfo.io to get your publicly facing IP address, which then is going to be sent off as well. It's going to then look at the options that you specify, so this options.api, this is the C2 that we're specifying here, so it's going to use that in order to figure out where it's sending the information, and then it's making a POST request to that with the parameters newInjection, so this is likely saying "hey, we've got a new infected system, here's the information", and it's going to give
00:18:20	the IP address, the country that's tied to that, city, the network, region, and so on and so forth, including the computer name, user, CPU and all that other good stuff. Then we've got this token requests, so this is a bit interesting, so this is using the Discord API, and it looks like it's going to use your ID to get your profile name. So it's going to use the Discord API, use your user ID that it's extracted through stealing the Discord tokens, and then it's going to find out what user that applies to, to
00:19:00	figure out what access they have, what Discord access do they have. Then it's also going to use the API and look at payment sources, so maybe this is actually retrieving any kind of credit card details or other information that you have saved within your Discord. It looks like there is profile, payment sources, once again financial information is being stolen here, checking your token, then stealing your Firefox token, so this is using the SQLite databases, so it's finding them on the operating system and then from that it's looking
00:19:34	at hardcoded strings that are obviously known as particular tokens of interest, and then it's using that to say "hey, I found these Firefox tokens". There is also stealing of Discord here by the looks of things, so it's using the discord_desktop index.js file, and then it looks like it is getting that information as well. Hi everyone, it's J here from the future, so the reason why it's getting the index.js file is because that is located within one of the modules, in this case the discord_desktop_core module of Discord,
00:20:14	and that index.js file is going to be modified, so injected. In this case it actually makes a GET request to the C2 server /api/injections, and the response of that is then going to be appended to this index.js file so that it is going to run malicious code when Discord starts up, and this is likely a way to intercept the requests on Discord as it is running as well, maybe even multi-factor authentication tokens or any other information of interest. So that's what this Discord injection method is doing; it is very much about infecting
00:20:51	the Discord client itself and determining whether it's going to kick you out or not. There is browser cookies, so it looks like it is getting stuff from a list of hardcoded browsers, but it is killing these browsers as well if they are found, so that's Chrome, Microsoft Edge, Brave, Opera, etc. etc. Then it looks like it is getting the cookies, so "select * from cookies" for your current user, once again using DPAPI where required to make sure that it is decrypted. Got Firefox mentioned here, looking for Firefox cookies,
00:21:29	go down further, Firefox cookies, you know, similar stuff. Browser passwords, so stealing your browser passwords, makes a lot of sense to me, so anything that you've saved in your browser. Your browser autofills, that's a little bit more interesting, not something that you see as much, but basically if you've got anything to automatically fill, it looks like it's going to be stealing that information as well, so the name and data that's going to be filled within those, the autofill when you go onto a website and you go to forms that you've used
00:22:02	before. So that's quite interesting; that's quite useful for an attacker, to be able to take that kind of information as well. Go down further, so get browser autofills, you've got get browser passwords, yep, see that, get all browser data, so this looks like it's just essentially running and getting, you know, the browser cookies, autofills and passwords, so it's going to do it for all of them, going to send all of that information off. There is checkCmdInstallation, so this would be, as soon as that asynchronous process
00:22:38	tries to run, it's going to be doing that VM check, it's going to then run checkCmdInstallation, and then it's going to be running that newInjection process as well, so browser data, etc. etc. Let's see exceptions, and this, remember that this is being done in this sort of POST request to the specified endpoint that has an API there, and so this is very much how that Electron application is functioning with this JavaScript that runs. So it does look like it's got that kill process stuff, so this is interesting, so it's checking to
00:23:17	see if cmd doesn't exist at C:\Windows\System32; not entirely sure what that is doing. Hey, it's J here from the future again, so basically this checkCmdInstallation function is checking to see if cmd.exe does not exist within the System32 Windows directory, and if it does not exist, it's going to make a GET request off to the C2 server using the /api/cmd-file request, and what this is going to do is then push down an executable, presumably cmd.exe, and it's going to be placing this in the user's
00:24:00	Documents directory, and then it's going to be setting the environment variable so that that is the specified COMSPEC, so the environment variable used in the same way that cmd would be. So basically it's just checking if you've got cmd.exe, and if you don't have cmd.exe it looks like it's pushing its own version to the user's Documents directory so it can function properly. But honestly, we can see the vast majority of exactly what this malware is doing, right? It is continuously trying to beacon to that
00:24:29	and it is an information stealer. Now I don't know if this has a name; I haven't seen any kind of YARA hits, but I think it definitely needs a name. I've stopped the malware, but I was looking at this code and I noticed something a little bit interesting in the headers under the getDiscordTokens async function: there is this parameter that's specified called duvet_user, so I was sitting here trying to figure out what this malware was and thought, well, I'm going to name this Duvet Stealer because of this duvet_user
00:25:04	reference. Now while looking for that string, one of the things that I like to do is look for that string across GitHub just to see if there's any kind of open-source malware that this might be related to. Now I didn't quite find what I was after, but I did find something else of interest: there is this user stucks VT and they mentioned this Sonic Glide Discord malware, so this is actually what I found when searching for that string, and so they claim that this is an Epsilon Stealer variant, so this could be a variant of Epsilon Stealer.
00:25:37	Now it looks like Sonic Glide here was the other game that was being used in this campaign that people were essentially pretending was a game for them to run, so it says that it is being distributed via manual phishing in Discord DMs, using the stolen accounts to pivot to new victims, and they're linking to this URL that then is going to be used to download the malware. So I guess in this particular case they would then instead be linking to Serenity Therapy as the game that is going to be legitimately downloaded, so it seems like
00:26:16	this is targeting individuals, and they can come up with whatever games they like, right? They can pretend that it is some other game, but just by pivoting off of that indicator, this seems like it's going to be the same kind of malware. It's pretty interesting, because this has the same characteristics that we saw in the malware we'd reversed: so the virus is an Electron project and it is deobfuscating some JavaScript in order to then run in memory and be used to steal the Discord tokens, and if we look
00:26:50	at the time of this project, it was only a couple of weeks ago that it was actually updated as well, so this looks like the individual here is investigating the same type of malware we are, but for a different game that's been specified. So what I've done is actually gone out and downloaded a copy of the malware that this person is providing, and it's a bit interesting, because if we go into it, you know, it was only from a couple of weeks ago like we expected, and we look at the grabber JS file that they've provided, this is
00:27:25	identical, besides maybe the configuration details in the options here, to the malware that we saw when we were doing our analysis. So if we go up we can see this function, and we can probably put these side by side. So if we go up, there are the options specified; this doesn't seem to have the checkVM which we saw here. If we go down a bit further there are the same merge and getDiscordTokens, so getDiscordTokens is the first one up here with this duvet_user, so it looks really similar, right, except, you know, without the anti-VM
00:28:05	check. Maybe this means that it is the same malware, except it can be configured to have different components in it. So there is this newInjection once again, and we can see it does pretty much identical actions to what we found in our malware here; remember, these are two different pieces of malware that we are analyzing. So if we go back we can begin to see a few other things. The obvious one: the JavaScript, even when it's deobfuscated, is a lot of gibberish, as we can see here, and we had that same issue
00:28:36	when we were analyzing it. So stage two, there is this injection, and so this is doing something that we haven't seen; this looks like it is specifying some endpoints, maybe there's some shellcode or some just C char byte characters that are being used here, but once again this does look like it's stealing Discord information, so all interesting things. And if we look at the payload, we saw a similar thing with the NSIS setup file, the plugins directory; it looks like it had similar aspects there as well, so we have the same type
00:29:14	of Electron application which is being used to run malware on endpoints and steal Discord tokens as well as browser tokens and passwords as well. Interestingly enough, if we look at the pass.json, I'm not entirely sure where this has been extracted from, but this is a bit more interesting, because it seems to have configuration details for where it's going to be stolen from. So there are browser processes, and this seems to be the directory where stuff like the browsers are located on endpoints, and that's going to be where it's storing
00:29:49	your username, password, credentials, tokens, anything else. So all interesting things under that pass.json file as well. But look, that's all I wanted to show you; we've got a good idea of what this malware is doing, even just through the analysis that we performed and then comparing it to some of the publicly available analysis of some other like-minded samples. So that's it, thanks so much for watching. Shout out to stocks hacker vtu for putting their analysis out on GitHub, which made it much easier to track back other examples of this
00:30:22	malware being used in the wild and how it's being targeted, and the only reason that they know is 'cause they mentioned that a few of their friends got hit with this malware, so they decided to reverse it. So that's it, any questions, comments, feelings, anything else, in the comment section below. I might still call this Duvet Stealer because I can. If you want to see more videos like this let me know, and I'll catch you next [Music] time.
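Added example, not code from the video or from the analysed sample: a Python host check for three of the post-infection artefacts the transcript describes, a COMSPEC repointed to a cmd.exe under the user's Documents folder, a discord_desktop_core index.js with code appended after the stock require, and a tasklist followed by taskkill of analysis tools from the same parent process. The stock index.js content, the process-log line format and the VM-tooling process names beyond Wireshark and Fiddler are assumptions.

```python
"""Host-side checks for post-infection artefacts of the Electron stealer
analysed above. Added example for this write-up, not code from the video.

  1. COMSPEC repointed outside %SystemRoot%\\System32 (the stealer drops its
     own cmd.exe under the user's Documents folder and sets COMSPEC to it);
  2. Discord's discord_desktop_core index.js carrying code beyond the stock
     one-line require (the stealer appends C2-supplied JavaScript to it);
  3. a process log in which one parent runs tasklist and then taskkills an
     analysis tool (Wireshark, Fiddler, VM tooling) shortly afterwards.

Assumptions: the stock index.js content, the log line format and the
process names beyond those named in the video.
"""
import re
from typing import Dict, Iterator, List, Tuple

# Assumption: the untouched module file is a single require of core.asar.
STOCK_INDEX_JS = "module.exports = require('./core.asar');"

# Analysis/VM tooling the stealer kills when it sees it in tasklist output
# (wireshark and fiddler are from the video; the VM services are assumed).
ANALYSIS_TOOLS = {"wireshark.exe", "fiddler.exe", "vboxservice.exe", "vmtoolsd.exe"}

# Constructed sample of a process-creation log: "<ts> <ppid> <image> <cmdline>".
SAMPLE_LOG = """\
101 4120 cmd.exe cmd.exe /c tasklist
102 4120 taskkill.exe taskkill /F /IM wireshark.exe
103 4120 taskkill.exe taskkill /F /IM fiddler.exe
104 9001 taskkill.exe taskkill /F /IM notepad.exe
"""

LOG_RE = re.compile(r"^(\d+) (\d+) (\S+) (.*)$")
KILL_RE = re.compile(r"/IM\s+(\S+)", re.IGNORECASE)


def comspec_is_suspicious(env: Dict[str, str]) -> bool:
    """True when COMSPEC does not point into %SystemRoot%\\System32."""
    comspec = env.get("COMSPEC", "")
    system_root = env.get("SystemRoot", "C:\\Windows")
    expected_dir = system_root.rstrip("\\").lower() + "\\system32\\"
    return not comspec.lower().startswith(expected_dir)


def index_js_tampered(content: str) -> bool:
    """True when index.js holds anything beyond the stock require line.

    A legitimate Discord update that changes the module would also trip this,
    so treat a hit as a prompt to diff the file, not as a verdict on its own.
    """
    lines = [line.strip() for line in content.splitlines() if line.strip()]
    return lines != [STOCK_INDEX_JS]


def parse_log(text: str) -> Iterator[Tuple[int, int, str, str]]:
    """Yield (timestamp, ppid, image, cmdline) for each well-formed log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts, ppid, image, cmdline = m.groups()
            yield int(ts), int(ppid), image.lower(), cmdline


def find_analysis_tool_kills(text: str, window: int = 30) -> List[Tuple[int, str]]:
    """Return (ppid, killed_image) pairs where the same parent ran tasklist
    and then taskkill'd an analysis tool within `window` seconds."""
    last_tasklist: Dict[int, int] = {}
    hits: List[Tuple[int, str]] = []
    for ts, ppid, image, cmdline in parse_log(text):
        if "tasklist" in cmdline.lower():
            last_tasklist[ppid] = ts
            continue
        if image != "taskkill.exe":
            continue
        m = KILL_RE.search(cmdline)
        target = m.group(1).lower() if m else ""
        seen = last_tasklist.get(ppid)
        if target in ANALYSIS_TOOLS and seen is not None and ts - seen <= window:
            hits.append((ppid, target))
    return hits


if __name__ == "__main__":
    # Constructed environment resembling the repointed COMSPEC the video describes.
    sample_env = {"COMSPEC": "C:\\Users\\alice\\Documents\\cmd.exe",
                  "SystemRoot": "C:\\Windows"}
    print("COMSPEC suspicious:", comspec_is_suspicious(sample_env))
    print("index.js tampered:", index_js_tampered(STOCK_INDEX_JS + "\nrequire('https');"))
    print("analysis-tool kills:", find_analysis_tool_kills(SAMPLE_LOG))
```

On a live host, feed `comspec_is_suspicious` the real `os.environ` and `index_js_tampered` the contents of the installed discord_desktop_core index.js; the log check expects process events already normalised to the four-field line format shown in SAMPLE_LOG.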