BLOG | OFFICE OF THE CTO

Advanced Threat Research: Dissecting the Russian Origin Collector-Stealer Malware


Collector-stealer, a piece of malware of Russian origin, is heavily used on the Internet to exfiltrate sensitive data from end-user systems and store it in its C&C panels. To aid the industry in guarding against this threat, Aditya K Sood and Rohit Chaturvedi from the Advanced Threat Research Center of Excellence within F5's Office of the CTO present a 360 analysis of the Collector-stealer malware to unearth hidden artifacts covering binary analysis, its working, and the design of associated C&C panels.

Collector-stealer has become quite pervasive in a relatively short time. Stolen information resulting from the malware is generally made available through underground markets for nefarious purposes. Attackers primarily target European countries using Collector-stealer, but it also impacts users from other countries such as the U.S.A., China, and Cambodia.

Here are some of the highlights and interesting characteristics of Collector-stealer uncovered through this analysis:

  • Collector-stealer uses multiple ways to initiate infection, including:
    • Luring users to visit phishing portals hosting free-game downloads
    • Windows activation/crack software packages
    • Fake miner web-portal (web-portal that mimics similar content from cryptocurrency software provider portal to trigger drive-by downloads attacks)
  • Collector stealer is written in C++ and infects the user machine for the purpose of stealing crucial data such as stored passwords, web data, cookies, screenshots, and more. Malware authors used obfuscation techniques in their code to frustrate researchers and make the code more complicated.
     
  • Collector-stealer, before sending data to C&C server, checks internet connectivity on the victim’s machine by pinging Cloudflare DNS resolver IP address 1.1.1.1. If the ping request fails, it deletes the executable along with collected data from the victim machine and then silently exits. Otherwise, it sends collected data to the C&C server.
     
  • Collector-stealer uses the HTTP protocol and POST method to send collected data. Before sending data, the malware compresses data into an archive .zip file which is then sent to the C&C server.

Collector-stealer gained popularity on underground forums due to broad malware features. We have seen many users show interest in buying this malware and some groups have even attempted to provide a cracked version. The "Hack_Jopi" Russian group has sold Collector-stealer on forums since October 2018.

The complete research detailing analysis of this malware has been released in Virus Bulletin. Get the research paper expanding on the above and other findings by visiting:
https://www.virusbulletin.com/virusbulletin/2021/12/collector-stealer-russian-origin-credential-and-information-extractor/ 

Enjoy!