New Infostealer Malware Yunit Stealer Targets Credentials and Crypto

New Infostealer Malware Yunit Stealer Targets Credentials and Crypto

Threat Group: Freeboox
Threat Type: Infostealer Malware
Exploited Vulnerabilities: Browser data storage, registry manipulation, scheduled tasks, system utilities
Malware Used: Yunit Stealer
Threat Score: High (8.7/10) — Due to its advanced evasion techniques, ability to extract sensitive data, and its persistence in critical system areas
Last Threat Observation: October 7, 2024, reported by AlienVaultPublic TLP: White


Overview

Yunit Stealer is a sophisticated malware targeting sensitive user data through credential theft and system manipulation. It employs advanced evasion techniques to bypass security measures, maintaining persistence on compromised systems. The malware performs comprehensive data extraction, including system information, browser data, and cryptocurrency wallets. It achieves persistence through registry modifications, scheduled tasks, and Windows Defender exclusions. Data exfiltration occurs via Telegram and Discord webhooks. The developer is believed to be a French speaker with connections to gaming platforms, suggesting a link to the online gaming community.

Key Details

  • Delivery Method: Distributed through malicious links, JavaScript, and PowerShell-based payloads.
  • Target: Browser-stored credentials, cryptocurrency wallets, and sensitive system data.
  • Functions:
    • Data Extraction: Retrieves and decrypts passwords, cookies, and credit card information from browser databases.
    • Cryptocurrency Wallet Theft: Scans for wallet directories, focusing on apps like Atomic and Exodus.
    • Registry Manipulation: Modifies Windows Defender settings and registry keys to avoid detection.
    • Exfiltration: Utilizes Discord webhooks and Telegram channels for anonymized data transfer.
    • Geofencing: Targets specific geographic locations, such as France, to evade detection in non-targeted regions.
  • Obfuscation Techniques: Uses command line obfuscation and hidden window execution to evade detection, along with file and command concealment techniques​.

Attack Vectors

Yunit Stealer employs multiple tactics to infiltrate and maintain control over infected systems:

  • Persistence Mechanisms: Uses scheduled tasks, registry modifications, and startup folder entries to ensure the malware auto-executes on system boot.
  • Windows Defender Exclusions: Employs PowerShell commands to add itself to the exclusion list of Windows Defender, hiding its activities from antivirus tools.
  • Command Execution: Executes commands via PowerShell and VBScript to manipulate system settings and initiate malicious processes.

Known Indicators of Compromise (IoCs)

File Hashes (MD5):

  • 050f8501f97ac8d067c31a22ed6f57e4

File Hashes (SHA1):

  • 1eadccc4db0b9455aa5858027571ec0725026581

File Hashes (SHA256):

  • f1f4176c1cfb6eedbdc025510b1fcdbfeaee857e2bbb5db63c1e0ebf2d71d077

Domains:

  • Example Malicious Domains: Placeholder (to be identified in environment-specific data)

URLs:

  • Discord Webhooks and Telegram Channels are used for exfiltration purposes.

MITRE ATT&CK Techniques:

  • T1053.005 - Scheduled Task
  • T1082 - System Information Discovery
  • T1005 - Data from Local System
  • T1112 - Modify Registry
  • T1041 - Exfiltration Over C2 Channel
  • T1059.001 - PowerShell
  • T1547.001 - Registry Run Keys / Startup Folder
  • T1564.003 - Hidden Window.

Mitigation and Prevention

  • User Awareness: Train users on recognizing phishing attempts and suspicious links.
  • Email Filtering: Configure email systems to block attachments that contain scripts or executables.
  • Antivirus Protection: Regularly update antivirus definitions to detect Yunit Stealer and similar threats.
  • Two-Factor Authentication (2FA): Enforce 2FA across all accounts to reduce unauthorized access.
  • Monitor Logs: Continuously review system and network logs for unusual activities.
  • Regular Updates: Patch software and operating systems frequently to close security loopholes.

Conclusion

Yunit Stealer poses a significant risk to organizations and individuals due to its ability to bypass traditional security measures and steal sensitive data. It remains active on compromised systems by employing advanced persistence techniques. Enhanced vigilance, endpoint monitoring, and regular security updates are essential to counteract this evolving threat.

Sources:

  1. Security Online: Yunit Stealer Analysis
  2. TechRadar: Yunit Stealer Capabilities
  3. CYFIRMA: Yunit Stealer Report
  4. AlienVaultPublic TLP: White Report on Yunit Stealer